BIG-IP® Command Line Interface Guide
Transcription
BIG-IP® Command Line Interface Guide
BIG-IP® Command Line Interface Guide version 9.4.3 MAN-0236-02 Product Version This manual applies to version 9.4.3 of the BIG-IP® product family. Publication Date This guide was published on October 24, 2007. Legal Notices Copyright Copyright 2007, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable iControl user licenses. F5 reserves the right to change specifications at any time without notice. Trademarks F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, Internet Control Architecture, IP Application Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam, FirePass, TrafficShield, Swan, WANJet, WebAccelerator, and TMOS are registered trademarks or trademarks, and Ask F5 is a service mark, of F5 Networks, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. F5 Networks' trademarks may not be used in connection with any product or service except as permitted in writing by F5. Patents This product protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933. Other patents pending. Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States. RF Interference Warning This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. FCC Compliance This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. Canadian Regulatory Compliance This class A digital apparatus complies with Canadian I CES-003. BIG-IP® Command Line Interface Guide i Standards Compliance This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture. Acknowledgments This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by Charles Hannum. This product includes software developed by Charles Hannum, by the University of Vermont and State Agricultural College and Garrett A. Wollman, by William F. Jolitz, and by the University of California, Berkeley, Lawrence Berkeley Laboratory, and its contributors. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU). In the following statement, "This software" refers to the parallel port driver: This software is a component of "386BSD" developed by William F. Jolitz, TeleMuse. This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software developed by Darren Reed. (© 1993-1998 by Darren Reed). This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html. This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. ii Table of Contents Table of Contents 1 Introducing the BIG-IP System Introducing the BIG-IP system .....................................................................................................1-1 Overview of the BIG-IP system command line interface .............................................1-2 About this guide ..............................................................................................................................1-4 Additional information ..........................................................................................................1-5 Stylistic conventions ..............................................................................................................1-6 Finding help and technical support resources ..........................................................................1-8 2 Understanding the bigpipe Utility Introducing the bigpipe utility ......................................................................................................2-1 Using the bigpipe shell ...................................................................................................................2-2 Controlling the bigpipe shell ...............................................................................................2-2 Using the bigpipe shell command history feature ..........................................................2-2 Using the bigpipe shell command edit feature ................................................................2-3 Using the bigpipe shell audit feature ..................................................................................2-3 Using the bigpipe shell command completion feature ..................................................2-4 Using the bigpipe shell command continuation feature ................................................2-4 Using grep functionality in the bigpipe shell ....................................................................2-5 Customizing the bigpipe shell ..............................................................................................2-5 Using the bigpipe shell escape feature ..............................................................................2-6 bigpipe command summary ..........................................................................................................2-6 3 Managing the BIG-IP System Network Components Configuring the BIG-IP system network components ...........................................................3-1 Performing network management tasks ....................................................................................3-1 Managing the size of the log file ..........................................................................................3-1 Expanding the codes in the log file. ...................................................................................3-3 Configuring encrypted remote logging .............................................................................3-3 Implementing packet filtering ..............................................................................................3-8 Configuring routing ...............................................................................................................3-8 Implementing the trunk algorithm on FFP-supported platforms ................................3-8 4 Managing the BIG-IP System Introducing BIG-IP system management ....................................................................................4-1 Understanding BIG-IP system management tools ...................................................................4-2 Using system management tools at the BIG-IP system prompt ..................................4-2 Using the bigpipe utility ........................................................................................................4-3 Understanding the BIG-IP system configuration state ...........................................................4-4 Understanding the stored configuration files ..................................................................4-6 Introducing the Single Configuration File ..................................................................................4-9 What is a single configuration file? .....................................................................................4-9 About the bigpipe utility and the single configuration file ......................................... 4-10 Creating a single configuration file .................................................................................. 4-12 Configuring a BIG-IP system using an SCF .................................................................... 4-13 Restoring a BIG-IP system configuration using an SCF .............................................. 4-14 Using the Copy and Paste SCF Feature ......................................................................... 4-15 BIG-IP® Command Line Interface Guide v Table of Contents Performing BIG-IP system management tasks ....................................................................... 4-17 Configuring the MGMT port ............................................................................................ 4-17 Creating and managing administrative partitions ......................................................... 4-17 Managing user accounts ..................................................................................................... 4-21 Configuring failover for redundant systems ................................................................. 4-23 Displaying protocol statistics ........................................................................................... 4-26 Using the bigstart utility .................................................................................................... 4-27 Working with the bigtop utility ....................................................................................... 4-29 Working with the bigdb database ................................................................................... 4-30 Managing the Log File System .......................................................................................... 4-32 Removing and returning items to service ..................................................................... 4-34 Viewing the currently-defined system objects ............................................................. 4-35 Viewing system licenses ..................................................................................................... 4-35 Backing up and restoring the BIG-IP system product image .................................... 4-36 5 Managing Local Application Traffic Performing local traffic management tasks ...............................................................................5-1 Setting up load balancing ...............................................................................................................5-2 Managing traffic types ............................................................................................................5-2 Configuring manual resumption of pool members and nodes ....................................5-3 Configuring clone pools .......................................................................................................5-3 Configuring a last hop pool .................................................................................................5-3 Implementing SNATs ............................................................................................................5-4 Controlling HTTP traffic ...............................................................................................................5-5 Configuring HTTP compression .........................................................................................5-5 Redirecting HTTP requests .................................................................................................5-5 Rewriting HTTP redirections ..............................................................................................5-5 Inserting and erasing HTTP headers .................................................................................5-6 Enabling or disabling cookie encryption ...........................................................................5-6 Enabling or disabling SYN cookie support .......................................................................5-7 Configuring the HTTP Class profile ..................................................................................5-7 Unchunking and rechunking HTTP response data .........................................................5-8 Configuring HTTP compression on the BIG-IP system .........................................................5-8 Understanding compression providers .............................................................................5-8 Understanding compression strategy selection ..............................................................5-9 Introducing adaptive compression .................................................................................. 5-10 Viewing compression statistics ........................................................................................ 5-14 Implementing HTTP and TCP optimization profiles ............................................................ 5-15 Authenticating application traffic .............................................................................................. 5-16 Generating SSL certificates ............................................................................................... 5-16 Generating CA certificates ............................................................................................... 5-16 Creating client certificates ................................................................................................ 5-17 Creating a certificate for a web site ............................................................................... 5-18 Working with certificate revocation .............................................................................. 5-18 Associating keys and certificates with SSL profiles ..................................................... 5-19 Performing other certificate-related tasks .................................................................... 5-19 Configuring remote server authentication ................................................................... 5-20 Implementing persistence ........................................................................................................... 5-22 Implementing session persistence ................................................................................... 5-22 Implementing connection persistence ............................................................................ 5-22 Enhancing the performance of the BIG-IP system ................................................................ 5-24 Setting Link QoS and IP ToS levels on packets ........................................................... 5-24 Setting idle timeout values ................................................................................................ 5-24 Implementing rate shaping ................................................................................................ 5-25 vi Table of Contents Managing health and performance monitors ......................................................................... 5-25 Creating custom monitors ............................................................................................... 5-25 Associating monitors with pools or nodes ................................................................... 5-25 Monitoring services ............................................................................................................ 5-26 Configuring a monitor for manual resume ................................................................... 5-27 Implementing iRules ..................................................................................................................... 5-28 A bigpipe Command Reference Introduction to command syntax ...............................................................................................A-1 Using the keyword, all .........................................................................................................A-1 Identifying command types .................................................................................................A-1 Basic definitions .....................................................................................................................A-2 Alphabetical list of commands .....................................................................................................A-2 arp ......................................................................................................................................................A-3 auth crldp .........................................................................................................................................A-6 auth ldap ...........................................................................................................................................A-9 auth radius .....................................................................................................................................A-14 auth ssl cc ldap ..............................................................................................................................A-17 auth ssl ocsp ..................................................................................................................................A-22 auth tacacs .....................................................................................................................................A-24 bigpipe shell ...................................................................................................................................A-27 class .................................................................................................................................................A-29 cli ......................................................................................................................................................A-33 config ...............................................................................................................................................A-36 configsync .......................................................................................................................................A-39 conn .................................................................................................................................................A-42 crldp server ...................................................................................................................................A-44 daemon ...........................................................................................................................................A-47 daemon bigdbd .............................................................................................................................A-50 daemon mcpd ...............................................................................................................................A-52 daemon tmm .................................................................................................................................A-54 db .....................................................................................................................................................A-57 dns ...................................................................................................................................................A-59 exit ...................................................................................................................................................A-62 export .............................................................................................................................................A-63 f5adduser ........................................................................................................................................A-65 failover ............................................................................................................................................A-67 fasthttp ............................................................................................................................................A-71 fastL4 ...............................................................................................................................................A-72 fipscardsync ...................................................................................................................................A-73 fipsutil ..............................................................................................................................................A-74 ftp .....................................................................................................................................................A-77 global ...............................................................................................................................................A-78 ha table ...........................................................................................................................................A-79 hardware ........................................................................................................................................A-81 help ..................................................................................................................................................A-82 http ..................................................................................................................................................A-83 httpd ................................................................................................................................................A-84 icmp .................................................................................................................................................A-88 import .............................................................................................................................................A-89 interface ..........................................................................................................................................A-91 ip ......................................................................................................................................................A-95 list ....................................................................................................................................................A-96 load ..................................................................................................................................................A-97 BIG-IP® Command Line Interface Guide vii Table of Contents logrotate ...................................................................................................................................... A-100 ltm ................................................................................................................................................. A-103 mcp ............................................................................................................................................... A-107 memory ....................................................................................................................................... A-108 merge ........................................................................................................................................... A-109 mgmt ............................................................................................................................................ A-111 mgmt route ................................................................................................................................. A-113 mirror .......................................................................................................................................... A-116 monitor ....................................................................................................................................... A-118 nat ................................................................................................................................................. A-130 ndp ................................................................................................................................................ A-133 node ............................................................................................................................................. A-135 ntp ................................................................................................................................................. A-138 ocsp responder .......................................................................................................................... A-140 oneconnect ................................................................................................................................. A-145 packet filter ................................................................................................................................. A-146 partition ....................................................................................................................................... A-152 password policy ......................................................................................................................... A-154 persist .......................................................................................................................................... A-157 platform ....................................................................................................................................... A-161 pool .............................................................................................................................................. A-163 profile ........................................................................................................................................... A-169 profile auth ................................................................................................................................. A-171 profile clientssl ........................................................................................................................... A-176 profile dns ................................................................................................................................... A-184 profile fasthttp ........................................................................................................................... A-186 profile fastl4 ................................................................................................................................ A-191 profile ftp .................................................................................................................................... A-196 profile http .................................................................................................................................. A-198 profile httpclass ......................................................................................................................... A-208 profile oneconnect .................................................................................................................... A-211 profile persist ............................................................................................................................. A-214 profile rtsp .................................................................................................................................. A-220 profile sctp .................................................................................................................................. A-223 profile serverssl ......................................................................................................................... A-227 profile sip .................................................................................................................................... A-235 profile stats ................................................................................................................................. A-238 profile stream ............................................................................................................................. A-240 profile tcp .................................................................................................................................... A-242 profile udp ................................................................................................................................... A-249 pva ................................................................................................................................................ A-252 radius server .............................................................................................................................. A-253 rate class ..................................................................................................................................... A-256 remote users .............................................................................................................................. A-259 remoterole ................................................................................................................................. A-262 route ............................................................................................................................................ A-265 rtsp ............................................................................................................................................... A-267 rule ............................................................................................................................................... A-268 save ............................................................................................................................................... A-271 sctp ............................................................................................................................................... A-273 self ................................................................................................................................................. A-274 self allow ...................................................................................................................................... A-276 shell .............................................................................................................................................. A-278 snat ............................................................................................................................................... A-280 snat translation .......................................................................................................................... A-283 snatpool ....................................................................................................................................... A-286 viii Table of Contents snmpd .......................................................................................................................................... A-288 sshd ............................................................................................................................................... A-301 ssl .................................................................................................................................................. A-305 statemirror ................................................................................................................................. A-306 stop ............................................................................................................................................... A-309 stp ................................................................................................................................................. A-310 stp instance ................................................................................................................................. A-314 stream .......................................................................................................................................... A-317 sys-icheck .................................................................................................................................... A-318 sys-reset ...................................................................................................................................... A-319 syslog ............................................................................................................................................ A-320 system .......................................................................................................................................... A-324 tcp ................................................................................................................................................. A-329 tmm .............................................................................................................................................. A-330 trunk ............................................................................................................................................. A-331 udp ................................................................................................................................................ A-335 unit ................................................................................................................................................ A-336 user ............................................................................................................................................... A-337 version ......................................................................................................................................... A-340 virtual ........................................................................................................................................... A-341 virtual address ............................................................................................................................ A-347 vlan ............................................................................................................................................... A-350 vlangroup ..................................................................................................................................... A-354 B Configuring bigdb Database Variables Introducing the bigdb database ................................................................................................... B-1 Summarizing bigdb database variables for redundant system administration .................. B-2 Using failover bigdb database variables ............................................................................ B-2 Using connection mirroring bigdb database variables .................................................. B-3 Using configuration synchronization bigdb database variables ................................... B-3 Summarizing bigdb database variables for user account administration ........................... B-4 Summarizing bigdb database variables for event logging ....................................................... B-4 Summarizing bigdb database variables for HTTP compression ........................................... B-5 Configuring RAM Cache by setting a bigdb database variable ............................................. B-7 Configuring the MAC address of a VLAN using bigdb database variables ....................... B-7 Configuring debugging for the system using bigdb database variables ............................... B-8 Configuring the PVA10 Syn Cookie feature with bigdb database variables ................... B-10 Configuring dynamic routing with bigdb database variables .............................................. B-11 Glossary Index BIG-IP® Command Line Interface Guide ix Table of Contents x 1 Introducing the BIG-IP System • Introducing the BIG-IP system • About this guide • Finding help and technical support resources Introducing the BIG-IP System Introducing the BIG-IP system The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the multilayer capabilities of the BIG-IP system enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs. ◆ BIG-IP Local Traffic Manager The BIG-IP® system includes local traffic management features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management. ◆ BIG-IP Global Traffic Manager The BIG-IP® Global Traffic Manager provides intelligent traffic management to your globally available network resources. Through the Global Traffic Manager, you can select from an array of load balancing modes, ensuring that your clients access the most responsive and robust resources at any given time. In addition, the Global Traffic Manager provides extensive monitoring capabilities so the health of any given resource is always available. For more information, see the Configuration Guide for BIG-IP® Global Traffic Management. ◆ BIG-IP Link Controller The BIG-IP® Link Controller seamlessly monitors availability and performance of multiple WAN connections to intelligently manage bi-directional traffic flows to a site, providing fault tolerant, optimized Internet access regardless of connection type or provider. The Link Controller ensures that traffic is always sent over the best available link to maximize user performance and minimize bandwidth cost to a data center. For more information, see the Configuration Guide for BIG-IP® Link Controller. ◆ BIG-IP Application Security Manager The BIG-IP® Application Security Manager provides web application protection from application-layer attacks. The Application Security Manager protects Web applications from both generalized and targeted application layer attacks including buffer overflow, SQL injection, BIG-IP® Command Line Interface Guide 1-1 Chapter 1 cross-site scripting, and parameter tampering. For more information, see the Configuration Guide for BIG-IP® Application Security Management. Overview of the BIG-IP system command line interface The BIG-IP system, a powerful combination of hardware and software elements, is designed to meet your traffic management needs in the most efficient, scalable, reliable, and secure way possible. Although the primary tool for managing the BIG-IP system is the browser-based Configuration utility, there are other tools available that are command-line-based. That is, there are commands and utilities that you can either type at the BIG-IP system prompt, or use within scripts such as iRules™. While some of these utilities and commands are provided as part of the BIG-IP system, others are industry-standard tools that you can use to further enhance the power of the BIG-IP system. Understanding command line utilities and tools There are several command line utilities and tools that you can use to manage the BIG-IP system: 1-2 ◆ The config utility You use the config utility to define the IP address, network mask, and gateway for the management (MGMT) port, when you initially set up your BIG-IP system. ◆ The bigpipe utility The bigpipe utility is a set of commands that you can use to configure elements of the BIG-IP system such as VLANs, load balancing pools, and virtual servers. Using bigpipe commands, you can manage the BIG-IP system and the BIG-IP network components, and control local application traffic to suit your exact needs. ◆ The bigtop utility The bigtop utility is a command that provides statistical monitoring, and displays connections and throughput. You can set a refresh interval and specify a sort order for this statistical information. ◆ The bigstart command With the bigstart command, you can start, stop, restart, and check the status of various daemons, such as snmpd. ◆ The gencert utility You can use the gencert utility to generate a key, a temporary certificate and a certificate signing request file. You then submit the request file to a certificate authority to obtain an SSL certificate. Introducing the BIG-IP System The industry-standard tools that you can also use to manage the BIG-IP system are: ◆ The Tools Command Language (Tcl) programming language The Tools Command Language (Tcl) programming language is an industry-standard programming language that you can use to create BIG-IP system iRules™. iRules™ are scripts you can write to direct and manipulate the way that the BIG-IP system manages application traffic. ◆ The OpenSSL utility A component of the industry-standard OpenSSL toolkit, the OpenSSL utility is a set of commands that perform various cryptographic functions, such as generating SSL certificates and keys. For more information This guide provides information about a subset of the commands that you can use to manage the BIG-IP system. You can find additional information about the command line interface in the following locations: ◆ Online man pages The BIG-IP product includes a complete set of online man pages for the commands that make up the bigpipe utility. You can access the online man pages for bigpipe commands in one of two ways: • From the BIG-IP system prompt, type man followed by the command name. You must use underscores between the words in the command name. For example: man stp_instance • From the bigpipe shell prompt, use the command name followed by help. Do not use underscores between the words in the command name. For example: bp> auth crldp help ◆ The Linux syslog-ng man page This man page is included with the standard set of Linux operating system man pages. • The log2mail man page The man page for the log2mail utility includes information about using the log2mail utility with the syslog-ng utility. ◆ User-supplied third-party Tcl reference books Various third-party reference books on the Tcl programming language are available. You can use these books when you write iRules™ for managing local application traffic. BIG-IP® Command Line Interface Guide 1-3 Chapter 1 About this guide Before you use this guide, we recommend that you run the Setup utility on the BIG-IP system to configure basic network and system elements such as static and floating self IP addresses, interfaces, and VLANs, to name a few. After running the Setup utility, you can further customize your system by using the Configuration utility to create local traffic management objects such as virtual servers, load balancing pools, and profiles. Finally, you can return to this guide when you want to adjust the elements you have configured, or to add additional ones as your needs change. Before you continue adjusting or customizing your BIG-IP system configuration, complete these tasks: • Choose a configuration tool. • Familiarize yourself with additional resources such as product guides and online help. • Review the stylistic conventions that appear in this chapter. This guide is written for use by system administrators who prefer to configure the BIG-IP system using the command line interface, instead of the Configuration utility. This guide includes instructions for handling specific tasks, but it does not include instructions for configuring every aspect of the system. Chapter 2, Understanding the bigpipe Utility, describes the bigpipe utility and the bigpipe shell. It also includes a list of bigpipe commands. Chapter 3, Managing the BIG-IP System Network Components, describes how to configure the BIG-IP system network components and perform network management tasks, such as working with trunks, routing, and packet filtering, using the command line interface. Chapter 4, Managing the BIG-IP System, describes the system management tools that are available for configuring the BIG-IP system. It describes how to use the command line interface to perform system management tasks, such as configuring the management port, creating and managing administrative partitions, and managing user accounts. Chapter 5, Managing Local Application Traffic, describes how to use the command line interface to perform local traffic management tasks, such as managing traffic, configuring pools, pool members, and nodes, and implementing persistence and rate shaping. Appendix A, bigpipe Command Reference contains information about each bigpipe command that you can use to configure the BIG-IP system, including limited examples for usage of each command. Appendix B, Configuring bigdb Database Variables contains information about bigdb database variables that you can configure manually. For complete instructions for configuring the BIG-IP system, see the online help, the Configuration Guide for BIG-IP® Local Traffic Management, and the Configuration Guide for BIG-IP® Global Traffic Management. 1-4 Introducing the BIG-IP System Additional information In addition to this guide, you can use the following printed documents that are included with the BIG-IP system to help you configure the system. ◆ Configuration Worksheet Use this worksheet to plan the basic configuration of your BIG-IP system. ◆ BIG-IP Quick Start Instructions Use the basic configuration steps in this pamphlet to get the BIG-IP system up and running in the network. The following guides are available in PDF format from the CD-ROM provided with the BIG-IP system. These guides are also available from the first web page you see when you log on to the administrative web server on the BIG-IP system. Tip This BIG-IP® Command Line Interface Guide assumes that you have read the following guides for important concepts and information. ◆ Platform Guide: 1500, 3400, 6400, and 6800 Platform Guide: 8400, and 8800 These guides contains information about the BIG-IP hardware, including important environmental warnings. ◆ Installation, Licensing, and Upgrades for BIG-IP® Systems This guide provides detailed information about installing upgrades to the BIG-IP system. It also provides information about licensing the BIG-IP system software, and connecting the system to a management workstation or network. ◆ Configuration Guide for BIG-IP® Local Traffic Management This guide contains the information you need for configuring the BIG-IP system to manage local network traffic. With this guide, you can perform tasks such as creating virtual servers and load balancing pools, configuring application and persistence profiles, implementing health monitors, and setting up remote authentication. ◆ BIG-IP® Network and System Management Guide This guide contains the information you need to configure and maintain the network and system-related components of the BIG-IP system. With this guide, you can perform tasks such as configuring VLANs, assigning self IP addresses, creating administrative user accounts, and managing a redundant system. BIG-IP® Command Line Interface Guide 1-5 Chapter 1 Stylistic conventions To help you easily identify and understand important information, all of our documentation uses the stylistic conventions described here. Using the configuration examples All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses. Identifying new terms To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a floating IP address is an IP address assigned to a VLAN and shared between two computer systems. Identifying references to objects, names, and commands We apply bold formatting to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, with the bp> self <ip_address> show command, you can specify a specific self IP address to show by specifying an IP address for the <ip_address> variable. Identifying references to other documents We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter or section name in italic text to help quickly differentiate the two. For example, you can find information about SNMP traps in Appendix A of the BIG-IP® Network and System Management Guide. Identifying command syntax We show complete commands in bold Courier text. In this guide, we include the corresponding screen prompt when the command is shown in a figure that depicts an entire command line screen. We also include the corresponding screen prompt when the command is used in the bigpipe shell. For example, this command shows the configuration of the specified pool name: bp> self <ip_address> show For more information about the bigpipe shell see Using the bigpipe shell, on page 2-2. 1-6 Introducing the BIG-IP System Note that we do not include the corresponding screen prompt when a command is used at the BIG-IP system prompt. For example, this command configures the network address for the system: config Table 1.1 explains additional special conventions used in command line syntax. Item in text Description \ Indicates that the command continues on the following line, and that users should type the entire command without typing a line break. < > Identifies a user-defined parameter. For example, if the command has <your name>, type in your name, but do not include the brackets. | Separates parts of a command. [] Indicates that syntax inside the brackets is optional. ... Indicates that you can type a series of items. ::= Indicates the options that you can use. Table 1.1 Command line syntax conventions BIG-IP® Command Line Interface Guide 1-7 Chapter 1 Finding help and technical support resources You can find additional technical documentation and product information in the following locations: ◆ Online help for local traffic management The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen. ◆ Welcome screen in the Configuration utility The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including: • The Ask F5sm Knowledge Base web site • The F5 Solution Center • The F5 DevCentral web site • Plug-ins, SNMP MIBs, and SSH clients • User documentation ◆ F5 Networks Technical Support web site The F5 Networks Technical Support web site, http://tech.f5.com, provides the latest documentation for the product, including: • Release notes for the BIG-IP system, current and past • Updates for guides (in PDF format) • Technical notes • Answers to frequently asked questions • The Ask F5sm Knowledge Base To access this site, you need to register at http://tech.f5.com. 1-8 2 Understanding the bigpipe Utility • Introducing the bigpipe utility • Using the bigpipe shell • bigpipe command summary Understanding the bigpipe Utility Introducing the bigpipe utility The BIG-IP system includes a tool known as the bigpipe utility. The bigpipe utility consists of an extensive set of commands that you can use to manage the BIG-IP system. Using these commands, you can configure system features such as user accounts, backup and recovery files, redundant systems, and more. You can also set up network elements such as routes, self IP addresses, and VLANs, and you can configure the BIG-IP system to manage local traffic passing through the system. The commands that the bigpipe utility contains serve as an alternative to the Configuration utility, which is the browser-based BIG-IP system and network management tool. For information on using the Configuration utility, see these documents: • BIG-IP® Local Traffic Manager: Implementations • BIG-IP® Network and System Management Guide • Configuration Guide for BIG-IP® Application Security Management • Configuration Guide for BIG-IP® Local Traffic Management You can type bigpipe utility commands in either of two ways: • You can type the command sequence bigpipe <command> <options> at the BIG-IP system prompt (such as BIG-IP>). For example, you can display all BIG-IP system user accounts by typing this command sequence at the BIG-IP system prompt: bigpipe user show • You can invoke the bigpipe shell and type a command sequence at the bigpipe shell prompt (bp>). For example, you can display all BIG-IP system user accounts by typing this command sequence at the bigpipe shell prompt: bp> user show For information on invoking the bigpipe shell, see Using the bigpipe shell, following. BIG-IP® Command Line Interface Guide 2-1 Chapter 2 Using the bigpipe shell The bigpipe utility includes an interactive shell that eases the task of typing bigpipe commands. You can invoke this shell by typing the command bigpipe shell at a BIG-IP system prompt. Typing the command bigpipe shell displays the prompt: bp>. At this prompt, you can type any bigpipe command sequence, using the syntax described in Appendix A, bigpipe Command Reference. The bigpipe shell includes several features, designed to optimize your use of the bigpipe utility. The following sections describe these features. Controlling the bigpipe shell You use the command bigpipe shell at the BIG-IP system prompt to invoke the bigpipe shell. If you include the prompt <string> option, the command bigpipe shell customizes the shell prompt. For more information, see Customizing the bigpipe shell, on page 2-5. Furthermore, the shell itself has its own set of subcommands that you can use: • exit Use this command to exit the bigpipe shell. • quit Use this command to exit the bigpipe shell (same as the exit command). • stop Use this command to discontinue command continuation. For more information, see Using the bigpipe shell command completion feature, on page 2-4. Using the bigpipe shell command history feature The bigpipe shell saves each command that you enter at the bigpipe shell prompt in a command history file. The command history persists when you log off of the system. The next time you log on to the system, you can access and edit the bigpipe commands that you entered in previous sessions. The bigpipe command history persists even through a reboot of the BIG-IP system. The only limit on the command history is the number of commands that the bigpipe shell saves in the command history file. You use the command shell history to set the maximum number of commands that you want the bigpipe shell to save in the command history file. The default is 50 commands. If you do not want to use the command history feature, you set the maximum number of commands to 0 (zero). This means that the bigpipe shell does not save any commands in history. 2-2 Understanding the bigpipe Utility To access commands in the bigpipe history 1. At the bigpipe shell prompt, press the up arrow key. The previously used commands display in the reverse order of use. 2. After you locate the command that you want to use again, press Enter, or edit the command, and then press Enter. The command runs. Using the bigpipe shell command edit feature All bigpipe configuration commands have an edit option, for example, pool mypool edit. The <command> edit command opens, in a text editor, the <command> list output of the specified object. You can then edit the value of any parameter that displays in the text editor. When you exit the text editor, the BIG-IP system modifies the running configuration based on your edits. To save your edits to the stored configuration files, you run the save all command. The default text editor is vi. If you have the Administrator or Resource Admin user role assigned to your user account, you can change the default text editor using the EDITOR or VISUAL environment variables. Note that you must include the full path name to the binary file. Using the bigpipe shell audit feature The BIG-IP system contains a read-only audit file, /var/log/audit. The bigpipe shell writes the following information in this audit file: • All commands that users enter in the bigpipe shell, including commands that do not change the configuration of the BIG-IP system, such as show commands • The user ID of the user who entered each command • The date and time each command was entered • All commands that are run by user-entered commands, based on the specified audit level, such as commands run by the merge command • Some of the commands run by the system Note that the bigpipe shell does not audit the commands run by system daemons, for example, the commands run by the mcpd daemon. Tip The audit file may be larger than you expect, because the bigpipe shell audits some of the commands that the system runs. The audit file merges consecutive white spaces into single spaces. This means that each command is a single, possibly, very long line. BIG-IP® Command Line Interface Guide 2-3 Chapter 2 You use the command cli audit to enable auditing for the bigpipe shell and to specify the level of auditing that you want the bigpipe shell to perform. There are four different levels of auditing available, including: • disable The bigpipe shell does not audit any commands. This is the default. • enable The bigpipe shell audits all commands that users enter, and the commands run by the command merge, but not the commands run by the commands load and import. • verbose The bigpipe shell audits all of the commands that users enter, and the commands run by the merge command. Additionally, the bigpipe shell audits the commands run by the commands load and import, except for those commands that are found in these four system configuration files: config_base.conf, base_monitors.conf, profile_base.conf, and daemon.conf. • all The bigpipe shell audits all commands. Using the bigpipe shell command completion feature At any point while typing or editing a command, you can press the Tab key, and the bigpipe shell completes the word you are currently typing. If the command has only one option, the shell fills in the remainder of the word with that option. If the command has more than one option, you can press the Tab key a second time to list all available options. If the shell displays nothing after you press Tab, no options exist to complete the word. Unlike other shell features, command completion works not only from inside the bigpipe shell, but also from the BIG-IP system prompt. Using the bigpipe shell command continuation feature If you type any command using an unbalanced opening brace, the bigpipe shell stores the command entered up to that point. The shell stores any subsequent commands in a similar way until you type a command that closes all open braces, or you type the stop command. For example, suppose you type the auth radius command, with an opening brace, but no closing brace: bp> auth radius rad-1 { The shell does nothing and presents an empty prompt for continuing: bp> At this point, you can continue to type more options for the auth radius command: debug enable retries 4 2-4 Understanding the bigpipe Utility The shell continues to gather the syntax for the command. When finished typing, you can either type a command containing a closing brace ( } ), in which case the shell runs the full command sequence that you typed, or you can type: stop This discards the stored command sequence, without running the command. Note An opening brace that starts a continuation does not have to be the last character on the line. Also, you can use more than one brace on a single line. Using grep functionality in the bigpipe shell The bigpipe shell supports grep functionality. grep is a command line search utility. You can pipe the output of any bigpipe command through the grep utility. Piping allows the output a bigpipe command to be used as input to the grep utility. You use the same syntax that you use in the system shell: <command> | grep <grep options> For more information about grep, see http://www.gnu.org/software/grep/. Customizing the bigpipe shell You can customize the bigpipe shell by changing the default prompt (bp>) to a prompt of your choice. To customize the bigpipe shell prompt At the bp> prompt, type the shell command with the prompt option and the text for the new prompt: bp> shell prompt <string> The prompt option sets the shell's prompt to the given string value. For example, when you type bp> shell prompt BIG-IP> the system changes the shell prompt to: BIG-IP> BIG-IP® Command Line Interface Guide 2-5 Chapter 2 Using the bigpipe shell escape feature The bigpipe shell does not directly support Linux® commands. You can type Linux commands by either exiting the bigpipe shell (returning to the BIG-IP system prompt) or by using the bigpipe shell escape feature. The shell escape is simply an exclamation point, followed by the Linux command itself. For example: bp> !ls You can disable this feature by typing the following command at the BIG-IP system prompt: bigpipe shell -s bigpipe command summary The bigpipe utility contains an extensive set of commands that you can use to configure the BIG-IP system. Table 2.1 provides a list of these commands, along with a description of the action the command invokes. For more information on each command, see Appendix A, bigpipe Command Reference. Important After you change the system configuration using any bigpipe command, you must run the command save all to save your changes to the stored configuration files. If you do not, your changes are lost. Command Description arp Creates static ARP addresses, and lists static and dynamic ARP addresses. auth crldp Configures a Certificate Revocation List Distribution Point (CRLDP) configuration object for managing certificate revocation. auth ldap Configures an LDAP configuration object for implementing remote LDAP-based client authentication. auth radius Configures a Remote Access Dialup Service (RADIUS) configuration object for implementing remote RADIUS-based client authentication. auth ssl cc ldap Configures an SSL client certificate LDAP configuration object for implementing remote SSL-based LDAP client authorization. auth ssl ocsp Configures an SSL OCSP configuration object for managing remote certificate revocation based on the Online Certificate Revocation Protocol (OCSP). auth tacacs Configures a TACACS+ configuration object for implementing remote TACACS+-based client authentication. Table 2.1 The bigpipe utility commands 2-6 Understanding the bigpipe Utility Command Description bigpipe When typed at the BIG-IP system prompt, starts the bigpipe utility in its shell mode, and configures the shell. class Configures classes on the BIG-IP system. cli Configures the bigpipe shell. config Manages the BIG-IP system user configuration sets. configsync Specifies the parameters for the task of syncing the configurations of two BIG-IP units in a redundant system. conn Sets idle timeout for, displays, and deletes active connections on the BIG-IP system. crldp server Creates a Certificate Revocation List Distribution Point (CRDLP) server for implementing a CRLDP authentication module. daemon Tunes the high availability functionality that is built into system daemons. daemon_bigdbd Sets internal settings for the bigdb daemon. daemon_mcpd Sets internal settings for the mcpd daemon. daemon_tmm Sets internal settings for the tmm daemon. db Displays or modifies bigdb database entries. dns Displays and resets global statistics for the DNS profile on the BIG-IP system. exit Exits the bigpipe shell. export Exports (saves) the running configuration into a flat, text file, with an extension of .scf. This file is known as the single configuration file or SCF. f5adduser Used at the BIG-IP system prompt to add local user accounts to the BIG-IP system. failover Sets the BIG-IP system as active or standby. fasthttp Displays and resets global statistics for the Fast HTTP profile on the BIG-IP system. fastL4 Displays and resets statistics for the Fast L4 profile on the BIG-IP system. ftp Displays and resets global statistics for the FTP profile on the BIG-IP system. global Sets global variable definitions. ha table Displays the settings for high availability on a system. hardware Displays the baud rate of the system hardware. help Displays online help for bigpipe command syntax. Table 2.1 The bigpipe utility commands BIG-IP® Command Line Interface Guide 2-7 Chapter 2 Command Description http Manages HTTP statistics. httpd Configures the HTTP daemon for the BIG-IP system. icmp Manages ICMP statistics. import Resets the running configuration of the system to the values that are contained in the SCF that you are importing. If you want the configuration that is contained in the SCF to be written to the configuration files (bigip.conf, bigip_base.conf, bigip_local.conf, and bigip_sys.conf), you must use the save all command following the import. interface Sets options on individual interfaces. ip Manages IP statistics. list When the default Read partition is All, this command displays all objects the user has permission to see. When you specify a Read partition, this command displays all objects the user has permission to see, and all objects that are not in partitions. load Resets the running configuration of the BIG-IP system configuration with the values contained in the bigip.conf, bigip_base.conf, bigip_local.conf, and bigip_sys.conf files. Note that after you run the load command, you must run the save or save all command; otherwise the system requires you to rerun the Setup utility. logrotate Configures log rotation for the BIG-IP system. ltm Configures the general properties for the BIG-IP local traffic management system. mcp Displays the Master Control Program (MCP) state. memory Manages memory statistics. merge Loads the specified configuration file, which resets the running configuration. mgmt Specifies network settings for the management interface (MGMT). mgmt route Specifies route settings for the management interface (MGMT). mirror Copies traffic from any port or set of ports to a single, separate port. monitor Defines a health check monitor. nat Defines external network address translations for nodes. ndp Manages IPv6 neighbor discovery. node Defines node property settings. ntp Configures the Network Time Protocol (NTP) daemon for the BIG-IP system. ocsp responder Configures Online Certificate System Protocol (OCSP) responder objects. Table 2.1 The bigpipe utility commands 2-8 Understanding the bigpipe Utility Command Description oneconnect Configures a OneConnect™ profile. packet filter Configures packet filter rules and trusted allow lists. partition Configures partitions for implementing access control for the BIG-IP system administrative users. password policy Specifies the parameters of the valid passwords for the BIG-IP system. persist Configures a session persistence mode on a specific pool or node, for client requests. platform Displays platform information. pool Defines load balancing pools. profile Displays profile settings, resets statistics, or deletes a profile. profile auth Configures a type of authentication profile. profile clientssl Configures a Client SSL type of profile. profile dns Configures a domain name service (DNS) profile. profile fasthttp Configures a Fast HTTP type of profile. profile fastl4 Configures a Fast Layer 4 type of profile. profile ftp Configures an FTP type of profile. profile http Configures an HTTP type of profile. profile httpclass Configures an HTTP Class type of profile. profile oneconnect Configures a OneConnect™ type of profile. profile persist Configures a session persistence profile. profile rtsp Configures a Real Time Streaming Protocol (RTSP) profile. profile sctp Configures a Stream Control Transmission Protocol (SCTP) profile. profile serverssl Configures a Server SSL type of profile. profile sip Configures a Session Initiation Protocol (SIP) profile. profile stats Configures a Statistics type of profile. profile stream Configures a Stream type of profile. profile tcp Configures a TCP type of profile. Table 2.1 The bigpipe utility commands BIG-IP® Command Line Interface Guide 2-9 Chapter 2 Command Description profile udp Configures a UDP type of profile. pva Configures Packet Velocity® ASIC. quit Exits the bigpipe shell. radius server Configures a RADIUS server for RADIUS authentication. rate class Configures a rate class. remote users Configures the default user role, partition access, and console access for all remotely authenticated user accounts that have not been added as local user accounts on the BIG-IP system. remoterole Creates a file (/config/bigip/auth/remoterole) that an LDAP or Active Directory server reads to determine the specific access rights to grant to groups of remotely authenticated users. route Configures routes for the BIG-IP system traffic. rtsp Displays or resets Real Time Streaming Protocol (RTSP) statistics for the BIG-IP system. rule Defines traffic-management iRulesTM. save all Saves the running configuration to the stored configuration files. sctp Displays or resets Stream Control Transmission Protocol (SCTP) statistics for the BIG-IP system. self Assigns a self IP address for a VLAN. self allow Configures the default allow list for all self IP addresses on the BIG-IP system. shell Starts the bigpipe utility shell. snat Defines and sets options for SNAT (Secure NAT). snat translation Configures an explicit SNAT translation address. snatpool Configures a SNAT pool. snmpd Configures the simple network management protocol (SNMP) daemon for the BIG-IP system. sshd Configures the Secure Shell (SSH) daemon for the BIG-IP system. ssl Displays or modifies SSL statistics. statemirror Configures connection mirroring for a BIG-IP unit that is part of a redundant system in a high availability system. stop Discontinues command continuation. stp Implements one of the spanning tree protocols. Table 2.1 The bigpipe utility commands 2 - 10 Understanding the bigpipe Utility Command Description stp instance Configures an STP configuration instance. stream Displays or resets global stream statistics for the BIG-IP system. syslog Configures connection mirroring for a BIG-IP system that is part of a redundant pair in a high availability system. system Sets up the BIG-IP system. tcp Manages TCP statistics for the system. tmm Manages the tmm daemon. trunk Configures a trunk, with link aggregation. udp Manages UDP statistics for the system. unit Displays the unit number assigned to a particular BIG-IP system. user Configures administrative user accounts on the BIG-IP system. version Displays the bigpipe utility version number. virtual Defines virtual servers, virtual server mappings, and virtual server properties. virtual address Configures virtual addresses. vlan Defines VLANs, VLAN mappings, and VLAN properties. vlangroup Defines VLAN groups. Table 2.1 The bigpipe utility commands BIG-IP® Command Line Interface Guide 2 - 11 Chapter 2 2 - 12 3 Managing the BIG-IP System Network Components • Configuring the BIG-IP system network components • Performing network management tasks Managing the BIG-IP System Network Components Configuring the BIG-IP system network components Before you configure a BIG-IP system to manage local application traffic, you must use the Setup utility to configure the network components for the BIG-IP system. The BIG-IP system network components are: • Interfaces • Routes • Self IP addresses • Packet Filters • Trunks (802.3ad Link Aggregation) • Spanning Tree Protocol (STP) • VLANs and VLAN groups • ARP Once you have configured the BIG-IP system network components using the Setup utility, you can customize the configuration of those components. The bigpipe utility that is provided with the BIG-IP system includes a number of commands designed to help you customize the configuration of the BIG-IP system network components. For details on these commands, see the corresponding online man pages or Appendix A, bigpipe Command Reference. Performing network management tasks The following sections of this chapter describe some of the network management tasks that you can perform on the BIG-IP system using the bigpipe utility. Managing the size of the log file When you initially start the BIG-IP system, the system allocates a finite amount of disk space for storing the log file. The advantage to having a finite size for the log file is that the file cannot increase to the point where it adversely affects other facilities that are running on the system in the same Linux® partition. The default amount of disk space that the BIG-IP system allocates for the log file is 7 gigabytes (Gb). In most cases, this is sufficient space for the log file. However, you can either allocate additional disk space, or decrease the amount of disk space allocated for the log file. The minimum amount of disk space that you can specify for the log file is 1 Gb. The maximum amount of disk space that you can specify is 10 Gb. BIG-IP® Command Line Interface Guide 3-1 Chapter 3 You adjust the amount of disk space that the system allocates for the log file by using a command line script named resize-logFS. When you use the resize-logFS script, the system prompts you for information, and validates two facts: • The amount of disk space you specify falls within the valid range of 1 to 10 gigabytes. • The BIG-IP system has enough disk space to allocate the requested amount. WARNING Before using the resize-logFS script, it is imperative that you stop the BIG-IP system, or put the system into a safe condition such as standby mode. To change the allocated disk space for the log file 1. Stop the BIG-IP system or put the system into a safe condition such as standby mode. You can stop the BIG-IP system using the command bigstart stop. 2. Type the following command at the system command line prompt: resize-logFS Note: This command prompts you for the file size in gigabytes. 3. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size. 4. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation. Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size. 5. Type Y. A confirmation prompt appears. 6. Type Y. The system displays messages indicating that the reboot operation is about to occur. 7. Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file is in effect. If, at any time during the resize-logFS operation, you decide to exit the script, no reboot occurs and the amount of allocated disk space remains as is. 3-2 Managing the BIG-IP System Network Components Expanding the codes in the log file. The BIG-IP log contains codes that provide information about the system. You can run the bigcodes command at the system prompt to expand the codes in the log files to provide more information. In Figure 3.1 the bold text is the expansion of the log code 012c0012. Jun 14 14:28:03 sccp bcm56xxd [ 226 ] : 012c0012 : (Product=BIGIP Subset=BCM565XXD) : 6: 4.1 rx [ OK 171009 Bad 0 ] tx [ OK 171014 Bad 0 ] Figure 3.1 Sample of expanded codes in the log file To expand the codes in the BIG-IP local traffic management system log file At the system prompt, type one of the following command sequences: • cat /var/log/ltm | bigcodes | less • cat /var/log/ltm.1.gz | bigcodes | less The system displays the log file with the codes expanded. Configuring encrypted remote logging You can configure the syslog-ng utility on the BIG-IP system to send BIG-IP system log information to a remote logging host, using an encrypted network connection. To do this, you create a port-forwarding SSH tunnel to the remote logging host, and configure the syslog-ng utility on the BIG-IP system to send log messages through the SSH tunnel. Before you begin Before you attempt to configure encrypted remote logging, you must meet the following conditions on the BIG-IP system and your remote logging host: • On the BIG-IP system You must have a console with root access to the BIG-IP system. • On the remote logging host You must have a console with root access to the remote logging host, the IP address, or the host name of the remote logging host. • For both systems You must have both systems connected to the same subnetwork. WARNING Attempt this configuration only if you understand the risks associated with making changes to daemon startup scripts. BIG-IP® Command Line Interface Guide 3-3 Chapter 3 Creating the remote encrypted logging configuration When creating an encrypted remote logging configuration, you must complete the following tasks: • Review the SSH syntax required to create this configuration. • Create a unique SSH identity key to identify and authorize the BIG-IP system. • Edit the syslog-ng utility startup script to create and destroy the SSH tunnels. • Edit the remote logging host to accept syslog-ng messages through the SSH tunnel. • Copy the unique SSH identity key to the remote logging host and append it to the authorized key file. • Verify the logging configuration and restart the syslog-ng utility. Reviewing the SSH syntax required to create this configuration This configuration requires that the BIG-IP system is able to establish an SSH connection to the remote logging host. On the BIG-IP system, use the ssh command to create the tunnel. Figure 3.2 is an example of the syntax required to create an SSH tunnel. $ ssh -L <local tunnel port>:<remote log hostname>:<remote tunnel port> \ <remote user>@<remote log hostname> \ -nNCxf \ -i <key identity file> Figure 3.2 Syntax to establish an SSH tunnel from the BIG-IP system Table 3.1 contains detailed descriptions of the ssh syntax elements shown in Figure 3.2. SSH syntax Description <local tunnel port> The port SSH listens on for connections in order to forward them to <remote log hostname>:<remote tunnel port>. <remote log hostname> The IP address or FQDN of the remote logging server. <remote tunnel port> The port to which you want the SSH daemon on the remote logging server to forward connections. Table 3.1 Detailed syntax elements for configuring SSH 3-4 Managing the BIG-IP System Network Components SSH syntax Description <remote user> The user name that SSH attempts to authenticate, as on <remote log hostname>. <key identity file> A file name from which the identity (private key) for authentication is read. Table 3.1 Detailed syntax elements for configuring SSH Creating a unique SSH key to identify and authorize the BIG-IP system After you have reviewed the ssh command syntax, use the ssh command to create the encrypted tunnel on the BIG-IP system. You must create a unique key on the BIG-IP system. The unique key is used to identify and authorize the BIG-IP system to the remote logging host. To create the file syslog_tunnel_ID and syslog_tunnel_ID.pub, use the following command sequence: $ ssh -b 2048 -f syslog_tunnel_ID -t rsa -N "" -P "" To make syslog_tunnel_ID readable only by the root account, use the following command sequence: $ chmod 600 syslog_tunnel_ID To make the public portion of the unique SSH ID named syslog_tunnel_ID.pub readable by all accounts, use the following command sequence: $ chmod 644 syslog_tunnel_ID.pub Copy syslog_tunnel_ID and syslog_tunnel_ID.pub into /var/ssh with the following command: $ cp syslog_tunnel_ID* /var/ssh Editing the syslog-ng start script to open and close the encrypted tunnel Next change the syslog-ng utility startup script, /etc/init.d/syslog-ng, so that the encrypted tunnel is opened when the syslog-ng script starts up, and is closed when the script is restarted or stopped. Before you edit the syslog-ng utility startup script, save a backup copy to the root directory. Use the following command to save the backup to the root directory: $ cp /etc/init.d/syslog-ng /root/syslog-ng.backup After you save a backup of the syslog-ng utility startup script, /etc/init.d/syslog-ng, edit it to automatically create SSH tunnels when the syslog-ng utility is started, or close the SSH tunnels when the syslog-ng utility is restarted or stopped. BIG-IP® Command Line Interface Guide 3-5 Chapter 3 The example configuration in this document demonstrates how to create a tunnel to a host using the following IP addresses and ports: • IP address of 10.0.0.100 • Local tunnel port of 5140 • Remote tunnel port of 5140 • User name logger on host 10.0.0.100 Start by adding syntax below the line that reads start). Figure 3.3 is an example of what the section of the syslog-ng start script looks like after you add the new syntax. In this example, the syntax you need to add is shown with bold text. start) ssh -L 5140:10.0.0.100:5140 \ logger@10.0.0.100 -nNCxf \ -i var/ssh/syslog_tunnel_ID echo -n "Starting $INIT_NAME: " daemon --check $INIT_PROG "$INIT_PROG $INIT_OPTS" Figure 3.3 The syntax to add below the start) line Next, add syntax below the line that reads stop). Figure 3.4 shows the syntax you need to add in bold text. stop) for sshTunnel in \ `ps -ewo "%p!%a" | \ grep ssh | \ grep syslog_tunnel_ID | \ grep -v grep | \ cut -f 1 -d !`; do if [ -n "$sshTunnel" -a $sshTunnel -gt 10 ]; then echo " -- Shutting down SSH tunnel with process $sshTunnel" kill -TERM $sshTunnel fi done echo -n "Stopping $INIT_NAME: " Figure 3.4 The syntax to add below the stop) line Using the syslog command to set up message logging on a remote logging host After you add the syntax to open and close SSH tunnels, you can modify the configuration of the syslog-ng utility to log messages to the remote machine. To do this, you need to create source and filter configuration blocks based on the local environment. Using the example IP addresses and ports used in the example in the previous section, use the syslog command to set up the remote logging host. bigpipe syslog remote server 127.0.0.1 remote port 5140 3-6 Managing the BIG-IP System Network Components Copying the unique SSH identity to the remote logging host and appending it to the authorized keys file After you have used the syslog command to set up the remote logging host to log messages, you must copy the unique SSH identity to the remote logging host. To do this, copy the syslog_tunnel_ID.pub to the remote syslog server, and append this key to the authorized_keys file found in the .ssh folder under the home directory of the user that you want to use to capture remote log messages. $ cat syslog_tunnel_ID.pub >> ~logger/.ssh/authorized_keys Note The following instructions are given as examples. The actual process for setting up the new SSH key to be automatically authorized, and configuring the syslog-ng utility may be different. Verify that the logging facility is configured and ready to receive syslog-ng messages on the <remote tunnel port>. If the remote logging host uses the syslog-ng utility, you need to add a source configuration block like the one in Figure 3.5. source remote { tcp(ip(10.0.0.100) port(5140)); }; Figure 3.5 Remote logging host source identification block In addition to the source identification block, you also need to add filter, destination, and log configuration blocks to use the data from the source remote as required by your application. Verifying the logging configuration and restarting syslog-ng Finally, verify that the SSH connection is functional and restart the syslog-ng utility. To verify the configuration from a command line and restart the syslog-ng utility 1. Log on as root to the BIG-IP system. 2. Make an SSH connection to the remote logging host using the new identity key you created. # ssh logger@10.0.0.100 -i /var/shh/syslog_tunnel_ID If everything is configured correctly, you should be able to get shell access to the remote logging host without being challenged for a password. (When you add the new identity key to the remote host's authorized_keys file, the key is used to authenticate the BIG-IP system.) BIG-IP® Command Line Interface Guide 3-7 Chapter 3 3. Exit from the SSH session to the BIG-IP system command line. 4. Restart the syslog-ng utility by typing the following command: $ /etc/init.d/syslog-ng restart The BIG-IP system should now be sending log messages to your remote host. Implementing packet filtering Packet filters provide a level of access control by filtering packets from a client based on criteria that you specify. You can specify these criteria by configuring the general properties of a packet filter, and by creating a packet filter rule. To implement packet filtering Enable packet filtering using the command packet filter. When using this command, you can specify a packet filter rule to provide access control, rate shaping, or logging. Configuring routing When you add routes for the switch interfaces, including the management port, you must configure them. You can also remove routes from the system. To add and configure routes Use the command route, specifying a list of route keys and a resource (gateway IP address, pool name, VLAN name, or reject). For more information, see the route online man page. To remove routes Use this command to remove routes: bp> route (<route key list> | all | inet | inet6) delete Implementing the trunk algorithm on FFP-supported platforms On fast filtering process (FFP)-supported platforms, you can configure the bigdb database variable, trunk.internal.ffp to affect the algorithm that the BIG-IP system uses for internal trunk distribution. The following platforms are FFP-supported: D62, D63, D63a, D68, D84, and D88. The trunk.internal.ffp bigdb database variable has values of enable and disable. The default value is enable. When enabled, internal trunk distribution operates based on source and destination TCP ports. 3-8 Managing the BIG-IP System Network Components If you disable trunk.internal.ffp, the internal trunk distribution operates according to the bigdb database variable, trunk.internal.distribution. The trunk.internal.distribution bigdb database variable has the following values: ◆ srcdestip Select Source/Destination IP address to have the system base the hash on the combined MAC addresses of the source and the destination. ◆ srcdestmac Select Source/Destination MAC address to have the system base the hash on the combined MAC addresses of the source and the destination. ◆ destmac Select Destination MAC address to have the system base the hash on the MAC address of the destination. The default value is srcdestip. To set the trunk.internal.distribution bigdb database variable using the default value of the variable, use the following syntax: bp> db trunk.internal.distribution srcdestip After you change a bigdb database variable using the db command, you must run the save all command. If you do not, the next time that you run the load command, the value of the bigdb database variable may be reset to the value in the stored configuration. BIG-IP® Command Line Interface Guide 3-9 Chapter 3 3 - 10 4 Managing the BIG-IP System • Introducing BIG-IP system management • Understanding BIG-IP system management tools • Understanding the BIG-IP system configuration state • Introducing the Single Configuration File • Performing BIG-IP system management tasks Managing the BIG-IP System Introducing BIG-IP system management The BIG-IP system includes several command line tools that you can use to perform routine system management tasks such as creating and managing administrative user accounts, displaying traffic statistics, and managing BIG-IP units in a redundant system configuration. With these tools, you can manage many parts of the system: • The management port • BIG-IP system host name and IP address • Global system properties • High Availability • User configuration archives • System daemons (for example, SSH and HTTP) • SNMP • Logging • qkview and tcpdump (diagnostic tools) • Serial console • Real-time statistics For information on configuring the BIG-IP system to control local application traffic, see the Configuration Guide for BIG-IP® Local Traffic Management. BIG-IP® Command Line Interface Guide 4-1 Chapter 4 Understanding BIG-IP system management tools You can manage the BIG-IP system using a number of system management tools and commands at the BIG-IP system prompt, using the bigpipe utility from within the new bigpipe shell, and by editing certain files using a text editor. Using system management tools at the BIG-IP system prompt Table 4.1 lists and describes the tools you can use to manage the BIG-IP system from the BIG-IP system prompt. To use these tools, you must have access to the BIG-IP system prompt. By default, only the root account has access to the BIG-IP system prompt. When you assign advanced shell access to the account of a user who is also assigned the Administrator or Resource Admin user role, that user can access the BIG-IP system prompt, and thus can use the tools listed below. Note F5 recommends that you do not give advanced shell access to users who are assigned the user role of Resource Admin unless they must use the tcpdump, ssldump, or qkview utilities, or manage certificate and key files from the console. Instead, F5 recommends that you give these users bigpipe shell access. For more information, see user, on page A-337. For information on user accounts, see Managing user accounts, on page 4-21, and the BIG-IP® Network and System Management Guide. BIG-IP system Commands Description bigstart Restarts the SNMP agent bigsnmpd. bigtop Displays real-time statistics. config Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the command bigpipe config or the BIG-IP Configuration utility. fipsutil Used at the console, configures and maintains a FIPS security domain for a BIG-IP redundant system. For more information, see the Platform Guide: 1500, 3400, 6400, 6800. Table 4.1 BIG-IP system commands 4-2 Managing the BIG-IP System BIG-IP system Commands fipscardsync Description Synchronizes the FIPS hardware security modules (HSMs) of a redundant system. Note that synchronizing the HSMs provides the ability to exchange keys between the units of a redundant system. For more information, see the Platform Guide: 1500, 3400, 6400, 6800. halt Shuts down the BIG-IP software application. hostname Displays the name you have given to the BIG-IP system. printdb Prints the values of one or more entries in the bigdb database. reboot Reboots the BIG-IP system. ssh and sctp Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system. sys-icheck Identifies any unintended modifications to BIG-IP system files. Note that a hot fix (patch) is an intended modification that will not be identified by the sys-icheck command. sys-reset Runs the sys-icheck command, and if there are no system integrity issues, returns the system to the factory default state. Note that if you have applied hot fixes (patches) to your system, for sys-reset to run, you must specify an override option. The override options are: -w Use this option to report Warn issues, as well as the default, Error issues. -i Use this option to report Info and Warn issues, as well as the default, Error issues. Table 4.1 BIG-IP system commands Using the bigpipe utility You can also use the bigpipe utility to manage the BIG-IP system. You access the bigpipe utility by typing the following command at the BIG-IP system prompt: bigpipe shell The commands you can use within the bigpipe shell to manage the BIG-IP system are listed in Appendix A, bigpipe Command Reference. You can also access a list and description of these commands by typing the following command at the bigpipe shell prompt: bp> help BIG-IP® Command Line Interface Guide 4-3 Chapter 4 For help with a specific command, access the online man page for that command from the bigpipe shell prompt by typing the command name followed by help. For example, to get help on the pool command, type this command: bp> pool help Understanding the BIG-IP system configuration state The BIG-IP system configuration exists in two different states. The two configuration states are known as the stored configuration and the running configuration. • The stored configuration comprises all of the bigpipe commands that you have used to configure the system, and that you have saved to the system configuration files using the save command • The running configuration comprises the stored configuration, plus all of the changes you have made to the system using bigpipe commands since the last save command. It is important to understand that the BIG-IP system operates based on the running configuration. In other words, when you make changes to the system, (for example, modifying a virtual server), the system operates based on those changes. It is also important to understand that if you restart the system, or run the load command before you save your changes to the stored configuration, the changes are lost. This is because a system restart utilizes the stored configuration. The load and save commands are important to understand in relation to the configuration states. The load command resets the running configuration with the values that are contained in the stored configuration. The save command writes the running configuration to the stored configuration files. The load and save commands have options that are also important to understand in relation to the configuration states. These options are briefly described in Table 4.2. For more information on these commands see Appendix A, bigpipe Command Reference; specifically, see load, on page A-97, and save, on page A-271. Important Only users with the Administrator or Resource Admin user role assigned to their user account can run the save all command. Users assigned other roles receive an error when they run the save all command. They must instead run the save command. 4-4 Managing the BIG-IP System WARNING The save all command saves all changes to the system since the last save or save all command was run. If multiple users are making changes to the system, and one of them runs the save all command, the system saves all of the changes, including the changes made by the other users. bigpipe command Action performed base load Resets the running configuration based on the contents of the following files in the order shown: /defaults/config_base.conf /config/bigip_base.conf /config/bigip_sys.conf load Replaces the entire running configuration based on the contents of the following files in the order shown: /defaults/config_base.conf /config/bigip_base.conf /config/bigip_sys.conf /usr/bin/monitors/builtins/base_monitors.conf /config/profile_base.conf /config/daemon.conf /config/bigip.conf /config/bigip_local.conf It is important to note that if you want to modify the running configuration, rather than replace it, you use the merge command. For more information, see merge, on page A-109. base save Saves only the portions of the running configuration that reside in these files: /config/bigip_base.conf /config/bigip_sys.conf save Saves only the portions of the running configuration that reside in these files: /config/bigip.conf /config/bigip_local.conf /config/bigip_sys.conf save all Saves the entire running configuration into these stored configuration files: /config/bigip.conf /config/bigip_local.conf /config/bigip_base.conf /config/bigip_sys.conf Table 4.2 About the bigpipe commands load and save, and the system configuration states BIG-IP® Command Line Interface Guide 4-5 Chapter 4 Understanding the stored configuration files The BIG-IP system has numerous stored configuration files. F5 recommends that you use bigpipe commands to make changes to the system. For more information, see Appendix A, bigpipe Command Reference. You can manually edit four of the stored configuration files to make changes to the system. For more information, see Table 4.3 following. Additional configuration files are described in Table 4.4, on page 4-7. Manually editing configuration files You can manually edit the four configuration files described in Table 4.3. After you edit these files, you must run the load command to update the running configuration. File Description /config/bigip.conf Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs. You run the load command to load the configuration of these objects from the bigip.conf file into the system’s running configuration. You run the save all command to write the running configuration of these objects into the bigip.conf file. When you perform a configuration synchronization of a redundant system, this file is synchronized to the other unit. Important: Some objects, such as SNATs, do not reside in partitions. Therefore, if you edit this file, and add one of these objects to a section of the file that configures a specific partition, when you run the save all command, the object is saved, but not in the partition. Consequently, the object is not protected by partition access control. /config/bigip_base.conf Stores the BIG-IP system network components. When you perform a configuration synchronization of a redundant system, this file is not synchronized to the other unit. You run the base load command to load the configuration of these objects from the bigip_base.conf file into the system’s running configuration. You run the save all command to save the running configuration of these objects in the bigip_base.conf file. Important: The objects in this file reside in partition Common. Consequently, the objects are not protected by partition access control. Table 4.3 Four principal stored configuration files for the BIG-IP system described 4-6 Managing the BIG-IP System File Description /config/bigip_local.conf Stores the virtual servers used by the BIG-IP® Global Traffic Manager. You run the base load command to load the configuration of these objects from the bigip_local.conf file into the system’s running configuration. You run the save all command to write the running configuration of these objects into the bigip_local.conf file. /config/bigip_sys.conf Stores the Linux or UNIX configuration objects. When you perform a configuration synchronization of a redundant system, this file is synchronized to the other unit. You use the base load command to load the configuration of these objects from the bigip_base.conf file into the system’s running configuration. You run the save all command to write the running configuration of these objects into the bigip_base.conf file. Important: The objects in this file reside in partition Common. Consequently, the objects are not protected by partition access control. Table 4.3 Four principal stored configuration files for the BIG-IP system described Using bigpipe commands to make configuration changes You use bigpipe commands to make configuration changes to the configuration files described in Table 4.4. After you run the bigpipe commands shown in the table, you must run the save all command to update the stored configuration. For more information about the bigpipe commands, see Appendix A, bigpipe Command Reference. Important F5 recommends that you do not manually edit the files shown in Table 4.4 following. Associated bigpipe commands File Description /config/bigip/auth/pam.d/system-auth Stores configuration information for user authentication for the BIG-IP system. system /config/bigip/auth/pam.d/httpd Stores configuration information for user authentication for the web server. remote users /config/bigip/auth/userroles Maps the system users to their assigned user role and partitions. remote users /config/httpd/conf/httpd.conf Stores HTTP daemon configuration information for the web server. httpd /config/httpd/conf.d/ssl.conf Stores configuration information about the SSL module for the web server. httpd ssl Table 4.4 Other BIG-IP system stored configuration files described BIG-IP® Command Line Interface Guide 4-7 Chapter 4 Associated bigpipe commands File Description /config/httpd/conf.d/mod_auth_pam.conf Stores configuration information about the Pluggable Authentication Module (PAM) for the web server. httpd pam /config/ntp.conf Stores the configuration information for the NTP server. ntp /config/bigip.conf Contains static route information. route /config/ssh/sshd_config This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH. sshd /config/snmp/netsnmp.conf Store configuration settings for the snmpd daemon. snmpd /etc/hosts Stores the hosts table for the BIG-IP system. system /etc/hosts.allow Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system. snmpd /etc/hosts.deny Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system. N/A /etc/localtime Stores the configuration of the local time of day. ntp /etc/login.defs Stores the parameters for user IDs and passwords. password policy /etc/logrotate.conf Stores the configuration settings for the system logs. logrotate /etc/rateclass.conf Stores rate class definitions. For information on making changes to rate classes, see the Configuration Guide for /config/snmp/snmpd.conf sshd BIG-IP® Local Traffic Management. /etc/resolv.conf Stores DNS configuration settings. dns /config/snmp/snmpd.conf Stores SNMP configuration settings. snmpd Stores the local time zone. ntp /config/net-snmp/snmpd.conf /etc/sysconfig/clock Table 4.4 Other BIG-IP system stored configuration files described 4-8 Managing the BIG-IP System Associated bigpipe commands File Description /etc/sysconfig/network Stores network configuration settings, including the host name, and IP address of the gateway. system /etc/syslog-ng/syslog-ng.conf Stores the system log configuration settings. syslog Table 4.4 Other BIG-IP system stored configuration files described Introducing the Single Configuration File The single configuration file feature allows you to save the configuration of a BIG-IP system in a single, flat, text file. You can then use the text file to easily replicate the configuration across multiple BIG-IP systems. This not only saves you time, it also allows you to create a consistent, secure, comprehensive local traffic management environment on your network. What is a single configuration file? A single configuration file (SCF) is a flat, text file that contains a series of bigpipe commands, and the attributes and values of those commands, that reflect the configuration of the BIG-IP system. Specifically, the SCF contains the local traffic management and operating system configuration of the BIG-IP system. For a sample SCF, see Figure 4.1. BIG-IP® Command Line Interface Guide 4-9 Chapter 4 The BIG-IP system configuration exists in two different states, the stored configuration and the running configuration. Understanding the two different configuration states is important to understanding how the SCF works. For more information, see Understanding the BIG-IP system configuration state, on page 4-4. mgmt 172.16.40.3 { netmask 255.255.255.0 } mgmt route default inet { gateway 172.16.40.1 } vlan external { tag 4093 interfaces 1.1 } vlan internal { tag 4094 interfaces 1.3 } stp instance 0 { vlans external internal interfaces 1.1 external path cost 20K internal path cost 20K 1.3 external path cost 20K internal \ path cost 20K} self allow { default tcp ssh tcp domain tcp snmp tcp https tcp 4353 udp domain udp snmp udp efs udp 1026 udp 4353 proto ospf } self 10.10.10.3 { netmask 255.255.0.0 vlan internal allow default } self 172.16.1.3 { netmask 255.255.255.0 vlan external allow default } shell write partition Common system { gui setup disable hostname "beta1.gnet.com" } # No partition partition Common { description "Repository for system objects and shared objects." } user root { password crypt "$1$iLl7Yctv$ld2WUUrJR9EF3oF7OJM2H1" } route default inet { pool gw_pool static } shell write partition Common user admin { password crypt "$1$HtabUQst$PIpliwRcjZY5I2SQkRhOT1" description "Admin User" id 0 group 500 home "/home/admin" \ shell "/bin/false" role administrator in all } user f5emsvr { password crypt "!!" description "F5 EM Service Account" id 975 group 975 home "/root" shell "/bin/false" role guest in all } dns { nameservers 192.168.11.1 search "f5net.com" } ntp { servers 192.168.11.168 } configsync { password crypt "\\7DYX@Sf=8Be_KNNRgLRd;CD>I2RPrc=6R9bLQ/01Up8lC_" } pool gw_pool { monitor all gateway_icmp members 172.16.1.1:any } Figure 4.1 Sample Single Configuration File About the bigpipe utility and the single configuration file You use the bigpipe utility to create and work with single configuration files. You create an SCF using the command export. When you run the command export, the bigpipe utility gathers all of the commands, (and their attributes and values), that compose the running configuration, and saves this configuration in a file with the extension .scf. (For detailed information, see Creating a single configuration file, on page 4-12.) You then use the command import to apply the configuration contained in the SCF to another BIG-IP system. When you run the command import on a BIG-IP system, the bigpipe utility first saves the system’s stored configuration in a backup file, and then resets the system’s running configuration using the information contained in the SCF that you are importing. It is important to understand that to write the new running configuration to the system’s stored configuration you must run the command save all after you run the command import. WARNING Never copy the contents of an SCF file and paste it onto the command line in order to configure a system. Always use the import command to configure a system using an SCF file, for example, import myconfiguration.scf. 4 - 10 Managing the BIG-IP System About the import command and backup files As stated in the previous section, when you run the import command on a BIG-IP system, the bigpipe utility first saves the system’s running configuration in a backup file. This backup file is located in /var/local/scf/backup.scf file. If a backup SCF already exists, the bigpipe utility appends a number to the file name, for example, /var/local/scf/backup-1.scf. The higher the number in the backup file name, the older the file is. By default, the system only saves two backup SCF files. You can configure the system to save a different number of backup files using the cli import save <integer> command. For more information on using this command, see cli, on page A-33. Understanding the export, import, load and save commands You use the bigpipe commands export and import to create and work with an SCF. You use the bigpipe commands save and load to affect the running and stored configurations of the BIG-IP system. Table 4.5 compares the usage of these four commands. Command Usage export Use the export command to create an SCF that you can then use to configure another BIG-IP system using the import command. It is important to note that the export command does not affect the running or stored configurations of the BIG-IP system upon which you run the command; the export command simply saves the running configuration to an SCF. For more information about the parameters that you can use with the export command, see export, on page A-63. import Use the import command to replace the entire running configuration of a BIG-IP system with the values in the SCF that you are importing. You must then use the save all command to write the running configuration to the stored configuration. For more information about the parameters that you can use with the import command, see import, on page A-89. save all Use the save all command to write the running configuration to the configuration files that contain the stored configuration. For example, if you add a new NTP server to your network, and then use the ntp command to configure that server on the BIG-IP system, you must then run the save all command to save this change to the stored configuration. Important: When you want to save to the stored configuration changes that you make to the system, F5 recommends that you use the save all command. For more information about the save command and its parameters, see Table 4.5, on page 4-11, and save, on page A-271. load Use the load command to replace the entire running configuration of a BIG-IP system with the values contained in the stored configuration. For example, when you use the bigpipe utility to make changes to the system, the running configuration contains those changes. If you decide that you do not want the running configuration to contain those changes, run the load command. For more information about the parameters that you can use with the load command, see load, on page A-97. Table 4.5 Comparison of the bigpipe commands export, import, save, and load BIG-IP® Command Line Interface Guide 4 - 11 Chapter 4 Creating a single configuration file You use the export command to create an SCF. The export command saves the running configuration of the system in a flat, text file with the specified name and the extension .scf. WARNING The export command is independent of, and distinct from, the save all command. The export command does not save the running configuration into the configuration files that contain the stored configuration. To save the running configuration, you must use the save all command. You can use either the command export or the command sequence export oneline to create an SCF. When you use either command, the system creates a file (using a name that you specify) in the /var/local/scf directory. The system appends the specified file name with the .scf extension. However, if you use the .scf extension in the file name, the system does not add an additional extension. When you use the export command, the SCF contains line feeds between the command attributes and their values, which makes the file easy to read. When you use the export oneline command sequence, the SCF contains each command, including all of the command attributes and their values, in a single line. There is a line feed only after each command sequence. This file is more difficult to read. To create an SCF 1. Access the bigpipe shell. 2. To save the running configuration to the stored configuration files, run the save all command. 3. Decide how you want to save the export file, either: • Run the export command and include a name for the SCF, for example: bp> export myConfiguration053107 The system creates the file, myConfiguration053107.scf, in the /var/local/scf directory. • Run the export oneline command sequence and include a name for the SCF, for example: bp> export oneline myConfiguration053107 The system creates the file, myConfiguration053107.scf, in the /var/local/scf directory. 4 - 12 Managing the BIG-IP System Configuring a BIG-IP system using an SCF The primary benefit of the SCF feature is that you can use an SCF from one BIG-IP system to configure another BIG-IP system. This is especially beneficial when you want to configure a new BIG-IP system. When you export an SCF, the system creates a file with the name you specify in the /var/local/scf directory. However, you can specify a different location using a full path name. For example, to create an SCF named MyConfiguration in the /config/scf directory, use the command sequence export MyConfiguration /config/scf. The system appends the file with the extension .scf. If you use the extension in the command sequence, for example, export MyConfiguration.scf /config/scf, the system does not add an additional extension to the file name. Using an SCF to configure a new BIG-IP system 1. On the configured BIG-IP system, use the export command to create an SCF: bp> export myConfiguration The bigpipe utility creates the file, myConfiguration.scf, in the /var/local/scf directory. To create the SCF in another location, specify a full path for the file. For example, the command export /config/myConfiguration creates the SCF in the /config directory. 2. Copy the SCF to a location on your network that you can access from the system that you want to configure. 3. Edit the SCF to reflect the management routing and user account information of the BIG-IP system that you want to configure. a) Open the SCF in an editor. b) When necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system. c) If necessary, change the passwords for the root and admin accounts using the user <name> password none newpassword <password> command. Important: When configuring a unit that is part of a redundant system using the SCF from the other unit in the system, do not modify the root and admin accounts. These accounts must be identical on both units of a redundant system. d) Save the edited SCF. BIG-IP® Command Line Interface Guide 4 - 13 Chapter 4 4. On the BIG-IP system that you want to configure, use the import command to import the SCF: bp> import myConfiguration The system saves a backup of the running configuration in the /var/local/scf/ directory, and then resets the running configuration with the configuration contained in the SCF you are importing. 5. To save the new running configuration to the stored configuration, use the save all command. The system saves the running configuration to the stored configuration. Note In step 3, you edited the SCF file changing the IP address, network mask, management route, host name, and the password information for the root and admin accounts to the values you wanted to use for this system. Therefore, you do not need to run the Setup utility for the system. Restoring a BIG-IP system configuration using an SCF The BIG-IP system ships with a default SCF. You can restore a BIG-IP system to either the factory default configuration or a previous configuration. When you restore the system to the factory default configuration, the management IP address and management default route are not reset to the default values. These settings remain the same. You use the import default command to restore a system to the factory default configuration. When you use this command, the system first saves the running configuration in the backup.scf file. Then, the system resets the local traffic management and the operating system configuration to the factory default configuration by loading the SCF, /defaults/defaults.scf. You can use the import <file_name.scf> command to change the configuration of a system using the values in the specified SCF. When you use this command, the system first saves the running configuration in the backup.scf file, and then resets the running configuration to the values contained in the specified SCF. You must then run the command save all to save the running configuration in the stored configuration files. WARNING The import default command does not reset manually modified bigdb database variables to their factory defaults. Therefore, F5 recommends that you do not manually modify any of the bigdb database variables. Instead, use the bigpipe commands to change the system configuration. For more information, see Appendix A, bigpipe Command Reference. 4 - 14 Managing the BIG-IP System To restore a system to the factory default configuration 1. Access the bigpipe shell. 2. Run the command import default. The system saves the running configuration in the backup.scf file, and then resets the local traffic management and the operating system configuration to the factory default configuration by loading the SCF, /defaults/defaults.scf. Note The import default command does not reset the management IP address or the management default route back to the default values. These settings remain the same. To restore a system to a previous configuration 1. Access the bigpipe shell. 2. Run the command import <file name> using the name of the SCF that contains the configuration to which you want to restore the system. The system saves the running configuration in the backup.scf file, and then resets the running configuration to the values contained in the specified SCF. 3. To save the running configuration to the stored configuration files, use the save all command. The system saves the running configuration to the stored configuration files. Using the Copy and Paste SCF Feature You can configure a BIG-IP system using the copy and paste functionality, an SCF, and the import command. There are two procedures to do this depending on the size of the SCF you are using. • SCF smaller than 4K When you configure a system using the copy and paste feature and an SCF smaller than 4K, if there is an error in the syntax of the data that you pasted, all the transactions before the transaction with the error run, but the transaction with the error does not run. • SCF larger than 4K When you configure a system using the copy and paste feature and an SCF larger than 4K, if there is a syntax error in the data you pasted, the system does not accept any of the transactions, and does not modify the running configuration. BIG-IP® Command Line Interface Guide 4 - 15 Chapter 4 To configure a system using the copy and paste feature and an SCF smaller than 4K 1. Copy the contents of the SCF. 2. On the system that you want to configure using the copied data, access the bigpipe shell. 3. At the bigpipe shell prompt, paste the contents of the SCF that you copied, and then press the Enter key. The system replaces the running configuration of the system based on the data you pasted. Warning: If there is an error in the syntax of the data that you pasted, all the transactions before the transaction with the error run, but the transaction with the error does not run. 4. After the command runs, type save all. The system saves the running configuration in the stored configuration files. To configure a system using the copy and paste feature and an SCF larger than 4K 1. Copy the contents of the SCF. 2. On the system that you want to configure using the copied data, access the bigpipe shell. 3. Type the command import - and then press the Enter key. The system responds with a Reading... message. 4. When the system finishes responding, on the command line, paste the contents of the SCF that you copied, and then type Ctrl-D. The system runs the command, which modifies the running configuration. Warning: If there is a syntax error in the data you pasted, the system does not accept any of the transactions, and does not modify the running configuration. 5. After the command runs, type save all. The system saves the running configuration in the stored configuration files. 4 - 16 Managing the BIG-IP System Performing BIG-IP system management tasks The following sections describe some of the system management tasks that you can perform on the BIG-IP system. Configuring the MGMT port Before you license the BIG-IP system, you must configure the management port (MGMT). You do this by running the mgmt command. When you initially run the mgmt command, you assign an IP address to the management port. You can also specify a netmask for the IP address, using the netmask keyword. For example: bp> mgmt 10.10.10.1 netmask 255.255.255.0 This command sequence assigns the IP address 10.10.10.1 with a netmask of 255.255.255.0 to the management interface. Creating and managing administrative partitions An important part of managing the BIG-IP system is configuring the system to control user access to various BIG-IP system objects. Examples of BIG-IP system objects that users typically want to access are: virtual servers, load balancing pools, health monitors, SNATs, and user accounts. If you have the Administrator user role assigned to your user account for the BIG-IP system, you can control the access of other users to objects by using a feature known as administrative partitions. A partition is a logical container that you create, containing a defined set of BIG-IP system objects. When a specific set of objects resides in a partition, you can give certain users the authority to view and manage the objects in that partition only, rather than all objects on the BIG-IP system. This feature provides a finer granularity of control. By default, the BIG-IP system contains one partition named Common. Objects that can be created in a partition and that exist by default after you install the system and run the Setup utility, automatically reside in partition Common. Examples are the internal and external VLANs, their self IP addresses, and the admin user account. If you do not create additional partitions, the following two situations occur: ◆ All users have access to every object on the system. Their user role determines whether they can create, modify, delete, or simply view the objects. ◆ Objects on the BIG-IP system are not subject to object referencing restrictions. However, note that when you have more than one partition you cannot reference objects that are in different user-created partitions. For example, a virtual server in partition Common can reference any BIG-IP® Command Line Interface Guide 4 - 17 Chapter 4 load balancing pool that is also in partition Common. For detailed information on object referencing with respect to partitions, see the BIG-IP® Network and System Management Guide. Note By default, the Administrator user role does not have Terminal Access. To allow the Administrator user role to access the bigpipe shell, you must use the Configuration utility to enable Terminal Access for the user account. For more information, see the BIG-IP® Network and System Management Guide. Creating a partition You can create one or more administrative partitions on the BIG-IP system using the command partition. Only users with the Administrator user role can create a partition. To create an administrative partition Use the following command syntax to create an administrative partition: bp> partition <partition_name> description <string> For example, you can create a partition named my_app_partition, using this command: bp> partition my_app_partition description "This partition is a repository for my_app objects." Tip The bigpipe shell syntax requires quotation marks around a string that includes spaces. Changing the current partition When you create a user account on the BIG-IP system, you give the user access to one or more partitions on the system. Giving the user access to a partition means that the user can view objects in the partition, or, depending on their user role, perform specific administrative tasks related to objects in that partition. A user who has permission to simply view objects in a partition has Read access to that partition. A user who has permission to create, modify, or delete objects in a partition has Write access to that partition. Note For information on user accounts, see Managing user accounts, on page 4-21 in this guide, and the BIG-IP® Network and System Management Guide. 4 - 18 Managing the BIG-IP System What is the current partition? Although a user account might grant a user permission to access multiple partitions, a user can access only one partition at a time. This partition is known as the user’s current partition. When a user logs in, the system determines the default current partition (usually partition Common) based on the user’s account. If the user’s account grants permission to access more than one partition, the user can change the current partition, and can also change the default current partition. Different users on the BIG-IP system can have different current partitions at any given time. For example, the current partition for user psmith might be Common, while the current partition for user tjones might be partition_b. Setting the current partition When a user creates a system object, that object resides in the partition that is the user’s current partition at the time the object is created. Therefore, users who have access to more than one partition need a way to set the partition that they want to manage or view at any given time. For example, if your user account grants you Write access to all partitions on the system, and you want to create a virtual server in partition_b, you must first set partition_b to be your current partition. The command you use to set the current partition depends on whether you want to view or modify the objects in that partition. To set the current partition when you want to create, modify, or delete an object in that partition, use the write partition argument with the shell command. For example, if you want to create a monitor in partition_a, use the following command to set the current Write partition to partition_a, and then create the monitor: bp> shell write partition partition_a To set a partition in which to simply view objects, use the command shell read partition. For example, if you want to view the monitors that reside in partition_a, use the following command to set the current Read partition to partition_a: bp> shell read partition partition_a Users with Write access to only one partition do not need to use the command shell write partition. The one partition to which the user has access is always the user’s current partition. For example, if your user account gives you the user role of Manager for partition_a only (as opposed to all partitions), then you cannot set a partition to manage. Your logon session establishes partition_a as the partition to which you have Write access. As with all user accounts that have a user role other than No Access, you can still view objects in partition Common, but with a Manager user role, combined with access to a single partition, you cannot use the shell write partition command to set a partition in which to manage objects. BIG-IP® Command Line Interface Guide 4 - 19 Chapter 4 To set a partition for object management To set a partition when you have Write access to more than one partition on the BIG-IP system, use this command before you manage the object: bp> shell write partition <partition_name> To set a partition for object viewing To set a partition when you have Read access to more than one partition on the BIG-IP system, use this command: bp> shell read partition <partition_name> To set a default partition To set a partition to be the default partition when you have Read and Write access to more than one partition on the BIG-IP system, use this command: bp> shell partition <partition_name> Writing to the current partition When using bigpipe commands, you can globally modify or delete objects of a specified type only when all objects of that type reside in a single partition. In other words, when you use the keyword, all, with an object type, the action you are performing applies only to objects of the specified type in the current Write partition. For example, suppose your system has three partitions, Common, partition_a, and partition_b. In this case, your user account grants you Write access to all partitions on the system, and your default current partition is Common. To reset the statistics for all pools on the system 1. Log on to the system. Because your default Write partition is Common, you are logged in to Common. 2. To reset the statistics for all pools that reside in Common use this command: bp> pools all stats reset The statistics for all the pools in Common are reset. 3. Change the current partition to partition_a using this command: bp> shell write partition partition_a The current partition is set to partition_a. 4. To reset the statistics for all pools that reside in partition_a use this command: bp> pools all stats reset The statistics for all the pools in partition_a are reset. 4 - 20 Managing the BIG-IP System 5. Change the current partition to partition_b using this command: bp> shell write partition partition_b The current partition is set to partition_b. 6. To reset the statistics for all pools that reside in partition_b use this command: bp> pools all stats reset The statistics for all the pools in partition_b are reset. Managing user accounts You can create user accounts on the BIG-IP system using the user command, if you are assigned the Administrator user role. When you create a user account, you assign the account a name, a user role, and a partition that the user can access. It is the user role, combined with the user’s partition access, that determines a user’s type and scope of access to BIG-IP system objects. It is important to note that a user account, which is a BIG-IP system object itself, also resides in a partition. For example, suppose user admin sets his current partition to partition_a, and then creates the user account psmith, giving psmith access to partition_b as one of the psmith account properties. In this case, user psmith can access partition_b, but the psmith account itself resides in partition_a, because partition_a is the current partition for user admin. Thus, the partition in which the psmith user account resides has no relationship to the partition access that user admin assigned to the psmith account. To create a local BIG-IP system user account To create a user account on the BIG-IP system, use this command syntax: bp> user <user_name> role <user_role> in (<partition_name> | \ all) You can create user accounts where the user names differ only by case-sensitivity (for example, david and DAVID.) Note that there are restrictions on reserved user names. You cannot create user accounts that use the reserved names admin, root, support, or operator. Note For information on creating and managing BIG-IP system user accounts, including those that are stored on a remote authentication server, see the BIG-IP® Network and System Management Guide. BIG-IP® Command Line Interface Guide 4 - 21 Chapter 4 Tip You can also create user accounts using the f5adduser command at the BIG-IP system prompt. For information about the f5adduser command, log on to the Ask F5sm Knowledge Base web site and search for solution SOL5561. Changing user accounts Users who are assigned the Administrator user role, can modify or delete user accounts on the BIG-IP system using the user command. It is important to remember that a user’s type, and scope of access to the BIG-IP system objects are determined by a combination of the user’s role, the user’s partition access, and whether or not the user has terminal access. If a user is logged in to the system at the time that you change her user role, she may receive Access Denied error messages. For example, if the user was previously assigned the Administrator user role with the ability to create pools, but you assign the user a user role of Operator without that ability, the system prevents the user from using the pool command to create a pool. WARNING The Administrator user role provides access to the BIG-IP system prompt. If a user who is assigned the Administrator user role is logged in when you change his user role to another user role without access to the BIG-IP system prompt, the user can still run commands at the BIG-IP system prompt until he logs out of the system. The same is true when you delete a user account. If a user who is assigned the Administrator user role is logged in when you delete the user account, that user can still run commands at the BIG-IP system prompt until she logs out of the system. Remote user access User accounts are either stored locally or on remote authentication servers. The access permissions for a user account that are stored on a remote authentication server are either based on the default authorization properties, or are stored in a special, duplicate account on the BIG-IP system. Remote-server user accounts based on the default authorization properties appear together on the BIG-IP system as a single user account named Other External Users. If your user account is an Other External Users account, and you are logged in to the BIG-IP system, when a user with the Administrator user role changes the default user role, your connection to the system is closed immediately. You can log on to the BIG-IP system again, and you will have access to the system based on the new default user account. For more information, see the chapter, Managing User Accounts, of the BIG-IP® Network and System Management Guide. Specifically, see the sections named Managing remote user accounts and Configuring authorization for remote accounts. 4 - 22 Managing the BIG-IP System Auditing user access to the system The BIG-IP system generates a log message whenever a user or an application attempts to log on to or log off of the system. The system logs both successful and unsuccessful logon attempts. The system stores these log messages in the /var/log/secure file. When the system logs an authentication message in the /var/log/secure file, the message can contain the following types of information: • The connecting user's ID • The IP address or host name of the user's interface • The time of each logon attempt • Successful logon attempts for command line interface sessions only • Failed logon attempts for command line interface, Configuration utility, and iControl sessions • The time of the logoff for command line interface sessions only Figure 4.2 shows examples of log messages for both successful and failed logon attempts made by user jsmith. May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ] May 10 16:14:56 jsmith-dev sshd[716]: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]). Figure 4.2 Sample log messages related to logon attempts Configuring failover for redundant systems When you set up a redundant system configuration, there are two command line tasks in particular that are worth emphasizing. These tasks are: • Setting failover for BIG-IP system daemons • Editing scripts that perform automatic maintenance tasks after failover For background information on configuring a redundant system, see the BIG-IP® Network and System Management Guide. BIG-IP® Command Line Interface Guide 4 - 23 Chapter 4 Setting failover for BIG-IP system daemons You can use the daemon command to define the action that you want the BIG-IP system to take when certain system daemons fail. Table 4.6 lists these daemons. Daemon Definition bigd Controls health monitoring. mcpd Manages the configuration data on a BIG-IP system. sod Controls failover for redundant systems. tmm Performs most traffic management for the BIG-IP system. bcm56xxd When the heartbeat of a system daemon fails, based on how the BIG-IP system is configured, either restarts the system daemon or takes no action. Table 4.6 BIG-IP system daemons with failover settings Configuring user-defined scripts for failover tasks You might want the system to perform some maintenance tasks on either the active or the standby system, or both, immediately after failover has occurred. To configure the BIG-IP system to automatically perform these tasks, you can use a text editor to manually edit two scripts named active and standby. You can find these files on the BIG-IP system in the /config/failover directory. The purpose of these scripts is to automatically run short, non-persistent system maintenance tasks after failover. For example, you can edit the active script to read the ARP table on the newly-active unit, to remove an erroneous entry that might appear as a result of failover. Important Two additional scripts, named f5active and f5standby, are located in the directory /usr/lib/failover. Do not edit these scripts unless an F5 Networks customer service representative instructs you to do so. Associating BIG-IP system objects with unit IDs Each BIG-IP unit in an active-active configuration has a unit ID, either 1 or 2. When you define a local traffic management object, such as a virtual server, you must associate that object with a specific unit of the active-active redundant system. When failover occurs, these associations of objects to unit IDs allow the surviving unit to process connections correctly for itself and the failed unit. 4 - 24 Managing the BIG-IP System You must associate these local traffic management objects with a unit ID: • Virtual servers • Self IP addresses • SNATs For example, associating virtual server A with unit 1 causes unit 1 to process connections for virtual server A. Associating virtual server B with unit 2 causes unit 2 to process connections for virtual server B. This allows the two units to process traffic for different virtual servers simultaneously, and results in an increase in overall performance. If one of the units fails over, the remaining unit begins processing the connections for all virtual servers of the redundant pair, until failback occurs. This scenario of using the two units to process different connections simultaneously is one reason for the requirement that both units store identical configuration files (/config/bigip.conf). If you do not associate an object with a specific unit ID in an active-active redundant pair, the redundant system uses 1 as the default unit ID. Associating a virtual server with a unit ID You can view a list of virtual servers and their associated unit IDs, and you can change the unit ID associated with a specific virtual server. You perform these tasks using the command virtual address. To view an existing virtual server-unit ID association To view the unit ID associated with your existing virtual servers, use this bigpipe command syntax: bp> virtual address [<ip addr list> | all] unit [show] To change the unit ID associated with a virtual server To change the unit ID associated with an existing virtual server, type this command sequence: bp> virtual address <ip addr> unit <id> Associating a self IP address with a unit ID You can view a list of self IP addresses and their associated unit IDs, and you can change the unit ID associated with a specific self IP address. To do this, use the command self. To view an existing self IP address-unit ID association To view the unit ID associated with your existing self IP addresses, use this bigpipe command syntax: bp> self [<ip addr list> | all] unit [show] BIG-IP® Command Line Interface Guide 4 - 25 Chapter 4 To change the unit ID associated with a self IP address To change the unit ID associated with an existing self IP address, type this command sequence: bp> self <ip addr> unit <id> Associating a SNAT with a unit ID You can view a list of SNATs and their associated unit IDs, and you can change the unit ID associated with a specific SNAT. You can perform these tasks using the bigpipe snat translation command. Note You cannot associate a default SNAT with a unit ID. The default SNAT is not compatible with an active-active system. To view an existing SNAT-unit ID association To view the unit ID associated with your existing SNAT translation addresses, use this bigpipe command syntax: bp> snat translation [<ip addr list> | all] unit [show] To change the unit ID associated with a SNAT address To change the unit ID associated with an existing SNAT translation address, type this command sequence: bp> snat translation <ip addr> unit <id> Displaying protocol statistics You can use the bigpipe utility to display statistics for various types of network traffic. You can use the following commands at the bigpipe shell prompt to display protocol-related statistics: • fastl4 • fasthttp • ftp • http • icmp • ip • oneconnect • ssl • stream • tcp • udp You can also display global statistics using this command: bp> global 4 - 26 Managing the BIG-IP System Using the bigstart utility You can use the bigstart utility not only to start or stop the BIG-IP system, but also to restart the MCPD process or view the status of one or more system processes (daemons). Note that before you restart the mcpd daemon, you should run the load command to ensure that the restart utilizes the most current configuration data. The bigstart status command provides informational messages about each process, including whether the process is running, not running, or waiting for another process to run. To restart the mcpd daemon 1. At the bigpipe shell prompt, run the command load: bp> load 2. Access the BIG-IP system prompt. 3. Run the command bigstart. Tip If you have root privileges, you can run the bigstart and bigtop utilities from within the bigpipe shell by entering an exclamation point (!) before the command. For example, to run the command bigstart, enter the command at the bigpipe shell prompt, as follows: bp>!bigstart. To view status of all daemons 1. Access the BIG-IP system prompt. 2. Run the command bigstart status. Figure 4.3, on page 4-28, shows sample output of the command bigstart status. BIG-IP® Command Line Interface Guide 4 - 27 Chapter 4 Note If you use the command bigstart status on a hardware platform that supports clustered multi-processing, the command shows a separate status for each instance of the tmm daemon that is running. alertd bcm56xxd big3d bigd bigdbd chmand cssd eventd fpdd gtmd lacpd mcpd pvac radvd rmonsnmpd snmpd sod statsd stpd subsnmpd syscalld tamd tmm tmrouted tomcat4 zebosd down, waiting for mcpd running run (pid 3816) 14 seconds, 1 start run (pid 3818) 14 seconds, 1 start down, waiting for mcpd running run (pid 3857) 14 seconds, 1 start run (pid 3860) 14 seconds, 1 start down, waiting for mcpd running down, waiting for mcpd running run (pid 3887) 14 seconds, 1 start down, not licensed down, waiting for mcpd running run (pid 3895) 14 seconds, 1 start down, not licensed down, not configured down, delaying 5 seconds run (pid 3922) 14 seconds, 1 start run (pid 3924) 14 seconds, 1 start down, waiting for mcpd running run (pid 3928) 14 seconds, 1 start down, waiting for mcpd running run (pid 3960) 14 seconds, 1 start down, waiting for mcpd running run (pid 3968) 14 seconds, 1 start down, waiting for mcpd running down, waiting for mcpd running down, waiting for mcpd running Figure 4.3 Sample output from the bigstart status command 4 - 28 Managing the BIG-IP System Working with the bigtop utility The bigtop™ utility is a real-time statistics display utility. The display shows the date and time of the latest reboot, and lists activity in bits, bytes, or packets. The bigtop utility accepts options you use to customize the display of information. For example, you can set the interval at which the data is refreshed, and you can specify a sort order. The bigtop utility displays the statistics as shown in Figure 4.4. | bits since | bits in prior | | Nov 28 18:47:50 | 3 seconds | BIG-IP ACTIVE |---In----Out---Conn-|---In----Out---Conn-| 227.19.162.82 1.1G 29.6G 145 1.6K 0 0 virtual ip:port 217.87.185.5:80 217.87.185.5:20 217.87.185.5:20 NODE ip:port 129.186.40.17:80 129.186.40.17:20 129.186.40.18:80 129.186.40.17.21 129.186.40.18:21 129.186.40.18:20 current time 00:31:59 |---In----Out---Conn-|---In----Out---Conn-|-Nodes Up-1.0G 27.4G 139.6K 1.6K 0 0 2 47.5M 2.1G 3.1K 0 0 0 2 10.2M 11.5M 2.6K 0 0 0 2 |---In----Out---Conn-|---In----Out---Conn-|--State---960.6M 27.4G 69.8K 672 0 0 UP 47.4M 2.1G 3.1K 0 0 0 UP 105.3M 189.0K 69.8K 1.0K 0 0 UP 9.4M 11.1M 1.3K 0 0 0 UP 700.8K 414.7K 1.3K 0 0 0 UP 352 320 1 0 0 0 UP Figure 4.4 The bigtop screen display Using bigtop command options The syntax for the bigtop command that is used at the BIG-IP system prompt, is as follows: bigtop [options...] Table 4.7 lists and describes the options you can use with the bigtop command. Option Description -bytes Displays counts in bytes (the default is bits). -conn Sorts by connection count (the default is to sort by byte count). -delay <value> Sets the interval at which data is refreshed (the default is four seconds). -delta Sorts by count since last sample (the default is to sort by total count). -help Displays bigtop help. Table 4.7 bigtop command options BIG-IP® Command Line Interface Guide 4 - 29 Chapter 4 Option Description -nodes <value> Sets the number of nodes to print (the default is to print all nodes). -nosort Disables sorting. -once Prints the information once and exits. -pkts Displays the counts in packets (the default is bits). -scroll Disables full-screen mode. -virtuals <value> Sets the number of virtual servers to print (the default is to print all virtual servers). Table 4.7 bigtop command options Using runtime commands in bigtop Unless you specified the -once option, the bigtop utility continually updates the display at the rate indicated by the -delay option. You can also use the following runtime options at any time: • The u option cycles through the display modes: bits, bytes, and packets. • The q option quits the bigtop utility. Exiting the bigtop utility To exit the bigtop utility, simply type q. Working with the bigdb database The bigdb database holds certain configuration information for the BIG-IP system. Most BIG-IP system utilities use the configuration stored in the bigdb database. You can load configuration information into this bigdb database. For more information, see Appendix B, Configuring bigdb Database Variables. Setting values for a bigdb database variable Using the db command, you can view a bigdb database variable, set a new value for a bigdb database variable, or reset a bigdb database variable to the default value. To view the value of a bigdb database variable Within the bigpipe shell, use this command to view the value of a bigdb database variable: bp> db [<key>] [show] 4 - 30 Managing the BIG-IP System If you do not specify a bigdb database variable name, the system displays all bigdb database variables. To set the value of a bigdb database variable Within the bigpipe shell, use this command to set a bigdb database variable to a specific value: bp> db <key> <value> Within the bigpipe shell, use this command to set a bigdb database variable to the default value: bp> db <key> reset After you change a bigdb database variable using the db command, you must run the save all command. If you do not, the next time that you run the load command, the value of the bigdb database variable may be reset to the value in the stored configuration. To set the value of a bigdb database variable attribute You can modify the values of the attributes that are associated with a bigdb database variable using this command: bp> db <key> <new value> The attributes associated with a bigdb database variable are: • Variable name (key) The name for the bigdb database variable. An example is Bigip.Failover.ActiveMode. • Value The value associated with the bigdb database variable. The system stores this value as a string. • Default value The value that the system uses when the bigdb database variable is otherwise undefined. • Type The data type that the system uses to constrain and validate the value of the bigdb database variable. Types are not case-sensitive and can be any of the following: string, integer (for signed integer), unsigned_integer, ipaddress, or enum. • Realm An attribute indicating where a bigdb database variable is relevant (not case-sensitive). Allowed values are: Local or Common. The system persists both Local and Common bigdb database variable, and transfers Common bigdb database variables to a peer during config sync operations. • Minimum value The minimum value for bigdb database variables of type integer and unsigned_integer. This is the shortest length for strings. BIG-IP® Command Line Interface Guide 4 - 31 Chapter 4 • Maximum value The maximum value for bigdb database variables of type integer and unsigned_integer. This is the maximum length for strings. • Enumerated value A list of allowed values for the bigdb database variable. The first character is a delimiter for items. Printing bigdb database variables You can print the values of any bigdb database variable and its attributes, using the db <key> command. You can print the values of all bigdb database variables using the db show all command. Managing the Log File System The BIG-IP system supports logging using the syslog-ng utility. The system generates logs automatically, and saves them in user-specified files. These logs contain all changes made to the BIG-IP system configuration, such as those made with the virtual command, or other bigpipe commands, as well as all critical events that occur in the system. Note You can configure the syslog-ng utility to send mail or activate pager notification based on the priority of a logged event. The syslog-ng log files track system events based on information defined in the /etc/syslog-ng/syslog-ng.conf file. You can view the log files in a standard text editor, or with the less file page utility. Table 4.8 shows sample syslog-ng messages for events that are specific to the BIG-IP system. For information about the format of syslog-ng messages, see RFC 3164. Sample message Description bigd: node 192.168.1.1 monitor status up The 192.168.1.1 node address was successfully pinged by the BIG-IP system. kernel: security: port denial 207.17.112.254:4379 -> 192.168.1.1:23 A client was denied access to a specific port. The client is identified as coming from 207.17.112.254:4379, and the destination node is 192.168.1.1:23. Table 4.8 Sample syslog-ng messages 4 - 32 Managing the BIG-IP System Changing the size of the log file When you initially boot the BIG-IP system, the system allocates a finite amount of disk space for storing the log file. The advantage to having a finite size for the log file is that the file cannot increase to the point where it adversely affects other facilities that are running on the system in the same partition. The default amount of disk space that the BIG-IP system allocates for the log file is 7 gigabytes (Gb). In most cases, this default size of 7 Gb is sufficient. However, you can allocate additional disk space, or decrease the disk space, for the log file if necessary. The minimum amount of disk space that you can specify for the log file is 1 Gb. The maximum amount of disk space that you can specify is 10 Gb. You adjust the amount of disk space that the system allocates for the log file by using a command line script at the BIG-IP system prompt named resize-logFS. When you use the resize-logFS script, the system prompts you for information, and validates that: • The amount of disk space you specify falls within the valid range of 1 to 10 gigabytes. • The BIG-IP system has enough disk space to allocate the requested amount. WARNING Before using the resize-logFS script, it is imperative that you stop the BIG-IP system, or put the system into a safe condition such as standby mode. To change the size of the log file 1. Access the BIG-IP system prompt. 2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command. 3. Type the following command: resize-logFS This command prompts you for the desired file size in gigabytes. 4. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size. 5. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation. Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size. BIG-IP® Command Line Interface Guide 4 - 33 Chapter 4 6. Type Y. A confirmation prompt appears. 7. Type Y. The system displays messages indicating that the reboot operation is about to occur. 8. Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file will be in effect. If, at any time during the resize-logFS operation, you decide to exit the script, no reboot occurs, and the amount of allocated disk space remains as is. WARNING Do not delete the files: /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files. Removing and returning items to service Once you have completed the initial configuration on the BIG-IP system, you may want to temporarily remove specific items from service for maintenance purposes. For example, if a specific network server needs to be upgraded, you may want to disable the nodes associated with that server, and then enable them once you finish installing the new hardware and bring the server back online. If you specifically disable the nodes associated with the server, the BIG-IP system allows the node to go down only after all the current connections are complete. During this time, the BIG-IP system does not attempt to send new connections to the node. Although the BIG-IP system monitoring features would eventually determine that the nodes associated with the server are down, specifically removing the nodes from service can prevent interruptions on long duration client connections. You can remove the entire BIG-IP system from service, or you can remove the following individual items from service: • Virtual servers • Virtual addresses • Virtual ports • Nodes • Pool members 4 - 34 Managing the BIG-IP System Removing individual virtual servers and virtual addresses from service The BIG-IP system also supports taking only selected virtual servers, and virtual addresses out of service, rather than removing the BIG-IP system itself from service. Each bigpipe command that defines virtual servers and their components supports enable and disable keywords, which allow you to remove or return the elements from service. When you remove a virtual address from service, it affects all virtual servers associated with the virtual address. Enabling and disabling virtual servers and virtual addresses The command virtual allows you to enable or disable individual virtual servers, as well as virtual addresses. To enable or disable a virtual server To enable or disable a virtual server, use the appropriate command syntax: bp> virtual <virtual addr>:<virtual port> enable | disable To enable or disable a virtual address, use the appropriate command syntax: bp> virtual address <virtual addr> enable | disable Removing individual nodes from service You can remove an individual node from service, or return an individual node to service from within the bigpipe shell. To remove an individual node from service, use the following command: bp> node <node addr>:<node port> down To return an individual node to service, use this command: bp> node <node addr>:<node port> up Viewing the currently-defined system objects When used with the show parameter, bigpipe commands typically display currently configured elements. For example, the command virtual show displays all currently defined virtual servers, and the command node displays all nodes currently included in virtual server mappings. Viewing system licenses You can view the licenses installed on your system using the find_keys command at the BIG-IP system prompt. To view the license keys and their locations, use this command: find_keys BIG-IP® Command Line Interface Guide 4 - 35 Chapter 4 To view license keys without showing the location of the files that contain the keys, use this command: find_keys -q Backing up and restoring the BIG-IP system product image Each slot on a BIG-IP system contains a file system known as the product image. You use the snapshot utility to back up this product image. Creating a backup of the product image on a slot allows you to restore that image at a future date. You also use the snapshot utility to perform the restore. You run the snapshot utility at the BIG-IP system prompt. Backing up the BIG-IP product image When you use the snapshot utility to back up the product image on a slot, by default the utility creates a snapshot of the current slot and saves it in the default directory and file, /shared/snapshot/image.snp. The size of the snapshot file is approximately 130 MB. Before you create a snapshot of the current slot, you must switch to single user mode. This ensures that there are no other users attempting to make changes to the system while you are restoring it. Before you create a snapshot, it is also important to save the current running configuration of the system. This ensures that the snapshot contains the configuration that is currently running. If you want to create a snapshot of a slot other than the current slot, you must specify the slot that you want to back up. You can also specify a directory, other than the default directory, to which the system saves the snapshot file. Backing up the product image on the current slot To back up the product image on the current slot and save the snapshot in the default directory and file (/shared/snapshot/image.snp), first save the current running configuration, using this command: save all Then switch to single user mode using this command: init 1 Finally, save the snapshot in the default directory, using this command: snapshot backup 4 - 36 Managing the BIG-IP System Backing up the product image and specifying the directory in which to save the image To back up the product image on the current slot and save the snapshot in a specified directory and file, first save the current running configuration, using this command: save all Then switch to single user mode using this command: init 1 Finally, save the image in a specified directory, using this command: snapshot -f <specified full path and file name> backup Backing up the product image of a specified slot To back up the product image of a specified slot and save the image in the default directory and file (/shared/snapshot/image.snp), first save the current running configuration, using this command: save all Then, save the product image of the specified slot, using this command: snapshot -s HD1.2 backup Restoring a BIG-IP product image You can use the snapshot utility to restore a saved product image to a slot on the same system on which the product image was saved. However, it is important to note that you cannot restore a saved product image on the currently running slot. WARNING You cannot use a snapshot file that you created from a product image on a compact flash drive to restore a product image to a hard drive, nor the reverse. To determine if you can use a specific snapshot file to restore a product image to a slot, you can view information about the file. To do this, you use the snapshot list command. BIG-IP® Command Line Interface Guide 4 - 37 Chapter 4 To view the information about a snapshot file 1. Access the BIG-IP system prompt. 2. To view information about the default snapshot file, type snapshot list. The system returns information about the file. Figure 4.5 is an example of the system response to the snapshot list command. [root@f5:Active] / # snapshot list No file specified, defaulting to /shared/snapshot/image.snp. image.snp contains BIG-IP version 9.4.2 build 170.0. image.snp should be placed on the HD of a C36. Installable locations are: HD1.1 HD1.2 [root@f5:Active] / # Figure 4.5 snapshot list command output Restoring a system using a snapshot file You use the snapshot utility to restore a BIG-IP product image to a slot using a snapshot file. When you perform the restoration, you identify the slot that you want to restore, and specify the location of the snapshot file that you want to use to restore the product image on that slot. To restore the product image from the default snapshot file to slot #1, use this command: snapshot -f /shared/snapshot/image.snp -s HD1.1 restore To restore the product image from the snapshot file, /shared/image/image010107.snp, to slot #2, use this command: snapshot -f /shared/image/image010107.snp -s HD1.2 restore 4 - 38 5 Managing Local Application Traffic • Performing local traffic management tasks • Setting up load balancing • Controlling HTTP traffic • Configuring HTTP compression on the BIG-IP system • Implementing HTTP and TCP optimization profiles • Authenticating application traffic • Implementing persistence • Enhancing the performance of the BIG-IP system • Managing health and performance monitors • Implementing iRules Managing Local Application Traffic Performing local traffic management tasks There are many tasks that you can perform to customize the way that the BIG-IP system manages local network traffic. You can set up load balancing and configure the way that the BIG-IP system manages a variety of types of network traffic, including: • HTTP • FTP • Layer 4 • TCP • UDP • Client SSL • Server SSL You can use profiles to manage network traffic. For more information on profiles, see the profile command online man page, as well as the man page for each profile type. You can also authenticate application traffic, implement session and connection persistence, enhance the performance of the BIG-IP system, and monitor the system. The primary command line tool that you use to perform these tasks is the bigpipe utility. When managing SSL traffic, however, you can use the OpenSSL, genkey, genconf, and gencert utilities at the BIG-IP system prompt to generate SSL certificates and keys. For a list of the bigpipe commands related to local traffic management, see the corresponding online man pages and Appendix A, bigpipe Command Reference. BIG-IP® Command Line Interface Guide 5-1 Chapter 5 Setting up load balancing Once you configure the BIG-IP network components, you can use the bigpipe utility to set up a basic, local traffic management system by implementing a profile, a load balancing pool, and a virtual server. To set up a basic load balancing configuration 1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication. 2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile. 3. Access the bigpipe shell. 4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step. 5. Create one or more load balancing pools, using the pool command. 6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default. Managing traffic types To manage a particular type of network traffic, such as HTTP traffic, you can modify the default, system-supplied profile of that type to create a custom profile (recommended). Make sure that you save the custom profile with a new name. F5 recommends that you do not save a modified, system-supplied profile, without renaming it. After creating a new profile, you must assign the profile to a virtual server. To manage a specific type of network traffic 1. From the bigpipe shell, create a profile for a specific type of traffic, such as SSL. For example, you can manage client-side SSL traffic by using the command profile clientssl and specifying its arguments. 2. Assign the profile to a virtual server, using the virtual command. Optionally, you can write an iRule that includes various commands, which dynamically modify profile settings. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management. 5-2 Managing Local Application Traffic Configuring manual resumption of pool members and nodes When a monitor detects that a pool member or node is available, the BIG-IP system, by default, marks that pool member or node as being in an up state. You can change this behavior, however, so that the system does not automatically mark the pool member or node as being up when a monitor detects that the pool member or node has become available. Instead, the system puts the pool member or node in a special waiting manual resume state, and creates a log entry in the /var/log/ltm directory. A sample log entry is: Node 10.10.10.10 monitor status up awaiting man resume After the system makes the log entry, it waits for you to manually specify the pool member or node as being up. Configuring clone pools Clone pools are designed for intrusion detection. You can implement clone pools by configuring a virtual server. A clone pool receives all of the same traffic as the normal pool. You therefore use clone pools to copy traffic to intrusion detection systems. To configure a clone pool 1. Access the bigpipe shell. 2. Use the virtual command, to create or modify a virtual server, specifying a value for the clone pool argument. Configuring a last hop pool By default, the Auto Last Hop feature is enabled on the BIG-IP system. If you want to disable that feature and instead explicitly define a last hop router, you can create a last hop pool and assign it to a virtual server. To configure a last hop pool 1. Access the bigpipe shell. 2. Use the pool command to create a last hop pool that contains the router inside addresses. 3. Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server. If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server. BIG-IP® Command Line Interface Guide 5-3 Chapter 5 Implementing SNATs There are two basic ways to create a SNAT. You can either directly assign a translation address to one or more original IP addresses, or you can create a SNAT pool and then assign the SNAT pool to the original IP addresses. In the latter case, the BIG-IP system automatically selects a translation address from the assigned SNAT pool. Note that you can assign these types of mappings from within an iRule. To map a single translation address to an original address 1. Access the bigpipe shell. 2. Designate an IP address as a translation address, using the snat translation command. 3. Map the translation address to one or more original IP addresses, using the snat command or the rule command. To map a SNAT pool to an original address 1. Access the bigpipe shell. 2. Create a pool of translation addresses (that is, SNAT pool), using the snatpool command. 3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command. 5-4 Managing Local Application Traffic Controlling HTTP traffic You can configure the BIG-IP system to control HTTP traffic by configuring HTTP compression, redirecting HTTP requests, rewriting HTTP redirections, inserting and erasing HTTP headers, enabling or disabling cookie encryption and SYN cookie support, configuring the HTTP class profile, and unchunking and rechunking HTTP response data. Configuring HTTP compression To configure the BIG-IP system to compress HTTP server responses, you access the bigpipe shell, and use the profile and virtual commands. For more information about configuring HTTP compression, see Configuring HTTP compression on the BIG-IP system, on page 5-8. To configure HTTP compression 1. Access the bigpipe shell. 2. Configure the compression-related settings of an HTTP profile, using the profile http command. 3. Assign the HTTP profile to a virtual server, using the virtual command. Redirecting HTTP requests You can redirect HTTP requests by configuring an HTTP profile and specifying a fallback host within the profile. To redirect HTTP requests 1. Access the bigpipe shell. 2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection. 3. Verify that the HTTP profile you created or modified is assigned to a virtual server. Rewriting HTTP redirections You can rewrite HTTP redirections by configuring an HTTP profile and specifying that you want the BIG-IP system to rewrite certain HTTP redirections. For more information, see the Rewriting an HTTP redirection section of the Configuration Guide for BIG-IP® Local Traffic Management. BIG-IP® Command Line Interface Guide 5-5 Chapter 5 To rewrite HTTP redirections 1. Access the bigpipe shell. 2. Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument. For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional training slash), use the following syntax: profile http myHTTPprofile { redirect rewrite matching } 3. Verify that the HTTP profile you created or modified is assigned to a virtual server. Inserting and erasing HTTP headers You can insert headers into HTTP requests or remove headers from HTTP requests by configuring an HTTP or Fast HTTP profile. To insert or erase HTTP headers 1. Access the bigpipe shell. 2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options. 3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server. Tip You can also manipulate HTTP headers by configuring a Fast HTTP profile from the bigpipe shell, using the profile fasthttp command. Enabling or disabling cookie encryption You can enable or disable cookie encryption from the bigpipe shell by configuring two options of the profile http command. To enable or disable cookie encryption 1. Access the bigpipe shell. 2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options. 3. Verify that the HTTP profile you created or modified is assigned to a virtual server. 5-6 Managing Local Application Traffic Enabling or disabling SYN cookie support To manage Denial-of-Service (DoS) attacks, you can enable or disable SYN cookie support by configuring the SYN cookie option on a Fast L4 profile from the bigpipe shell. ◆ If the BIG-IP system includes Packet Velocity® ASIC (PVA), use the profile fastL4 command, specifying the hardware syncookie (enable | disable | default) option. Also, based on your requirements, set the following bigdb database variables using the db command: • pva.SynCookies.Full.ConnectionThreshold (default: 500000) • pva.SynCookies.Assist.ConnectionThreshold (default: 500000) • pva.SynCookies.ClientWindow (default: 0) Note that the hardware syncookie feature is currently available on the D84 and D88 platforms only. Setting the hardware syncookie feature on a platform other than the D84 and D88 platforms, has no effect. Also, if you set the software syncookie feature on the D84 and D88 systems without setting the hardware syncookie feature, the SYN cookie protection is handled by the software only. ◆ If the BIG-IP system does not include Packet Velocity® ASIC (PVA), use the profile fastL4 command, specifying the software syncookie (enable | disable | default) option. Configuring the HTTP Class profile The BIG-IP system includes a type of profile named an HTTP Class profile. You can use an HTTP Class profile to classify HTTP traffic based on criteria that you specify. When you classify traffic, you forward traffic to a destination based on an examination of traffic headers or content. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management. If the BIG-IP system includes the Application Security Manager or WebAccelerator modules, you can configure the system to send HTTP traffic to that module before sending the traffic to its final destination. For example, you can use an HTTP Class profile to instruct a virtual server to send traffic through the BIG-IP® Application Security Manager before forwarding the traffic to a load balancing pool. For more information, see the Configuration Guide for BIG-IP® Application Security Management, and the Administrator Guide for the BIG-IP® WebAccelerator Module. BIG-IP® Command Line Interface Guide 5-7 Chapter 5 Unchunking and rechunking HTTP response data If you want to unchunk a chunked HTTP response for the purpose of inspecting the content, you can enable unchunking by configuring an HTTP profile. To configure HTTP response chunking 1. Access the bigpipe shell. 2. Using the profile http command, create or modify an HTTP profile and specify the response argument. 3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command. Configuring HTTP compression on the BIG-IP system Compressing HTTP server responses reduces the amount of data that is transmitted to the requestor, thereby significantly reducing bandwidth usage. In a typical client-server scenario, enabling HTTP compression requires installation and configuration of compression software on the destination server. With the BIG-IP system, you can off-load HTTP compression tasks from the target servers and centralize these tasks on the BIG-IP system. Understanding compression providers The BIG-IP system utilizes compression providers to compress HTTP server responses. The compression providers are software programs and hardware cards that are installed on the system. It is important to note that you do not have to have a hardware card installed on the system for server responses to be compressed. All BIG-IP systems contain software compression providers. Table 5.1, on page 5-9 outlines the software and hardware compression providers, and the BIG-IP systems on which they are available. 5-8 Managing Local Application Traffic Type of BIG-IP system Software compression provider Hardware compression provider 6400/6800/8400 BIG-IP system software compression Always available. Only 6400/6800/8400 BIG-IP systems with a hardware card can utilize hardware compression. tmzd When a system contains a hardware card and a hardware compression license, tmzd, a software compression provider, is automatically bundled with the hardware card. In order to use tmzd, you must disable clustered multi-processing on the system. 8800 zlib Always available. tmzd Always available. When the system contains a hardware compression license and a hardware card, the card is automatically configured with a hardware compression provider. All BIG-IP 8800 systems contain a hardware card and a hardware compression license. The hardware card is automatically configured with a hardware compression provider. Table 5.1 About the compression providers on a BIG-IP system Viewing the hardware compression providers on a BIG-IP system You can view the hardware compression providers that are present on your system. To view the hardware compression providers 1. Access the bigpipe shell. 2. Type platform show. The system returns information about the platform including any hardware compression providers that are installed. Understanding compression strategy selection When using the command line interface to configure compression for a BIG-IP system, you can choose from four compression strategies (Speed, Size, Ratio, and Adaptive). The BIG-IP system uses the compression strategy that you select to determine which compression provider to use for a given HTTP response. Once an HTTP response is assigned to a compression provider, the response remains associated with that compression provider until the response is completed. The adaptive compression strategy gives you the most control over how the BIG-IP system handles compression tasks. Understanding all four of the compression strategies helps you to understand the benefits of using BIG-IP® Command Line Interface Guide 5-9 Chapter 5 adaptive compression when the system contains a hardware compression provider. The four compression strategies are described in Table 5.2 following. Compression Strategies Description Speed This is the default compression strategy. The system uses the hardware compression provider to the fullest extent possible. When the load on the system increases, and the hardware is busy, the system uses the software compression providers to compress HTTP server responses. The Speed strategy is best used for bulk compression and for limiting CPU overhead. Size The system performs as much compression in the software as possible using a ratio of TMM and Offload. When the load on the system increases, and the software is busy, the system uses the hardware compression provider to compress HTTP server responses. The Size strategy gives the best ratio at the expense of CPU overhead. Ratio The system uses a weighted Round Robin approach to decide which compression provider to use to compress data. The Ratio strategy limits CPU overhead while giving good compression ratios. For more information on configuring the Ratio strategy, see Summarizing bigdb database variables for HTTP compression, on page B-5. Adaptive The system first utilizes the software compression providers to compress HTTP server responses. It switches to the hardware compression providers based on both the gzip compression level that you set in the HTTP profile and the hardware compression provider the system contains. As load on the system increases, the system responds by reducing the desired gzip compression level (specified in the HTTP profile). The system utilizes the hardware compression providers only when the provider can deliver the specified or systematically reduced gzip compression level. The Adaptive strategy gives you the most control over how the BIG-IP system handles compression. Table 5.2 Compression strategies described Introducing adaptive compression The adaptive compression strategy specifies that the BIG-IP system uses the software and hardware compression providers in the most efficient way to provide the best quality of compression based on the available system resources. This means that the system compresses HTTP server responses based on the load on the system, directing more compression resources toward specific traffic. When adaptive compression is enabled, the system adapts to the changing traffic flow and utilizes the available compression providers by modifying how it compresses HTTP server responses. You can use adaptive compression on any system and it will have a beneficial effect. However, adaptive compression provides the most benefit on the BIG-IP 6400, 6800, and 8400 systems that contain a hardware card. This is because the default compression strategy on these systems does not always provide a desirable level of control of HTTP server response compression. 5 - 10 Managing Local Application Traffic When you want to use adaptive compression, you perform the following tasks. • Enable adaptive compression on the system. • Set bigdb database variables to fine-tune how you want the system to perform compression of the HTTP server responses. (The bigdb database variable you set are different based on the system’s hardware compression provider.) • Create an HTTP profile and set the gzip compression level. For more information on configuring adaptive compression, see Configuring adaptive compression, on page 5-12. When you enable adaptive compression, the BIG-IP system uses the bigdb database variable settings in combination with the specified gzip compression level to determine how to best utilize the software and hardware compression providers on the system as the traffic flow through the system changes. It important to understand that hardware compression providers cannot match the highest quality compression level that software compression providers perform. On the other hand, software compression providers require extensive system resources to deliver the highest quality compression. With the adaptive compression strategy, you can configure the system to utilize only the software compression providers to compress server responses at the quality level that you specify, when there are enough system resources available. When the load on the system increases, the adaptive compression strategy allows the system to incrementally decrease the quality of the compression of server responses as the load on the system increases. This frees the system resources to handle the load balancing of the increased traffic rather than using those resources to compress the server responses. When traffic reaches a peak volume, and based on the gzip compression level that you set in the HTTP profile, the system begins to handle compression using the hardware compression providers. Conversely, as the volume of traffic to the system decreases, more system resources become available for compression, and the system can again utilize the software compression providers to incrementally increase the quality of the compression of the server responses. Understanding how adaptive compression works To understand how adaptive compression works, you must understand the gzip compression level setting in the HTTP profile. For more information about creating and configuring an HTTP profile using the Configuration utility, see the Configuration Guide for BIG-IP® Local Traffic Management. When you enable adaptive compression, the system utilizes the gzip compression level that you set in the HTTP profile in different ways depending on which hardware compression provider the system contains. BIG-IP® Command Line Interface Guide 5 - 11 Chapter 5 When you create an HTTP profile, you set a gzip compression level in the range of 9 - 0. The higher the gzip compression level, the better the quality of the compression, and the more resources the system uses to reach the specified quality of compression. Setting a gzip compression level of 9 specifies that you want the system to use the optimal compression ratio when it compresses HTTP server responses. For example, you might set the gzip compression level to 9, if you are utilizing the BIG-IP system RAM cache feature to store response data. The reason for this is that the stored data in the RAM cache is continually re-used in responses, and you want the quality of the compression of that data to be very high. As the traffic flow on the BIG-IP system increases, compression quality is incrementally decreased from the gzip compression level that you set in the profile. When the gzip compression level decreases to the point where the hardware compression provider is capable of providing the specified compression level, the system uses the hardware compression providers, rather than the software compression providers to compress the HTTP server responses. This point is different on the BIG-IP 6400, 6800, and 8400 systems that contain a hardware card than it is on the BIG-IP 8800 systems. Configuring adaptive compression You use the db command to enable adaptive compression on the BIG-IP system, by typing the following command at the bigpipe shell prompt: db compression.strategy adaptive After you change a bigdb database variable using the db command, you must run the save all command. If you do not, the next time that you run the load command, the value of the bigdb database variable may be reset to the value in the stored configuration. You also use the db command to configure other bigdb database variables in order to fine-tune how the system compresses HTTP server responses. For more information on configuring adaptive compression using bigdb database variable, see Summarizing bigdb database variables for HTTP compression, on page B-5. You use the profile http command to configure the setting of the compress gzip level parameter that is used by the adaptive compression strategy. For more information on creating and configuring an HTTP profile, see profile http, on page A-198. 5 - 12 Managing Local Application Traffic Configuring adaptive compression on BIG-IP 6400, 6800, and 8400 systems When you enable adaptive compression on a BIG-IP 6400, 6800, or 8400 system that contains a hardware card, the gzip compression level setting of the HTTP profile specifies the following behavior: • When you set the gzip compression level between 9 and 2, inclusive, the software compression providers perform the server response compression based on the specified level and the load on the system. When the system reaches peak traffic load, and consequently runs low on resources to perform compression, the hardware compression provider begins to compress the server responses. When the load lessens and the resources are again available, the software compression provider again begins to compress the server responses. • When you set the gzip compression level to 1, and you enable the Compression.Adaptive.AHA.UseAtGzip1 bigdb database variable, when the system reaches peak traffic load, the hardware compression provider compresses the server responses, rather than the software compression provider doing this work. This is because the hardware compression provider on the BIG-IP 6400, 6800, and 8400 systems supports a gzip compression level of 1. • When you set the gzip compression level to 0, the system performs the minimum compression possible using the hardware compression provider. Configuring adaptive compression on BIG-IP 8800 systems When you enable adaptive compression on a BIG-IP 8800 system, the gzip compression level setting specifies the following behavior: • When you set the gzip compression level between 9 and 4, inclusive, the software compression provider performs the server response compression based on the specified level and the load on the system. When the system reaches peak traffic load, and consequently runs low on resources to perform compression, the hardware compression provider begins to compress the server responses. When the load lessens and the resources are again available, the software compression provider again begins to compress the server responses. • When you set the gzip compression level to 3 - 1, inclusive, you specify that when the system reaches peak traffic load, that you want the hardware compression provider to compress the data instead of the software compression provider. Note that the hardware compression provider on the BIG-IP 880 system supports only gzip compression levels 2 and 3. When the gzip compression level drops to 1, the quality of the hardware compression drops as well. • When you set the gzip compression level to 0 you specify that when the system reaches peak traffic load, that you want the system to perform the minimal compression possible using the hardware compression provider. BIG-IP® Command Line Interface Guide 5 - 13 Chapter 5 Viewing compression statistics You can view statistics about the BIG-IP system using the tmstat utility. Using this utility you can view information about the traffic throughput, and the compression ratio totals per hardware compression provider. To view compression statistics 1. Access the system shell. 2. Type tmstat compress. The system returns compression statistics. Figure 5.1 is an example of the results of the command tmstat compress on a system that contains a hardware compression provider. Figure 5.1 Sample results of the command tmstat compress 5 - 14 Managing Local Application Traffic Implementing HTTP and TCP optimization profiles In addition to the default http and tcp profiles, the BIG-IP system includes other HTTP- and TCP-type profiles that you can use to optimize HTTP and TCP traffic. These profiles are: • http-wan-optimized-compression • http-lan-optimized-caching • http-wan-optimized-compression-caching • tcp-lan-optimized • tcp-wan-optimized You can implement any of these profiles as is, by assigning the profile to a virtual server, or you can customize the profile to suit your needs. To customize an optimization profile 1. Access the bigpipe shell. 2. Use either the profile http or profile tcp command, specifying one of the profile names in the above list. For example, to implement a customized profile for TCP LAN traffic, use the following command, specifying only the options with values that you want to modify. Note that the tcp argument represents the type of profile, and the tcp-lan-optimized argument is the name of the profile you are customizing: bp> profile tcp tcp-lan-optimized <options> 3. Assign the customized profile to a virtual server, using the profile argument with the virtual command. BIG-IP® Command Line Interface Guide 5 - 15 Chapter 5 Authenticating application traffic You can configure the BIG-IP system to authenticate application traffic. To do this you configure the system to generate certificates, create certificate revocation lists (CRLs), revoke certificates, and associate keys and certificates using the SSL profile. You can also perform other certificate-related tasks and configure remote server authentication. Generating SSL certificates When you want the BIG-IP system to manage SSL traffic (that is, authenticate, decrypt, and encrypt SSL traffic), you must generate SSL certificates that the BIG-IP system can use as part of the authentication process. To generate SSL certificates from the BIG-IP system prompt, you can use the gencert and OpenSSL utilities. You can generate keys, certificate signing request files, certificate authority (CA) certificates that are trusted for client authentication, client certificates, certificates for web sites, and certificate revocation lists (CRLs). You can also perform a number of other certificate-related tasks. Generating CA certificates To obtain a valid certificate, you must have a private key. You can use the gencert utility to generate a key, a temporary certificate, and a certificate signing request file that you can submit to a certificate authority (CA). Note When you change any of the gencert utility defaults, you must include a key size. For example, to change the name of the organization for which you are requesting a certificate, use the following syntax: gencert -o NewCompanyName 1024 To generate a CA certificate 1. Access the BIG-IP system prompt. 2. Run the gencert utility. The following files are created and saved in the SSL directory: • ssl.csr is the certificate signing request file. • ssl.key contains the key. 5 - 16 Managing Local Application Traffic Creating client certificates For client-side authentication between a client and a BIG-IP system, you can create a certificate for that client. To create a client certificate 1. Access the BIG-IP system prompt. 2. Generate a client key. For example: openssl genrsa -rand .rand -out auser1.key 1024 3. Generate a client certificate request, using the previously-generated key. For example: openssl req -new -out auser1.req -key auser1.key 4. Generate a client certificate with or without the LDAP CRL distribution point. Note that you must use OpenSSL 0.9.8.x or newer to generate certificates with embedded distribution points that are dirname-based addresses. (dirname is a utility that strips off the trailing part of a file name, and the result is the path name of the directory that contains the file.) In the following example, the certificate is named auser1.crt. • To generate the client certificate with the LDAP CRL distribution point, use the openssl x509 command, as in the following example: openssl x509 -req -in auser1.req -out auser1.crt \ -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \ -days 300 -CAcreateserial -CAserial serial \ -extensions crl_ext -extfile bigmirror-ca.ext • To generate the client certificate without the LDAP CRL distribution point, use the openssl x509 command, as in the following example: openssl x509 -req -in auser1.req -out auser1.crt \ -CAkey bigmirror-ca.key -CA bigmirror-ca.crt \ -days 300 -CAcreateserial -CAserial serial 5. Create a PKCS12 file using the above key and certificate pairs. For example: openssl pkcs12 -export -in auser1.crt -inkey \ auser1.key -out auser1.p12 -name "auser1 pkcs12" BIG-IP® Command Line Interface Guide 5 - 17 Chapter 5 Creating a certificate for a web site For server-side authentication between a web site and a BIG-IP system, you can create a certificate for that web site. To create a certificate for a web site 1. Access the BIG-IP system prompt. 2. Create a key. For example: openssl genrsa -rand .rand -out www.test.net.key 1024 3. Generate a certificate request using the key that you generated in step 1. For example: openssl req -new -key www.test.net.key -out \ www.test.net.req 4. Using the request that you generated in step 2, generate a certificate named for the web site. • If you want to generate the certificate with the LDAP CRL distribution point, use the openssl x509 command, as in the following example: openssl x509 -req -in www.test.net.req -out \ www.test.net.crt -CAkey bigmirror-ca.key -CA \ bigmirror-ca.crt -days 300 -CAcreateserial \ -CAserial serial -extensions crl_ext \ -extfile bigmirror-ca.ext • If you want to generate the certificate without the LDAP CRL distribution point, use the openssl x509 command, as in the following example: openssl x509 -req -in www.test.net.req \ -out www.test.net.crt -CAkey bigmirror-ca.key -CA bigmirror-ca.crt -days 300 -CAcreateserial \ -CAserial serial Working with certificate revocation You can use the OpenSSL utility to create a certificate revocation list (CRL). The BIG-IP system checks a CRL to see if a client or server certificate being presented for authentication has been revoked. You can also use the utility to revoke a certificate. To create a certificate revocation list 1. From the BIG-IP system prompt, create a configuration file for the serial or index option. For example: echo -e \ 'default_ca=ca\n[ca]\ndatabase=index.txt\nserial=serial' > bigmirror-ca.config 5 - 18 Managing Local Application Traffic 2. From the BIG-IP system prompt, generate a CRL that expires in thirty days. For example: openssl ca -config bigmirror-ca.config -gencrl -crldays \ 30 -keyfile bigmirror-ca.key -cert bigmirror-ca.crt \ -out bigmirror-ca.crl To revoke a certificate Revoke a client certificate, using the openssl command from the BIG-IP system prompt. For example, to revoke the client certificate auser1.crt: openssl ca -config bigmirror-ca.config -keyfile \ bigmirror-ca.key -cert bigmirror-ca.crt -revoke auser1.crt Note When you are using the CRLDP authentication module, you must ensure that the CRLs are stored in a remote LDAP database, and in ASN.1 DER format (Abstract Syntax Notation.1 Distinguished Encoding Rules). Associating keys and certificates with SSL profiles You can associate a key and a certificate with an SSL profile by using the profile command from the bigpipe shell and specifying the key and certificate file names as arguments. For more information, see the online man page for the profile command. Performing other certificate-related tasks There are a number of other SSL-certificate-related tasks that you can perform, using the OpenSSL utility. You access this utility from the BIG-IP system prompt. To verify a certificate Use this command to verify a certificate: openssl verify -CAfile bigmirror-ca.crt www.test.net.crt To view a CRL Use this command to view a CRL: openssl crl -in bigmirror-ca.crl -text -noout To view certificate information Use this command to view certificate information: openssl x509 -in www.test.net.crt -text -noout BIG-IP® Command Line Interface Guide 5 - 19 Chapter 5 To convert a certificate to PEM format Use this command to convert a certificate from PKCS12 (.P12 or.PFX) format to PEM format: openssl pkcs12 -in auser1.p12 -out auser1.pem To add a password to an RSA key Use this command to add a password to an RSA key: openssl rsa -in auser1.key -out auser1-enc.key -des3 \ -passout pass:secret To strip a password from an RSA key Use this command to strip a password from an RSA key: openssl rsa -in auser1-enc.key -out auser1.key \ -passin pass:secret Configuring remote server authentication You can configure the BIG-IP system to use a remote server for authenticating application traffic. The types of remote servers that you can use to authenticate network traffic are: • CRLDP servers • LDAP servers • RADIUS servers • TACACS+ servers • SSL Client Certificate LDAP servers • SSL OCSP responders You must create an authentication configuration object and an authentication profile for the type of remote server you want to use. For example, to use an LDAP server, you must create an LDAP configuration object and an LDAP authentication profile. You access the bigpipe shell and use the auth ldap command to create an authentication configuration object. You use the profile and virtual commands to create an authentication profile. If the remote server you want to use is a RADIUS server, an SSL OCSP responder, or a CRLDP server, you must create an additional object known as a server object. You access the bigpipe shell and use the ocsp responder or radius server command to create the server object. 5 - 20 Managing Local Application Traffic To configure the BIG-IP system for remote authentication 1. Access the bigpipe shell. 2. Create an authentication configuration object of the appropriate type, using one of the following commands: • auth crldp • auth ldap • auth radius • auth ssl cc ldap • auth ssl ocsp • auth tacacs 3. Create an authentication profile of the same type as the configuration object, using the profile command and specifying the configuration object name as one of the profile settings. 4. If the remote authentication server is an SSL OCSP responder, a RADIUS server, or a CRLDP server, create the appropriate server object. • For an SSL OCSP responder, create an SSL OCSP responder object, using the ocsp responder command. • For a RADIUS server, create a RADIUS server object, using the radius server command. • For a CRLDP server, create a CRLDP server object, using the crldp server command. 5. Associate the authentication profile with a virtual server, using the virtual command. BIG-IP® Command Line Interface Guide 5 - 21 Chapter 5 Implementing persistence You can configure the BIG-IP system to implement both session and connection persistence. Implementing session persistence To implement session persistence for connections passing through a virtual server, access the bigpipe shell and use the profile and virtual commands. You can implement these types of session persistence: • Cookie • Destination Address Affinity • Microsoft Remote Desktop Protocol (MSRDP) • Hash • Session Initiation Protocol (SIP) • Source Address Affinity • SSL • Universal To configure session persistence 1. Access the bigpipe shell. 2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement. 3. Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command. Implementing connection persistence To implement connection persistence, you can add Keep-Alive headers into HTTP /1.0 headers where none exist. (By default, HTTP/1.1 connections include Keep-Alive support.) You can also enable a feature known as connection pooling, which keeps server-side connections open for re-use by other client requests. You enable Keep-Alive support and connection pooling by creating or modifying an HTTP or Fast HTTP profile, as well as a OneConnect® profile. 5 - 22 Managing Local Application Traffic To add Keep-Alive headers into HTTP requests 1. Access the bigpipe shell. 2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a Connection:Keep-Alive header into any HTTP /1.0 request that does not already contain one. 3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command. To enable connection pooling 1. Access the bigpipe shell. 2. Using the profile oneconnect command, configure a profile for connection pooling. 3. Assign the profile to a virtual server, using the profile argument with the virtual command. Tip You can also configure connection persistence settings by configuring a Fast HTTP profile, using the profile fasthttp command at the bigpipe shell prompt. BIG-IP® Command Line Interface Guide 5 - 23 Chapter 5 Enhancing the performance of the BIG-IP system You can enhance the performance of the BIG-IP system by setting Quality of Service (QoS) and Type of Service (ToS) levels on packets, setting idle timeout values, and implementing rate shaping. Setting Link QoS and IP ToS levels on packets You can use the bigpipe utility to set QoS and ToS levels on packets. You can do this not only for all traffic targeted to a load balancing pool, but also for specific types of traffic, such as Layer 4, TCP, and UDP traffic. To set QoS and ToS levels 1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both. • If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to server, ip tos to client, and ip tos to server. • If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile. 2. Verify that the pool or the profile that you created or modified is assigned to a virtual server. To do this, use the following syntax: bp> virtual <virtual server name> list Setting idle timeout values You can use the bigpipe utility to set timeout values for Layer 4, HTTP, TCP, or UDP connections that remain idle. You do this by creating or modifying a Fast L4, Fast HTTP, TCP, or UDP profile. To set idle timeout values 1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command. 2. Specify the idle timeout argument to set a timeout value. 3. Verify that the profile you created or modified is assigned to a virtual server. 5 - 24 Managing Local Application Traffic Implementing rate shaping To implement rate shaping, you must create a rate class, and then assign the rate class to a virtual server or a packet filter rule. To implement rate shaping 1. Access the bigpipe shell. 2. Create one or more rate classes, using the rate class command. 3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command. Managing health and performance monitors You can monitor the health and performance of your BIG-IP system using either pre-configured monitors or custom monitors that you create. Creating custom monitors You can create a custom monitor to monitor the health and performance of a node or of the servers that make up your load balancing pool. To do this, you access the bigpipe shell and use the monitor command. For more information, see the online man page and Appendix A, bigpipe Command Reference. Associating monitors with pools or nodes To associate a monitor with a load balancing pool or a node, you create the pool or node, and then associate a monitor with the pool or node. To associate a monitor with a pool or node 1. Access the bigpipe shell. 2. Do one of the following: • Create a load balancing pool using the pool command. • Create a node using the node command. BIG-IP® Command Line Interface Guide 5 - 25 Chapter 5 3. Do one of the following: • If you created a load balancing pool, configure the pool with the pool monitor all command, specifying the name of the monitor that you want to use to monitor the pool members. Note that you can use this command to assign the same monitor to all pool members; however, the monitor that you assign to a pool member must reside either in the current Write partition, or in partition Common. Alternatively, you can assign different monitors to individual pool members, as long as the monitor you assign to the pool member resides in the current Write partition, or in partition Common. • If you created a node, configure a node with the node monitor command, specifying the name of the monitor that you want to use to monitor the node. 4. If you created a load balancing pool, assign the pool to a virtual server, using the virtual pool command. Monitoring services You can monitor RPC, SMB, and JDBC services from the BIG-IP system prompt. Checking the health of RPC services To check the health of remote procedure call (RCP) services, you can use the industry standard rpcinfo command. Use -t to check tcp mode or -u to check udp mode. rpcinfo -n <port> -t|-u <ipaddr> <program> [<version>] Retrieving a list of SMB services To retrieve a list of services that use the server message block (SMB) protocol, you can use the industry standard smbclient command from the BIG-IP system prompt. Monitoring JDBC connections with a database You can specify the number of times to monitor a JDBC connection with a database from the bigpipe shell using the monitor <monitor name> '{ count "0" }' command. You use the default count of 0, to keep connections forever. You use a count greater than 0, to keep the connection for the specified number of uses, and then close the connection. In the following example, the Oracle monitor is closed after every use. bp> monitor <monitor_key> '{ count "1" }' In the following example, the Oracle monitor is closed after 100 uses. bp> monitor <monitor_key> '{ count "100" }' 5 - 26 Managing Local Application Traffic Configuring a monitor for manual resume To configure the manual resume feature, you access the bigpipe shell and use the monitor command with the manual resume option, changing the value from no (the default value) to yes. To configure the manual resume option For an existing custom monitor, from the bigpipe shell, use the monitor command with the manual resume option, as follows: bp> monitor <custom_monitor_name> manual resume yes Once a pool member or node that was previously down becomes available, you can then manually set the pool member or node to an up state, using the pool or node command. Manually setting pool member or node status After you configure the manual resume option on a monitor, and assign the monitor to a pool member or a node, you can then set the pool member or node status to up whenever that pool member or node becomes available. To manually mark one or all pool members as up From the bigpipe shell, using the following pool command syntax, you can manually mark as up either one pool member, or all members of a pool. Note that you can mark multiple pool members as up only when the pool members reside in the current Write partition, or in partition Common. bp> pool <pool_name> member <member_ip_address> up bp> pool <pool_name> member all up To manually mark one or all nodes as up From the bigpipe shell, using the following node command syntax, you can manually mark as up either one node, or all nodes. Note that you can mark multiple nodes as up only when the nodes reside in the current Write partition, or in partition Common. bp> node <node_ip_address> up bp> node all up Important If a user with permission to manage objects in partition Common disables a monitor that is designated as the default monitor for nodes (such as the icmp monitor), this affects all nodes on the system. Ensure that the default monitor for nodes always resides in partition Common. BIG-IP® Command Line Interface Guide 5 - 27 Chapter 5 Implementing iRules The iRules™ feature is powerful and flexible, and it significantly enhances your ability to customize the BIG-IP system. An iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition_a can contain a pool statement that specifies a pool residing in partition_b. For more information about iRules™, see http://devcentral.f5.com. To implement an iRule Write a script using the industry-standard Tools Command Language (Tcl) and the commands that the BIG-IP system provides as Tcl extensions. 1. Access the bigpipe shell. 2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command. 3. Assign the iRule to a virtual server, using the virtual command in one of the following ways: • To associate multiple iRules™ with a virtual server, use this syntax: bp> virtual <virtual_server_name> rule <iRule1_name> \ <iRule2_name> ... • To remove the assignment of an iRule from a virtual server, use this syntax: bp> virtual <virtual_server_name> rule none • To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common. bp> virtual all rule none • To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common. bp> virtual all rule <iRule_name> Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition. Because this command overwrites all previous iRule assignments, F5 does not recommend use of this command. 5 - 28 A bigpipe Command Reference • Introduction to command syntax • Alphabetical list of commands bigpipe Command Reference Introduction to command syntax This appendix contains the command syntax for specific BIG-IP system commands, and each bigpipe command. Use the BIG-IP system commands at the BIG-IP system prompt. Use the bigpipe commands at the bigpipe shell prompt: bp>. In this appendix, we do not include the corresponding screen prompt. For more information about the bigpipe shell see Using the bigpipe shell, on page 2-2. You can find additional information about command syntax in the online man pages. The BIG-IP product includes a complete set of online man pages for the commands that make up the bigpipe utility. You can access the online man pages for bigpipe commands in one of two ways: • From the BIG-IP system prompt, type man followed by the command name. You must use underscores between the words in the command name. For example: man stp_instance • From the bigpipe shell prompt, use the command name followed by help. Do not use underscores between the words in the command name. For example: auth crldp help Using the keyword, all When using bigpipe commands, you can globally modify or delete objects of a specified type only when all objects of that type reside in a single partition. In other words, it is important to note that when you use the keyword, all, with an object type, the action you are performing applies only to objects of the specified type in the current Write partition. For more information about partitions, see Understanding partitions and user accounts in the BIG-IP® Network and System Management Guide. Identifying command types In the See also sections of this appendix, commands are followed by an industry-standard identifying number. The types that are listed in this appendix include: • User commands, which are identified by (1), for example: arp(1) • System management commands, which are identified by (8), for example: sys-reset(8) BIG-IP® Command Line Interface Guide A-1 Appendix A Basic definitions The following are basic definitions that apply to bigpipe commands. <if name> <ip addr> ::= mgmt | <number> . <number> ::= <IPv4 address> | <IPv6 address> | <node address screen name> | \ <host name> | any | any6 | * <ip mask> ::= <IPv4 netmask> | <IPv6 netmask> | none <mac addr> ::= <six hexadecimal numbers separated by colons> <member> ::= <IPv4 address> : <service> | <IPv6 address> . <service> <name> ::= <letter> <letters, numbers, periods, hyphens, underscores> <network ip> ::= (<ip addr> [mask <ip mask> | (prefixlen | /) <number>] | \ default [inet | inet6]) <number> ::= <digit> ... | <digits> . <digits> (K | M | G) <protocol> ::= <number> | <name> | any | * <service> ::= <number> | <name> | any | * <string> ::= <any set of characters, surrounded by double quotes if includes spaces, braces, or reserved words> Any of these commands may be followed by <name list>. This indicates a list of the specified items, separated by spaces. Alphabetical list of commands The remainder of this appendix lists specific BIG-IP system commands and all of the bigpipe commands. A-2 bigpipe Command Reference arp Manages static and dynamic Address Resolution Protocol (ARP) entries in the routing table. Provides the ability to add static ARP entries to the route table. Also provides the ability to display and delete static and dynamic route mappings between IP addresses and MAC addresses, or a list of IP addresses. Syntax Use this command to create, modify, display, or delete entries in the ARP cache. Create/Modify arp <arp key list> {} arp (<arp key list> | all) [{] <arp arg list> [}] <arp key> := <ip addr> (dynamic | static) <arp arg> ::= (<mac addr> | none) arp edit Display arp (<arp key list> | all) list [all] arp (<arp key list> | all) [show [all]] arp (<arp key list> | all) ip addr [show] arp (<arp key list> | all) mac addr [show] arp (<arp key list> | all) type [show] Delete arp (<arp key list> | all) delete Description You can use the arp command to create static ARP entries for IPv4 addresses to link-layer addresses, such as ethernet MAC addresses. In addition to creating static ARP entries, you can view and delete static and dynamic ARP entries. You can also use the db command to configure how the system handles ARP entries for dynamic timeout, maximum dynamic entries, add reciprocal, and maximum retries. For more information, see db, on page A-57, or the db command online man page. BIG-IP® Command Line Interface Guide A-3 Appendix A Examples Creates an ARP mapping of the IP address 10.10.10.20 to the MAC address 00:0b:09:88:00:9a: arp 10.10.10.20 00:0b:09:88:00:9a Displays all ARP entries for the system: arp show Displays all dynamic ARP entries for the system: arp dynamic show Displays all static ARP entries for the system: arp list Displays the ARP entry for the IP address 10.10.10.20: arp 10.10.10.20 show Deletes the ARP entry for the IP address 10.10.10.20: arp 10.10.10.20 delete Deletes all static ARP entries for the system: arp static delete Deletes all ARP entries for the system: arp all delete Options You can use these options with the arp command: ◆ arp edit Displays in a text editor the running configuration of all objects created using the command arp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. A-4 ◆ dynamic Specifies that the IP address for which you want to create an ARP entry is dynamic. A dynamic IP address is a temporary IP address. ◆ ip addr Specifies the IP address, for which you want to create an ARP entry, in one of four formats: bigpipe Command Reference • IPv4 address in dotted-quad notation, for example, 10.10.10.1 • IPv6 address, for example, 1080::8:800:200C:417A • host name, for example, www.f5.com • node screen name, for example, node1 ◆ ip addr list Specifies a list of IP addresses separated by a single space. For example, this list contains three IP addresses: 10.10.10.20 10.10.10.21 10.10.10.22. ◆ mac addr Specifies a 6-byte ethernet address in not case-sensitive hexadecimal colon notation, for example, 00:0b:09:88:00:9a. You must specify a MAC address when you create an ARP entry. ◆ static Specifies that the IP address for which you want to create an ARP entry is static and does not change. See also db(1), ndp(1), bigpipe(1) BIG-IP® Command Line Interface Guide A-5 Appendix A auth crldp Configures a Certificate Revocation List Distribution Point (CRLDP) configuration object for implementing CRLDP to manage certificate revocation. Syntax Use this command to create, modify, display, or delete a CRLDP configuration object. Create/Modify Important If you are assigned a user user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth crldp <auth crldp key list> {} auth crldp (<auth crldp key list> | all) [{] <auth crldp arg list> [}] <auth crldp key> ::= <name> <auth crldp arg> ::= conn timeout (<number> | immediate | indefinite) servers (<crldp server key list> | none) [add |delete] update interval <number> use issuer (enable | disable) auth crldp edit Display auth crldp [<auth crldp key list> | all] [show [all]] auth crldp [<auth crldp key list> | all] list [all] auth crldp [<auth crldp key list> | all] conn timeout [show] auth crldp [<auth crldp key list> | all] name [show] auth crldp [<auth crldp key list> | all] partition [show] auth crldp [<auth crldp key list> | all] servers [show] auth crldp [<auth crldp key list> | all] update interval [show] auth crldp [<auth crldp key list> | all] use issuer [show] Delete auth crldp (<auth crldp key list> | all) delete A-6 bigpipe Command Reference Description CRLDP authentication is a mechanism for checking certificate revocation status for client connections passing through the BIG-IP system. This module is useful when your authentication data is stored on a remote CRLDP server. You configure a CRLDP authentication module by defining a CRLDP server (using the crldp server command), creating a CRLDP configuration object (using the auth crldp command) and assigning CRLDP servers to the object, creating a CRLDP profile (using the profile auth command) and assigning the CRLDP configuration object to the profile, and assigning the CRLDP profile to a virtual server. Examples Creates a configuration object named my_auth_crldp: auth crldp my_auth_crldp {} Deletes the configuration object named my_auth_crldp: auth crldp my_auth_crldp delete Options You can use these options with the auth crldp command: ◆ auth crldp edit Displays in a text editor the running configuration of all objects created using the command auth crldp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • connection timeout Specifies the number of seconds before the connection times out. The default is 15 seconds. • servers Specifies the CRLDP server that you want to either assign to or remove from the CRLDP configuration object. • update interval Specifies an update interval for CRL distribution points. The update interval for distribution points ensures that CRL status is checked at regular intervals, regardless of the CRL timeout value. This helps to prevent CRL information from becoming outdated before the BIG-IP system checks the status of a certificate. The default is zero, which indicates an internal default value is active. BIG-IP® Command Line Interface Guide A-7 Appendix A • use issuer Indicates whether the CRL distribution point should be extracted from the certificate of the client certificate issuer. The default is disable. See also profile auth(1), bigpipe(1) A-8 bigpipe Command Reference auth ldap Configures an LDAP configuration object for implementing remote LDAP-based client authentication. Syntax Use this command to create, modify, display, or delete an LDAP configuration object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth ldap <auth ldap key list> {} auth ldap (<auth ldap key list> | all) [{] <auth ldap arg list> [}] <auth ldap key list> ::= <name> <auth ldap arg> ::= bind dn (<string> | none) bind pw (<string> | none) bind timeout <number> check host attr (enable | disable) debug (enable | disable) filter (<string> | none) group dn (<string> | none) group member attr (<string> | none) idle timeout <number> ignore authinfo unavail (enable | disable) login attr (<string> | none) scope (base | one | sub) search base dn (<string> | none) search timeout <number> servers (<string list> | none) [add | delete] service (<service> | none) ssl (enable | disable) ssl ca cert file (<string> | none) ssl check peer (enable | disable) BIG-IP® Command Line Interface Guide A-9 Appendix A ssl ciphers (<string> | none) ssl client cert (<string> | none) ssl client key (<string> | none) user template (<string> | none) version <number> warnings (enable | disable) auth ldap edit Display auth ldap [<auth ldap key list> | all] [show [all]] auth ldap [<auth ldap key list> | all] list [all] auth ldap [<auth ldap key list> | all] bind dn [show] auth ldap [<auth ldap key list> | all] bind pw [show] auth ldap [<auth ldap key list> | all] bind timeout [show] auth ldap [<auth ldap key list> | all] check host attr [show] auth ldap [<auth ldap key list> | all] debug [show] auth ldap [<auth ldap key list> | all] filter [show] auth ldap [<auth ldap key list> | all] group dn [show] auth ldap [<auth ldap key list> | all] group member attr [show] auth ldap [<auth ldap key list> | all] idle timeout [show] auth ldap [<auth ldap key list> | all] ignore authinfo unavail [show] auth ldap [<auth ldap key list> | all] login attr [show] auth ldap [<auth ldap key list> | all] name [show] auth ldap [<auth ldap key list> | all] partition [show] auth ldap [<auth ldap key list> | all] scope [show] auth ldap [<auth ldap key list> | all] search base dn [show] auth ldap [<auth ldap key list> | all] search timeout [show] auth ldap [<auth ldap key list> | all] servers [show] auth ldap [<auth ldap key list> | all] service [show] auth ldap [<auth ldap key list> | all] ssl [show] auth ldap [<auth ldap key list> | all] ssl ca cert file [show] auth ldap [<auth ldap key list> | all] ssl check peer [show] auth ldap [<auth ldap key list> | all] ssl ciphers [show] auth ldap [<auth ldap key list> | all] ssl client cert [show] auth ldap [<auth ldap key list> | all] ssl client key [show] auth ldap [<auth ldap key list> | all] user template [show] auth ldap [<auth ldap key list> | all] version [show] auth ldap [<auth ldap key list> | all] warnings [show] Delete auth ldap (<auth ldap key list> | all) delete A - 10 bigpipe Command Reference Description LDAP authentication is a mechanism for authenticating or authorizing client connections passing through the system. LDAP authentication is useful when your authentication or authorization data is stored on a remote LDAP server or a Microsoft® Windows Active Directory server, and you want the client credentials to be based on basic HTTP authentication (that is, user name and password). You configure an LDAP authentication module by creating an LDAP configuration object, creating an LDAP profile, and assigning the profile and a default iRule to the virtual server. Examples Creates a configuration object named my_auth_ldap: auth ldap my_auth_ldap Deletes the configuration object named my_auth_ldap: auth ldap my_auth_ldap delete Options You can use these options with the auth ldap command: • auth ldap edit Displays in a text editor the running configuration of all objects created using the command auth ldap. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • bind dn Specifies the distinguished name of an account to which to bind, in order to perform searches. This search account is a read-only account used to do searches. The admin account can be used as the search account. If no admin DN is specified, then no bind is attempted. This setting is only required when a site does not allow anonymous searches. If the remote server is a Microsoft Windows Active Directory server, the distinguished name must be in the form of an email address. Possible values are a user-specified string, and none. • bind pw Specifies the password for the search account created on the LDAP server. This setting is required if you use a bind DN. Possible values are a user-specified string, and none. BIG-IP® Command Line Interface Guide A - 11 Appendix A • bind timeout Specifies a bind timeout limit, in seconds. The default is 30 seconds. • check host attr Confirms the password for the bind distinguished name. This setting is optional. The default is disable. • debug Enables or disables syslog-ng debugging information at LOG DEBUG level. Not recommended for normal use. The default is disable. • filter Specifies a filter. This setting is used for authorizing client traffic. Possible values are a user-specified string, and none. • group dn Specifies the group distinguished name. This setting is used for authorizing client traffic. Possible values are a user-specified string, and none. • group member attr Specifies a group member attribute. This setting is used for authorizing client traffic. Possible values are a user-specified string, and none. • idle timeout Specifies the idle timeout, in seconds, for connections. The default is 3600 seconds. • ignore authinfo unavail Ignores the authentication information if it is not available. The default is disable. • login attr Specifies a logon attribute. Normally, the value for this setting is uid; however, if the server is a Microsoft Windows Active Directory server, the value must be the account name SAMACCOUNTNAME (not case-sensitive). Possible values are a user-specified string, and none. • scope Specifies the scope. Possible values are: base, one, and sub. The default is sub. • search base dn Specifies the search base distinguished name. You must specify a search base distinguished name when you create an LDAP configuration object. • search timeout Specifies the search timeout, in seconds. The default is 30 seconds. • servers Specifies the LDAP servers that the system must use to obtain authentication information. You must specify a server when you create an LDAP configuration object. • service Specifies the port number for the LDAP service. Port 389 is typically used for non-SSL and port 636 is used for an SSL-enabled LDAP service. A - 12 bigpipe Command Reference • ssl Enables or disables SSL. The default is disable. Note that when you use the command line interface to enable SSL for an LDAP service, the system does not change the service port number from 389 to 636, as is required. To change the port number from the command line, use the service option of this command (see above), for example, auth ldap <name> ssl enable service 636. • ssl ca cert file Specifies the name of an SSL CA certificate. Possible values are: none and specify full path. • ssl check peer Checks an SSL peer. The default is disable. • ssl ciphers Specifies SSL ciphers. Possible values are a user-specified string, and none. • ssl client cert Specifies the name of an SSL client certificate. Possible values are a user-specified string, and none. • ssl client key Specifies the name of an SSL client key. Possible values are a user-specified string, and none. • version Specifies the version number of the LDAP application. The default value is 3. • warnings Enables or disables warning messages. The default is enable. See also profile auth(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 13 Appendix A auth radius Configures a RADIUS configuration object for implementing remote RADIUS-based client authentication. Syntax Use this command to create, modify, display, or delete a RADIUS authentication configuration object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth radius <auth radius key list> {} auth radius (<auth radius key list> | all) [{] <auth radius arg list> [}] <auth radius key> ::= <name> <auth radius arg> ::= accounting bug (enable | disable) client (<string> | none) debug (enable | disable) retries <number> servers (<radius server key list> | none) [add | delete] auth radius edit Display auth radius [<auth radius key list> | all] [show [all]] auth radius [<auth radius key list> | all] list [all] auth radius [<auth radius key list> | all] accounting bug [show] auth radius [<auth radius key list> | all] client [show] auth radius [<auth radius key list> | all] debug [show] auth radius [<auth radius key list> | all] name [show] auth radius [<auth radius key list> | all] partition [show] auth radius [<auth radius key list> | all] retries [show] auth radius [<auth radius key list> | all] servers [show] A - 14 bigpipe Command Reference Delete auth radius (<auth radius key list> | all) delete Description By creating a RADIUS configuration object, a RADIUS profile, and one or more RADIUS server objects, you can implement the RADIUS authentication module as the mechanism for authenticating client connections passing through the traffic management system. You use this module when your authentication data is stored on a remote RADIUS server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password). You can use this configuration object in conjunction with a RADIUS profile and a RADIUS server object. To use these commands, you must first create a RADIUS server object using the radius command. Examples Creates a RADIUS configuration object named my_auth_radius: auth radius my_auth_radius {} Displays all auth radius configuration objects: auth radius all Deletes the auth radius configuration object named my_auth_radius: auth radius my_auth_radius delete Options You can use these options with the command auth radius: • accounting bug Enables or disables validation of the accounting response vector. This option should be necessary only on older servers. The default is disable. • auth radius edit Displays in a text editor the running configuration of all objects created using the command auth radius. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. BIG-IP® Command Line Interface Guide A - 15 Appendix A • client Sends a NAS-Identifier RADIUS attribute with string bar. If you do not specify a value for the Client ID setting, the system uses the pluggable authentication module (PAM) service type. You can disable this feature by specifying a blank client ID. Possible values are a user-specified string and none. • debug Enables or disables syslog-ng debugging information at LOG DEBUG level. Not recommended for normal use. The default is disable. • retries Specifies the number of authentication retries that the BIG-IP local traffic management system allows before authentication fails. The default value is 3. • servers Lists the IP addresses of the RADIUS servers that the BIG-IP local traffic management system uses to obtain authentication data. Note that for each server listed, you must create a corresponding RADIUS server object. A RADIUS server object specifies the server name, port number, RADIUS secret, and timeout value. Possible values are a user-specified list of IP addresses and none. See also profile auth(1), radius(1), bigpipe(1) A - 16 bigpipe Command Reference auth ssl cc ldap Configures an SSL client certificate configuration object for remote SSL-based LDAP authorization. Syntax Use this command to create, modify, display, or delete an SSL certificate-based LDAP configuration object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth ssl cc ldap <auth ssl cc ldap key list> {} auth ssl cc ldap (<auth ssl cc ldap key list> | all) [{] <auth ssl cc ldap arg list> [}] <auth ssl cc ldap key> ::= <name> <auth ssl cc ldap arg> ::= admin dn (<string> | none) admin pw (<string> | none) cache size <number> cache timeout (<number> | immediate | indefinite) certmap base (<string> | none) certmap key (<string> | none) certmap use serial (enable | disable) group base (<string> | none) group key (<string> | none) group member key (<string> | none) role key (<string> | none) search (user | certmap | cert) secure (enable | disable) servers (<string list> | none) [add | delete] user base (<string> | none) user class (<string> | none) user key (<string> | none) BIG-IP® Command Line Interface Guide A - 17 Appendix A valid groups (<string list> | none) [add | delete] valid roles (<string list> | none) [add | delete] auth ssl cc ldap edit Display auth ssl cc ldap [<auth ssl cc ldap key list> | all] [show [all]] auth ssl cc ldap [<auth ssl cc ldap key list> | all] list [all] auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin dn [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin pw [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache size [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache timeout [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap base [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap key [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap use serial [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] group base [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] group key [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] group member key [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] name [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] partition [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] role key [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] search [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] secure [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] servers [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] user base [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] user class [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] user key [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid groups [show] auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid roles [show] Delete auth ssl cc ldap (<auth ssl cc ldap key list> | all) delete Description You can use the auth ssl cc ldap command to configure SSL client certificate-based remote LDAP authorization for client traffic passing through the traffic management system. Options You can use these options with the auth ssl c ldap command: ◆ A - 18 admin dn Specifies the distinguished name of an account to which to bind, in order to perform searches. This search account is a read-only account used to bigpipe Command Reference do searches. The admin account can also be used as the search account. If no admin DN is specified, then no bind is attempted. This parameter is required only when an LDAP database does not allow anonymous searches. Possible values are a user-specified string, and none. ◆ admin pw Specifies the password for the admin account. See the admin dn option above. Possible values are a user-specified string, and none. ◆ auth ssl cc ldap edit Displays in a text editor the running configuration of all objects created using the command auth ssl cc ldap. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ cache size <number> Specifies the maximum size, in bytes, allowed for the SSL session cache. Setting this value to 0 disallows SSL session caching. The default value is 20000 bytes (that is 20KB). ◆ cache timeout <number> | immediate | indefinite Specifies the number of usable lifetime seconds of negotiable SSL session IDs. When this time expires, a client must negotiate a new session. Allowed values are: <number>, immediate, and indefinite. The default value is 300 seconds. ◆ certmap base Specifies the search base for the subtree used by the certmap search method. A typical search base is: ou=people,dc=company,dc=com. Possible values are a user-specified string, and none. ◆ certmap key Specifies the name of the certificate map found in the LDAP database. Used by the certmap search method. Possible values are a user-specified string, and none. ◆ certmap use serial Enables or disables the use of the client certificate's subject or serial number (in conjunction with the certificate's issuer) when trying to match an entry in the certificate map subtree. A setting of enable uses the serial number. A setting of disable uses the subject. The default is disable. ◆ group base Specifies the search base for the subtree used by group searches. This parameter is only used when specifying the valid groups option. The typical search base is similar to: ou=groups,dc=company,dc=com. Possible values are a user-specified string, and none. BIG-IP® Command Line Interface Guide A - 19 Appendix A ◆ group key Specifies the name of the attribute in the LDAP database that specifies the group name in the group subtree. An example of a typical key is cn (common name for the group). Possible values are a user-specified string, and none. ◆ group member key Specifies the name of the attribute in the LDAP database that specifies members (DNs) of a group. A typical key would be member. Possible values are a user-specified string, and none. ◆ role key Specifies the name of the attribute in the LDAP database that specifies a user's authorization roles. This key is used only with the valid roles option. A typical role key might be authorizationRole. Possible values are a user-specified string, and none. ◆ search Specifies the type of LDAP search that is performed based on the client's certificate. Possible values are: • user: Searches for a user based on the common name found in the certificate. • cert: Searches for the exact certificate. • certmap: Searches for a user by matching the certificate issuer and the certificate serial number or certificate. The default is user. A - 20 ◆ secure Enables or disables an attempt to use secure LDAP (LDAP over SSL). The alternative to using secure LDAP is to use insecure (clear text) LDAP. Secure LDAP is a consideration when the connection between the BIG-IP system and the LDAP server cannot be trusted. The default is disable. ◆ servers Specifies a list of LDAP servers you want to search. Possible values are a user-specified list of servers, and none. You must specify a server when you create an SSL client certificate configuration object. ◆ user base Specifies the search base for the subtree used by the user and cert search methods. A typical search base is: ou=people,dc=company,dc=com. Possible values are a user-specified string, and none. You must specify a user base when you create an SSL client certificate configuration object. ◆ user class Specifies the object class in the LDAP database to which the user must belong in order to be authenticated. ◆ user key Specifies the key that denotes a user ID in the LDAP database (for example, the common key for the user setting is uid). Possible values are a user-specified string, and none. You must always specify a user key when you create an SSL client certificate configuration object. bigpipe Command Reference ◆ valid groups Specifies a space-delimited list specifying the names of groups that the client must belong to in order to be authorized (matches against the group key in the group subtree). The client needs to be a member of only one of the groups in the list. Possible values are a user-specified string, or none. ◆ valid roles Specifies a space-delimited list specifying the valid roles that clients must have in order to be authorized. Possible values are a user-specified string, and none. See also profile auth(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 21 Appendix A auth ssl ocsp Configures an OCSP configuration object for implementing remote OCSP-based client authentication. Syntax Use this command to create, display, modify, or delete an OCSP configuration object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth ssl ocsp <auth ssl ocsp key list> {} auth ssl ocsp (<auth ssl ocsp key list> | all) [{] <auth ssl ocsp arg list> [}] <auth ssl ocsp key> ::= <name> <auth ssl ocsp arg> ::= responders (<ocsp responder key list> | none) [add | delete] auth ssl ocsp edit Display auth ssl ocsp [<auth ssl ocsp key list> | all] [show] auth ssl ocsp [<auth ssl ocsp key list> | all] list [all] auth ssl ocsp [<auth ssl ocsp key list> | all] name [show] auth ssl ocsp [<auth ssl ocsp key list> | all] partition [show] auth ssl ocsp [<auth ssl ocsp key list> | all] responders [show] Delete auth ssl ocsp (<auth ssl ocsp key list> | all) delete A - 22 bigpipe Command Reference Description Online Certificate Status Protocol (OCSP) is an industry-standard protocol that offers an alternative to a certificate revocation list (CRL) when using public-key technology. A CRL is a list of revoked client certificates, which a server system can check during the process of verifying a client certificate. To use these commands, you must first create an OCSP responder object using the ocsp responder command. Options You can use the following options with the auth ssl ocsp command: ◆ auth ssl ocsp edit Displays in a text editor the running configuration of all objects created using the command auth ssl ocsp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the auth ssl ocsp object resides. • responders Specifies a list of OCSP responders that you configured using the ocsp responder command. See also profile auth(1), ocsp responder(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 23 Appendix A auth tacacs Configure a TACACS+ configuration object for implementing remote TACACS+-based client authentication. Syntax Use this command to create, modify, display, or delete a TACACS+ configuration object. Create/ Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. auth tacacs <auth tacacs key list> {} auth tacacs (<auth tacacs key list> | all) [{] <auth tacacs arg list> [}] <auth tacacs key> ::= <name> <auth tacacs arg> ::= acct all (enable | disable) debug (enable | disable) encrypt (enable | disable) first hit (enable | disable) protocol (<string> | none) secret (<string> | none) servers (<string list> | none) [add | delete] service (<string> | none) auth tacacs edit Display auth tacacs [<auth tacacs key list> | all] [show [all]] auth tacacs [<auth tacacs key list> | all] list [all] auth tacacs [<auth tacacs key list> | all] acct all [show] auth tacacs [<auth tacacs key list> | all] debug [show] auth tacacs [<auth tacacs key list> | all] encrypt [show] auth tacacs [<auth tacacs key list> | all] first hit [show] auth tacacs [<auth tacacs key list> | all] name [show] auth tacacs [<auth tacacs key list> | all] partition [show] A - 24 bigpipe Command Reference auth tacacs [<auth tacacs key list> | all] protocol [show] auth tacacs [<auth tacacs key list> | all] secret [show] auth tacacs [<auth tacacs key list> | all] servers [show] auth tacacs [<auth tacacs key list> | all] service [show] Delete auth tacacs (<name list> | all) delete Description Using a TACACS+ configuration object and profile, you can implement the TACACS+ authentication module as the mechanism for authenticating client connections passing through the BIG-IP local traffic management system. You use this module when your authentication data is stored on a remote TACACS+ server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password). You configure a TACACS+ authentication module by creating a TACACS+ configuration object, creating a TACACS+ profile, and assigning the profile to a virtual server. Examples Enables encryption for TACACS+ packets: auth tacacs encrypt Provides the ability to send accounting start and stop packets to all servers: auth tacacs myauth2 myauth3 acct all enable Options You can use these options with the auth tacacs command: ◆ acct all If multiple TACACS+ servers are defined and pluggable authentication module (PAM) session accounting is enabled, sends accounting start and stop packets to the first available server or to all servers. Possible values are: • enable: Sends to first available server. • disable: Sends to all servers. The default is disable. ◆ auth tacacs edit Displays in a text editor the running configuration of all objects created using the command auth tacacs. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. BIG-IP® Command Line Interface Guide A - 25 Appendix A When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ debug Enables syslog-ng debugging information at LOG DEBUG level. Not recommended for normal use. The default is disable. ◆ encrypt Enables or disables encryption of TACACS+ packets. Recommended for normal use. The default is enable. ◆ first hit Confirms the secret key supplied for the Secret setting. This setting is required. The default is disable. ◆ partition Displays the partition within which the auth tacacs object resides. ◆ protocol Specifies the protocol associated with the value specified in the service option, which is a subset of the associated service being used for client authorization or system accounting. ◆ secret Sets the secret key used to encrypt and decrypt packets sent or received from the server. This setting is required. Possible values are a user-specified string and none. ◆ servers Specifies a host name or IP address for the TACACS+ server. This setting is required. Possible values are a user-specified string, and none. You must specify a server when you create a TACACS+ configuration object. ◆ service Specifies the name of the service that the user is requesting to be authenticated to use. Identifying the service enables the TACACS+ server to behave differently for different types of authentication requests. This setting is required. See also profile auth(1), profile http(1), bigpipe(1), shell(1) A - 26 bigpipe Command Reference bigpipe shell When typed at the BIG-IP system prompt, starts the bigpipe utility in its shell mode, and configures the shell. Modify bigpipe shell bigpipe shell [{] <shell arg list> [}] <shell arg> ::= partition <partition key> prompt <string> read partition (<partition key> | all) write partition <partition key> Display bigpipe shell prompt [show] bigpipe shell read partition [show] bigpipe shell write partition [show] Description When typed at the BIG-IP system prompt, the bigpipe shell command starts the bigpipe utility in its shell mode and presents a prompt at which you can type bigpipe commands. You can also use the bigpipe shell command from the BIG-IP system prompt to configure the shell. Examples From the BIG-IP system prompt, starts the bigpipe utility in its shell mode and presents a prompt at which you can type bigpipe commands: bigpipe shell Customizes the bigpipe shell prompt to display as F5: bigpipe shell prompt F5 For users with access to all partitions, changes the partition to which you have Write access to partition application1: bigpipe shell write partition application1 For users with access to all partitions, changes the partition to which you have Read and Write access to partition application2: bigpipe shell partition application2 BIG-IP® Command Line Interface Guide A - 27 Appendix A Options You can use these options with the bigpipe shell command: • partition Changes the partition to which you have Read and Write access to the partition you specify. This option is only available to users with access to all partitions. • prompt Specifies a string to use for the bigpipe shell prompt. The default prompt is bp>. • read partition Changes the partition to which you have Read access to the partition you specify. This option is only available to users with access to all partitions. • write partition Changes the partition to which you have Write access to the partition you specify. This option is only available to users with access to all partitions. See also partition(1), bigpipe(1) A - 28 bigpipe Command Reference class Creates, modifies, displays, or deletes classes. Syntax Use this command to configure classes. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. class <class key list> {} class (<class key list> | all) [{] <class arg list> [}] <class key list> ::= <name> <class arg list> ::= filename (<file name> | none) mode (read | rw) type (ip | string | value) (<IP class item list> | none) [add | delete] (<number list> | none) [add | delete] (<string list> | none) [add | delete] <IP class item> ::= host <ip addr> | network <ip addr> class edit Display class [<class key list> | all] [show [all]] class [<class key list> | all] list [all] class [<class key list> | all] filename [show] class [<class key list> | all] ip [show] class [<class key list> | all] mode [show] class [<class key list> | all] name [show] class [<class key list> | all] partition [show] class [<class key list> | all] string [show] class [<class key list> | all] type [show] class [<class key list> | all] value [show] BIG-IP® Command Line Interface Guide A - 29 Appendix A Delete class [<class key list> | all] delete Description Classes are lists of data that you define and use with iRules™ operators. The system includes a number of predefined lists that you can use. They are: • AOL Network • Image Extensions • Private class IP addresses The above lists are located in the file /config/profile_base.conf. The load command loads these lists; however, unless the lists are modified, the load command does not save the lists to the bigip.conf file. Classes are either internal or external. Internal classes are stored in the bigip.conf file. External classes are stored in external files that you define. Note that external classes can be very large, which is one reason why these classes are saved to external files. For example, a phone company may store a list of thousands of phone numbers in an external class. Internal classes can be one of three types of lists, an ip class item list, a string list, or a number list. Strings must be surrounded by quotation marks. Numbers can be either positive or negative. External classes are lists that specify: • A file name where the list is saved • The type, indicated by a list of ip addresses, strings, or values • A permission mode that defines access to the class as either read or rw (Read/Write) You can update the external class file by issuing the list or save commands. Note When you use the bigpipe class command at the BIG-IP system prompt, you must use escape characters around the strings in the syntax to stop the operating system from interpreting the string literally. Examples Creates an internal class named MyNewClass that contains a single IP address: class MyNewClass host 10.0.0.0 Creates an internal class named MyNewClass2 that contains a list of three network addresses: 192.1.1.0/24, 192.2.1.1, and 10.0.0.5/24: class MyNewClass2 network 192.1.1.0 mask 255.255.255.0 host 192.2.1.1 network 10.0.0.5/24 A - 30 bigpipe Command Reference Creates an internal class named AnotherNewClass that contains a list of four values: class AnotherNewClass 111 222 333 444 Modifies the internal class named AnotherNewClass by adding the value 555: class AnotherNewClass 555 add Creates an internal class named ThirdNewClass that contains a list of strings: class ThirdNewClass "aaaa" "bbbb" "cccccc" "dd" Modifies the internal class named ThirdNewClass by deleting the member aaaa from the list of strings: class ThirdNewClass "aaaa" delete Creates an external class named MyExternalClass that contains IP addresses that are stored in the MyOtherNewClass.cls file. The external class has Read and Write permissions assigned to it: class MyExternalClass type ip filename MyOtherNewClass.cls mode rw Displays the file name where the class list information is stored: class MyExternalClass filename show Options You can use these options with the class command: ◆ class edit Displays in a text editor the running configuration of all objects created using the command class. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ filename Specifies the path and file name that contains the list of data defined by the external class. ◆ mode (read | rw) Specifies a permission mode for the external class. Valid values are read and rw (read/write). ◆ name Specifies a unique string identifying the class. ◆ partition Displays the partition within which the internal or external class resides. BIG-IP® Command Line Interface Guide A - 31 Appendix A ◆ type (ip | string | value) Specifies the type of data you want to add to, modify, display, or delete from an external class. This setting is required for external classes. Specify the type by including a list of strings, values, or IP addresses. Strings must be surrounded by quotation marks. Values (numbers) can be either positive or negative. IP addresses can be in any of the following four formats: • network <ip addr> mask < ip mask> • network <ip addr> prefixlen <number> • network <ip addr> / <number> • host <ip addr> ◆ <IP class item list>, <string list>, <number list> Specifies the data you want to add to, modify, display, or delete from an internal class. This setting is required for internal classes. Strings must be surrounded by quotation marks. Numbers can be either positive or negative. See also rule(1), bigpipe(1) A - 32 bigpipe Command Reference cli Configures the bigpipe shell. Syntax Use this command to configure the bigpipe shell. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. cli [{] <cli arg list> [}] <cli arg> ::= audit (enable | disable | verbose | all) hostname lookup (enable | disable) import save <number> ip addr (name | number) service (name | number) cli edit Display cli [show [all]] cli list [all] cli audit [show] cli hostname lookup [show] cli import save [show] cli ip addr [show] cli partition [show] cli service [show] Description This command provides the ability to configure the bigpipe shell to meet your specific needs. BIG-IP® Command Line Interface Guide A - 33 Appendix A Examples Sets the audit level of the bigpipe shell to enable: cli audit enable Configures the bigpipe shell to store three backup single configuration files (config/backup.scf, /config/backup-1.scf, and /config/backup-2.scf), and to display IP addresses and services by number, for example, 192.168.10.20:80: cli import 3 ip addr number service number Options You can use these options with the cli command: ◆ audit Specifies the global audit level of the bigpipe shell. The audited commands are stored in /var/log/audit. The audit levels are: • disable The bigpipe utility does not log any commands entered by users. This is the default value. • enable The bigpipe utility audits all commands entered by users, including the commands that the merge command runs. This does not include the commands that the load and import commands run. • verbose The bigpipe utility audits all commands entered by users, including the commands that the merge command runs. The bigpipe shell also audits the commands that the load and import commands run, except for those included in the system configuration files: config_base.conf, base_monitors.conf, profile_base.conf, and daemon.conf. • all The bigpipe utility audits all the commands that are run from all sources. ◆ cli edit Displays in a text editor the running configuration of all objects created using the command cli. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only cli { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. A - 34 bigpipe Command Reference ◆ hostname lookup When enabled, specifies that the bigpipe shell accepts host names in place of IP addresses in the syntax of bigpipe commands. The default is disable. ◆ import Specifies the number of backup single configuration files that the system stores. Each time you run the import command, the bigpipe shell saves the single configuration file. For example, if you set the import parameter to 3, after you run the import command for the third time, you see three files on your system: • /config/backup.scf • /config/backup-1.scf • /config/backup-2.scf The newest backup file is /config/backup.scf. By default, the system saves only two backup single configuration files. ◆ ip addr Specifies the format with which the bigpipe shell displays an IP address. Possible values are: • name The bigpipe shell displays an IP address using a host name, for example, www.myhostname.com. This is the default value. • number The bigpipe shell displays an IP address using a numeric address, for example, 192.168.10.20. ◆ partition Displays the partition within which the object resides. ◆ service Specifies the format in which the bigpipe shell displays a service. Possible values are: • name The bigpipe shell displays a service using a host name, for example, HTTP. • number The bigpipe shell displays a service using a numeric value, for example, 192.168.10.20:80, where 80 indicates HTTP. This is the default value. See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 35 Appendix A config Manages the BIG-IP system user configuration sets. Syntax Use this command to manage or display configuration data. Modify config show <file.ucs> config [support] save <file.ucs> [passphrase [<string>]] config install [all] <file.ucs> [passphrase [<string>]] config sync min config sync pull config sync [all] config check [all] Display config sync show Description The config command manages user configuration sets. A user configuration set (UCS) is the set of all configuration files that a user may edit to configure a BIG-IP system. A *.ucs file is an archive that contains all the configuration files in a UCS. The config command allows you to save the BIG-IP system configuration to a *.ucs file, install the configuration from a *.ucs file, or synchronize the configuration with the other BIG-IP system in a redundant pair. Examples Saves <file.ucs>, overwriting all configuration files, including /config/bigip.conf: config [support] save <file.ucs> [passphrase [<string>]] Unpacks and installs myconfiguration.ucs, overwriting all configuration files, including /config/bigip.conf: config install myconfiguration.ucs> Displays the status of the configuration synchronization system and the date and time the last configuration change was made: config sync show A - 36 bigpipe Command Reference Unpacks and installs <file.ucs>, overwriting all configuration files, including /config/bigip.conf: config install <file.ucs> Copies a UCS file, without the license file, from one system to another: config install all <file.ucs> [passphrase [<string>]] [excludes <file.ucs>] Note that when copying the *.ucs file, using the above command, the system: • Checks to see whether a license file exists and if so, checks whether the file is valid. If no license file exists or the license file is not valid, the bigpipe utility exits. • Sets the system host name according to the host name in the UCS file. • Saves the running configuration to the location /var/local/ucs/cs_backup.ucs. • Installs the configuration from the UCS file onto the system, excluding the license file. Saves the currently running configuration to /config/bigip.conf. Copies /config/bigip.conf to the other BIG-IP system in a redundant pair, and loads /config/bigip.conf on the other BIG-IP system: config sync min Creates a temporary UCS file and transfers it to the other BIG-IP system. Installs the UCS file on the other BIG-IP system: config sync all Runs a syntax check on the configuration files in the configuration synchronization system: config check all Use the following command to pull the configuration from the peer device and install it on the local device. This command saves the UCS file on the remote peer, then transfers the UCS file to the local system, and installs it on the local system. This command provides the ability to synchronize the configuration from the local device without having to log on to the peer device to push the configuration back: config sync pull Use the following command to configure a BIG-IP system using the UCS file of another BIG-IP system. To do this, copy the *.ucs file from a BIG-IP system, save it to the BIG-IP system that you want to configure, and then run the following command on the system that you want to configure. config install [all] file_name.ucs passphrase mypassword Options You can use these options with the config command: • install Installs the specified UCS file, overwriting the existing UCS file. BIG-IP® Command Line Interface Guide A - 37 Appendix A • save Saves the password protected configuration file that has a .ucs file extension. • sync Saves the running configuration and copies it to the other unit in the redundant system. Note that the configsync command allows you to set the parameters for the task of running the configuration synchronization. For more information, see configsync, on page A-39. • <file.ucs> Specifies the name of a UCS file that you want to install or save. See also bigpipe(1), configsync(1) A - 38 bigpipe Command Reference configsync Specifies the parameters for the task of synchronizing the configurations of two BIG-IP units in a redundant system. Syntax Use this command to set up the environment for a configuration synchronization of two BIG-IP units in a redundant system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. configsync [{] <configsync arg list> [}] <configsync arg> ::= auto detect (enable | disable) custom peer addr (<ip addr> | none) encrypt (enable | disable) passphrase (crypt <string> | none | string | none) password (crypt <string> | none | string | none) peer update interval <number> time diff <number> user (<string> | none) configsync edit Display configsync [show [all]] configsync list [all] configsync auto detect [show] configsync custom peer addr [show] configsync encrypt [show] configsync partition [show] configsync passphrase [show] configsync password [show] configsync peer update interval [show] configsync time diff [show] configsync user [show] BIG-IP® Command Line Interface Guide A - 39 Appendix A Description You can use the configsync command to set up a the parameters for the task of synchronizing the configuration of two BIG-IP units in a redundant system. Examples Indicates that when a user with the user name admin attempts to perform a configuration synchronization between two BIG-IP systems, she will have to enter the password, 15GmA*4. configsync encrypt enable password 15GmA*4 user admin Options You can use these options with the configsync command: • auto detect Enables or disables the automatic detection of a difference in the configurations of two systems in a redundant pair. The default value is disable. • configsync edit Displays in a text editor the running configuration of all objects created using the command configsync. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only configsync { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • custom peer addr Specifies the IP address of the other BIG-IP system in a redundant pair. This is the IP address of the system to which you want to synchronize the configuration. The default value is the value of the statemirror peer addr field. • encrypt Enables or disables the encryption of the configuration synchronization action. When enabled, the system automatically requests a password when a user attempts to synchronize the configurations of two BIG-IP systems in a redundant pair. The default value is disable. • partition Displays the partition within which the configsync object resides. • passphrase When the encrypt parameter is enabled, specifies the passphrase that you must enter during a configuration synchronization of two systems in a redundant pair in order to decrypt any encrypted data. The system A - 40 bigpipe Command Reference prompts you to enter this passphrase twice. Once to create the UCS file on one unit of a redundant system, and a second time to unpack and install that UCS file on the peer unit. • password Specifies the password that is required to perform the configuration synchronization of two BIG-IP systems. By default, this value is the password for the admin user account. • peer update interval When auto detect is enabled, specifies how often the system monitors the configuration of the two units in a redundant system. The default value is 30 seconds. • time diff Specifies the maximum number of seconds of difference there can be in the time settings of the units in a redundant system before a configuration synchronization occurs. The default time difference is 600 seconds. • user Specifies the name of the user account that has the necessary permissions to run the configsync command. You must specify an existing local user account. The default is admin. It is important to note that if you change this option, F5 recommends that you also change the password option. See also bigpipe(1), config(1) BIG-IP® Command Line Interface Guide A - 41 Appendix A conn Sets idle timeout for, displays, and deletes active connections on the BIG-IP system. Syntax Use this command to set the idle timeout for, display, or delete active connections on the BIG-IP system. Create/Modify conn (<conn key list> | all) [{] <conn arg list> [}] <conn key> ::= [client (<ip addr> | <member>)] [server (<ip addr> | <member>)] \ [(any | mirror | local)] [protocol <protocol>] [age <number>] <conn arg> ::= idle timeout <number> Display conn (<conn key list> | all) [show [all]] conn (<conn key list> | all) age [show] conn (<conn key list> | all) client [show] conn (<conn key list> | all) idle timeout [show] conn (<conn key list> | all) protocol [show] conn (<conn key list> | all) server [show] Delete conn (<conn key list> | all) delete Description The conn command displays the current connections on the BIG-IP system, sets the idle timeout for a connection, or deletes the connection. You can specify the <protocol> value using either a number or a name (http, or 80). If you do not specify a port or service, the system deletes all connections with the client-side source that match just the IP address. If you do not specify an IP address, the system deletes all connections including mirrored connections. Examples Shows basic connection information for all connections: conn all show A - 42 bigpipe Command Reference Shows verbose connection information for all connections: conn all show all Shows idle timeout connection information for all connections: conn all idle timeout show Options You can use this option with the conn command: • <protocol> Specifies a port or service. See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 43 Appendix A crldp server Creates a Certificate Revocation List Distribution Point (CRDLP) server object for implementing a CRLDP authentication module. Syntax Use this command to create, modify, display, or delete a CRLDP server object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. crldp server <crldp server key list> {} crldp server (<crldp server key list> | all) [{] <crldp server arg list> [}] <crldp server key> ::= <name> <crldp server arg> ::= server (<string> | none) service (<service> | none) base dn (<string> | none) reverse dn (enable | disable) crldp server edit Display crldp server [<crldp server key list> | all] [show [all]] crldp server [<crldp server key list> | all] list [all] crldp server [<crldp server key list> | all] name [show] crldp server [<crldp server key list> | all] partition [show] crldp server [<crldp server key list> | all] server [show] crldp server [<crldp server key list> | all] service [show] crldp server [<crldp server key list> | all] base dn [show] crldp server [<crldp server key list> | all] reverse dn [show] Delete crldp server (<crldp server key list> | all) delete A - 44 bigpipe Command Reference Description CRLDP authentication is a mechanism for checking certificate revocation status for client connections passing through the BIG-IP system. This module is useful when your authentication data is stored on a remote CRLDP server. You configure a CRLDP authentication module by defining a CRLDP server (using the crldp server command), creating a CRLDP configuration object (using the auth crldp command), creating a CRLDP profile (using the profile auth command), and assigning the profile to the virtual server. Examples Creates a CRLDP server named my_crldp_server: crldp server my_auth_crldp {} Deletes the CRLDP server named my_crldp_server: crldp server my_crldp_server delete Options You can use these options with the crldp server command: • base dn Specifies the LDAP base directory name for certificates that specify the CRL distribution point in directory name (dirName) format. Used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, the BIG-IP system attempts to match the value of the crlDistributionPoints attribute to the base dn value. An example of a base dn value is cn=lxxx,dc=f5,dc=com. • crldp server edit Displays in a text editor the running configuration of all objects created using the command crldp server. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the crldp server object resides. • reverse dn Specifies in which order the system is to attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. When enabled, the system matches the base DN from left to right, or from the BIG-IP® Command Line Interface Guide A - 45 Appendix A beginning of the DN string, to accommodate dirName strings in certificates such as C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The default value is disable. • server Specifies an IP address for the CRLDP server. This setting is required. • service Specifies the port for CRLDP authentication traffic. The default service is 389. See also auth crldp(1), profile auth(1), bigpipe(1) A - 46 bigpipe Command Reference daemon Tunes the high availability functionality that is built into daemons. Syntax Use this command to modify or display daemons. Modify daemon <daemon key list> {} daemon (<daemon key list> | all) [{] <daemon arg list> [}] <daemon key> ::= <name> <daemon arg> ::= (enable | disable) heartbeat monitor (enable | disable) heartbeat monitor (reboot | restart | failover | failover restart | go active | \ no action | restart all |failover restart tm) heartbeat monitor redundant (reboot | restart | failover | failover restart | \ go active | no action | restart all | failover restart tm) heartbeat monitor stand alone (reboot | restart | failover | failover restart | \ go active | no action | restart all | failover restart tm) proc not run action (reboot | restart | failover | failover restart | go active | \ no action | restart all | failover restart tm) running (enable | disable) running timeout <number> daemon edit Display daemon [<daemon key list> | all] [show [all]] daemon [<daemon key list> | all] list [all] daemon [<daemon key list> | all] heartbeat monitor [show] daemon [<daemon key list> | all] heartbeat monitor redundant [show] daemon [<daemon key list> | all] heartbeat monitor stand alone [show] daemon [<daemon key list> | all] name [show] daemon [<daemon key list> | all] proc not run action [show] daemon [<daemon key list> | all] running [show] daemon [<daemon key list> | all] running timeout [show] Description This command provides the ability to fine-tune the daemons that provide high availability functionality. BIG-IP® Command Line Interface Guide A - 47 Appendix A Examples Enables the system to fail over and reboot due to lack of a detected heartbeat from the sod daemon: daemon sod heartbeat monitor enable Options You can use these options with the daemon command: • daemon edit Displays in a text editor the running configuration of all objects created using the command daemon. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only daemon { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • heartbeat monitor Enables or disables the heartbeat on the specified daemon, or performs an action. Typically, if a daemon does not periodically connect with its heartbeat location, it is restarted automatically. This command allows you to disable automatic restart. The daemons that supply a heartbeat are: tmm, mcpd, bigd, sod, and bcm56xxd. The default is enable. Specify the action the daemon should take if no heartbeat is detected. Possible values are reboot, restart, failover, failover restart, go active no action, restart all, and failover restart tm. The default is restart. • heartbeat monitor redundant Specify the action the daemon should take if no heartbeat is detected on the redundant heartbeat monitor. Possible values are reboot, restart, failover, failover restart, go active no action, restart all, and failover restart tm. The default is restart. • heartbeat monitor stand alone Specify the action the daemon should take if no heartbeat is detected on a standalone heartbeat monitor. Possible values are reboot, restart, failover, failover restart, go active no action, restart all, and failover restart tm. The default is restart. • proc not run action Specify the action the daemon should take if a configured traffic or system management action is not run. Possible values are reboot, restart, failover, failover restart, go active no action, restart all, and failover restart tm. The default is failover. • running Enables or disables actions configured for the traffic management and system management daemons. You can use this feature to disable the A - 48 bigpipe Command Reference action a daemon takes during failover. For example, when you want to stop a daemon and you do not want the unit to failover, you can issue the running disable command for the daemon. The default is disable. • running timeout Specify the length of time you want disabled actions to remain disabled. The default is 10 seconds. See also ha table(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 49 Appendix A daemon bigdbd Sets internal settings for the bigdbd daemon. Syntax Use this command to set the system log levels for the bigdbd daemon. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. daemon bigdbd [{] <daemon bigdbd arg list> [}] <daemon bigdbd arg> ::= loglevel (critical | error | warning | notice |\ informational | debug) daemon bigdbd edit Display daemon bigdbd [show [all]] daemon bigdbd list [all] daemon bigdbd loglevel [show] daemon bigdbd partition [show] Description You use this command to set the system log levels for the bigdbd daemon. Examples The following command sets the log level of the bigdbd daemon messages to critical. This means that the system logs only critical messages from the daemon: daemon bigdbd loglevel critical A - 50 bigpipe Command Reference Options You can use the following options with the command daemon bigdbd: • daemon bigdbd edit Displays in a text editor the running configuration of all objects created using the command daemon bigdbd. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only daemon bigdbd { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • loglevel Specifies the lowest level of bigdbd daemon messages to include in the system log. The default is warning. • partition Displays the partition within which the bigdbd daemon resides. See also bigpipe(1), daemon(1), daemon mcpd(1), daemon tmm(1) BIG-IP® Command Line Interface Guide A - 51 Appendix A daemon mcpd Sets internal settings for the mcpd daemon. Syntax Use this command to set the system log levels for the mcpd daemon. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. daemon mcpd [{] <daemon mcpd arg list> [}] <mcpd mcpd arg> ::= audit (enable | disable | verbose | all) loglevel (panic | emergency | alert | critical | error | warning | notice |\ informational | debug) daemon mcpd edit Display daemon mcpd [show [all]] daemon mcpd list [all] daemon mcpd audit log [show] daemon mcpd loglevel [show] daemon mcpd partition [show]) Description You use this command to enable auditing and to set the system log levels for the mcpd daemon. Examples The following command sets the log level of the mcpd daemon to critical. This means that the system logs critical, alert, emergency and panic messages from the daemon. daemon mcpd loglevel critical A - 52 bigpipe Command Reference Options You can use the following options with the daemon mcpd command: • audit Enables or disables auditing for the mcpd daemon, and specifies verbose or all as the auditing level. The default is disable. • daemon mcpd edit Displays in a text editor the running configuration of all objects created using the command daemon mcpd. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only daemon mcpd { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • loglevel Specifies the lowest level of mcp daemon messages to include in the system log. The default is notice. • partition Displays the partition within which the mcpd daemon resides. See also bigpipe(1), daemon(1), daemon bigdbd(1), daemon tmm(1) BIG-IP® Command Line Interface Guide A - 53 Appendix A daemon tmm Sets internal settings for the tmm daemon. Syntax Use this command to set the system log levels for the tmm daemon. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. daemon tmm [{] <daemon tmm arg list> [}] <daemon tmm arg> ::= arp loglevel (error | warning | notice | informational | debug) http compression loglevel (error | warning | notice | informational | debug) http loglevel (error | warning | notice | informational | debug) ip loglevel (warning | notice | informational | debug) layer4 loglevel (error | warning | notice | informational | debug) net loglevel (critical | error | warning | notice | informational | debug) os loglevel (emergency | alert | critical | error | warning | notice |\ informational | debug) pva loglevel (notice | informational | debug) rules loglevel (error | warning | notice | informational | debug) ssl loglevel (emergency | alert | critical | error | warning | notice |\ informational | debug) daemon tmm edit Display daemon tmm [show [all]] daemon tmm list [all] daemon tmm arp loglevel [show] daemon tmm http compression loglevel [show] daemon tmm http loglevel [show] daemon tmm ip loglevel [show] daemon tmm layer4 loglevel [show] daemon tmm net loglevel [show] daemon tmm os loglevel [show] A - 54 bigpipe Command Reference daemon tmm partition [show] daemon tmm pva loglevel [show] daemon tmm rules loglevel [show] daemon tmm ssl loglevel [show] Description You use this command to set the system log levels for the tmm daemon. Examples The following command sets the ARP message log level for the tmm daemon to error. This means that the system logs only ARP error messages from the daemon. daemon tmm arp loglevel error Options You can use the following options with the daemon tmm command: • arp loglevel Specifies the lowest level of ARP messages from the tmm daemon to include in the system log. The default is warning. • daemon tmm edit Displays in a text editor the running configuration of all objects created using the command daemon tmm. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only daemon tmm { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • http loglevel Specifies the lowest level of HTTP messages from the tmm daemon to include in the system log. The default is error. • http compression loglevel Specifies the lowest level of HTTP compression messages from the tmm daemon to include in the system log. The default is error. • ip loglevel Specifies the lowest level of IP address messages from the tmm daemon to include in the system log. The default is warning. • layer4 loglevel Specifies the lowest level of Layer 4 messages from the tmm daemon to include in the system log. The default is notice. BIG-IP® Command Line Interface Guide A - 55 Appendix A • net loglevel Specifies the lowest level of network messages from the tmm daemon to include in the system log. The default is warning. • os loglevel Specifies the lowest level of operating system messages from the tmm daemon to include in the system log. The default is notice. • partition Displays the partition within which the tmm daemon resides. • pva loglevel Specifies the lowest level of PVA messages from the tmm daemon to include in the system log. The default is informational. • rules loglevel Specifies the lowest level of iRule messages from the tmm daemon to include in the system log. The default is warning. • ssl loglevel Specifies the lowest level of SSL messages from the tmm daemon to include in the system log. The default is warning. See also bigpipe(1), daemon(1), daemon mcpd(1), daemon bigdbd(1) A - 56 bigpipe Command Reference db Displays or modifies bigdb database entries. Syntax Use this command to modify or display configuration database entries. Modify db <db key list> {} db (<db key list> | all) [{] <db arg list> [}] <db key> ::= <name> <db arg> ::= <string> db (<db key list> | all) reset db edit Display db (<db key list> | all) [show [all]] db (<db key list> | all) list [all] db (<db key list> | all) name [show] Description The db command allows you to modify and retrieve the data that is stored in the bigdb configuration database. Important After you change a bigdb database variable using the db command, you must run the save all command. If you do not, the next time that you run the load command, the value of the bigdb database variable may be reset to the value in the stored configuration. Examples Resets each database entry and setting to its default: db all reset Sets the database entry, SYN Check™ Activation Threshold, back to the default value. db Connection.SynCookies.Threshold 16384 BIG-IP® Command Line Interface Guide A - 57 Appendix A Options Use these options with the db command: • db edit Displays in a text editor the running configuration of all objects created using the command db. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • name The name of the database entry that you want to modify or display. • string The value that you want to assign to the database entry that you are modifying. When you are modifying a configuration database entry, this value is required. See also bigpipe(1) A - 58 bigpipe Command Reference dns Configures the Domain Name Service (DNS) for the BIG-IP system. Also, displays and resets statistics for the DNS profile. Syntax Use this command to configure DNS for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. dns [{] <dns arg list> [}] <dns arg> ::= include (<string> | none) nameservers (<ip addr list> | none) [add | delete] search (<string list> | none) [add | delete] dns edit Display dns [show [all]] dns list [all] dns include [show] dns nameservers [show] dns partition [show] dns search [show] Description Use this command to manage configurations by server grouping, in this case, DNS servers. BIG-IP® Command Line Interface Guide A - 59 Appendix A Examples The following commands display the global statistics for the DNS profile: dns dns show Adds DNS name servers with the IP addresses, 192.168.10.20 and 192.168.10.22, to the BIG-IP system: dns nameservers 192.168.10.20 192.168.10.22 add The following command syntax adds the host names, siterequest.com, store.siterequest.com, and london.siterequest.com, to the DNS search configuration for the BIG-IP system. When DNS searches for the host, siterequest, which is not a fully qualified domain name, it uses the IP address of the first match, in this case, siterequest.com. dns search siterequest.com store.siterequest.com london.siterequest.com Options Use these options with the dns command: • dns edit Displays in a text editor the running configuration of all objects created using the command dns. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only dns { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • nameservers Adds a group of DNS name servers to or deletes a group of DNS name servers from the BIG-IP system. • partition Displays the partition within which the dns object resides. • search Adds a list of domain names in a specific order. DNS uses that order when searching for host names that are not fully qualified. You can also use this option to delete domain names in the list. A - 60 bigpipe Command Reference See also bigpipe(1), profile dns(1) BIG-IP® Command Line Interface Guide A - 61 Appendix A exit Exits the bigpipe shell. Syntax Use this command to exit the bigpipe shell. Usage exit Description Use this command at the bigpipe shell prompt to exit the shell and return to the BIG-IP system prompt. Examples When you are finished running commands at the bigpipe shell prompt, type exit to exit the shell and return to the system prompt. exit See also bigpipe(1) A - 62 bigpipe Command Reference export Creates a single configuration file (SCF) that you can use to configure another BIG-IP system using the import command. Important The export command is independent of and distinct from the save all command. For more information on the save all command, see save, on page A-271. Syntax Use this command to create a single configuration file (SCF). Create/Modify export [oneline] [<file name> | -] Description You use the export command to save the running configuration in a flat, text file with the extension .scf. Examples Creates the SCF, myconfiguration.scf, which contains the running configuration of the system: export myconfiguration Note The system appends the specified file name with the extension .scf. Creates the SCF, default.scf, which contains the running configuration of the system: export /shared/default WARNING You cannot use the export command to create an SCF file named default, unless you explicitly include a path name to the file, as shown in the example above. Options Use these options with the export command: • oneline Specifies that each command in the file is written on one line without line feeds, and that there is one line feed after each command. This BIG-IP® Command Line Interface Guide A - 63 Appendix A parameter can create very long lines of text. Note that if you do not use this parameter, each command is written with line feeds between the attributes and values for readability. • <file name> Specifies the name of the SCF you are creating. The system appends this name with the extension .scf. See also bigpipe(1), import(1) A - 64 bigpipe Command Reference f5adduser Adds local user accounts to the BIG-IP system. Syntax Use this command at the BIG-IP system prompt to add one or more local users. Create f5adduser [-r <role name>|<role number>] [-n] [-s] -p <partition name> <username> ... Description You can use this command at the BIG-IP system prompt to add one or more local users. Examples Adds a user account with the user role of Manager and access to all partitions for Jim Smith: f5adduser -r manager jsmith Options You can use these options with the f5adduser command at the BIG-IP system prompt: • -r Specifies the user role you are assigning to the user. The default user role is guest. The available user roles are: • administrator • resource admin • user manager • manager • app editor • operator • guest • policy editor • -n Indicates no password for the user account. If you indicate no password, the user cannot log on until an Administrator creates a password for the account. If you do not use this option, the system prompts you to enter a password, and then to confirm that password. BIG-IP® Command Line Interface Guide A - 65 Appendix A • -s If you are creating a user account with the user role of administrator, the user is given access to the system prompt. If you are creating a user account with a user role other than administrator, the user is given access to the bigpipe shell. • -p Specify a partition name. If you do not specify a partition, the user account is valid in all partitions. See also user(1) A - 66 bigpipe Command Reference failover Configures and controls failover for a redundant system. Syntax Use this command to control the failover of a system, and to configure the failover feature for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. Use this syntax to configure the failover feature for a system: failover [{] <failover arg list> [}] <failover arg> ::= active-active mode (enable | disable) custom addr (<ip addr> | none) custom peer addr (<ip addr> | none) force active (enable | disable) force standby (enable | disable) network failover (enable | disable) redundant (enable | disable) standby link down time <float> unit <number> failover edit Use this syntax to control failover of a system: failover (standby | failback) Display failover [show [all]] failover list [all] failover active-active mode [show] failover custom addr [show] failover custom peer addr [show] failover force active [show] failover force standby [show] BIG-IP® Command Line Interface Guide A - 67 Appendix A failover network failover [show] failover partition [show] failover redundant [show] failover standby link down time [show] failover unit [show] Description Failover is a process that occurs when one unit in a redundant system becomes unavailable, thereby requiring the peer unit to assume the processing of traffic originally targeted for the unavailable unit. To facilitate coordination of the failover process, each unit has a unit ID (1 or 2). You can use the command failover to switch the active unit to be the standby unit in a redundant configuration. Be careful about using the command failover to control the unit. It is provided only for special situations. The unit automatically switches between active and standby modes, without operator intervention. Examples Causes the active unit to go into the standby state, forcing the other unit in the redundant system to become active: failover standby Restores an active-active configuration after a failure: failover failback Options Use these options to control failover of the system: • failback Initiates failback for an active-active system. Failback re-establishes normal BIG-IP system processing when a previously-unavailable BIG-IP system becomes available again. • standby Specifies that the active unit fails over to a standby state, causing the standby unit to become active. Use these options to configure failover for the system: • active mode Enables or disables active mode for a unit in a redundant system. The default value is disable. • custom addr Specifies the self-IP address or management IP address on the unit that the network failover mechanism uses to listen for peer responses. When using network failover, this is a required setting. A - 68 bigpipe Command Reference • custom peer addr Specifies the self-IP address or management IP address on the peer system that the network failover mechanism uses to determine whether the peer is responsive. When using network failover, this is a required setting. • failover edit Displays in a text editor the running configuration of all objects created using the command failover. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only failover { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • force active When enabled, makes the unit prefer to be the active unit. The default value is disable. • force standby When enabled, makes the unit prefer to be the standby unit. The default value is disable. • network failover Specifies, when enabled, that this unit utilizes the network to determine the status of the peer unit. You can use network failover in addition to, or instead of, hard-wire failover. The default value is disable. • partition Displays the partition within which the failover object resides. • redundant Enables or disables redundancy for a unit in a redundant system. The default is disable. • standby link down time Specifies the amount of time, within the valid range of 0 - 10 seconds, that the interfaces are down before the unit fails over to standby. Use this setting to prompt peer switches to reset and relearn their Address Resolution Protocol (ARP) tables after a failover. The default value is 0 (zero) seconds, which disables this option. When using network failover, do not enable this feature unless you configure the custom addr and custom peer addr settings to use the management port. • unit Specifies a number for a unit in a BIG-IP redundant system. The default value is 1. BIG-IP® Command Line Interface Guide A - 69 Appendix A See also bigpipe(1), statemirror(1) A - 70 bigpipe Command Reference fasthttp Displays and resets global statistics for the Fast HTTP profile on the BIG-IP system. Syntax Use this command to display and reset statistics for the Fast HTTP profile. Modify fasthttp stats reset Display fasthttp [show [all]] Description Use this command to display and reset global statistics for the Fast HTTP profile. Examples The following commands display the global statistics for the Fast HTTP profile: fasthttp fasthttp show Resets all statistics for the Fast HTTP profile on the system: fasthttp stats reset See also profile fasthttp (1) BIG-IP® Command Line Interface Guide A - 71 Appendix A fastL4 Displays and resets statistics for the Fast Layer 4 profile on the BIG-IP system. Syntax Use this command to display and reset statistics for the Fast Layer 4 profile. Modify fastl4 stats reset Display fastl4 [show [all]] Description Display detailed Fast Layer 4 profile statistics. These statistics include connectivity statistics, errors generated, and SYN cookies used. Examples The following commands display statistics for the Fast Layer 4 profile: fastl4 fastl4 show Resets all statistics for the Fast Layer 4 profile on the system: fastl4 stats reset See also profile fastl4 (1) A - 72 bigpipe Command Reference fipscardsync Synchronizes the FIPS hardware security modules (HSMs) of a redundant system. Syntax Use this command at the BIG-IP system prompt to synchronize the FIPS HSMs of a redundant system. Modify fipscardsync peer Description Synchronizes the FIPS hardware security modules (HSMs) of a redundant system. Note that synchronizing the HSMs provides the ability to exchange keys between the units of a redundant system. Examples Run this command at the console of the active unit to synchronize the FIPS HSMs of a redundant system: fipscardsync peer See also fipsutil(1) BIG-IP® Command Line Interface Guide A - 73 Appendix A fipsutil Configures and maintains a FIPS security domain on a BIG-IP redundant system. Syntax Use this command at the console to configure and maintain a FIPS security domain for a BIG-IP redundant system. Modify fipsutil [flags] <action> [flags] ::= -d -f -v <action> ::= clean crash dump fwcheck fwupdate genpbekey init labelcheck monitor login logout postfwupdate reset scupdate test Description You can use this command to initialize the FIPS hardware security module (HSM), and to create a security officer (SO) password and a security domain name on the active unit of a BIG-IP redundant system. After you do this on the active unit, use the same security domain name and SO password to initialize and configure the other unit of the redundant system. A - 74 bigpipe Command Reference Examples Initializes the HSM, prompts you to create an SO password, and then prompts you to create a security domain name: fipsutil -f init Options You can use the following options with the fipsutil command: ◆ flags The flags include: • -d Indicates to use the default SO Password. You are not prompted to create a password. • -f Re-initializes the Nitrox FIPS board (NFB) or installs older firmware. • -v Displays verbose information about the FIPS security domain. ◆ actions The actions include: • clean Do not use this option unless F5 Networks support requests that you use it for debugging. • crash Do not use this option unless F5 Networks support requests that you use it for debugging. • dump Do not use this option unless F5 Networks support requests that you use it for debugging. • fwcheck Checks for available NFB firmware updates. • fwupdate Updates NFB firmware, if necessary. • genpbekey This option is not used. • init Initializes and logs you in to the NFB, and sets the security domain name. • labelcheck Checks to see if the FIPS card is set to the default. • login Do not use this option unless F5 Networks support requests that you use it for debugging. BIG-IP® Command Line Interface Guide A - 75 Appendix A • logout Do not use this option unless F5 Networks support requests that you use it for debugging. • monitor Do not use this option unless F5 Networks support requests that you use it for debugging. • postfwupdate Do not use this option unless F5 Networks support requests that you use it for debugging. • reset Do not use this option unless F5 Networks support requests that you use it for debugging. • scupdate Do not use this option unless F5 Networks support requests that you use it for debugging. • test Do not use this option unless F5 Networks support requests that you use it for debugging. See also fipscardsync(1) A - 76 bigpipe Command Reference ftp Displays and resets global statistics for the FTP profile on the BIG-IP system. Syntax Use this command to display and reset the statistics for the FTP profile. Modify ftp stats reset Display ftp [show [all]] Description You can use the ftp command to display and reset global statistics for the FTP profile. Examples The following commands display the global statistics for the FTP profile: ftp ftp show Resets all statistics for the FTP profile on the system. ftp stats reset See also profile ftp (1) BIG-IP® Command Line Interface Guide A - 77 Appendix A global Displays and resets global statistics for the BIG-IP system. Syntax Use this command to display or reset global statistics for the system. Display global [stats [show [all]]] Delete global stats reset Description Display and reset global system statistics. These statistics include client side, server side, PVA connections, TMM cycles, denials, CPU usage, memory, packets, authorization, and OneConnect™ information. Examples Displays all global statistics. global stats show Resets all global statistics. global stats reset See also bigpipe(1) A - 78 bigpipe Command Reference ha table Displays the settings for high availability on a system. Syntax Use this command to display high availability settings. Display <ha table key> ::= peer ha table [<ha table key list> | all] [show [all]] ha table [<ha table key list> | all] list [all] Description Displays high availability settings for the system. These settings include daemon settings and failover settings. Examples Displays all peer settings: ha table peer Displays all daemon and failover settings: ha table show Columns The HA table consists of several columns including Feature, Key, Action, En, Act, Proc, Time, and Data. • Feature Displays the high availability feature. • Key Displays the specific instance of the feature, for example which daemon's heartbeat is represented. • Action Displays the action that should be taken when the Act (take action) column is yes. • En Indicates whether the feature is enabled. • Act Indicates that you should take action. For example, if the VLAN fail-safe functionality determined that the VLAN had failed, it would set this setting to yes which would cause the daemon to reboot the BIG-IP system. BIG-IP® Command Line Interface Guide A - 79 Appendix A • Proc Indicates the process that is exclusively responsible for creating and writing to this row in the HA table. • Time The meaning of this column varies depending on the feature associated with it. Typically, this value is a timeout value. For example, the sod daemon heartbeat time is set to 20 (seconds). That means that if sod does not increment its heartbeat in 20 seconds, the BIG-IP system reboots. • Data The meaning of this column also varies depending on the feature. For daemon heartbeats, for example, this value shows the daemon incrementing the value of its heartbeat. See also daemon(1), bigpipe(1) A - 80 bigpipe Command Reference hardware Displays information about the system hardware. Syntax Use this command to display the baud rate of the system hardware. Display hardware {} hardware [{] <hardware arg list> <hardware arg> ::= baud rate <number> hardware [show [all]] hardware list [all] hardware baud rate [show] Description You can use the hardware command to display the baud rate of the system hardware. Examples The following three commands display the baud rate of the system hardware: hardware hardware show hardware baud rate See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 81 Appendix A help Displays online help for bigpipe command syntax. Syntax Use this command to display the online man page for a bigpipe command. Display <command> help Description Use this command to access the online man page for the specified command. Examples Displays the online man page for the specified command: vlan help See also bigpipe(1) A - 82 bigpipe Command Reference http Displays or resets HTTP statistics on the BIG-IP system. Syntax Use this command to display or reset HTTP statistics. Modify http stats reset Display http [show [all]] Description Display and reset HTTP statistics. The statistics you can view are standard HTTP statistics, including requests, responses, Set-Cookie header insertions, and OneConnect idle connections. You can also view compression statistics (in bytes), such as the following: total, image, HTML, JS, XML, SGML, plain text, video, audio, and octet. Tip In the Compression Statistics, total bytes section of the http command output, saved indicates the ratio between the amount of content before compression and the amount of content after compression. null indicates content that is wrapped in compression headers, but is not compressed. The system wraps content in compression headers, but does not compress it when one of two situations occurs. Either the system exceeds the amount of compression (in megabytes) for which it is licensed, or the CPU saver is active. For more information about the CPU saver setting, see profile http, on page A-198. Examples Displays all HTTP statistics including compression statistics: http show all Resets all HTTP statistics to zero: http stats reset See also profile http(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 83 Appendix A httpd Configures the HTTP daemon for the BIG-IP system. Syntax Use this command to configure the httpd daemon for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. httpd [{] <httpd arg list> [}] <httpd arg> ::= allow (<string list> | all | none) [add | delete] authname <string> authpamcachetimeout <number> hostnamelookups (On | Off | Double) include (<string> | none) loglevel (debug | info | notice | warn | error | crit | alert | emerg) sslcertchainfile (<string> | none) sslcertfile <string> sslcertkeyfile <string> sslciphersuite <string> ssl include (<string> | none) httpd edit Display httpd [show [all]] httpd list [all] httpd allow [show] httpd authname [show] httpd authpamcachetimeout [show] httpd hostnamelookups [show] httpd include [show] httpd loglevel [show] httpd partition [show] httpd sslcertchainfile [show] A - 84 bigpipe Command Reference httpd sslcertfile [show] httpd sslcertkeyfile [show] httpd sslciphersuite [show] httpd ssl include [show] Description You configure the HTTP daemon for the system using the httpd command. Important F5 recommends that users of the Configuration utility exit the utility before changes are made to the system using the httpd command. This is because making changes to the system using the httpd command causes a restart of the httpd daemon. Likewise, restarting the httpd daemon creates the necessity for a restart of the Configuration utility. Examples When you change the SSL key, you must also change the SSL certificate. You change the certificate/key pair using following command: httpd { sslcertfile <string> sslcertkeyfile <string> } Sets the pluggable authentication module (PAM) cache timeout to half a day (in seconds): httpd authpamcachetimeout 43200 Creates the SSL certificate file, mycert.crt, for the system: sslcertfile /etc/httpd/conf/ssl.crt/mycert.crt Replaces the existing list of hosts that can connect to the httpd daemon with the hosts in the range, 172.27.0.0/255.255.0.0: httpd allow 172.27.0.0/255.255.0.0 Options You can use the following options with the httpd command. • allow Adds or deletes IP addresses, partial IP addresses, and IP address ranges, host names, partial host names, domain names, partial domain names, and network and netmask pairs for the HTTP clients from which the httpd daemon accepts request. The default value is all. Warning: Using the value none resets the httpd daemon to allow all HTTP clients access to the system. F5 recommends that you do not use the value none with the httpd command. • authname Specifies the name for the authentication realm. The default is BIG-IP. BIG-IP® Command Line Interface Guide A - 85 Appendix A • authpamcachetimeout Specifies, in seconds, the cache timeout for PAM. The default value is 86400 seconds. • hostnamelookups The default value is Off. • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • loglevel Specifies the minimum httpd message level to include in the system log. The default value is warn. • httpd edit Displays in a text editor the running configuration of all objects created using the command httpd. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only httpd { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the httpd daemon resides. • sslcertchainfile Specifies the name of the file that contains the SSL certificate chain. The default is none. • sslcertfile Specifies the name of the file that contains the SSL certificate. The default value is /etc/httpd/conf/ssl.crt/server.crt. Note that the path to the file must start with /etc/httpd/conf/ssl.crt/ or /config/httpd/conf/ssl.crt/ unless the path is a relative path. If the path is a relative path, then it must start with conf/ssl.crt/. • sslcertkeyfile Specifies the name of the file that contains the SSL certificate key. The default value is /etc/httpd/conf/ssl.key/server.key. Note that the path to the file must start with /etc/httpd/conf/ssl.key/ or /config/httpd/conf/ssl.key/ unless the path is a relative path. If the path is a relative path, then it must start with conf/ssl.key/. When you change the key file, you must also change the certificate file. In other words, the following command does not work to change the key: httpd sslcertkeyfile <string>. Instead, you must use this command: { httpd sslcertfile <string> sslcerkeyfile <string> }. A - 86 bigpipe Command Reference • sslciphersuite Specifies the ciphers that the system uses. • ssl include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. See also bigpipe(1), ntp(1), dns(1), sshd(1), snmpd(1) BIG-IP® Command Line Interface Guide A - 87 Appendix A icmp Displays and resets ICMP statistics. Syntax Use this command to display or reset ICMP statistics. Modify icmp stats reset Display icmp [show [all]]] Description Display and reset ICMP statistics. The statistics you can view are standard ICMP statics, including ICMPv4 packets and errors, and ICMPv6 packets and errors. Examples Displays all ICMP statics including compression statistics: icmp show all Resets all ICMP statistics to zero: icmp stats reset See also monitor(1), bigpipe(1) A - 88 bigpipe Command Reference import Saves a backup of the running configuration in the /var/local/scf/ directory, and then replaces the running configuration with the configuration contained in the single configuration file (SCF) that you are importing. Syntax Use this command to replace the running configuration of the system with the values contained in the SCF that you are importing. If you want to write the new running configuration to the stored configuration files, after you run the import command, you must run the save all command. If you want to modify the running configuration of the BIG-IP system, rather than replace it, you must use the merge command. For more information, see the online man page for the merge command. Create/Modify import [<file> | default | -] Description You import an SCF that was exported from another BIG-IP system after you edit the file to work on the system to which you are importing it. Examples Loads the SCF, myconfiguration.scf, on the system: import myconfiguration.scf Resets the running configuration to the factory defaults; however, this command does not rest the management IP address or the management default route: import default Options You can use the following options with the import command. • - <contents of SCF> Use this option to replace the running configuration of the system using the data in an SCF. First copy the contents of an SCF. Then type import - and press the Enter key. The system responds with a Reading... message. When the system finishes responding, on the command line, paste the contents of the SCF that you copied, and then type Ctrl-D. BIG-IP® Command Line Interface Guide A - 89 Appendix A After the command sequence runs, the system has replaced the running configuration. If you want to save the running configuration to the stored configuration files, run the save all command. Warning: F5 recommends that you do not use this option to import an SCF. Instead, F5 recommends that you use the file name, as shown in the following option. • <file> Specifies the name of the SCF that you want to import. • default Resets the running configuration of the system to the factory defaults. However, note that this option does not change the management port networking information. See also bigpipe(1), export(1) A - 90 bigpipe Command Reference interface Configures the parameters of interfaces. Syntax Use this command to modify or display interface settings. Modify interface <interface key list> {} interface (<interface key list> | all) [{] <if arg list> [}] <interface key> ::= <if name> <interface arg> ::= prefer (sfp | fixed) media fixed (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full |\ 1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \ 10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full) media sfp (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \ 1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \ 10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full) (enable | disable) pause (rx tx |rx | tx | tx rx | none) link type (p2p | shared | auto) edge port (true | false) auto edge (enable | disable) stp (enable | disable) stp reset media (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \ 1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \ 10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full) interface (<interface key list> | all) stats reset interface edit Display interface [<<interface key list> | all] [show [all]] interface [<<interface key list> | all] list [all] interface [<<interface key list> | all] auto edge [show] interface [<<interface key list> | all] edge port [show] interface [<<interface key list> | all] enabled [show] interface [<<interface key list> | all] errors [show] interface [<<interface key list> | all] link type [show] interface [<<interface key list> | all] name [show] BIG-IP® Command Line Interface Guide A - 91 Appendix A interface [<<interface key list> | all] prefer [show] interface [<<interface key list> | all] media [show] interface [<<interface key list> | all] media fixed [show] interface [<<interface key list> | all] media options [show] interface [<<interface key list> | all] media options sfp [show] interface [<<interface key list> | all] media sfp [show] interface [<<interface key list> | all] pause [show] interface [<<interface key list> | all] stats [show] interface [<<interface key list> | all] stp [show] Description This command displays and sets media options, duplex mode, and status for an interface. In addition, this command provides the ability to set per-interface spanning tree parameters such as link type, edge port status, automatic edge port detection, and also whether the interface participates in the spanning tree configuration. Examples Enables the interface named 1.1: interface 1.1 enable Disables the interface named 1.1: interface 1.1 disable Disables STP on the interfaces named 1.1, 1.2, and 1.3: interface 1.1 1.2 1.3 stp disable Enables auto edge detection for STP on the interfaces named 1.1, 1.2, and 1.3: interface 1.1 1.2 1.3 auto edge enable Sets the edge port attribute for STP on the interfaces named 1.1, 1.2, and 1.3: interface 1.1 1.2 1.3 edge port true Options You can use these options with the interface command: • auto edge When automatic edge port detection is enabled on an interface, the system monitors the interface for incoming STP, RSTP, or MSTP packets. If no such packets are received for a sufficient period of time (about three seconds), the interface is automatically given edge port status. When automatic edge port detection is disabled on an interface, the system never gives the interface edge port status automatically. By A - 92 bigpipe Command Reference default, automatic edge port detection is enabled on all interfaces. Any STP setting set on a per-interface basis applies to all spanning tree instances. The default is enable. • edge port Possible values are true and false. The default is true. • enable | disable Enables or disables the named interface. • errors Displays the error statistics for an interface. • interface edit Displays in a text editor the running configuration of all objects created using the command interface. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • <interface key list> Specifies a list of interface names, separated by a space. • <if name> Specifies an interface name, for example 3.1, where 3 is the physical slot number holding the network interface hardware and 1 is the physical port number of that interface on that hardware. Another example is mgmt, the name given to the management interface. • link type The spanning tree system includes important optimizations that can only be used on point-to-point links. That is, on links which connect just two bridges. If these optimizations are used on shared links, incorrect or unstable behavior may result. By default, the implementation assumes that full-duplex links are point-to-point and that half-duplex links are shared. Possible values are p2p, shared, and auto. The default is auto. • media Specifies a media type for the specified interface. The options are: auto, 10baseT half, 10baseT full, 100baseTX half, 100baseTX full, 1000baseT half, 1000baseT full, 1000baseSX full, 1000baseLX full, 10GbaseT full, 10GbaseSR full, 10GbaseLR full, and 10GbaseER full. Note that you use this option only with a non-combo port. • media fixed Specifies a media type for the specified interface. The options are: auto, 10baseT half, 10baseT full, 100baseTX half, 100baseTX full, 1000baseT half, 1000baseT full, 1000baseSX full, 1000baseLX full, BIG-IP® Command Line Interface Guide A - 93 Appendix A 10GbaseT full, 10GbaseSR full, 10GbaseLR full, and 10GbaseER full. Note that you use this option only with a combo port to specify the media type for the fixed interface. • media options Displays all media types that are available for the specified interface. • media options sfp Displays all media types that are available for the specified SFP interface. • media sfp Specifies a media type for the specified interface. The options are: auto, 10baseT half, 10baseT full, 100baseTX half, 100baseTX full, 1000baseT half, 1000baseT full, 1000baseSX full, 1000baseLX full, 10GbaseT full, 10GbaseSR full, 10GbaseLR full, and 10GbaseER full. Note that you use this option only with a combo port to specify the media type for the SFP interface. • pause Possible values are rx, rx tx, tx, tx rx, and none. The default is tx rx. • prefer Indicates which side of a combo port the interface uses. The options are fixed and SFP. The default is fixed. If you use the prefer option, use the media option to specify a media type for the interface. Note that for an SFP-only interface, the prefer option is ignored and you must use either the media or media sfp option to set the media type for the interface. • stp Enables or disables STP. If you disable STP, no STP, RSTP, or MSTP packets are transmitted or received on the interface or trunk, and spanning tree has no control over forwarding or learning on the port or the trunk. The default is enable. • stp reset Resets STP. See also mirror(1), stp(1), vlan(1), vlangroup(1), bigpipe(1) A - 94 bigpipe Command Reference ip Manages IP statistics on the BIG-IP system. Syntax Use this command to display or delete IP statistics on the BIG-IP system. Display ip [stats [show [all]]] Delete ip stats reset Description Display and reset IP statistics. The statistics you can view are standard IP statistics, including IPv4 and IPv6 packets, fragments, fragments reassembled, and errors. Examples Displays all IP statistics for the system: ip show all Resets all IP statistics to zero: ip stats reset See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 95 Appendix A list Displays all objects the user has permission to view. Depending on the user’s Read partition, all objects that are not in partitions and all objects in partition Common may also display. Syntax Use this command to display objects based on your Read partition setting. Display [base] list [all] Description When the default Read partition is All, the list command displays all objects the user has permission to view. When you specify a Read partition, this command displays all objects the user has permission to view in the current partition, all objects that are not in partitions, and all objects in partition Common. Options You can use these options with the list command: • base Lists the output of the single configuration file (SCF), including the configuration of the BIG-IP system network components: MGMT port address, MGMT route, internal and external VLANs, VLAN groups, self-IP addresses, and self-allow values. • all Displays the complete system configuration. See also bigpipe(1) A - 96 bigpipe Command Reference load Replaces the running configuration with the configuration in the stored configuration files. Syntax Use this command to replace the running configuration with the configuration in the stored configuration files. Usage [base] load [<file> | - ] verify load Description You can also use the load command to replace the running configuration with the configuration stored in a specified file. If you want to modify the running configuration of the BIG-IP system, rather than replace it, you must use the merge command. For more information, see the online man page for the merge command. Examples The following command replaces the running configuration with the configuration in the stored configuration files. The configuration loads after you type Ctrl-D. load <Ctrl-D> The following command replaces the bigip.conf file with the myconfigurationfile.conf file: load myconfigurationfile.conf The base load command replaces the running configuration using the contents of the following files in the order shown: • /defaults/config_base.conf • /config/bigip_base.conf • /config/bigip_sys.conf The load command replaces the entire running configuration using the contents of the following files in the order shown: • /defaults/config_base.conf This file contains the commands, and their attributes and values, that configure the basic system information for all of the components of the BIG-IP system. When you run the base load or load commands, the BIG-IP® Command Line Interface Guide A - 97 Appendix A system resets portions of the running configuration to the values contained in this file. When you run the base save or save all commands, the system writes portions of the running configuration into this file. • /config/bigip_base.conf This file contains the commands, and their attributes and values, that configure the BIG-IP network components. When you run the base load or load commands, the system resets portions of the running configuration to the values contained in this file. When you run the base save or save all commands, the system writes portions of the running configuration into this file. • /config/bigip_sys.conf This file contains the commands, and their attributes and values, that configure the BIG-IP network components, as well as the configuration commands that are synchronized on both units of a redundant pair when you run the configuration synchronization commands. When you run the base load or load commands, the system resets portions of the running configuration to the values contained in this file. When you run the base save or save all commands, the system writes portions of the running configuration into this file. • /usr/bin/monitors/builtins/base_monitors.conf This file contains the default monitors that are delivered with the system. These monitors are the parents of all the new monitors that you add to the system. • /config/profile_base.conf This file contains the default profiles that are delivered with the system. These profiles are the parents of all the new profiles that you add to the system. • /config/daemon.conf This file contains the high-availability configuration data for all of the daemons that are delivered with the system. • /config/bigip.conf This file contains the configuration commands, and their attributes and values, that you add to the system when you configure it to meet your network and system management and local traffic management needs. It also contains the configuration commands, and their attributes and values, that are synchronized on both units of a redundant system when you run the configuration synchronization commands. When you run the load command, the system resets portions of the running configuration to the values contained in this file. When you run the save all command, the system writes portions of the running configuration into this file. • /config/bigip_local.conf This file contains the configuration commands, and their attributes and values, that you add to the system when you configure it to meet your network and system management and local traffic management needs. It also contains the configuration commands that are not synchronized on both units of a redundant pair when you run the configuration synchronization commands. These commands include the non-floating virtual addresses and the virtual addresses of the servers used by the BIG-IP® Global Traffic Manager. When you run the load command, the A - 98 bigpipe Command Reference system resets portions of the running configuration to the values contained in this file. When you run the save all command, the system writes portions of the running configuration into this file. Options You can use these options with the load command: • <file> Specifies a file name that replaces the /config/bigip.conf file. • Specifies that the BIG-IP system loads configuration commands from the standard input device after loading the configuration of the BIG-IP network components. Using this option replaces all of the values in the /config/bigip.conf file. • - <contents of SCF> Use this option to replace only the values in the /config/bigip.conf file. First copy the contents of an SCF. Then type load - and press the Enter key. The system responds with a Reading... message. When the system finishes responding, on the command line paste the contents of the SCF that you copied, and then type Ctrl-D. After the command sequence runs, the system has replaced the running configuration. To save the new values in the bigip.conf file, run the save all command. Warning: This is not the preferred way to load an SCF. F5 recommends that you use the import command. For more information, see import, on page A-89. • base Replaces the configuration of the BIG-IP system network components with the values contained in the /config/bigip_base.conf and /config/bigip_sys.conf files. • log Causes error messages to be written to /var/log/ltm, in addition to the terminal. • verify Validates the specified configuration file. See also bigpipe(1), save(1) BIG-IP® Command Line Interface Guide A - 99 Appendix A logrotate Configures log rotation for the BIG-IP system. Syntax Use this command to configure log rotation for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. F5 recommends that you create a monitor in the same partition in which the object that it monitors resides. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. logrotate [{] <logrotate arg list> [}] <logrotate arg> ::= common backlogs <number> common include (<string> | none) include (<string> | none) mysql include (<string> | none) syslog include (<string> | none) tomcat include (<string> | none) wa include (<string> | none) logrotate edit Display logrotate [show [all]] logrotate list [all] logrotate common backlogs [show] logrotate common include [show] logrotate include [show] logrotate mysql include [show] logrotate partition [show] logrotate syslog include [show] logrotate tomcat include [show] logrotate wa include [show] A - 100 bigpipe Command Reference Description You can configure the system to rotate the log files after a specified length of time. This helps you to clear the hard drive of unneeded log files. Examples Specifies that the system saves seven copies of the common log files: logrotate common backlogs 7 Options You can use these options with the logrotate command: • common backlogs Specifies the number of logs that you want the system to save. Select a number from the valid range of 1 - 100. • common include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • logrotate edit Displays in a text editor the running configuration of all objects created using the command logrotate. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only logrotate { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the logrotate object resides. • syslog include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. BIG-IP® Command Line Interface Guide A - 101 Appendix A • tomcat include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • wa include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. See also bigpipe(1), ntp(1), dns(1), httpd(1), snmpd(1) A - 102 bigpipe Command Reference ltm Configures the general properties for the BIG-IP local traffic management system. Syntax Use this command to configure the general properties of the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. F5 recommends that you create a monitor in the same partition in which the object that it monitors resides. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. ltm [{] <ltm arg list> [}] <ltm arg> ::= adaptive reaper hiwater <number> adaptive reaper lowater <number> auto last hop (enable | disable) fastest max idle time <number> l2 cache timeout <number> maint (enable | disable) max reject rate <number> path mtu discovery (enable | disable) reject unmatched (enable | disable) share single mac (first member | global) snat packet forward (enable | disable) syncookies threshold <number> vlan keyed conn (enable | disable) ltm edit Display ltm [show [all]] ltm list [all] ltm adaptive reaper hiwater [show] ltm adaptive reaper lowater [show] ltm auto last hop [show] ltm fastest max idle time [show] BIG-IP® Command Line Interface Guide A - 103 Appendix A ltm l2 cache timeout [show] ltm maint [show] ltm max reject rate [show] ltm partition [show] ltm path mtu discovery [show] ltm reject unmatched [show] ltm share single mac [show] ltm snat packet forward [show] ltm syncookies threshold [show] ltm vlan keyed conn [show] Description You can use this command to set up the local traffic management system. Examples Specifies that the maximum rate per second at which the BIG-IP system issues reject packets (TCP RST or ICMP port unreach) is 1000 seconds: ltm max reject rate 1000 Options You can use these options with the ltm command: • adaptive reaper hiwater Specifies, in a percentage, the memory usage at which the system stops establishing new connections. Once the system meets the reaper high-water mark, the system does not establish new connections until the memory usage drops below the reaper low-water mark. The default setting is 95. To disable the adaptive reaper, set the high-water mark to 100. Note that the adaptive reaper settings help mitigate the effects of a denial-of-service attack. • adaptive reaper lowater Specifies, in percent, the memory usage at which the system silently purges stale connections, without sending reset packets (RST) to the client. If the memory usage remains above the low-water mark after the purge, then the system starts purging established connections closest to their service timeout. The default setting is 85. To disable the adaptive reaper, set the low-water mark to 100. • auto last hop Specifies that the system automatically maps the last hop for pools. The default is enable. A - 104 bigpipe Command Reference • fastest max idle time Specifies the number of seconds a node can be left idle by the fastest load balancing mode. The system sends fewer connections to a node that is responding slowly, and periodically recalculates the response time of the slow node. The default is 0 (zero), which indicates disabled. • l2 cache timeout Specifies, in seconds, the amount of time that records remain in the Layer 2 forwarding table, when the MAC address of the record is no longer detected on the network. The default is 300 seconds. • ltm edit Displays in a text editor the running configuration of all objects created using the command ltm. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only ltm { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • maint Specifies, when enabled, that the unit is in maintenance mode. In maintenance mode, the system stops accepting new connections and slowly finishes off existing connections. • max reject rate Specifies the maximum rate per second that the system issues reject packets (TCP RST or ICMP port unreach). The default value is 250 seconds. • partition Displays the partition within which the ltm object resides. • path mtu discovery Specifies, when enabled, that the system discovers the maximum transmission unit (MTU) that it can send over a path, without fragmenting TCP packets. The default is enable. • reject unmatched Specifies, when enabled, that the system returns a TCP RESET or ICMP_UNREACH packet if no virtual servers on the system match the destination address of the incoming packet. When this setting is disabled, the system silently drops the unmatched packet. The default is enable. • share single mac Specifies the MAC address that the system assigns to a VLAN. The default value is first member, which indicates that a VLAN uses the MAC address of its first unused member. The global value indicates that all of the VLANs on the system use the same MAC address. • snat packet forward Enables or disables SNAT packet forwarding. The default is disable. BIG-IP® Command Line Interface Guide A - 105 Appendix A • syncookies threshold Specifies the number of new or untrusted TCP connections that can be established before the system activates the SYN Cookies authentication method for subsequent TCP connections. The default value is 16384. • vlan keyed conn Enables or disables VLAN-keyed connections. You use VLAN-keyed connections when traffic for the same connection must pass through the system several times, on multiple pairs of VLANs (or in different VLAN groups). The default setting is enable. See also bigpipe(1) A - 106 bigpipe Command Reference mcp Displays the Master Control Program (MCP) state. Syntax Use this command to display the state of the MCP. Display mcp [show [all]] Delete mcp stats reset Note This command is not currently implemented. Description Displays the state of the MCP, whether running or inactive. Examples Displays the state of the MCP: mcp show all See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 107 Appendix A memory Displays memory usage statistics. Syntax Use this command to display memory statistics. Display memory [show [all]] memory stats [show] Description Display detailed memory usage statistics. These statistics include total memory available, total memory used, and how the memory is currently allocated to objects, the size of the objects, and the maximum memory that can be allocated to a specified object. Examples Displays all memory usage information: memory show all See also bigpipe(1) A - 108 bigpipe Command Reference merge Loads the specified configuration file. This modifies the running configuration. Syntax Use this command to load the specified configuration file or data to modify the running configuration. Usage merge (<file> | -) Description The merge command loads the specified configuration file or data. This modifies the running configuration. After you run the merge command, if you want to save the modified running configuration in the stored configuration files, run the save all command. It is important to note that if you want to replace the running configuration of the BIG-IP system, rather than modify it, you use the load command. For more information, see the online man page for the load command. Options You can use these options with the merge command: • <file> Specifies the file that you want to load to modify the running configuration. • Specifies to load configuration commands from the standard input device after loading the configuration of the BIG-IP network components. • - <contents of SCF> Use this option to modify the running configuration of a system using the data in an SCF. First copy the contents of an SCF. Then type merge - and press the Enter key. The system responds with a Reading... message. When the system finishes responding, on the command line paste the contents of the SCF that you copied, and then type Ctrl-D. After the command sequence runs, the system has modified the running configuration. If you want to save the running configuration to the stored configuration files, run the save all command. Warning: F5 recommends that you do not use this option. Instead, F5 recommends that you use a file name as shown above in the first option in this list of options. BIG-IP® Command Line Interface Guide A - 109 Appendix A See also bigpipe(1), save(1) A - 110 bigpipe Command Reference mgmt Specifies network settings for the management interface (MGMT). Syntax Use this command to create or delete settings for the management interface. Create/Modify mgmt <mgmt key list> {} mgmt (<mgmt key list> | all) {} [{] <mgmt arg list> [}] <mgmt key> ::= (<ip addr> | none) <mgmt arg> ::= netmask (<ip mask> | none) mgmt edit Display mgmt [<mgmt key list> | all] [show [all]] mgmt [<mgmt key list> | all] list [all] mgmt [<mgmt key list> | all] addr [show] mgmt [<mgmt key list> | all] netmask [show] Delete mgmt (<ip addr list> | all) delete Description Specifies network settings for the management interface. The management interface is available on all switch platforms and is designed for management purposes. You can access the web-based Configuration utility and command line configuration utility through the management port. You cannot use the management interface in traffic management VLANs. You can only configure one IP address on the management interface. After you make any changes using the mgmt command, issue the following command to save the changes to the bigip_base.conf file: base save Examples Creates the IP address 10.10.10.1 on the management interface: mgmt 10.10.10.1 BIG-IP® Command Line Interface Guide A - 111 Appendix A Creates the IP address 10.10.10.1 with a netmask of 255.255.255.0 on the management interface: mgmt 10.10.10.1 netmask 255.255.255.0 Options You can use these options with the mgmt command: ◆ <ip addr list> Specifies the IP address in one of four formats: • IPv4 address in dotted-quad notation, for example, 10.10.10.1 • IPv6 address, for example, 1080::8:800:200C:417A • host name, for example, www.f5.com • node screen name, for example, node1 ◆ netmask <IP mask> Specifies the netmask for the management interface IP address. ◆ mgmt edit Displays in a text editor the running configuration of all objects that you use the command mgmt to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only mgmt { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also route(1), bigpipe(1), mgmt route(1) A - 112 bigpipe Command Reference mgmt route Specifies route settings for the management interface (MGMT). Syntax Use this command to create, display, or delete route settings for the management interface. Create/Modify mgmt route <mgmt route key list> {} mgmt route (<mgmt route key list> | all) [{] <mgmt route arg list> [}] <mgmt route key> ::= <network ip> <mgmt route arg> ::= (mgmt | reject) gateway (<ip addr> | none) mtu <number> mgmt route edit Display mgmt route [<mgmt route key list> | all] [show [all]] mgmt route [<mgmt route key list> | all] list [all] mgmt route [<mgmt route key list> | all] type [show] mgmt route [<mgmt route key list> | all] gateway [show] mgmt route [<mgmt route key list> | all] mtu [show] Delete mgmt route (<mgmt route key list> | all) delete Description Specifies route settings for the management interface. You must configure a route on the management interface if you want to access the management network on the system by connecting from another network. The management interface is available on all switch platforms. It is designed for management purposes. All upgrades should be installed through the management port. You can access the web-based Configuration utility and command line configuration utility through the management interface. You cannot include the management interface in traffic management VLANs. BIG-IP® Command Line Interface Guide A - 113 Appendix A Examples Sets the management interface default gateway IP address to 10.10.10.254: mgmt route default gateway 10.10.10.254 Either one of the following command sequences sets the management interface to subnet 10.10.10.0/24, and the gateway to 172.24.74.62: mgmt route 10.10.10.0 netmask 255.255.255.0 gateway 172.24.74.62 mgmt route 10.10.10.0/24 gateway 172.24.74.62 Options You can use these options with the mgmt route command: ◆ gateway Specifies that the system forwards packets to the destination through the gateway with the specified IP address. ◆ mgmt Specifies that the system forwards packets to the destination through the management interface. ◆ mgmt route edit Displays in a text editor the running configuration of all objects created using the command mgmt route. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ mtu Specifies the maximum transmission unit (MTU) for the management interface. The value of the MTU is the largest size that the BIG-IP system allows for an IP datagram passing through the management interface. ◆ network ip Specifies the network IP address, in one of four formats: • IPv4 address in dotted-quad notation, for example, 10.10.10.1 • IPv6 address, for example, 1080::8:800:200C:417A • Host name, for example, www.siterequest.com • Node screen name, for example, node1 ◆ A - 114 reject Specifies that the system drops packets that are sent to this destination. bigpipe Command Reference See also mgmt(1), bigpipe(1), route(1) BIG-IP® Command Line Interface Guide A - 115 Appendix A mirror Configures interface (port) mirroring. Syntax Use this command to create, modify, display, or delete interface mirroring. Create/Modify mirror <mirror key list> {} mirror (<mirror key list> | all) [{] <mirror arg list> [}] <mirror key> ::= <if name> <mirror arg> ::= interfaces (<interface key list> | none) [add | delete] mirror edit Display mirror [<mirror key list> | all] [show [all]] mirror [<mirror key list> | all] list [all] mirror [<mirror key list> | all] name [show] mirror [<mirror key list> | all] interfaces [show] Delete mirror (<mirror key list> | all) delete Description Use the mirror command to create, display, modify, or delete port mirroring on given interfaces. You can mirror traffic from many ports to one port. The mirror-to port is dedicated to mirroring and cannot be a VLAN or a trunk member. Examples Creates a port mirror, 1.1, that includes interfaces 1.2, 1.3, 1.4. Traffic from the interfaces 1.2, 1.3, and 1.4 is mirrored to the interface 1.1: mirror 1.1 interfaces 1.2 1.3 1.4 Adds interfaces 1.2, 1.3, 1.4 to the existing port mirror 1.1: mirror 1.1 interface 1.2 1.3 1.4 add A - 116 bigpipe Command Reference Options You can use these options with the mirror command: • add Adds interfaces to an existing port mirror. Important Be aware that if you do not use add, the list of interfaces you specify replaces the existing interfaces on the port mirror. • all Provides the ability to apply a command to all existing port mirrors. • delete Deletes interfaces from an existing port mirror. The list of interfaces you specify is deleted from the port mirror. • <interface key> Specifies an interface name, for example 3.1. • <key list> Provides the ability to apply a command to a list of existing port mirrors. • mirror edit Displays in a text editor the running configuration of all objects created using the command mirror. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also interface(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 117 Appendix A monitor Creates, modifies, and deletes monitor instances or templates. Syntax Use this command to create, modify, display, or delete monitor instances or monitors. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. F5 recommends that you create a monitor in the same partition in which the object that it monitors resides. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. monitor <monitor key list> {} monitor (<monitor key list> | all) [{] <monitor arg list> [}] <monitor key> ::= <name> <monitor arg> ::= <name> <string> defaults from <name> (enable | disable) accounting node <string> accounting port <string> agent <string> agent type <string> args <string> base <string> call id <string> cert <string> cipherlist <string> cmd <string> community <string> compatibility <string> count <string> cpu coefficient <string> cpu threshold <string> database <string> A - 118 bigpipe Command Reference debug <string> dest (<ip addr> | <node>) disk coefficient <string> disk threshold <string> domain <string> fault <string> filename <string> filter <string> folder <string> framed addr <string> get <string> gwm addr <string> gwm interval <string> gwm protocol <string> gwm service <string> instance <monitor instance list> interval <number> is read only key <string> mandatoryattrs <string> manual resume mem coefficient <string> mem threshold <string> method <string> metrics <string> mode <string> namespace <string> nasip <string> newsgroup <string> param name <string> param type <string> param value <string> password <string> post <string> program <string> protocol <string> recv <string> recvcolumn <string> recvdrain <string> recvrow <string> return type <string> return value <string> reverse run <string> BIG-IP® Command Line Interface Guide A - 119 Appendix A secret <string> security <string> send <string> sendpackets <string> server <string> server id <string> service <string> session id <string> snmp version <string> timeout (<number> | immediate | indefinite) timeoutpackets <string> transparent urlpath <string> username <string> version <string> <monitor instance> ::= (<monitor instance key list> | all) \ [{] <monitor instance arg list> [}] <monitor instance key> ::= (<ip addr> | <member>) <monitor instance arg> ::= (enable | disable) monitor edit WARNING Do not disable default monitors. Note If you disable a monitor instance, and then run the load command, the monitor instance is automatically enabled. Display monitor [<monitor key list> | all] [show [all]] monitor [<monitor key list> | all] list [all] monitor [<monitor key list> | all] <name> [show] monitor [<monitor key list> | all] accounting node [show] monitor [<monitor key list> | all] accounting port [show] monitor [<monitor key list> | all] agent [show] monitor [<monitor key list> | all] agent type [show] monitor [<monitor key list> | all] args [show] monitor [<monitor key list> | all] base [show] monitor [<monitor key list> | all] call id [show] monitor [<monitor key list> | all] cert [show] A - 120 bigpipe Command Reference monitor [<monitor key list> | all] cipherlist [show] monitor [<monitor key list> | all] cmd [show] monitor [<monitor key list> | all] compatibility [show] monitor [<monitor key list> | all] community [show] monitor [<monitor key list> | all] count [show] monitor [<monitor key list> | all] cpu coefficient [show] monitor [<monitor key list> | all] cpu threshold [show] monitor [<monitor key list> | all] database [show] monitor [<monitor key list> | all] debug [show] monitor [<monitor key list> | all] defaults from [show] monitor [<monitor key list> | all] dest [show] monitor [<monitor key list> | all] disk coefficient [show] monitor [<monitor key list> | all] disk threshold [show] monitor [<monitor key list> | all] domain [show] monitor [<monitor key list> | all] enabled [show] monitor [<monitor key list> | all] fault [show] monitor [<monitor key list> | all] filename [show] monitor [<monitor key list> | all] filter [show] monitor [<monitor key list> | all] flags [show] monitor [<monitor key list> | all] folder [show] monitor [<monitor key list> | all] framed addr [show] monitor [<monitor key list> | all] get [show] monitor [<monitor key list> | all] gwm addr [show] monitor [<monitor key list> | all] gwm interval [show] monitor [<monitor key list> | all] gwm protocol [show] monitor [<monitor key list> | all] gwm service [show] monitor [<monitor key list> | all] instance \ [<monitor instance key list> | all] [show] monitor [<monitor key list> | all] instance \ [<monitor instance key list> | all] addr [show] monitor [<monitor key list> | all] instance \ [<monitor instance key list> | all] enabled [show] monitor [<monitor key list> | all] interval [show] monitor [<monitor key list> | all] is read only [show] monitor [<monitor key list> | all] key [show] monitor [<monitor key list> | all] manual resume [show] monitor [<monitor key list> | all] mandatoryattrs [show] monitor [<monitor key list> | all] mem coefficient [show] monitor [<monitor key list> | all] mem threshold [show] monitor [<monitor key list> | all] method [show] monitor [<monitor key list> | all] metrics [show] monitor [<monitor key list> | all] mode [show] monitor [<monitor key list> | all] name [show] monitor [<monitor key list> | all] namespace [show] BIG-IP® Command Line Interface Guide A - 121 Appendix A monitor [<monitor key list> | all] nasip [show] monitor [<monitor key list> | all] newsgroup [show] monitor [<monitor key list> | all] param name [show] monitor [<monitor key list> | all] param type [show] monitor [<monitor key list> | all] param value [show] monitor [<monitor key list> | all] partition [show] monitor [<monitor key list> | all] password [show] monitor [<monitor key list> | all] post [show] monitor [<monitor key list> | all] program [show] monitor [<monitor key list> | all] protocol [show] monitor [<monitor key list> | all] recv [show] monitor [<monitor key list> | all] recvcolumn [show] monitor [<monitor key list> | all] recvrow [show] monitor [<monitor key list> | all] recvdrain [show] monitor [<monitor key list> | all] return type [show] monitor [<monitor key list> | all] return value [show] monitor [<monitor key list> | all] reverse [show] monitor [<monitor key list> | all] run [show] monitor [<monitor key list> | all] secret [show] monitor [<monitor key list> | all] security [show] monitor [<monitor key list> | all] send [show] monitor [<monitor key list> | all] sendpackets [show] monitor [<monitor key list> | all] server [show] monitor [<monitor key list> | all] server id [show] monitor [<monitor key list> | all] service [show] monitor [<monitor key list> | all] session id [show] monitor [<monitor key list> | all] snmp version [show] monitor [<monitor key list> | all] timeout [show] monitor [<monitor key list> | all] timeoutpackets [show] monitor [<monitor key list> | all] transparent [show] monitor [<monitor key list> | all] urlpath [show] monitor [<monitor key list> | all] username [show] monitor [<monitor key list> | all] version [show] Delete monitor (<monitor key list> | all) delete Description Monitors verify connections on pool members and nodes. A monitor can be either a health monitor or a performance monitor, designed to check the status of a pool, pool member, or node on an ongoing basis, at a set interval. If a pool member or node being checked does not respond within a specified timeout period, or the status of a pool member, or node indicates that performance is degraded, the system can redirect the traffic to another pool A - 122 bigpipe Command Reference member or node. Some monitors are included as part of the system, while other monitors are user-created. Monitors that the system provides are known as pre-configured monitors. User-created monitors are known as custom monitors. The task of implementing a monitor varies depending on whether you are using a pre-configured monitor or creating a custom monitor. If you want to implement a pre-configured monitor, you need only associate the monitor with a pool, pool member, or node. If you want to implement a custom monitor, you must first create the custom monitor, and then associate it with a pool, pool member, or node. Note To view the man page for the monitor command, you must enter man monitor at the BIG-IP system prompt. Pre-configured monitors The following monitors are pre-configured monitors: • gateway icmp • http • https • https 443 • icmp • real server • snmp dca • tcp • tcp echo • tcp half open Examples This procedure describes how to create a custom HTTP monitor. 1. Access the bigpipe shell. 2. View the variables for the default monitors, by typing the following command: monitor list all |more 3. Find a default monitor on which you want to base the new monitor and make a note of the settings that you want to change. For example, if you want to define a new monitor that is based on the default HTTP monitor, view the default HTTP monitor. The default HTTP monitor appears as follows: monitor http { BIG-IP® Command Line Interface Guide A - 123 Appendix A defaults from interval 5 timeout 16 dest *:* password recv send GET / username } From the configuration statement of the default HTTP monitor, the following settings are available: defaults from none interval 5 timeout 16 dest *.* password recv send GET / username Important: The values for the password, recv, send, and username settings are contained in quotation marks. If you want to change these values, you must place the new values in quotation marks. 4. Define the new monitor, using the following command syntax: monitor <name> '{ defaults from <monitor> <setting> <value>... }'> 5. Replace name with the name you want to use for the new monitor. 6. Replace monitor with the name of the default monitor on which you want to base the new monitor. 7. Replace setting and value with the name and value of each setting you want to change. For example, if you want to create a monitor named myhttpmonitor that has an interval of 30, a timeout of 91, and a send string of GET /test.html, you would type the following command: monitor myhttpmonitor '{ defaults from http interval 30 timeout 91 send GET /test.html }' If you decide to change the timeout for the monitor to 121, you would type the following command: monitor myhttpmonitor '{ interval 121 }' 8. Save the new monitor, by typing the following command: save For more information about configuring monitors, see the Configuration Guide for BIG-IP® Local Traffic Management. A - 124 bigpipe Command Reference Options You can use these options with the monitor command: ◆ defaults from Specifies the monitor that you want to use as the parent monitor. Your new monitor inherits all settings and values from the parent monitor specified. The new monitor will have the default settings of the monitor you specify, but you can change any of the settings. This option is required. ◆ agent Specifies an agent for use with Real Server, SNMP Base, and WMI monitors only. ◆ agent type Specifies the SNMP DCA agent type. This is the type of agent running on the server that you are monitoring with an SNMP DCA monitor. ◆ args Specifies any required command line arguments used by external monitors. ◆ base Specifies a base name, used by LDAP. ◆ cert Provides the ability to supply a certificate file to be presented to the server by an HTTPS monitor. If you do not provide the full path to the certificate file, the system adds the path /config/ssl/ssl.crt. The cert must be surrounded by quotation marks, for example, cert "client.crt", or cert "/config/ssl/ssl.crt/client.crt". The default is null, that is, no certificate is supplied. ◆ cipherlist Changes the cipher list that the HTTPS monitor uses, from the default. The default cipherlist used is: DEFAULT:+SHA:+3DES:+kEDH. The default cipher list is located in the file base_monitors.conf. ◆ cmd Specifies a command associated with metrics and metric values. Applies to Real Server and WMI monitors. ◆ community Specifies an SNMP community name. Applies to SNMP DCA monitors only. The default value is Public. ◆ compatibility Sets the SSL options to ALL for an HTTPS monitor. You can enable or disable this option. ◆ cpu coefficient Specifies an SNMP DCA CPU Coefficient. This is a CPU value used for calculating a ratio weight. ◆ cpu threshold Specifies an SNMP DCA CPU threshold. This is the highest disk threshold value allowed, used in calculating a ratio weight. BIG-IP® Command Line Interface Guide A - 125 Appendix A A - 126 ◆ database Specifies a database name, used by SQL. This is the name of the data source on the node being pinged, for example, sales or hr. ◆ debug Specifies whether the monitor provides debug mode. If the value is yes, the monitor redirects its stderr output to the file /var/log/<service> <ip addr>.<port>.log, and additional debug information is directed to stderr. ◆ dest Specifies a destination IP address. You can also set this to a node name. ◆ disk coefficient Specifies an SNMP DCA Disk coefficient. This is a disk value used for calculating a ratio weight. ◆ disk threshold Specifies an SNMP DCA Disk threshold. This is the highest disk threshold value allowed, used in calculating a ratio weight. ◆ domain Specifies a domain name, for SMTP monitors only. ◆ fault For a SOAP monitor, fault is a Boolean operator specifying whether to check for a SOAP fault. Valid values are (0, 1). When the fault parameter is specified as a value of 1, the monitor expects the successful execution it is monitoring to include a returned fault. This is useful to test for situations when a fault is expected. This tests only for the existence of a SOAP fault. Any other server error codes signal a failure of the monitor. ◆ filter Specifies a filter name, used by LDAP. ◆ folder Specifies a folder name, used by IMAP. ◆ get Gets a specified string. ◆ interval Monitor’s interval time in seconds. The default is 0. ◆ key Specifies the RSA private key to be used for client authentication. The key must be surrounded by quotation marks, for example, key "client.key". Note that if you specify a key, you must also specify a value for the cert option. For more information, see the cert option on the previous page. ◆ mem coefficient Specifies an SNMP DCA Memory coefficient. This is a memory value used for calculating a ratio weight. ◆ mem threshold Specifies an SNMP DCA Memory threshold. This is the highest disk threshold value allowed, used in calculating a ratio weight. bigpipe Command Reference ◆ method Specifies a method specification such as GET or POST. Applies to Real Server, SOAP, and WMI monitors only. ◆ metrics Specifies metrics that you want to monitor, such as CPU percentage or memory usage. Applies to Real Server and WMI monitors only. ◆ mode Sets the mode of the monitor. For example, an acceptable setting for this value is passive for an FTP monitor, or udp or tcp for a SIP monitor. ◆ monitor edit Displays in a text editor the running configuration of all objects created using the command monitor. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ name Specifies the monitor name. ◆ namespace Specifies the namespace associated with the given web service for a SOAP monitor. ◆ nasip Specifies the network access server’s IP address for a RADIUS monitor. ◆ newsgroup Specifies a newsgroup name, for NNTP monitors only. ◆ param name If the method has a parameter, specifies the name of that parameter for the SOAP monitor. ◆ param type Specifies the basic type associated with the given parameter name in a SOAP monitor. Valid values are (long, int, string, bool). ◆ param value Specifies the value of the given parameter for the SOAP monitor. ◆ partition Displays the partition within which the monitor resides. ◆ password Specifies the password for the specified user name. ◆ post Specifies a WMI and Real Server post setting. BIG-IP® Command Line Interface Guide A - 127 Appendix A ◆ protocol Specifies the protocol to use for a SOAP monitor. Valid values are http or https. ◆ recv This is an optional parameter, containing the value expected back for a particular row and column of the table retrieved by the send parameter, for example, Smith. The expected data must be of a database type that converts directly to a Java String (for example, VARCHAR). If no value is specified for this parameter, the returned data is not checked for any specific value and, as long as no discernible errors occurred (for example, data was received), the service is considered to be up. ◆ recvcolumn This option is meaningful only if the recv option is specified. It contains the column in the returned table in which the recv value is expected. ◆ recvrow This option is meaningful only if the recv option is specified. It contains the row in the returned table in which the recv value is expected. ◆ return type If a return type is to be tested, specifies the basic type of the return parameter. Valid values are: • bool (Boolean) • char • double • float • int (integer) • long • short • string ◆ return value For the SOAP monitor. If a return name is specified, this is the value to use for comparison to yield a successful service check. ◆ reverse Checks a monitor recv string reverse mode. ◆ run Runs a path name. ◆ secret Specifies a secret or shared secret, used by RADIUS. ◆ security Valid values are: • ssl: This value requests that LDAP over SSL be used. • tls: This value requests that TLS be used. A - 128 bigpipe Command Reference • none: This value (or a null value or any value that does not equal one of the above) invokes no special security. The monitor runs as the previous LDAP pinger was run. ◆ send You can use this parameter with TCP, HTTP, and HTTPS ECVs, as well as the SQL monitor. Since this may have special characters, it may require that it be enclosed with single quotation marks. If this value is null, then a valid connection suffices to determine that the service is up. In this case, the recv, recvrow, and recvcolumn options are not needed, and will be ignored even if not null. ◆ sendpackets Specifies the number of packets to send when using the UDP monitor. ◆ snmp version Specifies the SNMP version. ◆ timeout Monitor’s timeout in seconds. You can also set the timeout to immediate or indefinite. The default is 0. ◆ timeoutpackets Specifies the timeout in seconds for receiving UDP packets. ◆ transparent Specifies a monitor for transparent devices. In this mode, the node with which the monitor is associated is pinged through to the destination node. ◆ urlpath For a SOAP monitor, supplies a URL path. ◆ username Specifies a user name for services with password security. For LDAP monitors only, this is a distinguished name, that is, LDAP-format user name. See also node(1), pool(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 129 Appendix A nat Configures network address translation (NAT). Syntax Use this command to create, modify, display, or delete a NAT. Create/Modify nat <nat key list> {} nat (<nat key list> | all) [{] <nat arg list> [}] <nat key> ::= (<ip addr> | none) <ip addr> to <ip addr> (<ip addr> | none) map <ip addr> <nat arg> ::= orig addr (<ip addr> | none) (enable | disable) arp (enable | disable) unit <number> <ip addr> map <ip addr> vlans (<vlan key list> | none | all) (enable | disable) nat [<nat key list> | all] stats reset nat edit Display nat [<nat key list> | all] [show [all]] nat [<nat key list> | all] list [all] nat [<nat key list> | all] orig addr [show] nat [<nat key list> | all] trans addr [show] nat [<nat key list> | all] enabled [show] nat [<nat key list> | all] arp [show] nat [<nat key list> | all] unit [show] nat [<nat key list> | all] stats [show] nat [<nat key list> | all] to [show] nat [<nat key list> | all] map [show] nat [<nat key list> | all] vlans [show] Delete nat (<nat key list> | all) delete A - 130 bigpipe Command Reference Description A network address translation (NAT) defines a bi-directional mapping between an originating IP address, orig addr, and a translated IP address, trans addr. A primary reason for defining a NAT is to allow one of the servers in the server array behind the traffic management system to initiate communication with a computer in front of, or external to the system. Examples The node behind the system with the IP address 10.0.140.100 has a presence in front of the BIG-IP system as IP address 11.0.0.100: nat 10.0.140.100 to 11.0.0.100 Permanently deletes the NAT from the system configuration: nat 10.0.140.100 delete Additional Restrictions The nat command has the following additional restrictions: • A virtual server cannot use the IP address defined in the <trans addr> parameter. • A NAT cannot use a BIG-IP system's IP address. • A NAT cannot use an originating or translated IP address defined for and used by a SNAT or another NAT. • You must delete a NAT before you can redefine it. Options You can use these options with the nat command: • arp Enables or disables Address Resolution Protocol (ARP). • <ip addr> to <ip addr> or <ip addr> map <ip addr> Specifies the IP address that is translated or mapped, and the IP address to which it is translated or mapped. One of these settings is required when creating a NAT. ◆ nat edit Displays in a text editor the running configuration of all objects created using the command nat. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. BIG-IP® Command Line Interface Guide A - 131 Appendix A When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • orig addr Specifies the IP address from which traffic is being initiated. • trans addr Specifies the IP address that <orig addr> is translated to by the traffic management system. • vlans Specifies the name of an existing VLAN on which access to the NAT is enabled or disabled. A NAT is accessible on all VLANs by default. • unit Specifies a unit ID, currently 1 or 2 for the redundant system. The default unit ID is set to 1. See also snat(1), snat translation(1), bigpipe(1) A - 132 bigpipe Command Reference ndp Manages IPv6 neighbor discovery. Syntax Use this command to create, display, and delete IPv6 neighbor discovery. Create/Modify ndp <ndp key list> {} ndp (<ndp key list> | all) [{]}<ndp arg list> {]} <ndp key> := <ip addr> (static | dynamic) <ndp arg> := (<mac addr> | none) ndp edit Display ndp (<ndp key list> | all) [show [all]] ndp (<ndp key list> | all) list [all] ndp (<ndp key list> | all) ip addr [show] ndp (<ndp key list> | all) type [show] ndp (<ndp key list> | all) mac addr [show] Delete ndp (<ndp key list> | all) delete Description The ndp command provides the ability to display and modify the IPv6-to-Ethernet address translation tables used by the IPv6 neighbor discovery protocol. Examples Maps the IPv6 address fec0:f515::c001 to the MAC address 00:0B:DB:3F:F6:57: ndp fec0:f515::c001 00:0B:DB:3F:F6:57 Shows all static and dynamic IPv6 address-to-MAC address mapping: ndp all show BIG-IP® Command Line Interface Guide A - 133 Appendix A Options You can use these options with the ndp command: • all Displays all static and dynamic IPv6 address-to-MAC address mapping. • dynamic Displays dynamic IPv6 address-to-MAC address mapping. • <ip addr> Specifies the IPv6 address to be mapped to the MAC address. For example, fec0:f515::c001. • <mac addr> Specifies a 6-byte ethernet address in hexadecimal colon notation that is not case-sensitive. For example, 00:0b:09:88:00:9a. This option is required. ◆ ndp edit Displays in a text editor the running configuration of all objects created using the command ndp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • static Displays static IPv6 address-to-MAC address mapping. See also arp(1), bigpipe(1) A - 134 bigpipe Command Reference node Creates, modifies, or displays node addresses and services. Syntax Use this command to create, modify, or display node addresses and services. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. node <node key list> {} node (<node key list> | all) [{] <node arg list> [}] <node key> ::= (<ip addr> | none) <node arg> ::= dynamic ratio <number> limit <number> monitor (default | <monitor key> | <monitor key> and <monitor key> \ [ and <monitor key> ...] | min <number> of <monitor key list>) ratio <number> session (enable | disable) (up | down) screen (<name> | none) node [<node key list> | all] stats reset node edit Display node [<node key list> | all] [show [all]] node [<node key list> | all] list [all] node [<node key list> | all] addr [show] node [<node key list> | all] dynamic ratio [show] node [<node key list> | all] limit [show] node [<node key list> | all] monitor [show] node [<node key list> | all] monitor state [show] node [<node key list> | all] partition [show] node [<node key list> | all] ratio [show] BIG-IP® Command Line Interface Guide A - 135 Appendix A node [<node key list> | all] screen [show] node [<node key list> | all] session [show] node [<node key list> | all] stats [show] Delete node [<node key list> | all] delete Description Displays information about nodes, and sets attributes of nodes and node IP addresses. Examples Displays information for all nodes in the system configuration: node all show Lists all nodes: node all list Removes all monitor associations from all nodes: node all monitor none Removes the default node monitor from all nodes. This command does not remove monitors that have been explicitly assigned to nodes: node * monitor none Removes all monitor associations from the node 10.10.10.15: node 10.10.10.15 monitor none Options You can use these options with the node command: • dynamic ratio Sets the dynamic ratio number for the node. Used for dynamic ratio load balancing. The ratio weights are based on continuous monitoring of the servers and are therefore continually changing. Dynamic Ratio load balancing may currently be implemented on RealNetworks RealServer platforms, on Windows platforms equipped with Windows Management Instrumentation (WMI), or on a server equipped with either the UC Davis SNMP agent or Windows 2000 Server SNMP agent. • limit Specifies the maximum number of connections allowed for the node or node address. • monitor Specifies the name of the monitor that you want to associate with the node. A - 136 bigpipe Command Reference ◆ node edit Displays in a text editor the running configuration of all objects created using the command node. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition in which the node resides. • ratio Specifies the fixed ratio value used for a node during ratio load balancing. • screen <name> | none Specifies the given name of the node, if any. • session Displays the current connections for the specified node. • up | down Marks the node up or down. See also pool(1), monitor(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 137 Appendix A ntp Configures the Network Time Protocol (NTP) daemon for the BIG-IP system. Syntax Use this command to configure the NTP servers for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. ntp [{] <ntp arg list> [}] <ntp arg> ::= include (<string> | none) servers (<ip addr list> | none) [add | delete] timezone (<string> | none) ntp edit Display ntp [show [all]] ntp list [all] ntp include [show] ntp partition [show] ntp servers [show] ntp timezone [show] Description Use this command to configure the NTP servers for the system. Examples Adds the NTP server with the IP address, 192.168.1.245, to the system: ntp servers 192.168.1.245 add Replaces the existing list of NTP servers with a single host, time.f5net.com: ntp servers time.f5net.com A - 138 bigpipe Command Reference Sets the system time to Pacific Standard Time: ntp timezone “America/Los Angeles” Options You can use these options with the ntp command: • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • ntp edit Displays in a text editor the running configuration of all objects created using the command ntp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only ntp { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the ntp object resides. • servers Adds NTP servers to or deletes NTP servers from the BIG-IP system. • timezone Specifies the time zone that you want to use for the system time. See also bigpipe(1), dns(1), httpd(1), snmpd(1), sshd(1) BIG-IP® Command Line Interface Guide A - 139 Appendix A ocsp responder Configures Online Certificate System Protocol (OCSP) responder objects. Syntax Use the command to create, modify, display, or delete an OCSP responder object. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. ocsp responder <ocsp responder key list> {} ocsp responder (<ocsp responder key list> | all) [{] <ocsp arg list> [}] <ocsp responder key> ::= <name> <ocsp responder arg> ::= ca file (<file name> | none) ca path (<file name> | none) certid digest (sha1 | md5) certs (enable | disable) chain (enable | disable) check certs (enable | disable) explicit (enable | disable) ignore aia (enable | disable) intern (enable | disable) sig verify (enable | disable) sign key (<file name> | none) sign key pass phrase (<string> | none) sign other (<file name> | none) sign digest (sha1 | md5) signer (<file name> | none) status age <number> trust other (enable | disable) url (<string> | none) va file (<file name> | none) validity period <number> A - 140 bigpipe Command Reference verify (enable | disable) verify cert (enable | disable) verify other (<string> | none) ocsp responder edit Display ocsp responder [<ocsp responder key list> | all] [show [all]] ocsp responder [<ocsp responder key list> | all] list [all] ocsp responder [<ocsp responder key list> | all] ca file [show] ocsp responder [<ocsp responder key list> | all] ca path [show] ocsp responder [<ocsp responder key list> | all] certid digest [show] ocsp responder [<ocsp responder key list> | all] certs [show] ocsp responder [<ocsp responder key list> | all] chain [show] ocsp responder [<ocsp responder key list> | all] check certs [show] ocsp responder [<ocsp responder key list> | all] explicit [show] ocsp responder [<ocsp responder key list> | all] ignore aia [show] ocsp responder [<ocsp responder key list> | all] name [show] ocsp responder [<ocsp responder key list> | all] intern [show] ocsp responder [<ocsp responder key list> | all] partition [show] ocsp responder [<ocsp responder key list> | all] sig verify [show] ocsp responder [<ocsp responder key list> | all] sign digest [show] ocsp responder [<ocsp responder key list> | all] sign key [show] ocsp responder [<ocsp responder key list> | all] sign key pass phrase [show] ocsp responder [<ocsp responder key list> | all] sign other [show] ocsp responder [<ocsp responder key list> | all] signer [show] ocsp responder [<ocsp responder key list> | all] status age [show] ocsp responder [<ocsp responder key list> | all] trust other [show] ocsp responder [<ocsp responder key list> | all] url [show] ocsp responder [<ocsp responder key list> | all] va file [show] ocsp responder [<ocsp responder key list> | all] validity period [show] ocsp responder [<ocsp responder key list> | all] verify [show] ocsp responder [<ocsp responder key list> | all] verify cert [show] ocsp responder [<ocsp responder key list> | all] verify other [show] Delete ocsp responder (<ocsp responder key list> | all) delete Description To implement the SSL OCSP authentication module, you must create the following objects: one or more OCSP responder objects, an SSL OCSP configuration object, and an SSL OCSP profile. BIG-IP® Command Line Interface Guide A - 141 Appendix A Options You can use these options with the ocsp responder command: • ca file Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response. • ca path Specifies the name of the path containing trusted CA certificates used to verify the signature on the OCSP response. • certid digest Specifies a specific algorithm identifier, either sha1 or md5. sha1 is newer and provides more security with a 160 bit hash length. md5 is older and has only a 128 bit hash length. The default is sha1. The cert ID is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates the cert ID using a hash of the Issuer and serial number for the certificate that it is trying to verify. • certs Enables or disables the addition of certificates to an OCSP request. The default is enable. • chain Constructs a chain from certificates in the OCSP response. The default is enable. • check certs Makes additional checks to see if the signer's certificate is authorized to provide the necessary status information. Used for testing purposes only. The default is enable. • explicit Specifies that the BIG-IP local traffic management system explicitly trusts that the OCSP response signer's certificate is authorized for OCSP response signing. If the signer's certificate does not contain the OCSP signing extension, specification of this setting causes a response to be untrusted. The default is enable. • ignore aia Causes the system to ignore the URL contained in the certificate's AIA fields, and to always use the URL specified by the responder instead. The default is disable. • intern Causes the system to ignore certificates contained in an OCSP response when searching for the signer's certificate. To use this setting, the signer's certificate must be specified with either the Verify Other or VA File setting. The default is enable. ◆ A - 142 ocsp responder edit Displays in a text editor the running configuration of all objects created using the command ocsp responder. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. bigpipe Command Reference When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • partition Displays the partition within which the ocsp responder object resides. • sig verify Checks the signature on the OCSP response. Used for testing purposes only. The default is enable. • sign key Used to sign an OCSP request. • sign key pass phrase Used to encrypt the sign key. • sign other Adds a list of additional certificates to an OCSP request. • sign digest Specifies the algorithm for signing the request, using the signing certificate and key. This parameter has no meaning if request signing is not in effect (that is, both the request signing certificate and request signing key parameters are empty). This parameter is required only when request signing is in effect. The default is sha1. • signer Specifies a certificate used to sign an OCSP request. If the certificate is specified but the key is not specified, then the private key is read from the same file as the certificate. If neither the certificate nor the key is specified, then the request is not signed. If the certificate is not specified and the key is specified, then the configuration is considered to be invalid. • status age The default is 0. • trust other Instructs the BIG-IP local traffic management system to trust the certificates specified with the Verify Other setting. The default is disable. • url Specifies the URL used to contact the OCSP service on the responder. When using the ocsp responder command, you must specify a URL. • va file Specifies the name of the file containing explicitly-trusted responder certificates. This parameter is needed in the event that the responder is not covered by the certificates already loaded into the responder's CA store. BIG-IP® Command Line Interface Guide A - 143 Appendix A • validity period Specifies the number of seconds used to specify an acceptable error range. This setting is used when the OCSP responder clock and a client clock are not synchronized, which could cause a certificate status check to fail. This value must be a positive number. The default is 300 seconds. • verify Enables or disables verification of an OCSP response signature or the nonce values. Used for debugging purposes only. The default is enable. • verify cert The default is enable. • verify other Specifies the name of the file used to search for an OCSP response signing certificate when the certificate has been omitted from the response. See also auth ssl ocsp(1), profile auth(1), bigpipe(1) A - 144 bigpipe Command Reference oneconnect Displays or resets OneConnect™ statistics for the BIG-IP system. Syntax Use this command to display or reset OneConnect™ statistics for the BIG-IP system. Display oneconnect [show [all]] Modify oneconnect stats reset Description The OneConnect™ feature optimizes the use of network connections by keeping server-side connections open and pooling them for re-use. You can use the oneconnect command to display or reset OneConnect™ statistics for the BIG-IP system. See also profile(1), profile oneconnect(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 145 Appendix A packet filter Configures packet filter rules and trusted allow lists. Syntax Use this command to create, modify, display, or delete packet filtering. Create/Modify Use this syntax to create or modify packet filter rules: packet filter (<packet filter key list> | all) [{] <packet filter arg list> [}] <packet filter key> ::= <name> <packet filter arg> ::= order <number> action (none | accept | discard | reject | continue) vlan (<vlan key> | none) log (enable | disable) rate class (<rate class key> | none) filter (<rule>) packet filter [<packet filter key list> | all] stats reset packet filter edit Use this syntax to modify the packet filter’s allow trusted lists: packet filter {} packet filter [{] <packet filter arg list> [}] <packet filter arg> ::= allow trusted <allow trusted> <allow trusted> ::= [{] <allow trusted arg list> [}] <allow trusted arg> ::= addresses (<ip addr list> | none) [add | delete] vlans (<vlan key list> | none) [add | delete] macs (<mac addr list> | none) [add | delete] packet filter <packet filter key list> {} Display packet filter [show [all]] packet filter list [all] packet filter allow trusted [show] A - 146 bigpipe Command Reference Use this syntax to display allow trusted lists: packet filter allow trusted vlans [show] packet filter allow trusted macs [show] packet filter allow trusted addresses [show] Use this syntax to display packet filter rules: packet filter [<packet filter key list> | all] [show [all]] packet filter [<packet filter key list> | all] list [all] packet filter [<packet filter key list> | all] action [show] packet filter [<packet filter key list> | all] filter [show] packet filter [<packet filter key list> | all] log [show] packet filter [<packet filter key list> | all] order [show] packet filter [<packet filter key list> | all] rate class [show] packet filter [<packet filter key list> | all] vlan [show] Delete packet filter [<packet filter key list> | all] delete Description Provides the ability to create a layer of security for the traffic management system using packet filter rules or trusted allow lists. The BIG-IP system packet filters are based on the Berkeley Software Design Packet Filter (BPF) architecture. Packet filter rules are composed of four mandatory attributes and three optional attributes. The mandatory attributes are name, order, action, and filter. The optional attributes are vlan, log, and rate class. The filter attribute you choose defines the BPF script to match for the rule. Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs that you want to allow to bypass the packet filter. Important You must enable the packet filter flag using the Configuration utility, for any packet filter configuration to work. By default, the packet filter flag is disabled. BIG-IP® Command Line Interface Guide A - 147 Appendix A Trusted allow list example Create a trusted allow list that allows anything listed to bypass the packet filter. packet filter allow trusted { vlan internal1 internal2 mac 00:02:3F:3E:2F:FE} In this example, you have an administrative laptop that you want to have unrestricted access to the traffic management system. This is a laptop, and therefore it might have a different IP address from time to time. One way to solve the problem is to add a trusted MAC address. A trusted MAC address is a MAC address that passes MAC address-based authentication. This trusted allow list example shows the laptop MAC address as 00:02:3F:3E:2F:FE. Now the laptop can access the traffic management system regardless of what address it boots with or to which VLAN it is connected, as long as it is on the same physical segment as the traffic management system. Also in this example, the traffic management system is configured with a basic firewall for the internal network. This example shows a way to filter incoming traffic, and allow outgoing traffic to be unrestricted. To do this, you add trusted VLANs that represent all traffic that originated on the internal network. Note Another way to do this is to allow trusted IP addresses instead, for example, 192.168.26.0/24. Packet filter rules examples You can create a set of rules that specify what incoming traffic to accept and how to accept it. See the examples following. Example 1: Block spoofed addresses This example prevents private IP addresses from being accepted on a public VLAN. This is a way of ensuring that no one can spoof private IP addresses through the external VLAN of the system. In this example, the system logs when this happens. packet filter spoof_blocker { order 5 action discard vlan external log enable filter {( src net 172.19.255.0/24 )} } A - 148 bigpipe Command Reference Example 2: Allow restricted management access You can allow restricted SSH and HTTPS access to the traffic management system for management purposes, and keep a log of that access. However, note that this is not the same management access you can get through the management port/interface (MGMT); that interface is not affected by any packet filter configuration and if that is the only way you want to allow access to your system, this configuration is not necessary. In the first rule, shown on the next page, SSH is allowed access from a single fixed-address administrative workstation, and each access is logged. In the subsequent rule, web-based Configuration utility access is allowed from two fixed-address administrative workstations, however, access is not logged. packet filter management_ssh { order 10 action accept log enable filter {( proto TCP ) and ( src host 172.19.254.10 ) and ( dst port 22 )} } packet filter management_gui { order 15 action accept filter {( proto TCP ) and ( src host 172.19.254.2 or src host 172.19.254.10 ) and \ ( dst port 443)} } Example 3: Allow access to all virtual servers In this final example, you can verify that all of the virtual servers in your configuration are reachable from the public network. This is critical if you have decided to use a default-deny policy. A default-deny policy restricts Internet access to everything that is not explicitly permitted. This example also shows how to rate shape all traffic to the virtual server IP address with a default rate class (that can be overridden by individual virtual servers or iRules™ later). Note This example has a single virtual server IP, and it does not matter what interface the traffic is destined for. If you want to be more specific, you could specify each service port, as well (for example, HTTP, FTP, Telnet, and so on). packet filter virtuals { order 20 action accept vlan external rate class root filter {( dst host 172.19.254.80 )} } BIG-IP® Command Line Interface Guide A - 149 Appendix A Options You can use these options with the packet filter command to create packet filter rules: ◆ action Specifies the action that the packet filter rule should take. The values for action are: accept, discard, reject, continue, and none. There is no default; you must specify a value when you create a packet filter rule. ◆ filter Specifies the BPF expression to match. The filter is mandatory, however you can leave it empty. If empty, the packet filter rule matches all packets. ◆ log Enables or disables packet filter logging. If you omit this value, no logging is performed. ◆ order Specifies a sort order. The values for the sort order are all integers between 0 and 999, inclusive. No two rules may have the same sort order. There is a single, global list of rules. Each rule in the list has a relative integer sort-order. The rule with the lowest sort-order value is always evaluated first, the rule with the highest sort-order value is always evaluated last, and all other rules are evaluated in-between in order based on ascent of their sort-order value. For example, if there are five rules, numbered 500, 100, 300, 200, 201; the rule evaluation order is 100, 200, 201, 300, 500. Each packet to be filtered is compared against the list of rules in sequence, starting with the first. Evaluation of the rule list stops on the first match that has an action of accept, discard, or reject. A match on a rule with an action of none does not stop further evaluation of the rule list; the statistics count is updated and a log is generated if the rule indicates it, but otherwise rule processing continues with the next rule in the list. Rules should be sequenced for effect and efficiency by the user; generally this means: • More specific rules should be evaluated first, and thus have the lowest sort-orders. • One expression with multiple criteria is likely to evaluate more efficiently than multiple expressions each with a single criterion. This is a required setting. ◆ A - 150 packet filter edit Displays in a text editor the running configuration of all objects created using the command packet filter. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. bigpipe Command Reference When the text editor opens, if only packet filter { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ rate class Specifies the name of a rate class. The value for the rate class association is the name of any existing rate class. If omitted, no rate filter is applied. ◆ vlan Specifies the VLAN to which the packet filter rule should apply. The value for this option is any VLAN name currently in existence. If you omit this value, the rule applies to all VLANs. You can use these options with the packet filter command to create trusted allow lists: ◆ addresses Specifies a list of source IP addresses. Any traffic matching a source IP in the list is automatically allowed. This simplifies configuration of the packet filter to allow trusted internal traffic to be passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing of traffic by this option occurs before rule list evaluation, making it impossible to override this option and mask out (block) certain types of traffic with a packet filter rule. This option is empty by default. ◆ macs Specifies a list of MAC addresses. The system allows any traffic matching a MAC address in the source address list. This simplifies configuration of the packet filter to allow trusted internal traffic to be passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing of traffic by this option occurs before rule list evaluation, making it impossible to override this option and mask out (block) certain types of traffic with a packet filter rule. This option is empty by default. ◆ vlans Specifies a list of ingress VLANs. Any traffic matching received on a VLAN in the ingress VLAN list is automatically allowed. This simplifies configuration of the packet filter to allow trusted internal traffic to be passed from VLAN to VLAN without a filter rule, including out to the Internet. Processing of traffic by this option occurs before rule list evaluation, making it impossible to override this option and mask out (block) certain types of traffic with a packet filter rule. This option is empty by default. See also rate class(1), virtual(1), vlan(1), vlangroup(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 151 Appendix A partition Creates, modifies, and deletes administrative partitions that implement access control for the BIG-IP system users. Syntax Use this command to create, modify, and delete administrative partitions that implement access control for the BIG-IP system users. To use this command, you must have the Administrator user role assigned to your user account. Create/Modify partition <partition key list> {} partition (<partition key list> | all) [{] <partition agr list> [}] <partition key> ::= <name> <partition arg> ::= description (<string> | none) partition edit Display partition (<partition key list> | all] [show [all]] partition (<partition key list> | all] list [all] partition (<partition key list> | all] name [show] partition (<partition key list> | all] description [show] Delete partition (<partition key list> | all) delete Description An administrative partition is a logical container that you create, containing a defined set of BIG-IP system objects, such as virtual servers, pools, and profiles. When a specific set of objects resides in a partition, you can then give certain users the authority to view and manage the objects in that partition only, rather than to all objects on the BIG-IP system. This gives a finer degree of administrative control. A - 152 bigpipe Command Reference Options You can use the following options with the partition command: • description Specifies a description of the partition, for example, This partition contains local traffic management objects for managing HTTP traffic. ◆ partition edit Displays in a text editor the running configuration of all objects created using the command partition. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also user(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 153 Appendix A password policy Specifies the parameters of the valid passwords for the BIG-IP system. Syntax Use this command to create a password policy for the BIG-IP system in order to enforce your company's security requirements. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. password policy [{] <password policy arg list> [}] <password policy arg> ::= max days <number> min days <number> min length <number> remember <number> required lowercase <number> required numeric <number> required special <number> required uppercase <number> strict (enable | disable) warn age <number> password policy edit Display password policy [show [all]] password policy list [all] password policy max days [show] password policy min days [show] password policy min length [show] password policy required lowercase [show] password policy required numeric [show] password policy required special [show] password policy required uppercase [show] password policy partition [show] A - 154 bigpipe Command Reference password policy remember [show] password policy strict [show] password policy warn age [show] Description This command provides the ability to define the parameters of valid passwords on the BIG-IP system. Examples Creates a password policy that specifies that passwords are valid for a maximum of 90 days, and a minimum of 30 days. Also specifies that in order to be valid, a password must contain at least 6 characters, but not more than 10 characters, including 2 lowercase alpha characters, 2 uppercase alpha characters, and 1 number. Also states that the system will automatically warn users five days before their passwords expire: password policy max days 90 min days 30 min length 6 max length 10 required lowercase 2 \ required uppercase 2 required special 1 required numeric 1 warn age 5 Options You can use the following options with the password policy command. • max days Specifies the maximum number of days a password is valid. The default value is 99999. • min days Specifies the minimum number of days a password is valid. The default value is 0 (zero). • min length Specifies the minimum number of characters in a valid password. The default value is 6. • partition Displays the partition within which the password policy resides. • password policy edit Displays in a text editor the running configuration of all objects created using the command password policy. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only password policy { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. BIG-IP® Command Line Interface Guide A - 155 Appendix A • remember Specifies whether the user has configured the BIG-IP system to remember a password on a specific computer. The default value is 0 (zero). • required lowercase Specifies the number of lowercase alpha characters that must be present in a password for the password to be valid. The default value is 0 (zero). • required numeric Specifies the number of numeric characters that must be present in a password for the password to be valid. The default value is 0 (zero). • required special Specifies the number of special characters that must be present in a password for the password to be valid. The default value is 0 (zero). • required uppercase Specifies the number of uppercase alpha characters that must be present in a password for the password to be valid. The default value is 0 (zero). • strict Enables or disables the password policy on the BIG-IP system. The default value is disable. • warn age Specifies the number of days before a password expires. Based on this value, the BIG-IP system automatically warns users when their password is about to expire. The default value is 7. See also bigpipe(1), user(1), remote_users(1), remoterole(1) A - 156 bigpipe Command Reference persist Configures persistence for the system, and manages the persistence table entries on the system. Syntax Use this command to configure persistence for the system and to manage the persistence table entries on the system. For information on configuring session persistence for a virtual server, see profile persist, on page A-214. Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. Use this syntax to configure persistence on the system: persist [{] <persist arg list> [}] <persist arg> ::= dest addr limit (timeout | maxcount) dest addr max <number> proxy group (<string> | none) persist edit Use this syntax to manage the persistence table entries: persist <persist key list> {} persist <persist key list> [{] <persist arg list> [}] <persist key> ::= [pool <pool key>] [virtual <virtual key>] \ [node (<ip addr> | <node>)] [mode (none | source addr |\ dest addr | cookie | msrdp | ssl | sip | universal |\ hash)] [key (<string> | none)] [client (<ip addr> |\ none)] Display persist [<persist key list> | all] [show [all]] persist list [all] persist dest addr limit [show] persist dest addr max [show] BIG-IP® Command Line Interface Guide A - 157 Appendix A persist partition [show] persist proxy group [show] Delete persist [<persist key list> | all] delete Description You can use the persist command to configure persistence for the BIG-IP system. You can also use the persist command to manage the records in the persistence table of the system. If you specify a parameter for persist key, you must specify a mode and no other parameter than mode. Examples Displays all persistence records with a mode of source addr: persist mode source addr Displays all persistence records persisting to node 11.12.13.10:80: persist node 11.12.13.10:80 show Options You can use the following options to configure persistence for the BIG-IP system: ◆ dest addr limit Specifies that the persistence session is limited by either the number of seconds before the persistence entry times out, or by a maximum number of requests to the destination address. ◆ dest addr max Specifies the maximum number of entries that can be in the persistence table at any one time when using the destination address affinity mode and when the option dest addr limit is set to maxcount. The default value is 2048 entries. ◆ partition Displays the partition within which the persist object resides. ◆ persist edit Displays in a text editor the running configuration of all objects created using the command persist. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only persist { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. A - 158 bigpipe Command Reference Note that the default text editor is vi. ◆ proxy group Specifies a group of servers that are configured to process all of the requests from a single source address during a persistence session. You can use the following options to manage the persistence table entries: ◆ mode Specifies the type of persistence you are setting up for the system. The following options are available: • client When you specify source addr for the mode option, use this option to specify the IP address on which the session persists. • cookie Cookie persistence uses an HTTP cookie stored on a client's computer to allow the client to connect to the same server previously visited at a web site. • dest addr Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet. • hash Hash persistence is based on an existing iRule. • key Specifies a string for the system to use to persist a client session. • msrdp MSRDP persistence provides an efficient way of load balancing traffic and maintaining persistent sessions between Windows clients and servers that are running the Microsoft Terminal Services service. The recommended scenario for enabling the MSRDP persistence feature is to create a load balancing pool that consists of members running Windows .NET Server 2003, Enterprise Edition, or later, where all members belong to a Windows cluster and participate in a Windows session directory. • sip Session Initiation Protocol (SIP) persistence is a type of persistence available for server pools. You can configure SIP persistence for proxy servers that receive SIP messages sent through UDP. The BIG-IP system currently supports persistence for SIP messages sent through UDP, TCP, or SCTP. • source addr Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet. When you specify source addr as the mode of persistence, you must specify an IP address using the client option. BIG-IP® Command Line Interface Guide A - 159 Appendix A • ssl SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. Even when the client's IP address changes, the system still recognizes the connection as being persistent based on the session ID. Note that the term, non-terminated SSL sessions, refers to sessions in which the system does not perform the tasks of SSL certificate authentication and encryption/re-encryption. • universal Universal persistence allows you to write an expression that defines what to persist on in a packet. The expression, written using the same expression syntax that you use in iRules™, defines some sequence of bytes to use as a session identifier. ◆ node Indicates the node with which the client session remains persistent. ◆ pool Indicates the pool member with which the client session remains persistent. ◆ virtual Indicates the virtual server with which the client session remains persistent. See also profile persist(1), virtual(1), bigpipe(1) A - 160 bigpipe Command Reference platform Displays information about the BIG-IP system platform. Syntax Use this command to display information about the system platform, including name and number, the license level of the installed hardware SSL compression cards, the amount of installed memory, the type and speed of the CPU, the PVA type (if present), and a list of licensed and enabled modules, such as the BIG-IP® Global Traffic Manager. Display platform [show [all]] platform list [all] platform base mac [show] platform bios rev [show] Description Display platform statistics such as CPU fan speed and temperature, chassis temperature, and power supply status. Examples This command: platform show all Displays the following information: PLATFORM INFORMATION Type Chassis serial number and part number Switch board serial number and part number Host board serial number and part number Annunciator board serial number and part number BIOS Rev base MAC CPU temp and fan speed CHASSIS TEMPERATURE CHASSIS FAN status POWER SUPPLY status This command: platform base mac [show] Displays the following information: PLATFORM - base mac: 00:01:D7:2C:9F:40 BIG-IP® Command Line Interface Guide A - 161 Appendix A See also bigpipe(1) A - 162 bigpipe Command Reference pool Configures load balancing pools on the traffic management system. Syntax Use this command to create, modify, display, or delete a load balancing pool. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. pool <pool key list> {} pool <pool key list>[{] <pool arg list> [}] <pool key>::= <name> <pool arg> ::= lb method (round robin | member ratio | member least conn | member observed | \ member predictive | ratio | least conn | fastest | observed | predictive | \ dynamic ratio | fastest app resp | least sessions | member dynamic ratio | \ l3 addr | rr | node ratio) action on svcdown (none | reset | drop | reselect) min up members <number> min up members (enable | disable) min up members (reboot | restart all | failover) min active members <number> unit <number> snat (enable | disable) nat (enable | disable) ip tos to client (<number> | pass) ip tos to server (<number> | pass) link qos to client (<number> | pass) link qos to server (<number> | pass) slow ramp time <number> monitor all (none | <monitor key> | <monitor key> and <monitor key> \ [and <monitor key> ...] | min <number> of <monitor key list>) members (<pool member list> | none) [add | delete] BIG-IP® Command Line Interface Guide A - 163 Appendix A <pool member> ::= <pool member key list> [{] <pool member arg list> [}] <pool member key> ::= <node> <pool member arg> ::= limit <number> ratio <number> weight <number> priority <number> dynamic ratio <number> (up | down) session (enable | disable) monitor (default | <monitor key> | <monitor key> and <monitor key> \ [and <monitor key> ...] | min <number> of <monitor key list>) pool (<pool key list> | all) stats reset pool edit Display pool [<pool key list> | all] [show [all]] pool [<pool key list> | all] list [all] pool (<pool key list> | all) name show pool [<pool key list> | all] lb method [show] pool [<pool key list> | all] action on svcdown [show] pool [<pool key list> | all] min up members [show] pool [<pool key list> | all] min active members [show] pool [<pool key list> | all] unit [show] pool [<pool key list> | all] snat [show] pool [<pool key list> | all] nat [show] pool [<pool key list> | all] ip tos to client [show] pool [<pool key list> | all] ip tos to server [show] pool [<pool key list> | all] link qos to client [show] pool [<pool key list> | all] link qos to server [show] pool [<pool key list> | all] slow ramp time [show] pool [<pool key list> | all] monitor all [show] pool [<pool key list> | all] partition [show] pool [<pool key list> | all] members [show] pool [<pool key list> | all] stats [show] Delete pool (<pool key list> | all) delete A - 164 bigpipe Command Reference Description The pool command creates, deletes, modifies, and displays the pool definitions on the traffic management system. Pools group the member servers together to use a common load balancing algorithm. Examples Creates a pool with two members 10.2.3.11, and 10.2.3.12, where both members use the round robin load balancing method, and the default HTTP monitor checks for member availability: pool mypool { monitor all http member 10.2.3.11:http member 10.2.3.12:http } Deletes the pool mypool: (Note that all references to a pool must be removed before a pool may be deleted.) pool mypool delete Displays statistics for all pools: pool show Displays settings of pool mypool: pool mypool show Options You can use these options with the pool command: ◆ <pool key list> Specifies a list of pool names separated by a space. A pool name is a string from 1 to 31 characters, for example, new_pools. ◆ action on svcdown Specifies the action to take if the service specified in the pool is marked down. Possible values are none, reset, drop, or reselect. You can specify no action with none, you can reset the system with reset, you can drop connections using drop, or, you can reselect a node for the next packet that comes in on a Layer 4 connection if the existing connection’s service is marked down by specifying reselect. The default is none. ◆ <ip:service> Specifies an IP address and service being assigned to a pool as a member. For example, 10.2.3.12:http. ◆ ip tos to client and ip tos to server Specifies the Type of Service (ToS) level to use when sending packets to a client or server. The default is 65535. BIG-IP® Command Line Interface Guide A - 165 Appendix A ◆ lb method Specifies the load balancing mode that the system is to use for the specified pool. • dynamic ratio - Specifies a range of numbers that you want the system to use in conjunction with the ratio load balancing method. The default ratio number is 1. • fastest - Indicates that the system passes a new connection based on the fastest response of all currently active nodes in a pool. This method may be particularly useful in environments where nodes are distributed across different logical networks. • fastest app resp - Indicates that the system passes a new connection based on the fastest application response of all currently active nodes in a pool. • l3 addr - Indicates that the system passes connections sequentially to each member configured using its IP address. The IP address is a Layer 3 address. • least conn - Indicates that the system passes a new connection to the node that has the least number of current connections. • least sessions - Indicates that the system passes a new connection to the node that has the least number of current sessions. Least Sessions methods work best in environments where the servers or other equipment you are load balancing have similar capabilities. This is a dynamic load balancing method, distributing connections based on various aspects of real-time server performance analysis, such as the current number of sessions • member dynamic ratio - Indicates that the system passes a new connection to the member based on continuous monitoring of the servers, which are continually changing. This is a dynamic load balancing method, distributing connections based on various aspects of real-time server performance analysis, such as the current number of connections per node or the fastest node response time. • member least conn - Indicates that the system passes a new connection to the member that has the least number of current connections. • member observed - Indicates that the system passes connections sequentially to each member based on observed status of the member. • member predictive - Indicates that the system passes connections sequentially to each member based on a predictive algorithm. • member ratio - Specifies a ratio number that you want the system to use in conjunction with the ratio load balancing method. The default ratio number is 1. • node ratio - Specifies a ratio number that you want the system to use in conjunction with the ratio load balancing method. The default ratio number is 1. • observed - Indicates that the system passes connections sequentially to each node based on observed status of the member. A - 166 bigpipe Command Reference • predictive - Indicates that the system passes connections sequentially to each node based on a predictive algorithm. • rr - Indicates that the system passes connections sequentially to each member. Round Robin is the default load balancing method. ◆ link qos to client and link qos to server Specifies the Quality of Service (QoS) level to use when sending packets to a client or server. The default is 65535. ◆ min active members Specifies the minimum number of members that must remain available for traffic to be confined to a priority group when using priority-based activation. The default is 0. ◆ min up members Enables or disables this feature. The default is disable. You can also specify the minimum number of members that must remain up for traffic to be confined to a priority group when using priority-based activation. If the number specified is exceeded, the action specified happens. The default is 0. You can also specify the action taken if the min up members number is exceeded. The actions you can specify are reboot to reboot the unit, restart all to restart the load balancing system, or failover to fail over to another unit. The default is failover. ◆ monitor all Creates a monitor rule for the pool. You can specify a monitor rule that marks the pool down if the specified number of monitors are not successful. ◆ nat Enables or disables NAT connections for the pool. ◆ partition Displays the partition within which the pool resides. ◆ pool edit Displays in a text editor the running configuration of all objects created using the command pool. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ priority Specifies a priority that you want to assign to a pool member, to ensure that traffic is directed to that member before being directed to a member of a lower priority. BIG-IP® Command Line Interface Guide A - 167 Appendix A ◆ slow ramp time Provides the ability to cause a pool member that has just been enabled, or marked up, to receive proportionally less traffic than other members in the pool. The proportion of traffic the member accepts is determined by how long the member has been up in comparison to the slow ramp time set for the pool. For example, if a pool using round robin has a slow ramp time of 60 seconds, and the pool member has been up for only 30 seconds, it receives approximately half the amount of new traffic as other pool members that have been up for more than 60 seconds. At 45 seconds, it receives approximately three quarters of the new traffic. Slow ramp time is particularly useful for least connections load balancing mode. The default is 0. ◆ snat Enables or disables SNAT connections for the pool. ◆ unit Specifies the unit number used by this pool in an active-active redundant system. See also monitor(1), node(1), virtual(1), bigpipe(1) A - 168 bigpipe Command Reference profile Displays profile settings, resets statistics, or deletes a profile. Syntax Use this command to display profile settings, reset statistics, or delete a profile. Modify <profile key> ::= <name> profile [<profile key list> | all] stats reset profile edit Display profile [<profile key list> | all] [show [all]] profile [<profile key list> | all] list [all] profile [<profile key list> | all] name [show] Delete profile (<profile key list> | all) delete Description Use this command to display or delete existing profiles. You can also reset statistics for an existing profile or display the configuration for a profile. Examples Displays all profiles on the system. Includes all system profiles. profile all show Options You can use these options with the profile command: ◆ profile edit Displays in a text editor the running configuration of all objects created using the command profile. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. BIG-IP® Command Line Interface Guide A - 169 Appendix A See also profile auth(1), profile clientssl(1), profile fastl4(1), profile fastthttp(1), profile ftp(1), profile http(1), profile oneconnect(1), profile persist(1), profile serverssl(1), profile statistics(1), profile stream(1), profile tcp(1), profile udp(1), bigpipe(1) A - 170 bigpipe Command Reference profile auth Configures a type of authentication profile. Syntax Use this command to create, modify, display, or delete a type of authentication profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile auth <profile auth key list> {} profile auth (<profile auth key list> | all) [{] <auth profile arg list> [}] <auth auth key> ::= <name> <auth profile arg> ::= config (<name> | default) credential source (http basic auth | default) defaults from (<profile auth key> | none) mode (enable | disable | default) type (ldap | radius | ssl cc ldap | ssl ocsp | tacacs | generic | ssl crldp | \ default) rule (<rule key> | none | default) idle timeout (<number> | immediate | indefinite | default) profile auth [<profile auth key list> | all] stats reset profile auth edit Display profile auth [<profile auth key list> | all] [show [all]] profile auth [<profile auth key list> | all] list [all] profile auth [<profile auth key list> | all] config [show] profile auth [<profile auth key list> | all] credential source [show] profile auth [<profile auth key list> | all] defaults from [show] profile auth [<profile auth key list> | all] idle timeout [show] profile auth \ [<profile auth key list> | all] mode [show] profile auth [<profile auth key list> | all] name [show] BIG-IP® Command Line Interface Guide A - 171 Appendix A profile auth [<profile auth key list> | all] partition [show] profile auth [<profile auth key list> | all] rule [show] profile auth [<profile auth key list> | all] stats [show] profile auth [<profile auth key list> | all] type [show] Delete profile auth (<profile auth key list> | all) delete Description Create, modify, display, or delete an authentication profile. An authentication profile is an object that specifies the type of authentication module you want to implement, a parent profile, and the configuration object. For example, you can use the profile auth command to create a TACACS+ profile (see example following). You can either use the default profile that the BIG-IP local traffic management system provides for each type of authentication module, or create a custom profile. The types of authentication profiles you can create with the profile auth command are: LDAP, SSL CC LDAP, RADIUS, TACACS+, SSL OCSP, and CRLDP. Examples Creates a profile named mytacacs_profile for TACACS+ authentication: profile auth mytacacs_profile { config mytacacs_profile config credential source http basic auth defaults from tacacs \ mode enable type tacacs rule myrule1 idle timeout 60 } Example of auth module implementation For example, to configure the LDAP authentication module, create the following objects. 1. Create an LDAP configuration object using the auth ldap command. 2. Create an LDAP profile, in which you specify the authentication module type as LDAP, specify a parent profile (either the default ldap profile or another custom profile that you created), and reference the LDAP configuration object. Use the command profile auth (described in this page). 3. Configure the virtual server to reference the custom LDAP profile, using the virtual command. A - 172 bigpipe Command Reference Options You can use these options with the profile auth command: ◆ config Specifies the name of the authentication profile that you are creating. You can specify an LDAP, RADIUS, TACACS+, SSL client certificate, SSL OCSP, or CRLDP configuration object. This setting is required. ◆ credential source Specifies the credential source as http basic auth or default. For LDAP, RADIUS, and TACACS+, specify http basic auth for the credential source. For SSL client certificate or SSL OCSP specify default. ◆ defaults from Specifies the name of the default authentication profile from which you want your custom profile to inherit settings. This setting is required. ◆ idle timeout Sets the idle timeout for the auth profile. The options are a number, immediate, indefinite, or default. The default is 300 seconds. ◆ mode Specifies the profile mode. The options are enable, disable, or default. The default is enable. ◆ partition Displays the partition in which the authentication profile resides. ◆ profile auth edit Displays in a text editor the running configuration of all objects created using the command profile auth. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ rule Specifies the name of the default rule or custom rule that corresponds to the authentication method you want to use. ◆ type Specifies the type of authentication profile that you want use. The following types are available: • generic - Unlike the other authentication profile types, when you are using the command line interface to create a generic authentication profile, you must manually create or edit a pluggable authentication module (PAM) configuration file. The name of this configuration file for a given authentication profile is /etc/pam.d/tmm_{name} where {name} is the value of the profile instance's name. The bigpipe utility displays an informational message to this effect, specifying the actual file to create or edit when you manipulate a generic authentication profile. F5 recommends that you have expertise with PAM before you use this advanced feature. BIG-IP® Command Line Interface Guide A - 173 Appendix A • ldap - An LDAP authentication module is a mechanism for authenticating or authorizing client connections passing through a traffic management system. This module is useful when your authentication or authorization data is stored on a remote LDAP server or a Microsoft Windows Active Directory server, and you want the client credentials to be based on basic HTTP authentication (that is, user name and password). You configure an LDAP authentication module by creating an LDAP configuration object, and creating an LDAP profile. • radius - By creating a RADIUS profile and one or more RADIUS server objects, you can implement the RADIUS authentication module as the mechanism for authenticating client connections passing through the BIG-IP local traffic management system. You use this module when your authentication data is stored on a remote RADIUS server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password). To implement the RADIUS authentication module, you must create the following objects: one or more high-level RADIUS server objects, a RADIUS configuration object, and a RADIUS profile. After you create these objects, you must assign the RADIUS profile to a virtual server. • ssl cc ldap - Using an SSL client certificate LDAP configuration object and profile, you can implement the SSL client certificate LDAP authentication module as the mechanism for authorizing client connections passing through a traffic management system. In this case, client credentials are based on SSL certificate credentials instead of user name and password. LDAP client authorization is based not only on SSL certificates, but also on user groups and roles that you define. • ssl crldp - A Certificate Revocation List Distribution Point (CRLDP) authentication module is a mechanism for handling certificate revocations on a network, for client connections passing through the BIG-IP system. To implement the CRLDP authentication module, you must create the following objects: One or more high-level CRLDP server objects, a CRLDP configuration object, and a CRLDP profile. After you create these objects, you must assign the RADIUS profile to a virtual server. • ssl ocsp - Online Certificate Status Protocol (OCSP) is an industry-standard protocol that offers an alternative to a certificate revocation list (CRL) when using public-key technology. A CRL is a list of revoked client certificates, which a server system can check during the process of verifying a client certificate. The BIG-IP local traffic management system supports both CRLs and the OCSP protocol. To implement the SSL OCSP authentication module, you must create the following objects: one or more high-level SSL OCSP responder objects, an SSL OCSP configuration object, and an SSL OCSP profile. After you create these objects, you must assign the SSL OCSP profile to a virtual server. • tacacs - Using a TACACS+ profile, you can implement the TACACS+ authentication module as the mechanism for authenticating client connections passing through a traffic A - 174 bigpipe Command Reference management system. You use this module when your authentication data is stored on a remote TACACS+ server. In this case, client credentials are based on basic HTTP authentication (that is, user name and password). You configure a TACACS+ authentication module by creating a TACACS+ configuration object, and then creating a TACACS+ profile. See also auth crldp(1), auth ldap(1), auth radius(1), auth ssl cc ldap(1), auth ssl ocsp(1), auth tacacs(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 175 Appendix A profile clientssl Configures a Client SSL profile. Syntax Use this command to create, display, modify, or delete a Client SSL profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile clientssl <profile clientssl key list> {} profile clientssl (<profile clientssl key list> | all) \ [{] <profile clientsll arg list> [}] <profile clientssl key> ::= <name> <profile clientssl arg> ::= defaults from (<profile clientssl key> | none) mode (enable | disable | default) key (<file name> | none | default) cert (<file name> | none | default) chain (<file name> | none | default) ca file (<file name> | crl file (<file name> | none | default) none | default) client cert ca (<file name> | ciphers (<string> | none | default) none | default) options (microsoft sess id bug | MICROSOFT_SESS_ID_BUG | netscape challenge bug | \ NETSCAPE_CHALLENGE_BUG | netscape reuse cipher change bug |\ NETSCAPE_REUSE_CIPHER_CHANGE_BUG | sslref2 reuse cert type bug | \ SSLREF2_REUSE_CERT_TYPE_BUG | microsoft big sslv3 buffer | \ MICROSOFT_BIG_SSLV3_BUFFER | msie sslv2 rsa padding | MSIE_SSLV2_RSA_PADDING | \ ssleay 080 client dh bug | SSLEAY_080_CLIENT_DH_BUG | tls d5 bug | TLS_D5_BUG | \ tls block padding bug | TLS_BLOCK_PADDING_BUG | dont insert empty fragments | \ DONT_INSERT_EMPTY_FRAGMENTS | all bugfixes | ALL_BUGFIXES | passive close | \ PASSIVE_CLOSE | no session resumption on renegotiation | \ NO_SESSTION_RESUMPTION_ON_RENEGOTIATION | single dh use | SINGLE_DH_USE | \ ephemeral rsa | EPHEMERAL_RSA | cipher server preference | \ A - 176 bigpipe Command Reference CIPHER_SERVER_PREFERENCE | tls rollback bug | TLS_ROLLBACK_BUG | no sslv2 | \ NO_SSLv2 | no sslv3 | NO_SSLv3 | no tlsv1 | NO_TLSv1 | pks1 check 1 | \ PKCS1_CHECK_1 | pkcs1 check 2 | PKCS1_CHECK_2 | netscape ca dn bug | \ NETSCAPE_CA_DN_BUG | netscape demo cipher change bug | \ NETSCAPE_DEMO_CIPHER_CHANGE_BUG | default) modssl methods (enable | disable | default) cache size (<number> | default) cache timeout (<number> | indefinite | default) renegotiate period (<number> | indefinite | default) renegotiate size (<number>[MB|mb] | indefinite | default) renegotiate max record delay (<number> | indefinite | default) peer cert mode (request | require | ignore | auto | default) authenticate (once | always | default) authenticate depth (<number> | default) unclean shutdown (enable | disable | default) strict resume (enable | disable | default) nonssl (enable | disable | default) passphrase (<string> | none | default) handshake timeout (<number> | indefinite | default) alert timeout (<number> | immediate | indefinite | default) profile clientssl [<profile clientssl key list> | all] stats reset profile clientssl edit Display profile clientssl [<profile clientssl key list> | all] [show [all]] profile clientssl [<profile clientssl key list> | all] list [all] profile clientssl [<profile clientssl key list> | all] alert timeout [show] profile clientssl [<profile clientssl key list> | all] authenticate [show] profile clientssl [<profile clientssl key list> | all] authenticate depth [show] profile clientssl [<profile clientssl key list> | all] ca file [show] profile clientssl [<profile clientssl key list> | all] cache size [show] profile clientssl [<profile clientssl key list> | all] cache timeout [show] profile clientssl [<profile clientssl key list> | all] cert [show] profile clientssl [<profile clientssl key list> | all] chain [show] profile clientssl [<profile clientssl key list> | all] ciphers [show] profile clientssl [<profile clientssl key list> | all] client cert ca [show] profile clientssl [<profile clientssl key list> | all] crl file [show] profile clientssl [<profile clientssl key list> | all] defaults from [show] profile clientssl [<profile clientssl key list> | all] handshake timeout [show] profile clientssl [<profile clientssl key list> | all] key [show] profile clientssl [<profile clientssl key list> | all] mode [show] profile clientssl [<profile clientssl key list> | all] modssl methods [show] profile clientssl [<profile clientssl key list> | all] name [show] profile clientssl [<profile clientssl key list> | all] nonssl [show] BIG-IP® Command Line Interface Guide A - 177 Appendix A profile clientssl [<profile clientssl key list> | all] options [show] profile clientssl [<profile clientssl key list> | all] partition [show] profile clientssl [<profile clientssl key list> | all] passphrase [show] profile clientssl [<profile clientssl key list> | all] peer cert mode [show] profile clientssl [<profile clientssl key list> | all] renegotiate max record delay [show] profile clientssl [<profile clientssl key list> | all] renegotiate period [show] profile clientssl [<profile clientssl key list> | all] renegotiate size [show] profile clientssl [<profile clientssl key list> | all] stats [show] profile clientssl [<profile clientssl key list> | all] strict resume [show] profile clientssl [<profile clientssl key list> | all] unclean shutdown [show] Delete profile clientssl (<profile clientssl key list> | all) delete Description This command provides the ability to create a custom Client SSL profile. Client-side profiles allow the traffic management system to handle authentication and encryption tasks for any SSL connection coming into a traffic management system from a client system. You implement this type of profile by using the default profile, or creating a custom profile based on the default clientssl profile and modifying its settings. All default profiles are stored in the file /config/profile_base.conf. Examples Creates a Client SSL profile named myclientsslprofile using the system defaults: profile clientssl myclientsslprofile { mode enable } Arguments Several command arguments are available for use with this command. • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • mode Specifies the profile mode, which enables or disables SSL processing. The options are enable, disable, or default. The default is enable. • key Specifies the name of a key file that you generated and installed on the system. When selecting this option, type a key file name or use the default key name default.key. The default key name is default.key. • cert Specifies the name of the certificate installed on the traffic management system for the purpose of terminating or initiating an SSL connection. You can specify the default certificate name, which is default.crt. A - 178 bigpipe Command Reference • chain Specifies or builds a certificate chain file that a client can use to authenticate the profile. To use the default chain name, specify default. • ca file Specifies the certificate authority (CA) file name. To use the default CA file name, specify default. Configures certificate verification by specifying a list of client or server CAs that the traffic management system trusts. • crl file Specifies the certificate revocation list file name. To use the default certificate revocation file name, specify default. • client cert ca Specifies the client cert certificate authority name. To use the client cert certificate authority name, specify default. • ciphers Specifies a cipher name. To use the default ciphers, specify default. Options Several options are available, including some industry-related workarounds: ◆ [MICROSOFT SESS ID BUG] This option handles a Microsoft session ID problem. ◆ [NETSCAPE CHALLENGE BUG] This option handles the Netscape® challenge problem. ◆ [NETSCAPE REUSE CIPHER CHANGE BUG] This option handles a defect within Netscape-Enterprise/2.01 (https://merchant.neape.com), only appears when you are connecting through SSLv2/v3 then reconnecting through SSLv3. In this case, the cipher list changes. First, a connection is established with the RC4-MD5 cipher list. If it is then resumed, the connection switches to using the DES-CBC3-SHA cipher list. However, according to RFC 2246, (section 7.4.1.3, cipher suite) the cipher list should remain RC4-MD5. As a workaround, you can attempt to connect with a cipher list of DES-CBC-SHA:RC4-MD5 and so on. For some reason, each new connection uses the RC4-MD5 cipher list, but any re-connection attempts to use the DES-CBC-SHA cipher list. Thus Netscape, when reconnecting, always uses the first cipher in the cipher list. ◆ [SSLREF2 REUSE CERT TYPE BUG] This option handles the SSL reuse certificate type problem. ◆ [MICROSOFT BIG SSLV3 BUFFER] This option enables a workaround for communicating with older Microsoft applications that use non-standard SSL record sizes. BIG-IP® Command Line Interface Guide A - 179 Appendix A A - 180 ◆ [MSIE SSLV2 RSA PADDING] This option enables a workaround for communicating with older Microsoft applications that use non-standard RSA key padding. This option is ignored for server-side SSL. ◆ [SSLEAY 080 CLIENT DH BUG] This option enables a workaround for communicating with older SSLeay-based applications that specify an incorrect Diffie-Hellman public value length. This option is ignored for server-side SSL. ◆ [TLS D5 BUG] This option is a workaround for communicating with older TLSv1-enabled applications that specify an incorrect encrypted RSA key length. This option is ignored for server-side SSL. ◆ [TLS BLOCK PADDING BUG] This option enables a workaround for communicating with older TLSv1-enabled applications that use incorrect block padding. ◆ [DONT INSERT EMPTY FRAGMENTS] This option disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. This option has no effect for connections using other ciphers. ◆ [ALL BUGFIXES] This option enables all of the above defect workarounds. It is usually safe to use the All bugfixes Enabled option to enable the defect workaround options when you want compatibility with broken implementations. Note that if you edit the configuration in the web-based configuration utility, the ALL BUGFIXES syntax is expanded into each individual option. ◆ [TLS ROLLBACK BUG] This option disables version rollback attack detection. During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as it sends during the first hello. Some clients violate this rule by adapting to the server's answer. For example, the client sends an SSLv2 hello and accepts up to SSLv3.1 (TLSv1), but the server only understands up to SSLv3. In this case, the client must still use the same SSLv3.1 (TLSv1) announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection. This option is ignored for server-side SSL. ◆ [SINGLE DH USE] This option creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using strong primes, for example, when using DSA-parameters. If strong primes were used, it is not strictly necessary to generate a new DH key during each handshake, but it is recommended. Enable the Single DH use option, whenever temporary/ephemeral DH parameters are used. bigpipe Command Reference ◆ [EPHEMERAL RSA] This option uses ephemeral (temporary) RSA keys when doing RSA operations. According to the specifications, this is only done when an RSA key can only be used for signature operations (namely under export ciphers with restricted RSA key length). By setting this option, you specify that ephemeral RSA keys are always used. This option breaks compatibility with the SSL/TLS specifications, and may lead to interoperability problems with clients. Therefore, F5 does not recommend it. You should use ciphers with EDH (ephemeral Diffie-Hellman) key exchange instead. This option is ignored for server-side SSL. ◆ [CIPHER SERVER PREFERENCE] When choosing a cipher, use this option to all the server's preferences instead of the client’s references. When this option is not set, the SSL server always follows the client's references. When this option is set, the SSLv3/TLSv1 server chooses by using its own references. Due to the different protocol, for SSLv2 the server sends its list of preferences to the client and the client always chooses. ◆ [PKCS1 CHECK 1] This debugging option deliberately manipulates the PKCS1 padding used by SSL clients in an attempt to detect vulnerability to particular SSL server vulnerabilities. F5 does not recommend this option for normal use. The system ignores this option for client-side SSL. ◆ [PKCS1 CHECK 2] This debugging option deliberately manipulates the PKCS1 padding used by SSL clients in an attempt to detect vulnerability to particular SSL server vulnerabilities. F5 does not recommend this option for normal use. The system ignores this option for client-side SSL. ◆ [NETSCAPE CA DN BUG] This option handles a defect regarding the system crashing or hanging. If the system accepts a Netscape Navigator® browser connection, demands a client cert, has a non-self-signed CA that does not have its CA in Netscape Navigator, and the browser has a certificate, the system becomes unavailable. This option works for Netscape Navigator versions 3.x and 4.xbeta. ◆ [NETSCAPE DEMO CIPHER CHANGE BUG] This option deliberately manipulates the SSL server session resumption behavior to mimic that of certain Netscape servers (see the Netscape reuse cipher change bug workaround description). F5 does not recommend this option for normal use. The system ignores this option for server-side SSL. ◆ [NO SSLv2] Do not use the SSLv2 protocol. ◆ [NO SSLv3] Do not use the SSLv3 protocol. ◆ [NO TLSv1] Do not use the TLSv1 protocol. BIG-IP® Command Line Interface Guide A - 181 Appendix A ◆ [NO SESSION RESUMPTION ON RENEGOTIATION] When performing renegotiation as an SSL server, this option always starts a new session (that is, session resumption requests are only accepted in the initial handshake). This option is ignored for server-side SSL. ◆ [PASSIVE CLOSE] Indicates how to handle industry-related workarounds. • none - Choose this option if you want to disable all workarounds. F5 does not recommend this option. • default - Specifies the value, all bugfixes enabled, which enables a set of industry-related miscellaneous workarounds related to SSL processing. A - 182 ◆ modssl methods Enables or disables ModSSL methods. This setting enables or disables ModSSL method emulation. This setting should be enabled when OpenSSL methods are inadequate. For example, you can enable this when you want to use SSL compression over TLSv1. ◆ cache size Specifies the SSL session cache size. For client-side profiles only, you can configure timeout and size values for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-profile basis. ◆ cache timeout Specifies the SSL session cache timeout value. This specifies the number of usable lifetime seconds of negotiated SSL session IDs. The default timeout value for the SSL session cache is 300 seconds. Acceptable values are integers greater than or equal to 5. You can also set this value to indefinite. ◆ renegotiate period Specifies the Renegotiate Period setting to renegotiate an SSL session based on the number of seconds that you specify. ◆ renegotiate size Specifies the Renegotiate Size setting forces the traffic management system to renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure channel. ◆ renegotiate max record delay The Renegotiate Max Record Delay setting forces the traffic management system to renegotiate an SSL session based on the maximum number of SSL records that can be received while waiting for the client to initiate the renegotiation. If the maximum number of SSL records is received, the traffic management system closes the connection. This setting applies to client-side profiles only. ◆ peer cert mode Specifies the peer certificate mode. Options are request, require, ignore, auto, or default. bigpipe Command Reference ◆ authenticate Specifies frequency of authentication. Options are once, always, or default. ◆ authenticate depth Specifies the authenticate depth. This is the client certificate chain maximum traversal depth. ◆ unclean shutdown By default, the SSL profile performs unclean shutdowns of all SSL connections, which means that underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If you want to force the SSL profile to perform a clean shutdown of all SSL connections, you can disable the default setting. ◆ strict resume Specifies enable to prevent an SSL session from being resumed after an unclean shutdown. The default option is disable, which causes the SSL profile to allow uncleanly shut down SSL sessions to be resumed. Conversely, when the enable option is set, the SSL profile refuses to resume SSL sessions after an unclean shutdown. ◆ nonssl Specifies enable to allow non-SSL connections to pass through the traffic management system as clear text. ◆ passphrase Specifies the key passphrase if required. ◆ handshake timeout Specifies the handshake timeout in seconds. You can also specify indefinite, or default. ◆ alert timeout Specifies the alert timeout in seconds. You can also specify immediate, indefinite, or default. ◆ partition Displays the partition within which the clientssl profile resides. ◆ profile clientssl edit Displays in a text editor the running configuration of all objects created using the command profile clientssl. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. See also profile(1), profile serverssl(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 183 Appendix A profile dns Configures a domain name service (DNS) profile. Syntax Use this command to create, modify, display, or delete a DNS profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile dns <profile dns key list> {} profile dns (<profile dns key list> | all) [{] <profile dns arg list> [}] <profile dns key> ::= <name> <profile dns arg> ::= defaults from (<profile dns key> | none) gtm (enable | disable | default) Modify profile dns (<profile dns key list> | all) stats reset profile dns edit Display profile dns (<profile dns key list> | all) [show [all]] profile dns (<profile dns key list> | all) list [all] profile dns (<profile dns key list> | all) defaults from [show] profile dns (<profile dns key list> | all) gtm [show] profile dns (<profile dns key list> | all) name [show] profile dns (<profile dns key list> | all) partition [show] profile dns (<profile dns key list> | all) stats [show] Delete profile dns (<profile dns key list> | all) delete Description This command provides the ability to define the behavior of DNS traffic. A - 184 bigpipe Command Reference Examples Creates a DNS profile named mydnsprofile that inherits its settings from the system default DNS profile: profile dns mydnsprofile {} Options You can use these options with the profile dns command: • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • name Specifies the name of the profile. • gtm Indicates whether to allow the BIG-IP global traffic management system to handle DNS resolution for DNS queries and responses that contain wide IP names. The options are enable, disable, and default (that is, accept the default from the parent profile). The default is enable. • partition Displays the partition within which the profile resides. • profile dns edit Displays in a text editor the running configuration of all objects created using the command profile dns. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also dns(1), profile(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 185 Appendix A profile fasthttp Configures a Fast HTTP profile. Syntax Use this command to create, modify, display, or delete a Fast HTTP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile fasthttp <profile fasthttp key list> {} profile fasthttp (<profile fasthttp key list> | all) [{] <fasthttp profile arg list> [}] <profile fasthttp key> ::= <name> <profile fasthttp arg> ::= client close timeout (<number> | immediate | indefinite | default) conn pool idle timeout override (<number> | disable | indefinite | default) conn pool max reuse (<number> | default) conn pool max size (<number> | default) conn pool min size (<number> | default) conn pool replenish (enable | disable | default) conn pool step (<number> | default) defaults from (<profile fasthttp key list> | none) force http10 response (enable | disable | default) header insert (<string> | none | default) http11 close workarounds (enable | disable | default) idle timeout (<number> | immediate | indefinite | default) insert xforwarded for (enable | disable | default) layer7 (enable | disable | default) max header size (<number> | default) max requests (<number> | default) mss override (<number> | default) reset on timeout (enable | disable | default) server close timeout (<number> | immediate | indefinite | default) unclean shutdown (enable | disable | fast | default) A - 186 bigpipe Command Reference profile fasthttp [<profile fasthttp key list> | all] stats reset profile fasthttp edit Display profile fasthttp [<profile fasthttp key list> | all] [show [all]] profile fasthttp [<profile fasthttp key list> | all] list [all] profile fasthttp [<profile fasthttp key list> | all] defaults from [show] profile fasthttp [<profile fasthttp key list> | all] client close timeout [show] profile fasthttp [<profile fasthttp key list> | all] conn pool idle timeout [show] profile fasthttp [<profile fasthttp key list> | all] conn pool max reuse [show] profile fasthttp [<profile fasthttp key list> | all] conn pool max size [show] profile fasthttp [<profile fasthttp key list> | all] conn pool min size [show] profile fasthttp [<profile fasthttp key list> | all] conn pool replenish [show] profile fasthttp [<profile fasthttp key list> | all] conn pool step [show] profile fasthttp [<profile fasthttp key list> | all] force http10 response [show] profile fasthttp [<profile fasthttp key list> | all] header insert [show] profile fasthttp [<profile fasthttp key list> | all] http11 close workarounds [show] profile fasthttp [<profile fasthttp key list> | all] idle timeout [show] profile fasthttp [<profile fasthttp key list> | all] insert xforwarded for [show] profile fasthttp [<profile fasthttp key list> | all] layer7 [show] profile fasthttp [<profile fasthttp key list> | all] max header size [show] profile fasthttp [<profile fasthttp key list> | all] max requests [show] profile fasthttp [<profile fasthttp key list> | all] mss override [show] profile fasthttp [<profile fasthttp key list> | all] name [show] profile fasthttp [<profile fasthttp key list> | all] partition [show] profile fasthttp [<profile fasthttp key list> | all] reset on timeout [show] profile fasthttp [<profile fasthttp key list> | all] server close timeout [show] profile fasthttp [<profile fasthttp key list> | all] stats [show] profile fasthttp [<profile fasthttp key list> | all] unclean shutdown [show] Delete profile fasthttp (<name list> | all) delete Description The Fast HTTP profile provides the ability to accelerate certain HTTP connections such as banner ads. Examples Creates a Fast HTTP profile named myfasthttpprofile that inherits its settings from the system default fasthttp profile: profile fasthttp myfasthttpprofile {} BIG-IP® Command Line Interface Guide A - 187 Appendix A Options You can use the following options with the profile fasthttp command: A - 188 ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. ◆ client close timeout Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5. ◆ conn pool idle timeout override Specifies the number of seconds after which a server-side connection in a OneConnect™ pool is eligible for deletion, when the connection has no traffic. This setting overrides the idle timeout that you specify. The default is 0 seconds, which disables the override setting. ◆ conn pool max reuse Specifies the maximum number of times that the system can re-use a current connection. The default setting is 0. ◆ conn pool max size Specifies the maximum number of connections to a load balancing pool. A setting of 0 specifies that a pool can accept an unlimited number of connections. The default setting is 2048. ◆ conn pool min size Specifies the minimum number of connections to a load balancing pool. A setting of 0 specifies that there is no minimum. The default setting is 10. ◆ conn pool replenish The default is enable. When this setting is enabled, the system replenishes the number of connections to a load balancing pool to the number of connections that existed when the server closed the connection to the pool. When disabled, the system replenishes the connection that was closed by the server, only when there are fewer connections to the pool than the number of connections set in the conn pool min size connections option. See the conn pool min size option above. ◆ conn pool step Specifies the increment in which the system makes additional connections available, when all available connections are in use. The default setting is 4. ◆ force http10 response Specifies whether to rewrite the HTTP version in the status line of the server to HTTP 1.0 to discourage the client from pipelining or chunking data. The default is disable. ◆ header insert Specifies a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it. bigpipe Command Reference ◆ http11 close workarounds Enables or disables HTTP 1.1 close workarounds. The default is disable. ◆ idle timeout Specifies the number of seconds after which a connection is eligible for deletion, when the connection has no traffic. The default is 300 seconds. ◆ insert xforwarded for Specifies whether the system inserts the XForwarded For header in an HTTP request with the client IP address, to use with connection pooling. • enable: Specifies that the system inserts the XForwarded For header with the client IP address. • disable: Specifies that the system does not insert the XForwarded For header. ◆ layer7 When enabled, the system parses HTTP data in the stream. Disable this setting if you want to use the performance HTTP profile to shield against denial-of-service attacks against non-HTTP protocols. The default setting is enable. ◆ max header size Specifies the maximum amount of HTTP header data that the system buffers before making a load balancing decision. The default setting is 32768. ◆ max requests Specifies the maximum number of requests that the system can receive on a client-side connection, before the system closes the connection. A setting of 0 specifies that requests are not limited. The default is 0. ◆ mss override Specifies a maximum segment size (MSS) override for server-side connections. The default setting is 0, which corresponds to an MSS of 1460. You can specify any integer between 536 and 1460. ◆ partition Displays the partition within which the profile resides. ◆ profile fasthttp edit Displays in a text editor the running configuration of all objects created using the command profile fasthttp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ reset on timeout When enabled, the system sends a TCP RESET packet when a connection times out, and deletes the connection. The default is enable. BIG-IP® Command Line Interface Guide A - 189 Appendix A ◆ server close timeout Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet. This setting overrides the idle timeout setting. The default setting is 5. ◆ unclean shutdown Specifies how the system handles closing a connection. The default is enable, which allows unclean shutdown of a client connection. Use disable to prevent unclean shutdown of a client connection. Fast specifies that the system sends a RESET packet to close the connection only if the client attempts to send further data after the response has completed. Default specifies to use the setting from the parent profile. See also profile(1), virtual(1), bigpipe(1) A - 190 bigpipe Command Reference profile fastl4 Configures a Fast Layer 4 profile. Syntax Use this command to create, modify, display, or delete a Fast Layer 4 profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile fastL4 <profile fastL4 key list> {} profile fastL4 (<profile fastL4 key list> | all) [{] <profile fastL4 arg list> [}] <profile fastL4 key> ::= <name> <profile fastL4 arg> ::= defaults from (<profile fastL4 key> | none) idle timeout (<number> | immediate | indefinite | default) mss override (<number> | default) pva acceleration (none | assist | full | default) reassemble fragments (enable | disable | default) reset on timeout (enable | disable | default) tcp close timeout (<number> | immediate | indefinite | default) tcp timestamp (preserve | strip | rewrite | default) tcp wscale (preserve | strip | default) tcp generate isn (enable | disable | default) tcp strip sack (enable | disable | default) ip tos to client (<num> | pass | default) ip tos to server (<num> | pass | default) link qos to client (<num> | pass | default) link qos to server (<num> | pass | default) tcp handshake timeout (<number> | immediate | indefinite | default) rtt from client (enable | disable | default) rtt from server (enable | disable | default) loose initiation (enable | disable | default) loose close (enable | disable | default) BIG-IP® Command Line Interface Guide A - 191 Appendix A hardware syncookie (enable | disable | default) software syncookie (enable | disable | default) profile fastL4 [<profile fastL4 key list> | all] stats reset profile fastL4 edit Display profile fastL4 [<profile fastL4 key list> | all] [show [all]] profile fastL4 [<profile fastL4 key list> | all] list [all] profile fastL4 [<profile fastL4 key list> | all] defaults from [show] profile fastL4 [<profile fastL4 key list> | all] hardware syncookie [show] profile fastL4 [<profile fastL4 key list> | all] idle timeout [show] profile fastL4 [<profile fastL4 key list> | all] ip tos to client [show] profile fastL4 [<profile fastL4 key list> | all] ip tos to server [show] profile fastL4 [<profile fastL4 key list> | all] link qos to client [show] profile fastL4 [<profile fastL4 key list> | all] link qos to server [show] profile fastL4 [<profile fastL4 key list> | all] loose close [show] profile fastL4 [<profile fastL4 key list> | all] loose initiation [show] profile fastL4 [<profile fastL4 key list> | all] max segment override [show] profile fastL4 [<profile fastL4 key list> | all] mss override [show] profile fastL4 [<profile fastL4 key list> | all] name [show] profile fastL4 [<profile fastL4 key list> | all] partition [show] profile fastL4 [<profile fastL4 key list> | all] pva acceleration [show] profile fastL4 [<profile fastL4 key list> | all] reassemble fragments [show] profile fastL4 [<profile fastL4 key list> | all] reset on timeout [show] profile fastL4 [<profile fastL4 key list> | all] rtt from client [show] profile fastL4 [<profile fastL4 key list> | all] rtt from server [show] profile fastL4 [<profile fastL4 key list> | all] software syncookie [show] profile fastL4 [<profile fastL4 key list> | all] stats [show] profile fastL4 [<profile fastL4 key list> | all] tcp generate isn [show] profile fastL4 [<profile fastL4 key list> | all] tcp strip sack [show] profile fastL4 [<profile fastL4 key list> | all] tcp timestamp [show] profile fastL4 [<profile fastL4 key list> | all] tcp wscale [show] profile fastL4 [<profile fastL4 key list> | all] tcp handshake timeout [show] profile fastL4 [<profile fastL4 key list> | all] tcp close timeout [show] Delete profile fastL4 (<profile fastL4 key list> | all) delete Description The fastl4 profile is the default profile used by the system when you create a basic configuration for non-UDP traffic. Any changes you make to an active fastL4 profile (one that is in use by a virtual server) take affect after the idle A - 192 bigpipe Command Reference timeout value has passed. That means new connections are affected by the profile change immediately. However, old connections need to be aged out by the idle timeout value or closed for the new values to take effect. Examples Creates a custom Fast Layer 4 profile named myfastl4profile that inherits its settings from the system default fastl4 profile: profile fastl4 myfastl4profile {} Options You can use these options with the profile fastL4 command: ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. ◆ idle timeout Specifies an idle timeout in seconds. You can also specify immediate, indefinite, or default. This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion. When you specify an idle timeout for the Fast L4 profile, the value needs to be greater than the bigdb database variable Pva.Scrub time in msec for it to work properly. The default is 300 seconds. ◆ mss override Specifies a maximum segment size (MSS) override for server-side connections. The default setting is disable, which corresponds to an MSS of 1460. Disable specifies that the system does not use an MSS override. To choose a different value than the default, specify any integer between 536 and 1460 bytes. Note that this is also the MSS advertised to a client when a client first connects. ◆ partition Displays the partition within which the Fast L4 profile resides. ◆ profile fastl4 edit Displays in a text editor the running configuration of all objects created using the command profile fastl4. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ pva acceleration Specifies the Packet Velocity® ASIC acceleration mode. The options are none, assist, full, or default. ◆ reassemble fragments Specifies whether to reassemble fragments. The options are enable, disable, or default. This option is enabled by default. BIG-IP® Command Line Interface Guide A - 193 Appendix A A - 194 ◆ reset on timeout Specifies whether you want to reset connections on timeout. The options are enable, disable, or default. This option is enabled by default. ◆ tcp close timeout Specifies an TCP close timeout in seconds. You can also specify immediate, indefinite, or default. The default is 5 seconds. ◆ tcp timestamp Specifies how you want to handle the TCP timestamp. The options are preserve, strip, rewrite, or default. Preserve is the default setting for this option. ◆ tcp wscale Specifies how you want to handle the TCP window scale. The options are preserve, strip, rewrite, or default. The default setting for this option is preserve TCP window scale. ◆ tcp generate isn Specifies whether you want to generate TCP sequence numbers on all SYNs that conform with RFC1948, and allow timestamp recycling. This option is disabled by default. ◆ tcp strip sack Specifies whether you want to block the TCP SackOK option from passing to server on an initiating SYN. This option is disabled by default. ◆ ip tos to client Specifies an IP ToS number for the client side. This setting specifies the Type of Service level that the traffic management system assigns to UDP packets when sending them to clients. The default is 65535, which indicates, do not modify UDP packets. ◆ ip tos to server Specifies an IP ToS number for the server side. This setting specifies the Type of Service level that the traffic management system assigns to UDP packets when sending them to servers. The default is 65535, which indicates, do not modify UDP packets. ◆ link qos to client Specifies a Link QoS (VLAN priority) number for the client side. This setting specifies the Quality of Service level that the system assigns to UDP packets when sending them to clients. The default is 65535, which indicates, do not modify UDP packets. ◆ link qos to server Specifies a Link QoS (VLAN priority) number for the server side. This setting specifies the Quality of Service level that the system assigns to UDP packets when sending them to servers. The default is 65535, which indicates, do not modify UDP packets. ◆ tcp handshake timeout Specifies a TCP handshake timeout in seconds. You can also specify immediate, indefinite, or default. The default is 5 seconds. bigpipe Command Reference ◆ rtt from client Enables or disables the TCP timestamp options to measure the round trip time to the client. The default is disable. ◆ rtt from server Enables or disables the TCP timestamp options to measure the round trip time to the server. The default is disable. ◆ loose initiation Specifies that the system initializes a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation. The default is disable. ◆ loose close Specifies that the system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server. The default is disable. ◆ partition Displays the partition within which the profile resides. ◆ hardware syncookie Enables or disables hardware SYN cookie support when PVA10 is present on the system. Note that when you set the hardware syncookie option to enable, you may also want to set the following bigdb database variables using the db command, based on your requirements: • pva.SynCookies.Full.ConnectionThreshold (default: 500000) • pva.SynCookies.Assist.ConnectionThreshold (default: 500000) • pva.SynCookies.ClientWindow (default: 0) The default is disable. ◆ software syncookie Enables or disables software SYN cookie support when PVA10 is not present on the system. The default is disable. See also profile(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 195 Appendix A profile ftp Configures an FTP profile. Syntax Use this command to create, modify, display, or delete an FTP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile ftp <profile ftp key list> {} profile ftp (<profile ftp key list> | all) [{] <profile ftp arg list> [}] <profile ftp key> ::= <name> <profile ftp arg> ::= defaults from (<profile ftp key> | none) translate extended (enable | disable | default) data port (<service> | none | default) security (enable | disable | default) profile ftp [<profile ftp key list> | all] stats reset profile ftp edit Display profile ftp [<profile ftp key list> | all] [show [all]] profile ftp [<profile ftp key list> | all] list [all] profile ftp [<profile ftp key list> | all] data port [show] profile ftp [<profile ftp key list> | all] defaults from [show] profile ftp [<profile ftp key list> | all] name [show] profile ftp [<profile ftp key list> | all] partition [show] profile ftp [<profile ftp key list> | all] security [show] profile ftp [<profile ftp key list> | all] stats [show] profile ftp [<profile ftp key list> | all] translate extended [show] Delete profile ftp (<profile ftp key list> | all) delete A - 196 bigpipe Command Reference Description Manages a profile for FTP traffic. Examples Creates a custom FTP profile named myftpprofile that inherits its settings from the system default FTP profile: profile ftp myftpprofile { } Options You can use these options with the profile ftp command: • data port Specifies a service for the data channel port used for this FTP profile. The default port is 20. • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • partition Displays the partition within which the profile resides. • profile ftp edit Displays in a text editor the running configuration of all objects created using the command profile ftp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • security Enables secure FTP traffic for the BIG-IP® Application Security Manager. You can set the security option only if the system is licensed for the BIG-IP® Application Security Manager. • translate extended This setting is enabled by default, and thus, automatically translates RFC2428 extended requests EPSV and EPRT to PASV and PORT when communicating with IPv4 servers. See also profile(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 197 Appendix A profile http Creates, modifies, displays, or deletes an HTTP profile. Syntax Use this command to create, modify, display, or delete an HTTP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile http <profile http key list> {} profile http (<profile http key list> | all) [{] <HTTP profile arg list> [}] <profile http key> ::= <name> <profile http arg> ::= defaults from (<profile http key> | none) adaptive parsing (enable | disable | default) basic auth realm (<string> | none | default) compress (enable | disable | selective | default) compress browser workarounds (enable | disable | default) compress buffer size (<number> | default) compress content type exclude ((<string list> | none) [add | delete] | default) compress content type include ((<string list> | none) [add | delete] | default) compress cpu saver (enable | disable | default) compress cpu saver high (<number> | default) compress cpu saver low (<number> | default) compress gzip level (<number> | default) compress gzip memory level (<number>(K|k) | default) compress gzip window size (<number>(K|k) | default) compress http 1.0 (enable | disable | default) compress keep accept encoding (enable | disable | default) compress min size (<number> | default) compress prefer (deflate | gzip | default) compress uri exclude ((<string list> | none) [add | delete] | default) compress uri include ((<string list> | none) [add | delete] | default) compress vary header (enable | disable | default) A - 198 bigpipe Command Reference cookie secret (<string> | none | default) fallback (<string> | none | default) fallback status ((<string list> | none) [add | delete] | default) header insert (<string> | none) header erase (<string> | none | default) insert xforwarded for (enable | disable | default) lws separator (cr | lf | sp | none | default) lws width (<number> | default) max header size (<number> | default) max requests (<number> | default) oneconnect transformations (enable | disable | default) pipelining (enable | disable | default) ramcache (enable | disable | default) ramcache aging rate (<number> | default) ramcache entry (<ramcache info key list> | none) [add | delete] | default) ramcache ignore client cache control (none | max age | all | default) ramcache insert age header (enable | disable | default) ramcache max age (<number> | default) ramcache max entries (<number> | default) ramcache max object size (<number> | default) ramcache min object size (<number> | default) ramcache size (<number>[mb | MB] | default) ramcache uri exclude (<string list> | none) [add | delete] | default) ramcache uri include (<string list> | none) [add | delete] | default) ramcache uri pinned (<string list> | none) [add | delete] | default) redirect rewrite (none | all | matching | nodes | default) response (unchunk | rechunk | preserve chunk | selective chunk | default) response headers allowed ((<string list> | none) [add | delete] | default) <ramcache info key> ::= exact max response <number> uri (<string> | none) host (<string> | none) profile http [<profile http key list> | all] stats reset profile http edit Display profile http [<profile http key list> | all] [show [all]] profile http [<profile http key list> | all] list [all] profile http [<profile http key list> | all] defaults from <show> profile http [<profile http key list> | all] name <show> profile http [<profile http key list> | all] adaptive parsing [show] profile http [<profile http key list> | all] basic auth realm [show] profile http [<profile http key list> | all] compress [show] profile http [<profile http key list> | all] compress browser work arounds [show] profile http [<profile http key list> | all] compress keep accept encoding [show] profile http [<profile http key list> | all] compress buffer size [show] BIG-IP® Command Line Interface Guide A - 199 Appendix A profile http [<profile http key list> | all] compress cpu saver [show] profile http [<profile http key list> | all] compress cpu saver high [show] profile http [<profile http key list> | all] compress cpu saver low [show] profile http [<profile http key list> | all] compress gzip level [show] profile http [<profile http key list> | all] compress gzip memory level [show] profile http [<profile http key list> | all] compress gzip window size [show] profile http [<profile http key list> | all] compress http 1.0 [show] profile http [<profile http key list> | all] compress keep accept encoding [show] profile http [<profile http key list> | all] compress min size [show] profile http [<profile http key list> | all] compress prefer [show] profile http [<profile http key list> | all] compress content type exclude [show] profile http [<profile http key list> | all] compress content type include [show] profile http [<profile http key list> | all] compress uri exclude [show] profile http [<profile http key list> | all] compress uri include[show] profile http [<profile http key list> | all] compress vary header [show] profile http [<profile http key list> | all] cookie secret [show] profile http [<profile http key list> | all] encrypt cookies [show] profile http [<profile http key list> | all] fallback [show] profile http [<profile http key list> | all] fallback status [show] profile http [<profile http key list> | all] header erase [show] profile http [<profile http key list> | all] header insert [show] profile http [<profile http key list> | all] insert xforwarded for [show] profile http [<profile http key list> | all] lws separator [show] profile http [<profile http key list> | all] lws width [show] profile http [<profile http key list> | all] max header size [show] profile http [<profile http key list> | all] max requests [show] profile http [<profile http key list> | all] oneconnect transformations [show] profile http [<profile http key list> | all] partition [show] profile http [<profile http key list> | all] pipelining [show] profile http [<profile http key list> | all] ramcache [show] profile http [<profile http key list> | all] ramcache aging rate [show] profile http [<profile http key list> | all] ramcache entry [<ramcache info key list> | \ all] [show] profile http [<profile http key list> | all] ramcache ignore client cache control [show] profile http [<profile http key list> | all] ramcache insert age header [show] profile http [<profile http key list> | all] ramcache max age [show] profile http [<profile http key list> | all] ramcache max entries [show] profile http [<profile http key list> | all] ramcache max object size [show] profile http [<profile http key list> | all] ramcache min object size [show] profile http [<profile http key list> | all] ramcache size [show] profile http [<profile http key list> | all] ramcache uri exclude [show] profile http [<profile http key list> | all] ramcache uri include [show] profile http [<profile http key list> | all] ramcache uri pinned [show] profile http [<profile http key list> | all] redirect rewrite [show] A - 200 bigpipe Command Reference profile http [<profile http key list> | all] response [show] profile http [<profile http key list> | all] response headers allowed [show] profile http [<profile http key list> | all] stats [show] Delete profile http (<profile http key list> | all) ramcache entry (<ramcache info key> | all) \ delete profile http (<profile http key list> | all) delete Description Use the default HTTP profile to create a custom HTTP profile. This default profile includes default values for any of the properties and settings related to managing HTTP traffic. When you create a custom HTTP profile, you can use the default settings, or you can change their values to suit your needs. This profile contains the configuration settings for compression and RAM Cache. The BIG-IP system installation includes these HTTP-type profiles: • http • http-lan-optimized-caching • http-wan-optimized-compression • http-wan-optimized-compression-caching You can modify the settings of these profiles, or create new HTTP-type profiles using any of these existing profiles as parent profiles. Examples Creates a custom HTTP profile named myhttpprofile that inherits its settings from the system default http profile: profile http myhttpprofile { } Replaces the header in the profile named myhttpprofile with the default header: profile http myhttpprofile header insert default Displays RAM cache entries for the profile named my_rc_profile: profile http my_rc_profile ramcache entry show Options You can use these options with the profile http command: ◆ adaptive parsing Enables or disables adaptive parsing. BIG-IP® Command Line Interface Guide A - 201 Appendix A ◆ basic auth realm Specifies a quoted string for the basic authentication realm. You can also specify none or default. The value of the Basic Auth Realm setting is a string that you provide. The system sends this string to a client whenever authorization fails. ◆ compress Specifies the compression mode. The options are enable, disable, selective, and default. Note that the data compression feature compresses HTTP server responses, and not client requests. ◆ compress browser workarounds Enables or disables browser workarounds. The default is disable. Enabling this attribute causes turns of compression on server responses when any of the following conditions are detected: • If the client browser is Netscape Navigator version 4.0x, compression is turned off. Note that Netscape advertises that the browser can handle compression, but it does not handle compression gracefully. In this case, F5 disables compression entirely for that class of browser. • If the client browser is Netscape Navigator version 4.x (4.10 and beyond) and the server response Content-Type is neither text/html or text/plain, compression is turned off. This class of Netscape browsers can handle plain text and HTML just fine, but there are known issues with other types of content. • If the client browser is Microsoft Internet Explorer (any version), the server response Content-Type is either text/css or application/x-javascript, and the clients connection is over SSL, compression is turned off. The Microsoft article ID for this problem is 825057. • If the client browser is Microsoft Internet Explorer (any version), the server response Content-Type is either text/css or application/x-javascript, and the server set the header Cache-Control to no-cache, compression is turned off. The Microsoft article ID for this problem is 327286. A - 202 ◆ compress buffer size Specifies the maximum number of uncompressed bytes that the system buffers before determining whether or not to compress the response. Useful when the headers of a server response do not specify the length of the response content. The default value is 4096. ◆ compress content type exclude Excludes a specified list of content types from compression of HTTP Content-Type responses. Use a string list to specify a list of content types you want to compress. ◆ compress content type include Specifies a list of content types for compression of HTTP Content-Type responses. Use a string list to specify a list of content types you want to compress. bigpipe Command Reference ◆ compress cpu saver Specifies the CPU saver setting. When the CPU saver is enabled, the system monitors the percent of CPU usage and adjusts compression rates automatically when the CPU usage reaches the percentage defined in the cpu saver low or the cpu saver high options. The default setting is enable. ◆ compress cpu saver high Specifies the percent of CPU usage at which the system starts automatically decreasing the amount of content being compressed, as well as the amount of compression which the system is applying. The default setting is 90 percent. ◆ compress cpu saver low Specifies the percent CPU usage at which the system resumes content compression at the user-defined rates. The default is 75 percent. ◆ compress gzip level Specifies a value that determines the amount of memory that the system uses when compressing a server response. The default is 8. ◆ compress gzip memory level Specifies a value that determines the amount of memory that the system uses when compressing a server response. The default value is 8. ◆ compress gzip window size Specifies the number of bits in the window size that the system uses when compressing a server response. The default is 16 bits. ◆ compress http 1.0 Enables or disables compression of HTTP/1.0 server responses. ◆ compress min size Specifies the minimum length in bytes of a server response that is acceptable for compressing that response. The length in bytes applies to content length only, not headers. The default setting is 1024. ◆ compress prefer Specifies the type of compression that is preferred by the system. The options are deflate, gzip, or default. ◆ compress uri exclude Disables compression on a specified list of HTTP Request-URI responses. Use a regular expression to specify a list of URIs you do not want to compress. ◆ compress uri include Enables compression on a specified list of HTTP Request-URI responses. Use a regular expression to specify a list of URIs you want to compress. ◆ compress vary header Enables or disables the insertion of a Vary header into cacheable server responses. The default is enable. ◆ cookie secret Specifies a passphrase for the cookie encryption. BIG-IP® Command Line Interface Guide A - 203 Appendix A A - 204 ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. ◆ encrypt cookies Encrypts specified cookies that the BIG-IP system sends to a client system. ◆ fallback Specifies an HTTP fallback host. HTTP redirection allows you to redirect HTTP traffic to another protocol identifier, host name, port number, or URI path. For example, if all members of the targeted pool are unavailable (that is, the members are disabled, marked as down, or have exceeded their connection limit), the system can redirect the HTTP request to the fallback host, with the HTTP reply Status Code 302 Found. For details about how to configure this string, refer to the Configuration Guide for BIG-IP® Local Traffic Management. ◆ fallback status Specifies one or more three-digit status codes that can be returned by an HTTP server. ◆ header erase Specifies the header string that you want to erase from an HTTP request. You can also specify none or default. ◆ header insert Specifies the header string that you want to insert into an HTTP request. You can also specify none or default. An optional setting in an HTTP profile is HTTP header insertion. The HTTP header being inserted can include a client IP address. Including a client IP address in an HTTP header is useful when a connection goes through a secure network address translation (SNAT) and you need to preserve the original client IP address. The format of the header insertion that you specify must be a quoted string. When you assign the configured HTTP profile to a virtual server, the system then inserts the header specified by the profile into any HTTP request that the system sends to a pool or pool member. ◆ insert xforwarded for When using connection pooling, which allows clients to make use of other client requests' server-side connections, you can insert the X-Forwarded-For header and specify a client IP address. ◆ keep accept encoding Enables or disables keep accept encoding. When enabled, causes the target server, rather than the BIG-IP local traffic management system, to perform the data compression. ◆ lws separator Specifies the linear white space separator that the system should use between HTTP headers when a header exceeds the maximum width specified by the lws width setting. The options are cr, lf, or sp. ◆ lws width Specifies the maximum number of columns allowed for a header that is inserted into an HTTP request. See also the lws separator option above. bigpipe Command Reference ◆ max header size Specifies the maximum header size. ◆ oneconnect transformations Enables the system to perform HTTP header transformations for the purpose of keeping server-side connections open. This feature requires configuration of a OneConnect™ profile. ◆ partition Displays the partition within which the profile resides. ◆ pipelining Enables HTTP/1.1 pipelining. This allows clients to make requests even when prior requests have not received a response. In order for this to succeed, however, destination servers must include support for pipelining. ◆ profile http edit Displays in a text editor the running configuration of all objects created using the command profile http. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ ramcache Enables or disables the RAM Cache feature. The default setting is disable. Note that you cannot insert a cookie on an HTTP RESPONSE when the RAM Cache is enabled and the document is cacheable. ◆ ramcache aging rate Specifies how long the system considers the cached content to be valid. The default is 3600 seconds. ◆ ramcache entry Specifies the following information about a ramcache entry: • exact max response Specifies the maximum number of responses allowed to utilize the cached entry. • URI Specifies the URI from which the entry was cached. • host Specifies the host from which the entry was cached. ◆ ramcache ignore client cache control Specifies if you want to ignore cache disabling headers sent by clients. You can set this to none, max age, or all. ◆ ramcache insert age header When enabled, inserts Age and Date headers in the response. ◆ ramcache max age Specifies how long the system considers the cached content to be valid. The default is 3600 seconds. BIG-IP® Command Line Interface Guide A - 205 Appendix A ◆ ramcache max entries Specifies the maximum number of entries that can be in the RAM cache. The default is 0, which means that the system does not limit the maximum entries. ◆ ramcache max object size Specifies the largest object that the system considers eligible for caching. The default setting is 50000 bytes. ◆ ramcache min object size Specifies the smallest object that the system considers eligible for caching. The default setting is 500 bytes. ◆ ramcache size Specifies the maximum size for the RAM cache. When the cache reaches the maximum size, the system starts removing the oldest entries. The default setting is 100 megabytes. ◆ ramcache uri exclude Configures a list of URIs to exclude in the RAM Cache. A value of none specifies that URI pinning is not activated. The default setting is none. ◆ ramcache uri include Configures a list of URIs to include in the RAM Cache. A value of none specifies that URI pinning is not activated. The default setting is none. ◆ ramcache uri pinned Specifies whether the system retains or excludes certain URIs in the RAM cache. The pinning process forces the system either to cache URIs that typically are ineligible for caching, or to not cache URIs that typically are eligible for caching. ◆ redirect rewrite Specifies which of the application HTTP redirects the system rewrites to HTTPS. Use this feature when the application is generating HTTP redirects that send the client to HTTP (a non-secure channel) when you want the client to continue accessing the application using HTTPS (a secure channel). This is a common occurrence when using client-side SSL processing on a BIG-IP system. • all Specifies to rewrite to HTTPS all application redirects. • matching Specifies to rewrite to HTTPS only application redirects that match the original URI exactly. • nodes If the URI contains a node IP address, instead of a host name, specifies that the system rewrites the node IP address to the virtual server IP address. • none Specifies that the system does not rewrite to HTTPS any application HTTP redirects. This is the default value. • default Specifies to use the default value for this parameter, which is none. A - 206 bigpipe Command Reference ◆ response Specifies how to handle chunked and unchunked requests and responses. • unchunk If the request or response is chunked, this option unchunks the request or response, and processes the HTTP content, and passes the request or response on as unchunked. The Keep-Alive value for the Connection header is not supported, and therefore the system sets the value of the header to Close. If the request or response is unchunked, the BIG-IP local traffic management system processes the HTTP content and passes the request or response on untouched. • rechunk If the request or response is chunked, the system unchunks the request or response, processes the HTTP content, re-adds the chunk trailer headers, and then passes the request or response on as chunked. Any chunk extensions are lost. If the request or response is unchunked, the system adds transfer encoding and chunking headers on egress. • preserve chunk Specifies that the system processes the HTTP content, and sends the response to the client unchanged. • selective chunk If the request or response is chunked, the system unchunks the request or response, processes the HTTP content, re-adds the chunk trailer headers, and then passes the request or response on as chunked. Any chunk extensions are lost. If the request is unchunked, the system processes the HTTP content and then passes the request or response on untouched. • default Indicates to use the value in the default http profile. ◆ response headers allowed Specifies headers that the BIG-IP system allows in an HTTP response. See also profile(1), virtual(1), profile fasthttp(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 207 Appendix A profile httpclass Configures an HTTP Class type of profile. Syntax Use this command to create an HTTP class profile, redirect HTTP traffic to HTTPS using the same virtual server, and redirect HTTP traffic without changing the URL in the browser. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile httpclass <profile httpclass key list> {} profile httpclass (<profile httpclass key list> | all) [{] \ <profile httpclass arg list> [}] <profile httpclass key> ::= <name> <profile httpclass arg> ::= asm (enable | disable | default) cookies ((<regex/glob list> | none) [add | delete] | default) defaults from (<profile httpclass key> | none) headers ((<regex/glob list> | none) [add | delete] | default) hosts ((<regex/glob list> | none) [add | delete] | default) paths ((<regex/glob list> | none) [add | delete] | default) pool (<poolkey> | none | default) redirect (<string> | none | default) url rewrite (<string> | none | default) wa (enable | disable | default) <regex/glob> :: [glob | regex] <string> profile httpclass [<profile httpclass key list> | all] stats reset profile httpclass edit Display profile httpclass [<profile httpclass key list> | all] [show [all]] profile httpclass [<profile httpclass key list> | all] list [all] A - 208 bigpipe Command Reference profile httpclass [<profile httpclass key list> | all] asm <show> profile httpclass [<profile httpclass key list> | all] cookies <show> profile httpclass [<profile httpclass key list> | all] defaults from <show> profile httpclass [<profile httpclass key list> | all] headers <show> profile httpclass [<profile httpclass key list> | all] hosts <show> profile httpclass [<profile httpclass key list> | all] name <show> profile httpclass [<profile httpclass key list> | all] partition <show> profile httpclass [<profile httpclass key list> | all] paths <show> profile httpclass [<profile httpclass key list> | all] pool <show> profile httpclass [<profile httpclass key list> | all] redirect <show> profile httpclass [<profile httpclass key list> | all] stats [show] profile httpclass [<profile httpclass key list> | all] url rewrite <show> profile httpclass [<profile httpclass key list> | all] wa <show> Delete profile httpclass (<profile httpclass key list> | all) delete Description Use this command to create an HTTP class profile, redirect HTTP traffic to HTTPS using the same virtual server, and redirect HTTP traffic without changing the URL in the browser. Examples Creates an HTTP class profile named myhttpclassprofile that inherits its settings from the system default HTTP Class profile: profile httpclass myhttpclassprofile { } Options You can use the following options with the profile httpclass command: • asm Enables application security management. You can set the asm option only if the system is licensed for the BIG-IP® Application Security Manager. The options are enable, disable, and default. • cookies Specifies how the system routes all incoming HTTP traffic for the web application, based on cookie headers. • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • headers Specifies how the system routes incoming HTTP traffic for the web application, based on HTTP headers and values. BIG-IP® Command Line Interface Guide A - 209 Appendix A • hosts Specifies how the system routes incoming HTTP traffic, based on host information. • partition Displays the partition within which the profile resides. • paths Specifies how the system routes all incoming HTTP traffic for the web application, based on URI paths. • pool Specifies a local traffic pool to which the system sends the HTTP traffic. The options are <pool key>, none, and default. • profile httpclass edit Displays in a text editor the running configuration of all objects created using the command profile httpclass. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • redirect Specifies a URL to which the system redirects the traffic. The options are none, <string>, and default. • url rewrite Specifies the TCL expression that the system uses to rewrite the request URI that is forwarded to the server without sending an HTTP redirect to the client. The options are none, <string>, and default. • wa Specifies web acceleration. You can set the wa option only if the system is licensed for the BIG-IP WebAccelerator Module. The options are enable, disable, and default. See also profile(1), profile http(1) A - 210 bigpipe Command Reference profile oneconnect Creates, modifies, displays, or deletes a OneConnect™ profile. Syntax Use this command to create, modify, display, or delete a OneConnect™ profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile oneconnect <profile oneconnect key list> {} profile oneconnect (<profile oneconnect key list> | all) \ [{] <profile oneconnect arg list> [}] <profile oneconnect key> ::= <name> <profile oneconnect arg> ::= defaults from (<<profile oneconnect key> | none) idle timeout override (<number> | disable | indefinite | default) max size (<number> | default) max age (<number> | default) max reuse (<number> | default) source mask (<ip mask> | none | default) profile oneconnect [<<profile oneconnect key list> | all] stats reset profile oneconnect edit Display profile oneconnect [<profile oneconnect key list> | all] [show [all]] profile oneconnect [<profile oneconnect key list> | all] list [all] profile oneconnect [<profile oneconnect key list> | all] defaults from [show] profile oneconnect [<profile oneconnect key list> | all] idle timeout override [show] profile oneconnect [<profile oneconnect key list> | all] max size [show] profile oneconnect [<profile oneconnect key list> | all] max age [show] profile oneconnect [<profile oneconnect key list> | all] max reuse [show] profile oneconnect [<profile oneconnect key list> | all] name [show] profile oneconnect [<profile oneconnect key list> | all] partition [show] BIG-IP® Command Line Interface Guide A - 211 Appendix A profile oneconnect [<profile oneconnect key list> | all] source mask [show] profile oneconnect [<profile oneconnect key list> | all] stats [show] Delete profile oneconnect (<profile oneconnect key list> | all) delete Description Create a OneConnect™ profile that optimizes connections by improving client performance and increasing server capacity. Examples Creates a OneConnect™ profile named myOCprofile that inherits its settings from the system default OneConnect profile: profile oneconnect myOCprofile { } Options You can use the following options with the profile oneconnect command: • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • idle timeout override Specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion. Possible values are disable, indefinite, or a numeric value that you specify. The default is disable. • max size Specifies the maximum number of connections that the system holds in the connection reuse pool. If the pool is already full, then the server-side connection closes after the response is completed. The default setting is 10000. • max age Specifies the maximum age in number of seconds allowed for a connection in the connection reuse pool. For any connection with an age higher than this value, the system removes that connection from the reuse pool. The default maximum age is 86400. • max reuse Specifies the maximum number of times that a server-side connection can be reused. The default is 1000. • partition Displays the partition within which the profile resides. • profile oneconnect edit Displays in a text editor the running configuration of all objects created using the command profile oneconnect. You can edit the value of any A - 212 bigpipe Command Reference parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • source mask Specifies a source IP mask. The system applies the value of this setting to the source address to determine its eligibility for reuse. A mask of 0 causes the system to share reused connections across all clients. A host mask, that is, all 1 values in binary, causes the system to share only those reused connections originating from the same client IP address. The default mask is 0.0.0.0. See also profile(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 213 Appendix A profile persist Configures a persistence profile. Syntax Use this command to create, modify, display, or delete a persistence profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile persist <profile persist key list> {} profile persist (<profile persist key list> | all) [{] <persistence profile arg list> [}] <profile persist key>::= <name> <persistence profile arg> ::= defaults from (<profile persist key> | none) mode (none | source addr | dest addr | cookie | ssl | msrdp | universal | hash |\ sip | default) rule (<rule key> | none | default) sip info (<string> | none | default) timeout (<number> | immediate | indefinite | default) mask (<ip mask> | none) cookie mode (insert | rewrite | passive | hash | default | none) cookie expiration ([<number>d] [<hh>:<mm>:<ss>] | default) cookie hash offset (<number> | default) cookie hash length (<number> | default) cookie name (<string> | none | default) mirror (enable | disable | default) msrdp session directory (enable | disable | default) map proxies (enable | disable | default) across pools (enable | disable | default) across services (enable | disable | default) across virtuals (enable | disable | default) profile persist edit A - 214 bigpipe Command Reference Display profile persist [<profile persist key list> | all] [show [all]] profile persist [<profile persist key list> | all] list [all] profile persist [<profile persist key list> | all] defaults from [show] profile persist [<profile persist key list> | all] across pools [show] profile persist [<profile persist key list> | all] across services [show] profile persist [<profile persist key list> | all] across virtuals [show] profile persist [<profile persist key list> | all] cookie expiration [show] profile persist [<profile persist key list> | all] cookie hash length [show] profile persist [<profile persist key list> | all] cookie hash offset [show] profile persist [<profile persist key list> | all] cookie mode [show] profile persist [<profile persist key list> | all] cookie name [show] profile persist [<profile persist key list> | all] map proxies [show] profile persist [<profile persist key list> | all] mask [show] profile persist [<profile persist key list> | all] mirror [show] profile persist [<profile persist key list> | all] mode [show] profile persist [<profile persist key list> | all] msrdp session directory [show] profile persist [<profile persist key list> | all] name [show] profile persist [<profile persist key list> | all] partition [show] profile persist [<profile persist key list> | all] rule [show] profile persist [<profile persist key list> | all] sip info [show] profile persist [<profile persist key list> | all] timeout [show] Delete profile persist (<profile persist key list> | all) delete Description A persistence profile is a pre-configured object that automatically enables persistence when you assign the profile to a virtual server. Using a persistence profile avoids having to write an iRule to implement a type of persistence. Each type of persistence that the traffic management system offers includes a corresponding default persistence profile. These persistence profiles each contain settings and setting values that define the behavior of the system for that type of persistence. You can either use the default profile, or create a custom profile based on the default. Examples Creates a custom persistence profile named mypersistprofile that inherits its settings from the default Cookie persistence profile: profile persist mypersistprofile { defaults from cookie } BIG-IP® Command Line Interface Guide A - 215 Appendix A Creates a SIP persistence profile named mysippersistenceprofile that persists on Call-ID: profile persist mysippersistenceprofile sip info Call-ID Options You can use these options with the profile persist command: ◆ across pools Enables or disables persistence across pools. When enabled, specifies that the BIG-IP system can use any pool that contains this persistence entry. Persistence across all pools causes the traffic management system to maintain persistence for all connections requested by the same client, regardless of which pool hosts each individual connection initiated by the client. The default is disable. ◆ across services Enables or disables persistence across services. When enabled, this setting specifies that all persistent connections from a client IP address that go to the same virtual IP address also go to the same node. The default is disable. ◆ across virtuals Enables or disables persistence across virtual servers. When enabled, specifies that all persistent connections from a client IP address that go to the same virtual IP address also go to the same node. Persistence across all virtual servers causes the traffic management system to maintain persistence for all connections requested by the same client, regardless of which virtual server hosts each individual connection initiated by the client. The default is disable. ◆ cookie expiration Specifies the cookie expiration date in the format <number> <hh>:<mm>:<ss>. The default is 0 seconds. ◆ cookie hash length Specifies the cookie hash length. The length is the number of bytes to use when calculating the hash value. The default is 0 bytes. ◆ cookie hash offset Specifies the cookie hash offset. The offset is the number of bytes in the cookie to skip before calculating the hash value. The default is 0 bytes. ◆ cookie mode Specifies the cookie mode for cookie persistence. The default is insert. Options are: none, insert, rewrite, passive, hash, and default. • insert If you specify HTTP cookie insert method within the profile, the information about the server to which the client connects is inserted in the header of the HTTP response from the server as a cookie. The cookie is named BIGipServer <pool name>, and it includes the address and port of the server handling the connection. The expiration A - 216 bigpipe Command Reference date for the cookie is set, based on the timeout configured on the traffic management system. HTTP cookie insert method is the default value for the cookie mode setting. • rewrite Specifies cookie rewrite mode. HTTP cookie rewrite mode requires you to set up the cookie created by the server. For HTTP cookie rewrite mode to succeed, there needs to be a blank cookie coming from the web server for the system to rewrite. For web servers that are Apache server variants, you can add the cookie to every web page header by adding the following entry to the httpd.conf file of the web server: Header add Set-Cookie BIGipCookie=0000000000000000000000000... (Note that the cookie must contain a total of 120 zeros.) • passive If you specify HTTP cookie passive mode, the system does not insert or search for blank Set-Cookie headers in the response from the server. This method does not try to set up the cookie. With this method, the server provides the cookie, formatted with the correct server information and timeout. • hash If you specify cookie hash mode, the hash mode consistently maps a cookie value to a specific node. When the client returns to the site, the system uses the cookie information to return the client to a given node. With this mode, the web server must generate the cookie. The system does not create the cookie automatically, as it does with insert mode. • default Indicates that you want to use the settings from the parent profile. ◆ cookie name Specifies the cookie name. Type the name of an HTTP cookie being sent by the Web site. This could be something like Apache or SSLSESSIONID. The name depends on the type of web server your site is running. This attribute is used by cookie hash mode. ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. ◆ map proxies Enables or disables the map proxies attribute. The default setting for the map proxies for the persistence variable is enable. The AOL® proxy addresses are hard-coded. This enables you to use client IP address persistence with a simple persist mask, but forces all AOL clients to persist to the same server. All AOL clients persist to the node that was picked for the first AOL client connection received. The default is disable. ◆ mask Specifies an IP mask. This is the mask used by simple persistence for connections. BIG-IP® Command Line Interface Guide A - 217 Appendix A ◆ mirror Enables or disables mirroring of persistence date. The default is disable. ◆ mode Specifies the persistence mode. The default is none. This setting is required. The options are: none, source addr, dest addr, cookie, ssl, msrdp, universal, hash, sip, or default. • source addr Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet. • dest addr Also known as sticky persistence, destination address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the destination IP address of a packet. • cookie Cookie persistence uses an HTTP cookie stored on a client computer to allow the client to reconnect to the same server previously visited at a web site. • ssl SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. Even when the client's IP address changes, the BIG-IP local traffic management system still recognizes the connection as being persistent based on the session ID. Note that the term non-terminated SSL sessions refers to sessions in which the traffic management system does not perform the tasks of SSL certificate authentication and encryption/re-encryption. • msrdp Microsoft Remote Desktop persistence tracks sessions between clients and servers running Microsoft Remote Desktop Protocol (MSRDP). • universal Universal persistence allows you to write an expression that defines what to persist on in a packet. The expression, written using the same expression syntax that you use in iRules™, defines some sequence of bytes to use as a session identifier. • hash Hash persistence allows you to create a persistence hash based on an existing iRule. • sip SIP persistence load balances all of the SIP communications in a SIP session to the same SIP server based on SIP header field information. • default Specify default if you want to use the default system profile settings for persistence mode. A - 218 bigpipe Command Reference ◆ msrdp session directory Enables or disables the MSRDP session directory option for MSRDP persistence. Enable this option to implement Windows Terminal Server persistence for those Windows servers on which the Session Directory service is not available. The default is enable. ◆ partition Displays the partition within which the profile resides. ◆ profile persist edit Displays in a text editor the running configuration of all objects created using the command profile persist. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ rule Specifies a rule name if you are using a rule for universal persistence. ◆ sip info Specifies the SIP header field on which you want SIP sessions to persist. The default is Call-ID. Your options include, but are not limited to the following header fields: • Call-ID: Specifies to persist on the ID of the call. The Call-ID is a globally unique identifier of a call. • SIP-ETag: Specifies to persist on the SIP-ETag. • To: Specifies to persist on the destination of the SIP session. • From: Specifies to persist on the origin of the SIP session. • Subject: Specifies to persist on the subject of the SIP session. Before you can use the sip info option of the profile persist command, you must create a SIP profile (using the profile sip command). Then, you must assign both profiles to the same virtual server. ◆ timeout Specifies the timeout. Possible values are default, immediate, indefinite, or a numeric value that you specify. This is the simple persistence timeout. The default is 180 seconds. The timeout value that you specify allows the BIG-IP system to free up resources associated with old persistence entries, without having to test each inbound packet for one of the different types of final messages. A default timeout value exists, which is 180 seconds. If you change the timeout value, F5 recommends that the value be no lower than the default. See also profile(1), virtual(1), rule(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 219 Appendix A profile rtsp Configures a Real Time Streaming Protocol (RTSP) profile. Syntax Use this command to create, modify, display, or delete an RTSP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile rtsp <profile rtsp key list> {} profile rtsp (<profile rtsp key list> | all) [{] <profile rtsp arg list> [}] <profile rtsp key> ::= <name> <profile rtsp arg> ::= defaults from (<profile rtsp key> | none) idle timeout (<number> | immediate | indefinite | default) max header size (<number> | default) max queued data (<number> | default) multicast redirect (enable | disable | default) proxy (none | external | internal | default) proxy header (<string> | none | default) real http persistence (enable | disable | default) rtcp service (<service> | none | default) rtp service (<service> | none | default) session reconnect (enable | disable | default) unicast redirect (enable | disable | default) profile rtsp [<profile rtsp key list> | all] stats reset profile rtsp edit Display profile rtsp [<profile rtsp key list> | all] [show [all]] profile rtsp [<profile rtsp key list> | all] list [all] profile rtsp [<profile rtsp key list> | all] defaults from [show] profile rtsp [<profile rtsp key list> | all] idle timeout [show] profile rtsp [<profile rtsp key list> | all] max header size [show] A - 220 bigpipe Command Reference profile rtsp [<profile rtsp key list> | all] max queued data [show] profile rtsp [<profile rtsp key list> | all] multicast redirect [show] profile rtsp [<profile rtsp key list> | all] partition [show] profile rtsp [<profile rtsp key list> | all] proxy [show] profile rtsp [<profile rtsp key list> | all] proxy header [show] profile rtsp [<profile rtsp key list> | all] real http persistence [show] profile rtsp [<profile rtsp key list> | all] rtcp service [show] profile rtsp [<profile rtsp key list> | all] rtp service [show] profile rtsp [<profile rtsp key list> | all] session reconnect [show] profile rtsp [<profile rtsp key list> | all] stats [show] profile rtsp [<profile rtsp key list> | all] unicast redirect [show] Delete profile rtsp [<profile rtsp key list> | all] delete Description Manages a profile for RTSP traffic. Examples Creates a custom RTSP profile named myrtspprofile that inherits its settings from the system default RTSP profile: profile rtsp myrtspprofile { } Options You can use these options with the profile rtsp command: • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all of the settings and values from the specified parent profile. • idle timeout Specifies the number of seconds that a connection is idle before the connection is eligible for deletion. You can also specify immediate, indefinite or default. The default is 300 seconds. • max header size Specifies the maximum size of an RTSP request or response header that the RTSP filter allows before dropping the connection. The default is 4096 bytes. • max queued data Specifies the maximum amount of data that the RTSP filter buffers before dropping the connection. The default is 32768 bytes. BIG-IP® Command Line Interface Guide A - 221 Appendix A • multicast redirect Specifies whether to enable or disable multicast redirect. When enabled, the client can select the destination to which to stream data. The default value is disable. • partition Displays the partition within which the profile resides. • profile rtsp edit Displays in a text editor the running configuration of all objects created using the command profile rtsp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • proxy Specifies whether the RTSP filter is associated with an RTSP proxy configuration. The default value is none. • proxy header When a proxy is set, specifies the name of the header in the RTSP proxy configuration that is passed from the client-side virtual server to the server-side virtual server. Note that the name of the header must begin with X-. • real http persistence Specifies whether to enable or disable real HTTP persistence. When enabled, the RTSP filter automatically persists Real Networks RTSP over HTTP using the RTSP port. The default value is enable. If you disable this parameter, you can override the default behavior with an iRule. • rtcp service The Real Time Control Protocol (RTCP) allows monitoring of the real-time data delivery. This parameter specifies the number of the port to use for the RTCP service. • rtp service The Real Time Protocol (RTP) provides data transport functions suitable for applications transmitting real-time data. This parameter specifies the number of the port to use for the RTP service. • session reconnect Specifies whether to enable or disable session reconnect. When enabled, the RTSP filter persists the control connection, which is being resumed, to the correct server. The default value is disable. • unicast redirect Specifies whether to enable or disable unicast redirect. When enabled, the client can select the destination to which to stream data. The default value is disable. See also profile(1), virtual(1), bigpipe(1) A - 222 bigpipe Command Reference profile sctp Configures a Stream Control Transmission Protocol (SCTP) profile. Syntax Use this command to create, modify, display, or delete an SCTP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile sctp <profile sctp key list> {} profile sctp (<profile sctp key list> | all) [{] <profile sctp arg list> [}] <profile sctp key> ::= <name> <profile sctp arg> ::= cookie expiration (<number> | default) defaults from (<profile sctp key> | none) heartbeat (<number> | default) idle timeout (<number> | immediate | indefinite | default) in streams (<number> | default) init max retries (<number> | default) ip tos (<number> | pass | default) link qos (<number> | pass | default) out streams (<number> | default) proxy buffer high (<number> | default) proxy buffer low (<number> | default) recv chunks (<number> | default) recv ordered (enable | disable | default) recv window (<number> | default) reset on timeout (enable | disable | default) secret (<string> | none | default) send buffer (<number> | default) send max retries (<number> | default) send partial (enable | disable | default) tcp shutdown (enable | disable | default) trans chunks (<number> | default) BIG-IP® Command Line Interface Guide A - 223 Appendix A profile sctp [<profile sctp key list> | all] stats reset profile sctp edit Display profile sctp [<profile sctp key list> | all] [show [all]] profile sctp [<profile sctp key list> | all] list [all] profile sctp [<profile sctp key list> | all] cookie expiration [show] profile sctp [<profile sctp key list> | all] defaults from [show] profile sctp [<profile sctp key list> | all] heartbeat [show] profile sctp [<profile sctp key list> | all] idle timeout [show] profile sctp [<profile sctp key list> | all] in streams [show] profile sctp [<profile sctp key list> | all] init max retries [show] profile sctp [<profile sctp key list> | all] ip tos [show] profile sctp [<profile sctp key list> | all] link qos [show] profile sctp [<profile sctp key list> | all] out streams [show] profile sctp [<profile sctp key list> | all] partition [show] profile sctp [<profile sctp key list> | all] proxy buffer high [show] profile sctp [<profile sctp key list> | all] proxy buffer low [show] profile sctp [<profile sctp key list> | all] recv chunks [show] profile sctp [<profile sctp key list> | all] recv ordered [show] profile sctp [<profile sctp key list> | all] recv window [show] profile sctp [<profile sctp key list> | all] reset on timeout [show] profile sctp [<profile sctp key list> | all] secret [show] profile sctp [<profile sctp key list> | all] send buffer [show] profile sctp [<profile sctp key list> | all] send max retries [show] profile sctp [<profile sctp key list> | all] send partial [show] profile sctp [<profile sctp key list> | all] stats [show] profile sctp [<profile sctp key list> | all] tcp shutdown [show] profile sctp [<profile sctp key list> | all] trans chunks [show] Delete profile sctp (<profile sctp key list> | all) delete Description Manages a profile for SCTP traffic. Examples Creates a custom SCTP profile named mysctpprofile that inherits its settings from the system default SCTP profile: profile sctp mysctpprofile { } A - 224 bigpipe Command Reference Options You can use these options with the profile sctp command: • cookie expiration Specifies how many seconds the cookie is valid. The default is 60 seconds. • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • heartbeat Specifies the number of seconds to wait before sending a heartbeat chunk. The default is 30 seconds. • idle timeout Specifies the number of seconds without traffic before a connection is eligible for deletion. The default is 300 seconds. • in streams Specifies the number of inbound streams. The default is 2. • init max retries Specifies the maximum number of retries to establish a connection. The default is 4. • ip tos Specifies the type of IP service set in packets sent to peer. The default is 0. • link qos Specifies the link quality of service set in sent packets. The default is 0. • out streams Specifies the number of outbound streams. The default is 2. • partition Displays the partition within which the profile resides. • profile sctp edit Displays in a text editor the running configuration of all objects created using the command profile sctp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • proxy buffer high Specifies the proxy buffer level after which the system closes the receive window. The default is 16384. • proxy buffer low Specifies the proxy buffer level after which the system opens the receive window. The default is 4096. • recv chunks Specifies the size (in chunks) of the rx_chunk buffer. The default is 256. BIG-IP® Command Line Interface Guide A - 225 Appendix A • recv ordered When enabled, the system delivers messages to the application layer in order. The default is enable. • recv window Specifies the size (in bytes) of the receive window. Prorate this value to the Receive Chunks value. The default is 65536. • reset on timeout When enabled, the system resets a connection when the connection times out. The default is enable. • secret Specifies the internal secret string that the system uses for HTTP Message Authenticated Code (HMAC) cookies. • send buffer Specifies the size in bytes of the buffer. The default is 65536. • send max retries Specifies the maximum number of times the system tries again to send data. The default is 8. • send partial When enabled, the system accepts partial application data. The default is enable. • tcp shutdown When enabled, the system emulates the closing of a TCP connection. The default is enable. • trans chunks Specifies the size (in chunks) of the tx_chunk buffer. The default is 256. See also profile(1), bigpipe(1), profile rtsp(1), profile sip(1) A - 226 bigpipe Command Reference profile serverssl Configures a Server SSL profile. Syntax Use this command to create, modify, display, or delete a Server SSL profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile serverssl <profile serverssl key list> {} profile serverssl (<profile serverssl key list> | all) [{] [}] <profile serverssl arg list> <profile serverssl key> ::= <name> <profile serverssl arg> ::= defaults from (<profile serverssl key> | none) mode (enable | disable | default) key (<file name> | none | default) cert (<file name> | none | default) chain (<file name> | none | default) ca file (<file name> | none | default) crl file (<file name> | none | default) ciphers (<string> | none | default) passphrase (<string> | none | default) options ([MICROSOFT_SESS_ID_BUG] [NETSCAPE_CHALLENGE_BUG][NETSCAPE_REUSE_CIPHER_CHANGE_BUG] [SSLREF2_REUSE_CERT_TYPE_BUG][MICROSOFT_BIG_SSLV3_BUFFER] [MSIE_SSLV2_RSA_PADDING] [SSLEAY_080_CLIENT_DH_BUG] [TLS_D5_BUG] [TLS_BLOCK_PADDING_BUG] [DONT_INSERT_EMPTY_FRAGMENTS] [ALL_BUGFIXES] [TLS_ROLLBACK_BUG] [SINGLE_DH_USE] [EPHEMERAL_RSA] [CIPHER_SERVER_PREFERENCE] [PKCS1_CHECK_1] [PKCS1_CHECK_2] [NETSCAPE_CA_DN_BUG] [NETSCAPE_DEMO_CIPHER_CHANGE_BUG] [NO_SSLv2] [NO_SSLv3] [NO_TLSv1] [NO_SESSION_RESUMPTION_ON_RENEGOTIATION] [PASSIVE_CLOSE] | none | default) modssl methods (enable | disable | default) renegotiate period (<number> | immediate | indefinite | default) renegotiate size (<number>[MB|mb] | indefinite | default) peer cert mode (require | ignore | default) authenticate (once | always | default) BIG-IP® Command Line Interface Guide A - 227 Appendix A authenticate depth (<number> | default) authenticate name (<string> | default) unclean shutdown (enable | disable | default) strict resume (enable | disable | default) handshake timeout (<number> | immediate | indefinite | default) alert timeout (<number> | immediate | indefinite | default) cache size (<number> | default) cache timeout (<number> | immediate | indefinite | default) profile serverssl [<profile serverssl key list> | all] stats reset profile serverssl edit Display profile serverssl [<profile serverssl key list> | all] [show [all]] profile serverssl [<profile serverssl key list> | all] list [all] profile serverssl [<profile serverssl key list> | all] name [show] profile serverssl [<profile serverssl key list> | all] defaults from [show] profile serverssl [<profile serverssl key list> | all] mode [show] profile serverssl [<profile serverssl key list> | all] key [show] profile serverssl [<profile serverssl key list> | all] cert [show] profile serverssl [<profile serverssl key list> | all] chain [show] profile serverssl [<profile serverssl key list> | all] ca file [show] profile serverssl [<profile serverssl key list> | all] crl file [show] profile serverssl [<profile serverssl key list> | all] ciphers [show] profile serverssl [<profile serverssl key list> | all] options [show] profile serverssl [<profile serverssl key list> | all] modssl methods [show] profile serverssl [<profile serverssl key list> | all] renegotiate period [show] profile serverssl [<profile serverssl key list> | all] renegotiate size [show] profile serverssl [<profile serverssl key list> | all] peer cert mode [show] profile serverssl [<profile serverssl key list> | all] authenticate [show] profile serverssl [<profile serverssl key list> | all] authenticate depth [show] profile serverssl [<profile serverssl key list> | all] authenticate name [show] profile serverssl [<profile serverssl key list> | all] unclean shutdown [show] profile serverssl [<profile serverssl key list> | all] strict resume [show] profile serverssl [<profile serverssl key list> | all] passphrase [show] profile serverssl [<profile serverssl key list> | all] handshake timeout [show] profile serverssl [<profile serverssl key list> | all] alert timeout [show] profile serverssl [<profile serverssl key list> | all] cache size [show] profile serverssl [<profile serverssl key list> | all] cache timeout [show] profile serverssl [<profile serverssl key list> | all] stats [show] profile serverssl [<profile serverssl key list> | all] partition [show] Delete profile serverssl (<profile serverssl key list> | all) delete A - 228 bigpipe Command Reference Description Server-side profiles allow the traffic management system to handle encryption tasks for any SSL connection being sent from a local traffic management system to a target server. A server-side SSL profile is able to act as a client by presenting certificate credentials to a server when authentication of the local traffic management system is required. You implement this type of profile by using the default profile, or creating a custom profile based on the Server SSL profile template and modifying its settings. Examples Creates a custom Server SSL profile named myserversslprofile that inherits its settings from the system default serverssl profile: profile serverssl myserversslprofile { } Arguments Several arguments are available for use with this command. ◆ ca file Specifies the certificate authority (CA) file name or indicates the system uses the certificate authority file name from the parent profile. Configures certificate verification by specifying a list of client or server CAs that the traffic management system trusts. ◆ cert Specifies the certificate file name or indicates the system uses the certificate file name from the parent profile. Specifies the name of the certificate installed on the traffic management system for the purpose of terminating or initiating an SSL connection. The default is default.crt. ◆ chain Specifies the chain name or indicates the system uses the chain name from the parent profile. Specifies or builds a certificate chain file that a client can use to authenticate the profile. ◆ ciphers Specifies a cipher name or indicates the system uses the default ciphers from the parent profile. ◆ crl file Specifies the certificate revocation list file name or indicates the system uses the certificate revocation file name from the parent profile. ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. BIG-IP® Command Line Interface Guide A - 229 Appendix A ◆ key Specifies the key file name or indicates the system uses the key file name from the parent profile. Specifies the name of the key installed on the traffic management system for the purpose of terminating or initiating an SSL connection. The default key file name is default.key. ◆ mode Specifies the profile mode. The options are enable, disable, or default. Enables or disables SSL processing. The default is enable. Options These options are available, including some industry-related workarounds: A - 230 ◆ alert timeout Specifies the alert timeout in seconds. You can also specify immediate, indefinite, or default. The default is 60 seconds. ◆ authenticate Specifies frequency of authentication. Options are once, always, or default. ◆ authenticate depth Specifies the client certificate chain maximum traversal depth. ◆ authenticate name Specifies a Common Name (CN) that is embedded in a server certificate. The system authenticates a server based on the specified CN. ◆ cache size Specifies the SSL session cache size. For client-side profiles only, you can configure timeout and size values for the SSL session cache. Because each profile maintains a separate SSL session cache, you can configure the values on a per-profile basis. ◆ cache timeout Specifies the SSL session cache timeout value, which is the usable lifetime seconds of negotiated SSL session IDs. The default is 300 seconds. Acceptable values are integers greater than or equal to 5. You can also set this value to immediate or indefinite. ◆ handshake timeout Specifies the handshake timeout in seconds. You can also specify immediate, indefinite, or default. ◆ modssl methods Enables or disables ModSSL method emulation. Use enable when OpenSSL methods are inadequate. For example, you can enable ModSSL method emulation when you want to use SSL compression over TLSv1. ◆ partition Displays the partition within which the profile resides. ◆ passphrase Specifies the key passphrase, if required. bigpipe Command Reference ◆ peer cert mode Specifies the peer certificate mode. Options are require, ignore, and default. ◆ profile serverssl edit Displays in a text editor the running configuration of all objects created using the command profile serverssl. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ renegotiate period Specifies the number of seconds from the initial connect time after which the system renegotiates an SSL session. The default is indefinite meaning that you do not want the system to renegotiate SSL sessions. Each time the session renegotiation is successful, a new connection is started. Therefore, the system attempts to renegotiate the session again, in the specified amount of time following the successful session renegotiation. For example, setting the Renegotiate Period to 3600 seconds triggers session renegotiation at least once an hour. ◆ renegotiate size Specifies a throughput size, in bytes, of SSL renegotiation. This setting forces the traffic management system to renegotiate an SSL session based on the size, in megabytes, of application data that is transmitted over the secure channel. The default is indefinite specifying that you do not want a throughput size. ◆ strict resume You can enable or disable the resumption of SSL sessions after an unclean shutdown. The default is disable, which indicates that the SSL profile refuses to resume SSL sessions after an unclean shutdown. ◆ unclean shutdown By default, the SSL profile performs unclean shutdowns of all SSL connections, which means that underlying TCP connections are closed without exchanging the required SSL shutdown alerts. If you want to force the SSL profile to perform a clean shutdown of all SSL connections, you can disable the default setting. ◆ [ALL BUGFIXES] This option enables all of the above defect workarounds. It is usually safe to use the All bugfixes Enabled option to enable the defect workaround options when compatibility with broken implementations is desired. Note that if you edit the configuration in the web-based configuration utility, the ALL BUGFIXES syntax is expanded into each individual option. ◆ [CIPHER SERVER PREFERENCE] When choosing a cipher, this option uses the server's preferences instead of the client references. When this option is not set, the SSL server always follows the client's references. When this option is set, the BIG-IP® Command Line Interface Guide A - 231 Appendix A SSLv3/TLSv1 server chooses by using its own references. Due to the different protocol, for SSLv2 the server sends its list of preferences to the client and the client always chooses. A - 232 ◆ [DONT INSERT EMPTY FRAGMENTS] This option disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. These ciphers cannot be handled by certain broken SSL implementations. This option has no effect for connections using other ciphers. ◆ [EPHEMERAL RSA] This option uses ephemeral (temporary) RSA keys when doing RSA operations. According to the specifications, this is only done when an RSA key can only be used for signature operations (namely under export ciphers with restricted RSA key length). By setting this option, you specify that you want to use ephemeral RSA keys always. This option breaks compatibility with the SSL/TLS specifications and may lead to interoperability problems with clients. Therefore, F5 does not recommend this option. You should use ciphers with EDH (ephemeral Diffie-Hellman) key exchange instead. This option is ignored for server-side SSL. ◆ [MICROSOFT BIG SSLV3 BUFFER] This option enables a workaround for communicating with older Microsoft applications that use non-standard SSL record sizes. ◆ [MICROSOFT SESS ID BUG] This option handles a Microsoft session ID problem. ◆ [MSIE SSLV2 RSA PADDING] This option enables a workaround for communicating with older Microsoft applications that use non-standard RSA key padding. This option is ignored for server-side SSL. ◆ [NETSCAPE CA DN BUG] This option handles a defect regarding the system crashing or hanging. If the system accepts a Netscape Navigator browser connection, demands a client cert, has a non-self-signed CA that does not have its CA in Netscape, and the browser has a certificate, the system crashes or hangs. ◆ [NETSCAPE CHALLENGE BUG] This option handles the Netscape challenge problem. ◆ [NETSCAPE DEMO CIPHER CHANGE BUG] This option deliberately manipulates the SSL server session resumption behavior to mimic that of certain Netscape servers (see the Netscape reuse cipher change bug workaround description). F5 does not recommend this option for normal use. It is ignored for server-side SSL. ◆ [NETSCAPE REUSE CIPHER CHANGE BUG] This option handles a defect within Netscape-Enterprise/2.01 (https://merchant.neape.com), only appearing when connecting through SSLv2/v3 then reconnecting through SSLv3. In this case, the cipher list changes. bigpipe Command Reference First, a connection is established with the RC4-MD5 cipher list. If it is then resumed, the connection switches to using the DES-CBC3-SHA cipher list. However, according to RFC 2246, (section 7.4.1.3, cipher suite) the cipher list should remain RC4-MD5. As a workaround, you can attempt to connect with a cipher list of DES-CBC-SHA:RC4-MD5 and so on. For some reason, each new connection uses the RC4-MD5 cipher list, but any re-connection attempts to use the DES-CBC-SHA cipher list. Thus Netscape, when reconnecting, always uses the first cipher in the cipher list. ◆ [NO SESSION RESUMPTION ON RENEGOTIATION] When performing renegotiation as an SSL server, this option always starts a new session (that is, session resumption requests are only accepted in the initial handshake). The system ignores this option for server-side SSL. ◆ [NO SSLv2] Do not use the SSLv2 protocol. ◆ [NO SSLv3] Do not use the SSLv3 protocol. ◆ [NO TLSv1] Do not use the TLSv1 protocol. ◆ [PASSIVE CLOSE] Specifies how to handle passive closes. • none Choose this option if you want to disable all workarounds. F5 does not recommend this option. • default Specifies the value, all bugfixes enabled, which enables a set of industry-related miscellaneous workarounds related to SSL processing. ◆ [PKCS1 CHECK 1] This debugging option deliberately manipulates the PKCS1 padding used by SSL clients in an attempt to detect vulnerability to particular SSL server vulnerabilities. F5 does not recommend this option for normal use. The system ignores this option for client-side SSL. ◆ [PKCS1 CHECK 2] This debugging option deliberately manipulates the PKCS1 padding used by SSL clients in an attempt to detect vulnerability to particular SSL server vulnerabilities. F5 does not recommend this option for normal use. The system ignores this option for client-side SSL. ◆ [SINGLE DH USE] This option creates a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using strong primes (for example. when using DSA-parameters). If strong primes were used, it is BIG-IP® Command Line Interface Guide A - 233 Appendix A not strictly necessary to generate a new DH key during each handshake, but it is recommended. You should enable the Single DH Use option whenever temporary or ephemeral DH parameters are used. ◆ [SSLEAY 080 CLIENT DH BUG] This option enables a workaround for communicating with older SSLeay-based applications that specify an incorrect Diffie-Hellman public value length. This option is ignored for server-side SSL. ◆ [SSLREF2 REUSE CERT TYPE BUG] This option handles the SSL reuse certificate type problem. ◆ [TLS BLOCK PADDING BUG] This option enables a workaround for communicating with older TLSv1-enabled applications that use incorrect block padding. ◆ [TLS D5 BUG] This option is a workaround for communicating with older TLSv1-enabled applications that specify an incorrect encrypted RSA key length. This option is ignored for server-side SSL. ◆ [TLS ROLLBACK BUG] This option disables version rollback attack detection. During the client key exchange, the client must send the same information about acceptable SSL/TLS protocol levels as it sends during the first hello. Some clients violate this rule by adapting to the server's answer. For example, the client sends an SSLv2 hello and accepts up to SSLv3.1 (TLSv1), but the server only processes up to SSLv3. In this case, the client must still use the same SSLv3.1 (TLSv1) announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection. The system ignores this option for server-side SSL. See also profile(1), profile clientssl(1), bigpipe(1) A - 234 bigpipe Command Reference profile sip Configures a Session Initiation Protocol (SIP) profile. Syntax Use this command to create, modify, display, or delete a SIP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile sip <profile sip key list> {} profile sip (<profile sip key list> | all) [{] <profile sip arg list> [}] <profile sip key> ::= <name> <profile sip arg> ::= defaults from (<profile sip key> | none) insert record route (enable | disable | default) insert via (enable | disable | default) max size (<number> | default) secure via (enable | disable | default) terminate bye (enable | disable | default) profile sip [<profile sip key list> | all] stats reset profile sip edit Display profile sip [<profile sip key list> | all] [show [all]] profile sip [<profile sip key list> | all] list [all] profile sip [<profile sip key list> | all] edit profile sip [<profile sip key list> | all] defaults from [show] profile sip [<profile sip key list> | all] insert record route [show] profile sip [<profile sip key list> | all] insert via [show] profile sip [<profile sip key list> | all] max size [show] profile sip [<profile sip key list> | all] name [show] profile sip [<profile sip key list> | all] partition [show] BIG-IP® Command Line Interface Guide A - 235 Appendix A profile sip [<profile sip key list> | all] secure via [show] profile sip [<profile sip key list> | all] stats [show] profile sip [<profile sip key list> | all] terminate bye [show] Description This command provides the ability to create a SIP profile. Examples Creates a SIP profile named mysipprofile using the system defaults: profile sip mysipprofile { } Creates a SIP profile named mysipprofile that leaves a connection open following the completion of a BYE transaction: profile sip mysipprofile { terminate bye disable } Options You can use the following options with the profile sip command: ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all of the settings and values from the specified parent profile. The default is sip. ◆ insert record route Enables or disables the insertion of a Record-Route header, which indicates the next hop for the following SIP request messages. The default is disable. ◆ insert via Enables or disables the insertion of a Via header, which indicates where the message originated. The response message uses this routing information. The default is disable. ◆ max size Specifies the maximum SIP message size that the BIG-IP system accepts. The default is 64000 bytes. ◆ partition Displays the partition within which the profile resides. ◆ profile sip edit Displays in a text editor the running configuration of all objects created using the command profile sip. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. A - 236 bigpipe Command Reference ◆ secure via Enables or disables the insertion of a Secure Via header, which indicates where the message originated. When you are using SSL/TLS (over TCP) to create a secure channel with the server node, use this setting to configure the BIG-IP system to insert a Secure Via header into SIP requests. The default is disable. ◆ terminate bye Enables or disables the termination of a connection when a BYE transaction finishes. Use this parameter with UDP connections only, not with TCP connections. The default is enable. See also bigpipe(1), profile(1), profile persist(1) BIG-IP® Command Line Interface Guide A - 237 Appendix A profile stats Creates, modifies, displays, or deletes a Statistics profile. Syntax Use this command to create, modify, display, or delete a Statistics profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile stats <profile stats key list> {} profile stats (<profile stats key list> | all) [{] <profile stats arg list> [}] <profile stats key> ::= <name> <profile stats arg> ::= defaults from (<profile stats key> | none) field<i> (<name> | none | default) (i=1-32) profile stats [<profile stats key list> | all] stats reset profile stats edit Display profile stats [<profile stats key list> | all] [show [all]] profile stats [<profile stats key list> | all] list [all] profile stats [<profile stats key list> | all] name [show] profile stats [<profile stats key list> | all] defaults from [show] profile stats [<profile stats key list> | all] field<i> [show] Delete profile stats [<profile stats key list> | all] delete Description Use the stats profile to create a custom Statistics profile. A - 238 bigpipe Command Reference Examples Lists all available custom statistics fields: profile stats all list Options You can use these options with the profile stats command: • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile. • field Specifies the field identifier. This is a number from 1 to 32. • partition Displays the partition within which the profile resides. ◆ profile stats edit Displays in a text editor the running configuration of all objects created using the command profile stats. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. See also profile(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 239 Appendix A profile stream Configures a Stream profile. Syntax Use this command to create, modify, display, or delete a Stream profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile stream <profile stream key list> {} profile stream (<profile stream key list | all) [{] <profile stream arg list> [}] <profile stream key> ::= <name> <profile stream arg> ::= defaults from (<profile stream key> | none) target (<string> | none | default) source (<string> | none | default) profile stream [<profile stream key list> | all] stats reset profile stream edit Display profile stream [<profile stream key list> | all] [show [all]] profile stream [<profile stream key list> | all] list [all] profile stream [<profile stream key list> | all] defaults from [show] profile stream [<profile stream key list> | all] name [show] profile stream [<profile stream key list> | all] partition [show] profile stream [<profile stream key list> | all] target [show] profile stream [<profile stream key list> | all] stats [show] profile stream [<profile stream key list> | all] source [show] Delete profile stream (<profile stream key list> | all) delete A - 240 bigpipe Command Reference Description You can use the Stream profile to search and replace strings within a data stream, such as a TCP connection. Examples Creates a custom Stream profile named mystreamprofile that inherits its settings from the system default stream profile: profile stream mystreamprofile { } Options You can use these options with the profile stream command: • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile specified. • partition Displays the partition within which the profile resides. ◆ profile stream edit Displays in a text editor the running configuration of all objects created using the command profile stream. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ target Specifies the string you want to rewrite. You can also specify default if you want to use the default system profile value. • source Specifies the string that is used to rewrite the target string. You can also specify default if you want to use the default stream profile value. See also profile(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 241 Appendix A profile tcp Configures a TCP profile. Syntax Use this command to create, modify, display, or delete a TCP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile tcp <profile tcp key list> {} profile tcp (<profile tcp key list | all) [{] <profile tcp arg list> [}] <profile tcp key> ::= <name> <profile tcp arg> ::= defaults from (<profile tcp key> | none) abc (enable | disable | default) ack on push (enable | disable | default) bandwidth delay (enable | disable | default) close wait (<number> | immediate | indefinite | default) cmetrics cache (enable | disable | default) congestion control (reno | newreno | scalable | highspeed | none | default) deferred accept (enable | disable | default) delayed acks (enable | disable | default) dsack (enable | disable | default) ecn (enable | disable | default) fin wait (<number> | immediate | indefinite | default) idle timeout (<number> | indefinite | default) ip tos (<number> | default) keep alive interval (<number> | default) limited transmit (enable | disable | default) link qos (<number> | default) max retrans (<number> | default) max retrans syn (<number> | default) md5 sign (enable | disable | default) md5 sign passphrase (<string> | none | default) A - 242 bigpipe Command Reference nagle (enable | disable | default) proxy buffer high (<number> | default) proxy buffer low (<number> | default) proxy mss (enable | disable | default) proxy options (enable | disable | default) recv window (<number> | default) reset on timeout (enable | disable | default) rfc1323 (enable | disable | default) selective acks (enable | disable | default) send buffer (<number> | default) slow start (enable | disable | default) time wait (<number> | immediate | indefinite | default) time wait recycle (enable | disable | default) profile tcp [<profile tcp key list> | all] stats reset profile tcp edit Display profile tcp [<profile tcp key list> | all] [show all]] profile tcp [<profile tcp key list> | all] name [show] profile tcp [<profile tcp key list> | all] defaults from [show] profile tcp [<profile tcp key list> | all] abc [show] profile tcp [<profile tcp key list> | all] ack on push [show] profile tcp [<profile tcp key list> | all] bandwidth delay [show] profile tcp [<profile tcp key list> | all] close wait [show] profile tcp [<profile tcp key list> | all] cmetrics cache [show] profile tcp [<profile tcp key list> | all] congestion control [show] profile tcp [<profile tcp key list> | all] deferred accept [show] profile tcp [<profile tcp key list> | all] delayed acks [show] profile tcp [<profile tcp key list> | all] dsack [show] profile tcp [<profile tcp key list> | all] ecn [show] profile tcp [<profile tcp key list> | all] fin wait [show] profile tcp [<profile tcp key list> | all] idle timeout [show] profile tcp [<profile tcp key list> | all] ip tos [show] profile tcp [<profile tcp key list> | all] keep alive interval [show] profile tcp [<profile tcp key list> | all] limited transmit [show] profile tcp [<profile tcp key list> | all] link qos [show] profile tcp [<profile tcp key list> | all] max retrans [show] profile tcp [<profile tcp key list> | all] max retrans syn [show] profile tcp [<profile tcp key list> | all] md5 sign [show] profile tcp [<profile tcp key list> | all] md5 sign passphrase [show] profile tcp [<profile tcp key list> | all] nagle [show] profile tcp [<profile tcp key list> | all] partition [show] profile tcp [<profile tcp key list> | all] proxy buffer high [show] profile tcp [<profile tcp key list> | all] proxy buffer low [show] BIG-IP® Command Line Interface Guide A - 243 Appendix A profile tcp [<profile tcp key list> | all] proxy mss [show] profile tcp [<profile tcp key list> | all] proxy options [show] profile tcp [<profile tcp key list> | all] recv window [show] profile tcp [<profile tcp key list> | all] reset on timeout [show] profile tcp [<profile tcp key list> | all] rfc1323 [show] profile tcp [<profile tcp key list> | all] selective acks [show] profile tcp [<profile tcp key list> | all] send buffer [show] profile tcp [<profile tcp key list> | all] slow start [show] profile tcp [<profile tcp key list> | all] stats [show] profile tcp [<profile tcp key list> | all] time wait [show] profile tcp [<profile tcp key list> | all] time wait recycle [show] Delete profile tcp (<profile tcp key list> | all) delete Description The TCP profile is a configuration tool for managing TCP network traffic. Many of the TCP profile settings are standard SYSCTL types of settings, while others are unique to the traffic management system. For most of the TCP profile settings, the default values usually meet your needs. The specific settings that you might want to change are: Reset on Timeout, Idle Timeout, IP ToS, and Link QoS. The BIG-IP system installation includes these TCP-type profiles: tcp, tcp-lan-optimized, and tcp-wan-optimized. You can modify the settings of these profiles, or create new TCP-type profiles using any of these existing profiles as parent profiles. Examples Creates a custom TCP profile named mystcpprofile that inherits its settings from the system default tcp profile: profile tcp mytcpprofile { } Options You can use these options with the profile tcp command: A - 244 ◆ abc When enabled, increases the congestion window by basing the increase amount on the number of previously unacknowledged bytes that each ACK covers. The default is enable. ◆ ack on push When enabled, significantly improves performance to Windows and MacOS peers who are writing out on a very small send buffer. The default is disable. bigpipe Command Reference ◆ bandwidth delay When enabled, the system attempts to calculate the optimal bandwidth to use to contact the client, based on throughput and round-trip time, without exceeding the available bandwidth. The default is enable. ◆ close wait Specifies the number of seconds that a connection remains in a LAST-ACK state before quitting. A value of 0 represents a term of forever (or until the matrix of the FIN state). The default is 5 seconds. You can also specify immediate, indefinite, or default. ◆ cmetrics cache When enabled, specifies that the system uses a cache for storing congestion metrics. The default is enable. ◆ congestion control Specifies the algorithm to use to share network resources among competing users to reduce congestion. The default is New Reno. The options are: • High Speed: Specifies that the system uses a more aggressive, loss-based algorithm. • New Reno: Specifies that the system uses a modification to the Reno algorithm that responds to partial acknowledgements when SACKs are unavailable. • None: Specifies that the system does not use a network-congestion-control mechanism, even when congestion occurs. • Reno: Specifies that the system uses an implementation of the TCP Fast Recovery algorithm, which is based on the implementation in the BSD Reno release. • Scalable: Specifies that the system uses a TCP algorithm modification that adds a scalable, delay-based and loss-based component into the Reno algorithm. ◆ defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile. ◆ deferred accept When enabled, the system defers allocation of the connection chain context until the client response is received. This setting is useful for dealing with 3-way handshake DOS attacks. The default is disable. ◆ delayed acks When enabled, the traffic management system allows coalescing of multiple ACK responses. The default is enable. ◆ dsack When enabled, specifies the use of the Selective ACKs (SACK) option to acknowledge duplicate segments. The default is disable. BIG-IP® Command Line Interface Guide A - 245 Appendix A A - 246 ◆ ecn When enabled, the system uses the TCP flags CWR and ECE to notify its peer of congestion and congestion counter-measures. The default is disable. ◆ fin wait Specifies the number of seconds that a connection is in the FIN-WAIT or closing state before quitting. The default is 5 seconds. A value of 0 represents a term of forever (or until the matrix of the FIN state). You can also specify immediate, indefinite, or default. ◆ idle timeout Specifies the number of seconds that a connection is idle before the connection is eligible for deletion. You can also specify indefinite or default. The default is 300 seconds. ◆ ip tos Specifies the Type of Service level that the traffic management system assigns to TCP packets when sending them to clients. ◆ keep alive interval Specifies the keep alive probe interval, in seconds. The default is 1800 seconds. ◆ limited transmit When enabled, the system uses limited transmit recovery revisions for fast retransmits (as specified in RFC 3042) to reduce the recovery time for connections on a lossy network. The default is enable. ◆ link qos Specifies the Quality of Service level that the system assigns to TCP packets when sending them to clients. ◆ max retrans Specifies the maximum number of retransmissions of data segments that the system allows. ◆ max retrans syn Specifies the maximum number of retransmissions of SYN segments that the system allows. ◆ md5 sign Specifies, when enabled, that the system uses RFC2385 TCP-MD5 signatures to protect TCP traffic against intermediate tampering. The default is disable. ◆ md5 sign passphrase Specifies, when enabled, a plaintext passphrase which may be between 1 and 80 characters in length, and is used in a shared-secret scheme to implement the spoof-prevention parts of RFC2385. ◆ nagle Specifies, when enabled, that the system applies Nagle's algorithm to reduce the number of short segments on the network. The default setting is enable. Note that for interactive protocols such as Telnet, rlogin, or SSH, F5 recommends disabling this setting on high-latency networks, to improve application responsiveness. bigpipe Command Reference ◆ partition Displays the partition within which the profile resides. ◆ profile tcp edit Displays in a text editor the running configuration of all objects created using the command profile tcp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. ◆ proxy buffer high Specifies the highest level at which the receive window is closed. The default is 16384. ◆ proxy buffer low Specifies the lowest level at which the receive window is closed. The default is 4096. ◆ proxy mss When enabled, the system advertises the same mss to the server as was negotiated with the client. The default is enable. ◆ proxy options When enabled, the system advertises an option, such as a time-stamp to the server only if it was negotiated with the client. The default is enable. ◆ recv window Specifies the size of the receive window, in bytes. The default value is 4096 bytes. ◆ reset on timeout Specifies whether to reset connections on timeout. ◆ rfc1323 When enabled, the system uses the timestamp and window-scaling extensions for TCP (as specified in RFC 1323) to enhance high-speed network performance. The default is enable. ◆ selective acks When enabled, the system negotiates RFC2018-compliant Selective Acknowledgements with peers. The default is enable. ◆ send buffer Specifies the size of the buffer, in bytes. The default is 8192 bytes. ◆ slow start When enabled, the system uses larger initial window sizes (as specified in RFC 3390) to help reduce round trip times. The default is enable. ◆ time wait Specifies the number of seconds that a connection is in the TIME-WAIT state before closing. You can also specify immediate, indefinite, or default. The default is 2 seconds. BIG-IP® Command Line Interface Guide A - 247 Appendix A ◆ time wait recycle Specifies whether the system recycles the connection when a SYN packet is received in a TIME-WAIT state. The default is enable. See also profile(1), virtual(1), bigpipe(1) A - 248 bigpipe Command Reference profile udp Configures a UDP profile. Syntax Use this command to create, modify, display, or delete a UDP profile. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. profile udp <profile udp key list> {} profile udp (<profile udp key list> | all) [{] <profile udp arg list> [}] <profile udp key> ::= <name> <UDP profile arg> ::= defaults from (<profile udp key> | none) idle timeout (<number> | immediate | indefinite | default) ip tos (<number> | default) link qos (<number> | default) datagram lb (enable | disable | default) allow payload (enable | disable | default) profile udp [<profile udp key list> | all] stats reset profile udp edit Display profile udp [<profile udp key list> | all] [show [all]] profile udp [<profile udp key list> | all] list [all] profile udp [<profile udp key list> | all] defaults from [show] profile udp [<profile udp key list> | all] allow payload [show] profile udp [<profile udp key list> | all] datagram lb [show] profile udp [<profile udp key list> | all] idle timeout [show] profile udp [<profile udp key list> | all] ip tos [show] profile udp [<profile udp key list> | all] link qos [show] profile udp [<profile udp key list> | all] name [show] profile udp [<profile udp key list> | all] partition [show] profile udp [<profile udp key list> | all] stats [show] BIG-IP® Command Line Interface Guide A - 249 Appendix A Delete profile udp (<profile udp key list> | all) delete Description The UDP profile is a configuration tool for managing UDP network traffic. Examples Creates a custom UDP profile named myudpprofile that inherits its settings from the system default udp profile: profile udp myudpprofile { } Options You can use these options with the profile udp command: • allow payload Provides the ability to allow the passage of datagrams that contain header information, but no essential data. The default is disable. • datagram lb Provides the ability to load balance UDP datagram by datagram. The default is disable. • defaults from Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile. • idle timeout Specifies the number of seconds that a connection is idle before the connection is eligible for deletion. You can also specify immediate, indefinite, or default. The default is 60 seconds. • ip tos Specifies the Type of Service level that the traffic management system assigns to UDP packets when sending them to clients. • link qos Specifies the Quality of Service level that the system assigns to UDP packets when sending them to clients. • partition Displays the partition within which the profile resides. ◆ profile udp edit Displays in a text editor the running configuration of all objects created using the command profile udp. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. A - 250 bigpipe Command Reference See also profile(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 251 Appendix A pva Displays or resets Packet Velocity® ASIC statistics for the BIG-IP system. Syntax Use this command to display or reset Packet Velocity® ASIC statistics. Display <pva key> ::= (<number>.<number> | none) pva [<pva key list> | all] [show all]] Modify pva [<pva key list> | all] stats reset Description Display or reset Packet Velocity® ASIC statistics for the BIG-IP system. See also bigpipe(1) A - 252 bigpipe Command Reference radius server Creates, modifies, displays, or deletes a RADIUS server object for RADIUS authentication. Syntax Use this command to create, modify, display, or delete a RADIUS server. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. radius server <radius server key list> {} radius server (<radius server key list> | all) [{] <radius server arg list> [}] <radius server key> ::= <name> <radius server arg> ::= server (<string> | none) service (<service> | none) secret (<string> | none) timeout (<number> | immediate | indefinite) radius server edit Display radius server [<radius server key list> | all] [show [all]] radius server [<radius server key list> | all] list [all] radius server [<radius server key list> | all] name [show] radius server [<radius server key list> | all] server [show] radius server [<radius server key list> | all] service [show] radius server [<radius server key listt> | all] secret [show] radius server [<radius server key list> | all] timeout [show] radius server [<radius server key list> | all] partition [show] Delete radius server (<radius server key list> | all) delete BIG-IP® Command Line Interface Guide A - 253 Appendix A Description Creates, modifies, or deletes the RADIUS server. Note that you must also create an auth radius profile to use a RADIUS server. Examples Lists the configuration for all RADIUS server objects on the system: radius server all list Creates a RADIUS server object named myserver2 with the secret of mysecret, an IP address of 12.12.10.4 on port 80, and a timeout of 65 seconds: radius server myserver2 secret \mysecret\ server \12.12.10.4\ service 80 timeout 65> Options You can use these options with the radius server command: • partition Displays the partition in which the RADIUS server resides. • radius server edit Displays in a text editor the running configuration of all objects created using the command radius server. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • secret Sets the secret key used to encrypt and decrypt packets sent or received from the server. This setting is required. • server The host name or IP address of the RADIUS server. This setting is required. • service Specifies the port for RADIUS authentication traffic. The default is port 1812. • timeout Specifies the timeout value in seconds. The default is 3 seconds. You can also specify immediate or indefinite. A - 254 bigpipe Command Reference See also auth_radius(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 255 Appendix A rate class Configures rate classes. Syntax Use this command to create, modify, display, or delete a rate class. Create/Modify rate class <rate class key list> {} rate class (<rate class key list> | all) [{] <rate class arg list> [}] <rate class key> ::= <name> <rate class arg> ::= rate <number>[bps | K[bps] | M[bps] | G[bps]] ceiling <float>[bps | K[bps] | M[bps] | G[bps]] burst <float>[K | M | G] parent (<rate class key> | none) type (sfq | pfifo) direction (to client | to server | any) rate class [<rate class key list> | all] stats reset rate class edit Display rate class [<rate class key list> | all] [show [all]] rate class [<rate class key list> | all] list [all] rate class [<rate class key list> | all] rate [show] rate class [<rate class key list> | all] burst [show] rate class [<rate class key list> | all] ceiling [show] rate class [<rate class key list> | all] cname [show] rate class [<rate class key list> | all] direction [show] rate class [<rate class key list> | all] parent [show] rate class [<rate class key list> | all] stats [show] rate class [<rate class key list> | all] type [show] Delete rate class (<rate class key list> | all) delete Description A rate class is a rate-shaping policy that you want to assign to a type of traffic, such as Layer 3 traffic that specifies a certain source, destination, or service. More specifically, a rate class defines the number of bits per second A - 256 bigpipe Command Reference that the system allows per connection and the number of packets in a queue. You configure rate shaping by creating a rate class and then assigning the rate class to a packet filter, a virtual server, or from within an iRule. Examples Creates the rate class myRTclass with a rate of 500 Mbps: rate class myRTclass { rate 500M } Deletes the rate class myRTclass: rate class myRTclass delete Options You can use these options with the rate class command: • burst Specifies the maximum number of bytes that traffic is allowed to burst beyond the base rate. You can configure the rate in kilobits per second (Kbps), megabits per second (Mbps), or gigabits per second (Gbps). • ceiling Similar to the base rate, specifies how far beyond the base rate traffic is allowed to flow when bursting. This number sets an absolute limit. No traffic can exceed this rate. You can configure the rate in bits per second (bps), kilobits per second (Kbps), megabits per second (Mbps), or gigabits per second (Gbps). • direction Specifies the direction of traffic to which the rate class is applied. Possible values are to client, to server, or any. • parent Specifies the rate class used to create a custom rate class. A custom rate class borrows bandwidth from a parent class. Note that borrowing bandwidth affects the base rate, ceiling rate, and queue discipline. • rate class edit Displays in a text editor the running configuration of all objects created using the command rate class. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • rate Specifies the maximum throughput rate allowed for traffic handled by the rate class. Packets that exceed the specified number are dropped. This BIG-IP® Command Line Interface Guide A - 257 Appendix A setting is required. You can configure the rate in bits per second (bps), kilobits per second (Kbps), megabits per second (Mbps), or gigabits per second (Gbps). • type The two options for type are sfq or pfifo. Stochastic Fair Queueing (SFQ) is a queueing method that queues traffic under a set of many lists, choosing the specific list based on a hash of the connection information. This results in traffic from the same connection always being queued in the same list. SFQ then dequeues traffic from the set of the lists in a round-robin fashion. The overall effect is that fairness of dequeueing is achieved because one connection cannot control the queue at the exclusion of another. If the rate class has a parent class, the default queueing discipline is that of the parent class. If the rate class has no parent class, then the default value is sfq. The Priority FIFO (PFIFO) queueing method queues all traffic under a set of five lists based on the Type of Service (ToS) field of the traffic. Four of the lists correspond to the four possible ToS values (Minimum delay, Maximum throughput, Maximum reliability, and Minimum cost). The fifth list represents traffic with no ToS value. The Priority FIFO method processes these five lists in a way that preserves the meaning of the ToS field as much as possible. For example, a packet with the ToS field set to Minimum cost might yield dequeuing to a packet with the ToS field set to Minimum delay. See also packet filter(1), rule(1), virtual(1), bigpipe(1) A - 258 bigpipe Command Reference remote users Configures the default user role, partition access, and console access for all remotely authenticated user accounts that have not been added as local user accounts on the BIG-IP system. Note To assign a different access to a specific remote user, you must create a local user account for that user. For more information, see user, on page A-337. Syntax Use this command to configure the default parameters for all of the remote user accounts on the BIG-IP system as a group. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. remote users [{] <remote users arg list> [}] <remote users arg> ::= default partition (<string> | none) default role (administrator | resource admin | user manager | manager | app editor \ | operator | guest | policy editor | none) remote console access (enable | disable) remote users edit Display remote users [show [all]] remote users list [all] remote users default partition [show] remote users default role [show] remote users partition [show] remote users remote console access [show] BIG-IP® Command Line Interface Guide A - 259 Appendix A Description Use this command to configure the default parameters for all of the remote user accounts on the BIG-IP system as a group. Examples For all remote users, sets the default partition access to partition Common, the default user role to none, and the default remote console access to disable: remoteusers default partition Common default role none remote console access disable Options You can use the following options with the remote users command. • default partition Specifies the default partition for all remote user accounts. The default partition is Common. • default role Specifies the default user role for all remote user accounts. The default value is none. The available user roles are: • administrator • resource admin • user manager • app editor • operator • guest • policy editor • partition Displays the partition within which the remote users object resides. • remote console access Enables or disables the default console access for all remote user accounts. The default value is disable. • remote users edit Displays in a text editor the running configuration of all objects created using the command remote users. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only remote users { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. A - 260 bigpipe Command Reference See also bigpipe(1), user(1), remoterole(1) BIG-IP® Command Line Interface Guide A - 261 Appendix A remoterole Creates a file (/config/bigip/auth/remoterole) that an LDAP or Active Directory server reads to determine the specific access rights to grant to groups of remotely authenticated users. Syntax Use this command to grant access to a specific group of remotely authenticated users. Create Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. remoterole [{] <remoterole arg list> [}] <remoterole arg> ::= role info (<role info list> | none) [add | delete] <role info> ::= (<role info key list> | all) [{] <role info arg list> [}] <role info key> ::= <name> <role info arg> ::= attribute (<string> | none) console (enable | disable) deny (enable | disable) line order <number> role (administor | resource admin | user manager | manager | app editor | \ operator | guest | policy editor | none) user partition (<string> | none) remoterole edit Display remoterole [show [all]] remoterole list [all] remoterole role info [<role info key list> | all] [show] remoterole role info [<role info key list> | all] attribute [show] remoterole role info [<role info key list> | all] console [show] remoterole role info [<role info key list> | all] deny [show] A - 262 bigpipe Command Reference remoterole role info [<role info key list> | all] line order [show] remoterole role info [<role info key list> | all] partition [show] remoterole role info [<role info key list> | all] role [show] remoterole role info [<role info key list> | all] user partition [show] Description Use this command to grant access to a specific group of remotely authenticated users without having to create a local user account on the BIG-IP system for each user in the group. Examples Creates the first line of the /config/bigip/auth/remoterole file, and grants the Manager user role in partition_A to the group of remote users named mygroupofusers: remoterole role info mygroupofusers { line order 1000 role manager user partition partition_A attribute "application administrators" } Options You can use the following options with the remoterole command. • attribute Specifies the name of the group of remotely authenticated users for whom you are configuring specific access rights to the BIG-IP system. This value is required. • console Enables or disables console access for the specified group of remotely authenticated users. The default value is disable. • deny Enables or disables remote access for the specified group of remotely authenticated users. The default value is disable. • line order Specifies the order of the lines in the file, /config/bigip/auth/remoterole. The LDAP and Active Directory servers read this file line by line. The order of the information is important; therefore, F5 recommends that you set the first line at 1000. This allows you, in the future, to insert lines before the first line. This value is required. • partition Displays the partition within which the remoterole object resides. • role Specifies the user role that you want to grant to the specified group of remotely authenticated users. The default value is none. The available user roles are: • administrator • resource admin BIG-IP® Command Line Interface Guide A - 263 Appendix A • user manager • app editor • operator • guest • policy editor • remoterole edit Displays in a text editor the running configuration of all objects created using the command remoterole. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only remoterole { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ user partition Specifies the partition to which you are assigning access to the specified group of remotely authenticated users. The default value is Common. See also bigpipe(1), user(1), remote_users(1) A - 264 bigpipe Command Reference route Configures routes for traffic management. Syntax Use this command to create, display, or delete a traffic route. Create route <route key list> {} route (<route key list> | all) [{] <route arg list> [}] <route key> ::= (<ip addr> [mask <ip mask> | (prefixlen / ) <number>] | default [inet | inet6] (connected | dynamic | static) <route arg> ::= gateway (<ip addr> | none) mtu <number> pool (<pool key> | none) vlan (<vlan key> | none) (reject) route edit Display route [<route key list> | all] [show [all]] route [<route key list> | all] list [all] route [<route key list> | all] dest [all] route [<route key list> | all] gateway [show] route [<route key list> | all] mtu [show] route [<route key list> | all] pool [show] route [<route key list> | all] source [show] route [<route key list> | all] type [show] route [<route key list> | all] vlan [show] Delete route (<route key list> | all | inet | inet6) delete Description Configure static routes for the system, including default routes. When configuring a static route, you can specify a gateway (that is, the next- or last-hop router) to be an IP address, a VLAN name, or the name of a pool of routers. BIG-IP® Command Line Interface Guide A - 265 Appendix A Examples Sets the route 12.12.3.0/24 on the VLAN named internal: route 12.12.3.0/24 vlan internal Options You can use the following options with the route command. Note The options gateway, vlan, pool, and reject are mutually exclusive. You can use only one of these options at a time, and at least one of these options is required when using the route command. • default Sets the default routing type to IPv4 (inet) or IPv6 (inet6). • gateway Specifies a gateway address for the system. • ip addr Creates an IP address/netmask route. You can also specify the route using CIDR notation, such as 12.12.3.0/24. • mtu Sets a specific maximum transition unit (MTU). • pool Specifies a routing pool. A routing pool contains several routes. • reject Rejects packets coming from the specified route. • route edit Displays in a text editor the running configuration of all objects created using the command route. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • vlan Specifies the VLAN name for the route. See also mgmt(1), bigpipe(1), mgmt route(1), pool(1), vlan(1), vlangroup(1) A - 266 bigpipe Command Reference rtsp Displays or resets Real Time Streaming Protocol (RTSP) statistics for the BIG-IP system. Syntax Use this command to display or reset RTSP statistics for the system. Display rtsp [show [all]] Modify rtsp stats reset Description Displays or resets RTSP statistics for the system. Examples Displays all RTSP statistics for the system: rtsp show all See also bigpipe(1), profile rtsp (1) BIG-IP® Command Line Interface Guide A - 267 Appendix A rule Creates, modifies, deletes, and displays iRules™ for traffic management system configuration. Syntax Use this command to create, modify, display, or delete an iRule. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. rule <rule key list> {} rule (<rule key list> | all) [{] <rule arg list> [}] <rule key> ::= <name> <rule arg> ::= <iRule> rule edit Display rule [<rule key list> | all] [show [all]] rule [<rule key list> | all] list [all] rule [<rule key list> | all] definition [show] rule [<rule key list> | all] name [show] rule [<rule key list> | all] partition [show] Delete rule (<rule key list> | all) delete Description iRules™ can direct traffic not only to specific pools, but also to individual pool members, including port numbers and URI paths, either to implement persistence or to meet specific load balancing requirements. The syntax that you use to write iRules™ is based on the Tools Command Language (Tcl) programming standard. Thus, you can use many of the standard Tcl A - 268 bigpipe Command Reference commands, plus a robust set of extensions that the BIG-IP local traffic management system provides to help you further increase load balancing efficiency. For information about standard Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html. For a list of Tcl commands that have been disabled within the traffic management system and therefore cannot be used in the traffic management system, see the Configuration Guide for BIG-IP® Local Traffic Management. This guide is available at http://tech.f5.com. Examples In this example, the iRule my_Rule includes the event declaration CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr. In this case, the IP address that the iRule command returns is that of the client, because the default context of the event declaration CLIENT_ACCEPTED is clientside: rule my_Rule '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] == 10.1.1.80] { pool myPool }}}' This example shows the iRule my_Rule2, which includes the event declaration SERVER_CONNECTED, as well as the iRule command IP::remote_addr. In this case, the IP address that the iRule command returns is that of the server, because the default context of the event declaration SERVER_CONNECTED is serverside: rule my_Rule2 '{ when SERVER_CONNECTED { if { [IP::remote_addr] == 10.1.1.80 } { pool my_pool2 }}}' In this example, the iRule my_Rule3 includes the event declaration CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr. In this case, the IP address 10.1.1.80 is directed to the pool named blackhole, while traffic originating from other addresses is directed to the pool normalService. Instead of one IP address, you could also specify a class that contains IP addresses that you want to send to the blackhole pool: rule my_Rule3 '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] == 10.1.1.80] { pool blackhole } else { pool normalService }}}' Options You can use the following options with the rule command: • partition Displays the partition in which the rule resides. • rule edit Displays in a text editor the running configuration of all objects created using the command rule. You can edit the value of any parameter BIG-IP® Command Line Interface Guide A - 269 Appendix A displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also persist(1), pool(1), profile(1), rate class(1), snat(1), bigpipe(1) A - 270 bigpipe Command Reference save Writes the running configuration into the stored configuration files. Syntax Use this command to write the running configuration into the stored configuration files. Modify save save all [base] save Description Use this command to save the running configuration of the BIG-IP system. Options You can use the following options with the save command. Important When you want to save to the stored configuration files the changes that you make to the system, F5 recommends that you use the save all command. ◆ base save Saves only the portions of the running configuration that reside in these stored configuration files: • /config/bigip_base.conf • /config/bigip_sys.conf ◆ save Saves only the portions of the running configuration that reside in these stored configuration files: • /config/bigip.conf • /config/bigip_local.conf • /config/bigip_sys.conf ◆ save all Saves the entire running configuration into these stored configuration files: • /config/bigip.conf • /config/bigip_local.conf • /config/bigip_base.conf • /config/bigip_sys.conf BIG-IP® Command Line Interface Guide A - 271 Appendix A See also bigpipe(1), load(1) A - 272 bigpipe Command Reference sctp Displays or resets Stream Control Transmission Protocol (SCTP) statistics for the BIG-IP system. Syntax Use this command to display or reset SCTP statistics for the system. Display sctp [show [all]] Modify sctp stats reset Description Displays or resets SCTP statistics for the system. Examples Displays all SCTP statistics for the system: sctp show all See also bigpipe(1), profile sctp (1) BIG-IP® Command Line Interface Guide A - 273 Appendix A self Configures a self IP address for a VLAN. Syntax Use this command to create, modify, display, and delete a self IP address. Create/Modify self <self key list> {} self (<self key list> | all) [{] <self arg list> [}] <self key> ::= (<ip addr> | none) <self arg> ::= vlan (<vlan key> | none) netmask (<ip mask> | none) unit <number> floating (enable | disable) allow (default | all | none | <protocol/service list>) [add | delete] <protocol/service> ::= (proto <protocol list> | (tcp | udp) <service list>) self edit Display self [<self key list> | all] list [all] self [<self key list> | all] [show [all]] self [<self key list> | all] addr [show] self [<self key list> | all] allow [show] self [<self key list> | all] floating [show] self [<self key list> | all] netmask [show] self [<self key list> | all] unit [show] self [<self key list> | all] vlan [show] Delete self (<self key list> | all) delete Description A self IP address is an IP address that is assigned to the system. Self IP addresses are part of the configuration of the BIG-IP network components. You must define at least one self IP address for each VLAN. A - 274 bigpipe Command Reference Examples Adds the self IP address 10.10.10.24 to the VLAN named internal: self 10.10.10.24 vlan internal Enables a floating IP address on the external VLAN. The floating attribute makes this virtual address available to whichever unit of a redundant system is active at a given time. In other words, when the standby unit becomes the active unit, it uses this virtual address. Only one of the units in a redundant system can use the floating IP address at any given time. self 10.1.1.1 vlan external netmask 255.255.0.0 floating enable Options You can use the following options with the self command. • addr Specifies the self IP address for a VLAN. • allow Specifies the type of protocol/service that the VLAN handles. • floating Enables or disables a floating self IP address for the VLAN. A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system. • netmask Specifies a netmask for the self IP address for the VLAN. • self edit Displays in a text editor the running configuration of all objects created using the command self. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • unit Specifies the unit number in a redundant system. • vlan Specifies the VLAN for which you are setting a self IP address. This setting is required. See also vlan(1), vlangroup(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 275 Appendix A self allow Configures the default allow list for all self IP addresses on the BIG-IP system. Syntax Use this command to delete, modify, or display the default allow list for all self IP addresses on the BIG-IP system. The default allow list displays which service and protocol ports allow connections from outside the system. Connections made to a service or protocol port that is not on the list are refused. Modify self allow {} self allow [{] <self allow arg list> [}] <self allow arg> ::= default (<protocol/service list> | all | none) [add | delete] <protocol/service> ::= proto <protocol> | (tcp | udp) <service> self allow edit Display self allow list [all] self allow [show [all]] self allow default [show] Delete self allow delete Description Use this command to modify, display, or delete the default allow list for all self IP addresses on the BIG-IP system. Examples Sets the default allow list for all self IP addresses on the system to the system default: self allow default tcp 22 53 161 443 4353 udp 53 161 520 1026 4353 proto 89 Sets the default allow list for all self IP addresses on the system to TCP: self allow default tcp 55 Displays the default allow list for all self IP addresses on the system: self allow default A - 276 bigpipe Command Reference Options You can use the following options with the self allow command: ◆ default Specifies to set the default allow list to one of the following: • all Specifies all protocols and services allow connections from outside the system. Use this option to open the system to complete access. • none Specifies that no protocols or services allow connections from outside the system. • protocol/service list Specifies a list of protocols/services that allow connections from outside the system. ◆ delete Deletes the default self allow list. ◆ self allow edit Displays in a text editor the running configuration of all objects created using the command self allow. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also vlan(1), vlangroup(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 277 Appendix A shell Displays information about, and customizes the bigpipe shell. Syntax Use this command to customize the bigpipe shell, and display information about the shell. Modify shell {} shell [{] <shell arg list> [}] <shell arg> ::= history <number> prompt <string> read partition <name> write partition <name> partition <name> shell edit Display shell [show [all]] shell list [all] shell history [show] shell prompt [show] shell read partition [show] shell write partition [show] shell partition [show] Description When typed at the BIG-IP system prompt, the bigpipe shell command starts the bigpipe utility in its shell mode and presents a prompt at which you can type bigpipe commands. You can also use the bigpipe shell command from the BIG-IP system prompt to configure the shell. Once the bigpipe utility is started in its shell mode, you can use the shell command to configure the shell. Examples Customizes the bigpipe shell prompt to display as F5>: shell prompt F5> Displays the bigpipe shell prompt, and the Read and Write partitions: shell list A - 278 bigpipe Command Reference Specifies to save up to 100 commands in the bigpipe shell history: shell history 100 Displays the maximum number of commands that the bigpipe shell saves in the shell history file, $HOME/.bphistory-<user>. shell history show For users with access to all partitions, changes the partition to which you have Write access to the partition named Application1: shell write partition Application1 For users with access to all partitions, changes the partition to which you have Read and Write access to the partition named Application2: shell partition Application2 Options You can use these options with the shell command: • history Specifies the maximum number of commands that the bigpipe shell saves in the shell history file, $HOME/.bphistory-<user>. The default value is 50. A value of 0 (zero) specifies that the bigpipe shell does not save any commands in history. • prompt Specifies a string to use for the bigpipe shell prompt. The default prompt is bp>. • read partition Changes the partition to which you have Read access to the partition you specify. This option is only available to users with access to all partitions. • write partition Changes the partition to which you have Write access to the partition you specify. This option is only available to users with access to all partitions. • partition Changes the partition to which you have Read and Write access to the partition you specify. This option is only available to users with access to all partitions. ◆ shell edit Displays in a text editor the running configuration of all objects created using the command shell. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. See also partition(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 279 Appendix A snat Configures secure network address translation (SNAT). Syntax Use this command to create, modify, display, or delete a SNAT. Create/Modify snat <snat key list> {} snat (<snat key list> | all) [{] <snat arg list> [}] <snat key> ::= <name> <snat arg> ::= mirror (enable | disable) (none | automap) origins (<ip addr list> | none) [add | delete] translation <snat translation key> snatpool (<snatpool key> | none) vlans (<vlan key list> | none | all) (enable | disable) <orig IP> ::= <IP addr> [mask <ip mask>] snat [<snat key list> | all] stats reset snat edit Display snat [<snat key list> | all] [show [all]] snat [<snat key list> | all] list [all] snat [<snat key list> | all] mirror [show] snat [<snat key list> | all] name [show] snat [<snat key list> | all] origins [show] snat [<snat key list> | all] snatpool [show] snat [<snat key list> | all] stats [show] snat [<snat key list> | all] translation [show] snat [<snat key list> | all] type [show] snat [<snat key list> | all] vlans [show] Delete snat (<snat key list> | all) delete A - 280 bigpipe Command Reference Description The snat command creates, deletes, sets properties on, and displays information about SNATs. A SNAT defines the relationship between an externally visible IP address, SNAT IP, or translated address, and a group of internal IP addresses, or originating addresses, of individual servers at your site. Examples Creates the SNAT mysnat that translates the address of connections that originate from the address 10.1.1.3 to the translation address 11.1.1.3: snat mysnat { origin 10.1.1.3 translation 11.1.1.3 } Options You can use these options with the snat command: • automap Turns on SNAT automapping. This setting can only be used when snatpool and translation are not used. • mirror Enables or disables mirroring of SNAT connections. • origin Specifies an originating IP address. Note that originating addresses are behind the unit. This setting is required. • snatpool Specifies the name of a SNAT pool. This setting can only be used when automap and translation are not used. • snat edit Displays in a text editor the running configuration of all objects created using the command snat. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • translation Specifies a translated IP address. Note that translated addresses are outside the traffic management system. This setting can only be used when automap and snatpool are not used. • type Displays the type of SNAT. The types are automap, snatpool, and translation. BIG-IP® Command Line Interface Guide A - 281 Appendix A • vlan Specifies the name of the VLAN to which you want to assign the SNAT. The default is vlans all enable. See also nat(1), snat translation(1), snatpool(1), virtual(1), bigpipe(1) A - 282 bigpipe Command Reference snat translation Configures an explicit SNAT translation address. Syntax Use this command to create, modify, display, or delete an explicit SNAT translation address. Create/Modify snat translation <snat translation key list> {} snat translation (<snat translation key list> | all) [{] <snat translation arg list> [}] <snat translation key> ::= (<ip addr> | none) <snat translation arg> ::= (enable | disable) unit <number> arp (enable | disable) limit <number> tcp timeout (<number> | indefinite) udp timeout (<number> | indefinite) ip timeout (<number> | immediate | indefinite) snat translation [<snat translation key list> | all] stats reset snat translation edit Display snat translation [<snat translation key list> | all] [show [all]] snat translation [<snat translation key list> | all] list [all] snat translation [<snat translation key list> | all] addr [show] snat translation [<snat translation key list> | all] arp [show] snat translation [<snat translation key list> | all] enabled [show] snat translation [<snat translation key list> | all] ip timeout [show] snat translation [<snat translation key list> | all] limit [show] snat translation [<snat translation key list> | all] stats[show] snat translation [<snat translation key list> | all] tcp timeout [show] snat translation [<snat translation key list> | all] udp timeout [show] snat translation [<snat translation key list> | all] unit [show] Delete snat translation (<snat translation key list> | all) delete BIG-IP® Command Line Interface Guide A - 283 Appendix A Description Explicitly defines the properties of a SNAT translation address. Examples Disables Address Resolution Protocol (ARP) on all SNAT translation addresses: snat translation all arp disable Options You can use these options with the snat translation command: • arp Indicates whether or not the system responds to ARP requests or sends gratuitous ARPs. The default is enable. • ip timeout Specifies the number of seconds that IP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are immediate, indefinite, or a number that you specify. • limit Specifies the number of connections a translation address must reach before it no longer initiates a connection. The default value of 0 indicates that the setting is disabled. • snat translation edit Displays in a text editor the running configuration of all objects created using the command snat translation. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • tcp timeout Specifies the number of seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are immediate, indefinite, or a number that you specify. The default setting is indefinite. • udp timeout Specifies the number of seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are immediate, indefinite, or a number that you specify. The default setting is indefinite. A - 284 bigpipe Command Reference • unit Specifies the unit number in a redundant system. See also nat(1), snat(1), snatpool(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 285 Appendix A snatpool Configures a SNAT pool. Syntax Use this command to create, modify, display, or delete a SNAT pool. Create/Modify snatpool <snatpool key list> {} snatpool (<snatpool key list> | all) [{] <snatpool arg list> [}] <snatpool key> ::= <name> <snatpool arg> ::= members (<snatpool translation key list> | none) [add | delete] <snat translation key> ::= (<ip addr> | none) snatpool [<snatpool key list> | all] stats reset snatpool edit Display snatpool [<snatpool key list> | all] [show [all]] snatpool [<snatpool key list> | all] list [all] snatpool [<snatpool key list> | all] members [show] snatpool [<snatpool key list> | all] name [show] snatpool [<snatpool key list> | all] stats [show] Delete snatpool (<snatpool key list> | all) delete Description A SNAT pool is a pool of translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool are not self-IP addresses. You can simply create a SNAT pool and then assign it as a resource directly to a virtual server. This eliminates the need for you to explicitly define original IP addresses to which to map translation addresses. Examples Creates the SNAT pool mysnatpool1 that contains the translation addresses (members) 11.12.11.24 and 11.12.11.25: snatpool mysnatpool1 { members 11.12.11.24 11.12.11.25 } A - 286 bigpipe Command Reference Deletes the SNAT pool named mysnatpool1: snatpool mysnatpool1 delete Options You can use the following options with the snatpool command: • members Specifies to add a translation address to or delete a translation address from a SNAT pool. • snatpool edit Displays in a text editor the running configuration of all objects created using the command snatpool. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also nat(1), snat(1), snat translation(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 287 Appendix A snmpd Configures the simple network management protocol (SNMP) daemon for the BIG-IP system. Syntax Use this command to configure the snmpd daemon for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. snmpd [{] <snmpd arg list> [}] <snmpd arg> ::= agent address (<string list> | none) [add | delete] agenttrap (enable | disable) allow (<string list> | none) [add | delete] authtrapenable (enable | disable) bigip traps (enable | disable) community (<community list> | none) [add | delete] disk (<disk list> | none) [add | delete] include (<string> | none) l2forward vlan (<vlan key> | none | all) [add | delete] load max1 <number> load max15 <number> load max5 <number> proc (<proc list> | none) [add | delete] syscontact (<string> | none) syslocation (<string> | none) sysservices <number> trap2sink (<trap2sink list> | none) [add | delete] trapcommunity (<string> | none) trapsess (<trapsess list> | none) [add | delete] trapsink (<trapsink list> | none) [add | delete] trapsource (<ip addr> | none) usmuser (<usmuser list> | none) [add | delete] <community> ::= (<community key list> | all) [{] <community arg list> [}] A - 288 bigpipe Command Reference <community key> ::= <name> <community arg> ::= access (ro | rw) community name (<string> | none) ipv6 (enable | disable) oid (<string> | none) source (<string> | none) <disk> ::= (<disk key list> | all) [{] <disk arg list> [}] <disk key> ::= <name> <disk arg> ::= minspace <number> minspace type (size | percent) path (<string> | none) <proc> ::= (<proc key list> | all) [{] <proc arg list> [}] <proc key> ::= <name> <proc arg> ::= max (<string> | none) min <number> process (<string> | none) <trapsink> ::= (<trapsink key list> | all) [{] <trapsink arg list> [}] <trapsink key> ::= <name> <trapsink arg> ::= community (<string> | none) host (<ip addr> | <host name> | none) port <number> <trap2sink> ::= (<trap2sink key list> | all) [{] <trap2sink arg list> [}] <trap2sink key> ::= <name> <trap2sink arg> ::= community (<string> | none) host (<ip addr> | <host name> | none) port <number> <trapsess> ::= (<trapsess key list> | all) [{] <trapsess arg list> [}] <trapsess key> ::= <name> <trapsess arg> ::= auth password (crypt <string> | none | string | none) auth protocol (MD5 | SHA | NONE) community (<string> | none) engine id (<string> | none) BIG-IP® Command Line Interface Guide A - 289 Appendix A host (<ip addr> | <host name> | none) port <number> privacy password (crypt <string> | none | string | none) privacy protocol (DES | NONE) security level (noAuthNoPriv | authNoPriv | authPriv) security name (<string> | none) version (1 | 2c | 3) <usmuser> ::= (<usmuser key list> | all) [{] <usmuser arg list> [}] <usmuser key> ::= <name> <usmuser arg> ::= access (ro | rw) auth password (crypt <string> | none | string | none) auth protocol (MD5 | SHA | NONE) oid (<string> | none) privacy password (crypt <string> | none | string | none) privacy protocol (DES | NONE) security level (noAuthNoPriv | authNoPriv | authPriv) username (<string> | none) snmpd edit Display snmpd [show [all]] snmpd list [all] snmpd agent address [show] snmpd agenttrap [show] snmpd allow [show] snmpd authtrapenable [show] snmpd bigip traps [show] snmpd community [<community key list> | all] [show] snmpd community [<community key list> | all] access [show] snmpd community [<community key list> | all] community name [show] snmpd community [<community key list> | all] ipv6 [show] snmpd community [<community key list> | all] oid [show] snmpd community [<community key list> | all] partition [show] snmpd community [<community key list> | all] source [show] snmpd disk [<disk key list> | all] [show] snmpd disk [<disk key list> | all] minspace [show] snmpd disk [<disk key list> | all] minspace type [show] snmpd disk [<disk key list> | all] partition [show] snmpd disk [<disk key list> | all] path [show] snmpd include [show] snmpd l2forward vlan [show] snmpd load max1 [show] A - 290 bigpipe Command Reference snmpd load max15 [show] snmpd load max5 [show] snmpd partition [show] snmpd proc [<proc key list> | all] [show] snmpd proc [<proc key list> | all] max [show] snmpd proc [<proc key list> | all] min [show] snmpd proc [<proc key list> | all] partition [show] snmpd proc [<proc key list> | all] process [show] snmpd syscontact [show] snmpd syslocation [show] snmpd sysservices [show] snmpd trap2sink [<trap2sink key list> | all] [show] snmpd trap2sink [<trap2sink key list> | all] community [show] snmpd trap2sink [<trap2sink key list> | all] host [show] snmpd trap2sink [<trap2sink key list> | all] partition [show] snmpd trap2sink [<trap2sink key list> | all] port [show] snmpd trapcommunity [show] snmpd trapsess [<trapsess key list> | all] [show] snmpd trapsess [<trapsess key list> | all] auth password [show] snmpd trapsess [<trapsess key list> | all] auth protocol [show] snmpd trapsess [<trapsess key list> | all] community [show] snmpd trapsess [<trapsess key list> | all] engine id [show] snmpd trapsess [<trapsess key list> | all] host [show] snmpd trapsess [<trapsess key list> | all] partition [show] snmpd trapsess [<trapsess key list> | all] port [show] snmpd trapsess [<trapsess key list> | all] privacy password [show] snmpd trapsess [<trapsess key list> | all] privacy protocol [show] snmpd trapsess [<trapsess key list> | all] security level [show] snmpd trapsess [<trapsess key list> | all] security name [show] snmpd trapsess [<trapsess key list> | all] version [show] snmpd trapsink [<trapsink key list> | all] [show] snmpd trapsink [<trapsink key list> | all] community [show] snmpd trapsink [<trapsink key list> | all] host [show] snmpd trapsink [<trapsink key list> | all] partition [show] snmpd trapsink [<trapsink key list> | all] port [show] snmpd trapsource [show] snmpd usmuser [<usmuser key list> | all] [show] snmpd usmuser [<usmuser key list> | all] access [show] snmpd usmuser [<usmuser key list> | all] auth password [show] snmpd usmuser [<usmuser key list> | all] auth type [show] snmpd usmuser [<usmuser key list> | all] oid [show] snmpd usmuser [<usmuser key list> | all] partition [show] snmpd usmuser [<usmuser key list> | all] privacy password [show] snmpd usmuser [<usmuser key list> | all] privacy protocol [show] BIG-IP® Command Line Interface Guide A - 291 Appendix A snmpd usmuser [<usmuser key list> | all] username [show] Description Use this command to configure the snmpd daemon for the system. Important F5 recommends that users of the Configuration utility exit the utility before changes are made to the system using the command snmpd. This is because making changes to the system using the command snmpd causes a restart of the snmpd daemon. Likewise, restarting the snmpd daemon creates the necessity for a restart of the Configuration utility. Examples Specifies that the person who administers the snmpd daemon for the system can be reached using the email address, admin@company.com: snmpd syscontact admin@company.com Specifies that the physical location of the system is the central office: snmpd syslocation "central office" Disables agent traps: snmpd agenttrap disable Adds a range of SNMP clients to the /etc/hosts.allow file: snmpd allow 10.10.0.0/255.255.240.0 Adds the SNMP version 2c trapsess, ts1, to the system. The IP address of ts1 is 192.168.1.245 and the community that has access to ts1 is public: snmpd trapsses ts1 { host 192.168.1.245 community public } Adds the SNMP version 2 trapsink, number1, to the system. The host of number1 is 10.20.5.11, the port is 162, and the community that has access to number1 is public. snmpd trap2sink number1 { community public host 10.20.5.11 port 162 } Adds an SNMP version 3 trapsess, ts2, to the system: snmpd trapsess ts2 { host 192.168.1.246 community public auth protocol MD5 \ auth password myAuthPassword engine id 80001030204 security level authNoPriv \ security name mySecurityName version 3 } Creates a community specification, named community1, for the BIG-IP system. community1 includes a community, named mycommunity, that provides read-only access to the host at 192.168.1.126. This host cannot be an IPv6 address. The oid for this community is 5: snmpd community community1 { community name mycommunity access ro source 192.168.1.246\ oid 5 ipv6 disable } A - 292 bigpipe Command Reference Replaces the default community specification for the BIG-IP system. Using this command, the default community includes a community, named public, that provides read-only access to the default host. The oid for this community is 1: snmpd community default { community name public source default oid 1 access ro } Deletes the default community for the BIG-IP system: snmpd community default delete Disables monitoring of the snmpd load average on the BIG-IP system: snmpd load max1 0 load max5 0 load max15 0 Options You can use the following commands with the snmpd command: ◆ agent address Indicates that the SNMP agent listens on the specified address. F5 recommends that you do not change this setting without fully understanding the impact of the change. ◆ agenttrap Specifies, when enabled, that snmpd sends traps, for example, start/stop traps. The default setting is enable. ◆ allow Adds or deletes IP addresses for the SNMP clients from which the snmpd daemon accepts requests. An SNMP client is a system that runs the SNMP manager software for the purpose of remotely managing the BIG-IP system. The default value is 127. ◆ authtrapenable Specifies, when enabled, the snmpd daemon generates authentication failure traps. The default setting is disable. ◆ bigip traps Specifies, when enabled, that the BIG-IP system sends device warning traps to the trap destinations. The default value is enable. ◆ community Adds or deletes a community. Note that you must include a community key, and you must enclose the attributes in braces. The options are additive, and include: • access Specifies the community access level to the MIB. The options are ro (Read-Only community), and rw (Read-Write community). The default value is ro. • community name Specifies the name of the community that you are adding or deleting. This setting is required. The default value is public. • ipv6 Enables or disables IPv6 addresses for the community that you are adding or deleting. The default value is disable. BIG-IP® Command Line Interface Guide A - 293 Appendix A • oid Specifies to restrict access for the community to every object below the specified object identifier (OID) for the record. • source Specifies the source addresses with the specified community name that can access the management information base (MIB). The default value is default, which means allow any source address to access the MIB. ◆ disk Checks the disks mounted at the specified path for available disk space. The options are: • minspace type Specifies a minimum disk space measurement type of either size (in kBs) or percent. Please note that the minspace setting is based on the this setting. • minspace Specifies the minimum disk space threshold in either kBs or percentage based on the minspace type setting. If the available disk space is less than this amount, the associated entry in the 1.3.6.1.4.1.2021.9.1.100 MIB table is set to (1) and a descriptive error message is returned to queries of 1.3.6.1.4.1.2021.9.1.101. • path Specifies the path to the disk that the system checks for disk space. ◆ include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. ◆ l2forward vlan Specifies the VLANs for which you want the snmpd daemon to expose Layer 2 forwarding information. Layer 2 forwarding is the means by which frames are exchanged directly between hosts, with no IP routing required. • none This is the default value; it means this parameter is not set. Important: The default is not the same as setting the l2forward vlan parameter to the string "none," which indicates that you do not want the snmpd daemon to expose Layer 2 forwarding for any VLAN. • <vlan key> Specifies the names of the VLANs for which the snmpd daemon exposes Layer 2 forwarding information. The snmpd daemon overwrites the value of the sysL2ForwardAttrVlan object identifier (OID) with the specified VLAN names. Once you set this parameter, users cannot change the value of the sysL2FowardAttrVlan OID using the SNMP set method. A - 294 bigpipe Command Reference • all Specifies that the snmpd daemon exposes Layer 2 forwarding information for all VLANs. Warning: When you set this parameter to all, the system can create a very large table of statistics, and potentially affect system performance. ◆ load max1 Specifies the maximum 1-minute load average of the machine. If the load exceeds this threshold, the associated entry in the 1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error message is returned to queries of 1.3.6.1.4.1.2021.10.1.101. Note that when you specify a 0 (zero) for all three of the load max1, load max5, and load max15 options, the system does not monitor the load average. ◆ load max15 Specifies the maximum 15-minute load average of the machine. If the load exceeds this threshold, the associated entry in the 1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error message is returned to queries of 1.3.6.1.4.1.2021.10.1.101. Note that when you specify a 0 (zero) for all three of the load max1, load max5, and load max15 options, the system does not monitor the load average. ◆ load max5 Specifies the maximum 5-minute load average of the machine. If the load exceeds this threshold, the associated entry in the 1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error message is returned to queries of 1.3.6.1.4.1.2021.10.1.101. Note that when you specify a 0 (zero) for all three of the load max1, load max5, and load max15 options, the system does not monitor the load average. ◆ partition Displays the partition within which the snmpd daemon resides. ◆ proc Specifies to check the machine to determine if the specified process is running. An error flag (1) and a description message are passed to the 1.3.6.1.4.1.2021.2.1.100 and 1.3.6.1.4.1.2021.2.1.101 MIB columns (respectively) if the specified program is not found in the process table as reported by /bin/ps -e. F5 recommends that you do not modify or delete system processes; however, you can add, modify, or delete user-defined processes. • max Specifies the maximum number of instances of the process that can run. If min and max settings are not specified, the max setting is 1 by default. The maximum is infinity. BIG-IP® Command Line Interface Guide A - 295 Appendix A • min Specifies the minimum number of instances of the process that can run. If max setting is specified, but min setting is not specified, the min setting is 1 by default. • process Specifies the name of the process for which you are checking. The maximum length for a process name is 16 characters. ◆ snmpd edit Displays in a text editor the running configuration of all objects created using the command snmpd. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only snmpd { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ syscontact Specifies the name of the person who administers the snmpd daemon for this system. ◆ syslocation Describes this system's physical location. ◆ sysservices Specifies the value of the system.sysServices.0 object. ◆ trap2sink Adds or deletes an SNMP version 2 trap destination. Note that you must include a trap2sink key, and you must enclose the attributes in braces. • community Specifies the community name for the trap destination that you are adding or deleting. • host Specifies the IP address or the FQDN for the trap2sink host that you are adding or deleting. Note that you must configure the DNS Server on the BIG-IP system. You can use the dns command to do this. • port Specifies the port for the trap destination that you are adding or deleting. The default setting is 162. ◆ A - 296 trapcommunity Specifies the common community name for the trap destination. bigpipe Command Reference ◆ trapsess Adds or deletes an SNMP trap destination. Note that you must include a trapsess key, and you must enclose the attributes in braces. • auth password Specifies the authentication password only for an SNMP version 3 trap. Note that if you enter an authentication password, the auth protocol option cannot equal NONE. • auth protocol Specifies the authentication method only for an SNMP version 3 trap. The default value is NONE. You must use capital letters for the following authentication methods: • MD5 Specifies that the system uses the MD5 algorithm to authenticate the user. This option is valid only for SNMP version 3. • SHA Specifies that the system uses the secure hash algorithm (SHA) to authenticate the user. This option is valid only for SNMP version 3. • NONE Specifies that user does not require authentication. Note that if you use this option, you do not use the auth password option. This option is not valid for SNMP version 3. • engine id Specifies the authoritative security engine ID for SNMP version 3. • host Specifies the IP address or the FQDN for the trapsess host that you are adding or deleting. Note that you must configure the DNS Server on the BIG-IP system. You can use the dns command to do this. This setting is required. • port Specifies the port for the trapsess destination. The default setting is 162. • privacy password Specifies the privacy pass phrase to use for encrypted SNMP version 3 messages. Note that if you enter a privacy password, the privacy protocol option cannot equal NONE. Use this setting to set only SNMP version 3 traps. BIG-IP® Command Line Interface Guide A - 297 Appendix A • privacy protocol Specifies the encryption protocol to use to deliver authentication information for this trapsess. The default value is NONE. Use this setting to set only SNMP version 3 traps. You must use the specified case for the following options exactly: • DES Specifies that the system encrypts the user information using DES (Data Encryption Standard). This option is valid only for SNMP version 3. • NONE Specifies that the system does not encrypt the user information. Note that if you use this option, you do not use the privacy password option. • security level Specifies the security level for the trapsess. The default value is noAuthNoPriv. Use this setting to set only SNMP version 3 traps. You must use the specified case for the following options exactly: • noAuthNoPriv Specifies that if the system cannot authenticate the user, the system does not grant the user access to the system. This setting is required if the SNMP version is other than version 3. • authNoPriv Specifies that the SNMP trap destination uses the auth protocol setting, but not the privacy protocol setting. Note that if you use this option, auth protocol cannot be NONE, and auth password must be set. This option is valid only for SNMP version 3. • authPriv Specifies that the SNMP trap destination uses both the authentication protocol setting and the privacy protocol setting. Note that if you use this option, auth protocol cannot be set to NONE, and privacy protocol cannot be set to NONE. This option is valid only for SNMP version 3. • security name Specifies the security name the system uses to authenticate SNMP version 3 messages. • version Specifies to which SNMP version the trap destination applies. The default value is 2c. A - 298 bigpipe Command Reference ◆ trapsink Adds or deletes an SNMP version 1 trap destination. • community Specifies the community name for the trap destination. • host Specifies the IP address or the FQDN for the trapsink host that you are adding or deleting. Note that you must configure the DNS Server on the BIG-IP system. You can use the dns command to do this. • port Specifies the port for the trapsink destination. ◆ trapsource Specifies the source of the SNMP trap. The default value is none. ◆ usmuser Adds or deletes a user for which you are setting an SNMP access level for SNMP version 3. Note that you must include a usmuser key, and you must enclose the attributes in braces. The options are additive and include: • access Specifies the user access level to the MIB. The default value is ro (Read Only). • authpassword Specifies the user’s authentication password. Note that if you enter an authentication password, the auth type option cannot equal NONE. • auth protocol Specifies the authentication method for this user. This setting is required. You must use capital letters for the following authentication methods: • MD5 Specifies that the system uses the MD5 algorithm to authenticate the user. • SHA Specifies that the system uses the secure hash algorithm (SHA) to authenticate the user. • NONE Specifies that user does not require authentication. • oid Specifies an object identifier (OID) for the record. • privacy password Specifies the password for the user. Note that if you enter a privacy password, the privacy protocol option cannot equal NONE. BIG-IP® Command Line Interface Guide A - 299 Appendix A • privacy protocol Specifies the encryption protocol to use to deliver authentication information for this user. Note that if you enter a privacy protocol, the auth type option cannot equal NONE. This setting is required. You must use capital letters for the following authentication methods: • DES Specifies that the system encrypts the user information using DES. This option is valid only for SNMP version 3. • NONE Specifies that the system does not encrypt the user information. Note that if you use this option, you do not use the privacy password option. • security level Specifies the security level for the user. The default value is noAuthNoPriv. Use this setting to set only SNMP version 3 traps. You must use the specified case for the following options exactly: • noAuthNoPriv Specifies that if the user cannot be authenticated, the system does not grant access to the system. This setting is required if the SNMP version is other than version 3. • authNoPriv Specifies that the SNMP trap destination uses the auth protocol setting, but not the privacy protocol setting. Note that if you use this option, auth protocol cannot be NONE, and auth password must be set. This option is valid only for SNMP version 3. • authPriv Specifies that the SNMP trap destination uses the authentication protocol setting and the privacy protocol setting. Note that if you use this option, auth protocol cannot be set to NONE, and privacy protocol cannot be set to NONE. This option is valid only for SNMP version 3. • username Specifies the name of the user who is using SNMP version 3 to access the MIB. This setting is required. See also bigpipe(1), httpd(1), ntp(1), dns(1), sshd(1) A - 300 bigpipe Command Reference sshd Configures the Secure Shell (SSH) daemon for the BIG-IP system. Syntax Use this command to configure the sshd daemon on the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. Note You must enter the values for the loglevel argument using the exact case shown below. In other words, to assign a log level of ERROR, you use the syntax: sshd loglevel ERROR. sshd [{] <sshd arg list> [}] <sshd arg> ::= allow (<string list> | none) [add | delete] banner (enable | disable) banner text (<string> | none) inactivity timeout <number> include (<string> | none) login (enable | disable) loglevel (QUIET | FATAL | ERROR | INFO | VERBOSE | DEBUG | DEBUG1 | DEBUG2 | DEBUG3) sshd edit Display sshd [show [all]] sshd list [all] sshd allow sshd banner [show] sshd banner text [show] sshd inactivity timeout [show] sshd include [show] sshd login [show] BIG-IP® Command Line Interface Guide A - 301 Appendix A sshd loglevel [show] sshd partition [show] Description Use the sshd command to configure a secure channel between the BIG-IP system and other devices. Important F5 recommends that users of the Configuration utility exit the utility before changes are made to the system using the sshd command. This is because making changes to the system using the sshd command causes a restart of the sshd daemon. Likewise, restarting the sshd daemon creates the necessity for a restart of the Configuration utility. Examples Creates an initial range of IP addresses (192.168.0.0 with a netmask of 255.255.0.0) that are allowed to log on to the system: sshd allow 192.168.0.0/255.255.0.0 Adds the IP address, 192.168.1.245, to the existing list of IP addresses that are allowed to log on to the system: sshd allow 192.168.1.245 add Enables SSH logon to the system: sshd login enable Sets an inactivity timeout of 60 minutes for SSH logons to the system: sshd inactivity timeout 3600 Sets the sshd message log level to ERROR: sshd loglevel ERROR Note In the following examples, the banner text can be composed of multiple lines, but you must type (double) quotation marks around the text, and type apostrophes (single quotation marks) outside the (double) quotation marks. Enables the display of an SSH banner upon logon, and sets the contents of that banner to: NOTICE: Improper use of this computer is prohibited. sshd banner enable banner text ‘"NOTICE: Improper use of this computer may result in prosecution!"’ Creates a three-line banner that displays when a user attempts to log on to a system using SSH. sshd banner enable banner text ‘”Attention: This system is private. Illegal use is punishable by law. “’ A - 302 bigpipe Command Reference Options You can use the following options with the sshd command: • allow Adds a server to or removes a server from the /etc/hosts.allow file. Use this option to either add servers to the BIG-IP system that are allowed to access the system, or delete these servers from the system. Warning: Using the value none resets the sshd daemon to allow all servers access to the system. F5 recommends that you do not use the value none with the sshd command. • banner Enables or disables the display of the banner text field when a user logs in to the system using SSH. The default value is disable. • banner text When banner is enabled, specifies the text to include in the banner that displays when a user attempts to log on to the system. • inactivity timeout Specifies the number of seconds before inactivity causes an SSH session to log off. The default value is 0 (zero) seconds, which indicates that inactivity timeout is disabled. • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • login Enables or disables SSH logons to the system. The default is enable. • loglevel Specifies the minimum sshd message level to include in the system log. You must enter the following values in capital letters: • DEBUG - DEBUG3 Indicates that the minimum sshd message level that the system logs is the specified debugging level. • ERROR Indicates that the minimum sshd message level that the system logs is error. • FATAL Indicates that the minimum sshd message level that the system logs is fatal. • INFO Indicates that the minimum sshd message level that the system logs is informational. • QUIET Indicates that the system does not log sshd messages. • VERBOSE Indicates that the system logs all sshd messages. BIG-IP® Command Line Interface Guide A - 303 Appendix A • partition Displays the partition within which the sshd daemon resides. ◆ sshd edit Displays in a text editor the running configuration of all objects that you use the command sshd to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only sshd { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also bigpipe(1), ntp(1), dns(1), httpd(1), snmpd(1) A - 304 bigpipe Command Reference ssl Displays or resets Secure Sockets Layer (SSL) statistics for the BIG-IP system. Syntax Use this command to display or reset SSL statistics for the system. Display ssl [show [all]] Modify ssl stats reset Description Displays or resets SSL statistics for the system. Examples Displays all SSL statistics for the system: ssl show all See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 305 Appendix A statemirror Configures connection mirroring for a BIG-IP unit that is part of a redundant system. Syntax Use this command to enable and configure connection mirroring for the system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. statemirror [{] <statemirror arg list> [}] <statemirror arg> ::= addr (<ip addr> | none) peer addr (<ip addr> | none) secondary addr (<ip addr> | none) secondary peer addr (<ip addr> | none) state (enable | disable) statemirror edit Display statemirror [show [all]] statemirror list [all] statemirror addr [show] statemirror partition [show] statemirror peer addr [show] statemirror secondary addr [show] statemirror secondary peer addr [show] statemirror state [show] A - 306 bigpipe Command Reference Description You use this command to configure connection mirroring on a system that is part of a redundant pair in a high availability system. Connection mirroring is the process of duplicating connections from the active system to the standby system. Enabling this setting ensures a higher level of connection reliability, but it may also have an impact on system performance. Examples Enables and configures connection mirroring for a high availability system in which one BIG-IP system has an IP address of 192.168.10.10 and its peer has an IP address of 192.168.10.20. statemirror state enable addr 192.168.10.10 peer addr 192.168.10.20 Re-enables connection mirroring for a system for which connection mirroring was disabled. statemirror state enable Options You can use the following options with the statemirror command: • addr Specifies the primary self-IP address on this unit to which the peer unit mirrors its connections. This is a required setting. • partition Displays the partition within which the statemirror object resides. • peer addr Specifies the primary self-IP address on the peer unit to which this unit mirrors its connections. This is a required setting. • secondary addr Specifies another self-IP address on this unit to which the peer unit mirrors its connections when the primary address is unavailable. • secondary peer addr Specifies another self-IP address on the peer unit to which this unit mirrors its connections when the primary peer address is unavailable. • state Enables or disables connection mirroring. The default is enable. ◆ statemirror edit Displays in a text editor the running configuration of all objects that you use the command statemirror to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. BIG-IP® Command Line Interface Guide A - 307 Appendix A When the text editor opens, if only statemirror { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also bigpipe(1), failover(1) A - 308 bigpipe Command Reference stop Discontinues command continuation. Syntax Use this command to discontinue command continuation. Usage stop Description If you type any command using an unbalanced opening brace, the bigpipe shell stores the command entered up to that point. The shell stores any subsequent commands in a similar way until you type a command that closes all open braces, or you type the stop command. Examples Suppose you type the auth radius command, with an opening brace, but no closing brace: bp> auth radius rad-1 { The shell does nothing. At this point, you can continue to type more options for the auth radius command: debug enable retries 4 The shell continues to gather the syntax for the command. When finished typing, you can either type a command containing a closing brace (}), in which case the shell runs the full command sequence that you typed, or you can type: stop The shell presents an empty prompt: bp> BIG-IP® Command Line Interface Guide A - 309 Appendix A stp Configures spanning tree protocols on the system. Syntax Use this command to modify or display an RSTP, MSTP, or STP configuration. Modify stp {} stp [{] <stp arg list> [}] <stp arg> ::= config name (<string> | none) config revision <number> forward delay <number> hello <number> max age <number> max hops <number> mode (stp | rstp | mstp | disable | passthru) transmit hold <number> stp edit Display stp [show [all]] stp list [all] stp config name [show] stp config revision [show] stp forward delay [show] stp hello [show] stp max age [show] stp max hops [show] stp mode [show] stp transmit hold [show] Description Provides the ability to configure spanning tree protocols for the traffic management system. Spanning tree protocols are Layer 2 protocols for preventing bridging loops. The system supports multiple spanning tree protocol (MSTP), rapid spanning tree protocol (RSTP), and spanning tree protocol (STP). A - 310 bigpipe Command Reference Examples Sets the STP mode to passthru. Passthru mode forwards spanning tree bridge protocol data units (BPDUs) received on any interface to all other interfaces: stp mode passthru Sets the STP mode to disable. No STP, RSTP, or MSTP packets are transmitted or received on the interface or trunk, and the spanning tree algorithm exerts no control over forwarding or learning on the port or the trunk: stp mode disable Options You can use these options with the stp command: ◆ config name Specifies the configuration name (1 - 32 characters in length) only when the spanning tree mode is MSTP. The default configuration name is a string representation of a globally-unique MAC address belonging to the traffic management system. The MSTP standard introduces the concept of spanning tree regions, which are groups of adjacent bridges with identical configuration names, configuration revision levels, and assignments of VLANs to spanning tree instances. ◆ config revision Specifies the revision level of the MSTP configuration only when the spanning tree mode is MSTP. The specified number must be in the range 0 to 65535. The default is 0. ◆ forward delay In the original Spanning Tree Protocol, the forward delay parameter controlled the number of seconds for which an interface was blocked from forwarding network traffic after a reconfiguration of the spanning tree topology. This parameter has no effect when RSTP or MSTP are used, as long as all bridges in the spanning tree use the RSTP or MSTP protocol. If any legacy STP bridges are present, then neighboring bridges must fall back to the old protocol, whose reconfiguration time is affected by the forward delay value. The default forward delay value is 15, and the valid range is 4 to 30. ◆ hello Specifies the time interval in seconds between the periodic transmissions that communicate spanning tree information to the adjacent bridges in the network. The default is 2 seconds, and the valid range is 1 to 10. The default hello time is optimal in virtually all cases. Changing the hello time is not recommended. BIG-IP® Command Line Interface Guide A - 311 Appendix A ◆ max age Specifies the number of seconds for which spanning tree information received from other bridges is considered valid. The default is 20 seconds, and the valid range is 6 to 40 seconds. ◆ max hops Specifies the maximum number of hops an MSTP packet may travel before it is discarded. Use this option only when the spanning tree mode is MSTP. The number of hops must be in the range of 1 to 255 hops. The default number of hops is 20. ◆ mode Specifies one of three spanning tree modes: • stp STP mode is supported for legacy systems. If STP is detected in the network, the traffic management system changes to STP mode even when the mode option is set to rstp or mstp. • rstp The default mode is RSTP, or rapid spanning tree protocol. RSTP converges to a fully-connected state quickly. • mstp MSTP mode supports multiple spanning tree instances. The spanning tree instances operate independently of one another. Each instance asserts control over one or more VLANs, called the members of the spanning tree instance. STP and RSTP do not support multiple spanning tree instances. They support only a single instance (instance 0), which contains all VLANs. • disabled Disabled mode discards spanning tree bridge protocol data units (BPDUs) received on any interface. • passthru Passthru mode forwards spanning tree bridge protocol data units (BPDUs) received on any interface to all other interfaces. Essentially, passthru mode makes the traffic management system transparent to spanning tree BPDUs. ◆ stp edit Displays in a text editor the running configuration of all objects that you use the command stp to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only stp { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. A - 312 bigpipe Command Reference ◆ transmit hold Specifies the absolute limit on the number of spanning tree protocol packets the traffic management system may transmit on a port in any hello time interval. It is used to ensure that spanning tree packets do not unduly load the network even in unstable situations. The default is 6 packets, and the valid range is 1 to 10 packets. See also interface(1), stp instance(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 313 Appendix A stp instance Configures an STP configuration instance. Syntax Use this command to create, modify, display, or delete an STP configuration instance. Create/Modify stp instance <stp instance key list> {} stp instance (<stp instance key list> | all) [{] <stp instance arg list> [}] <stp instance key> ::= <number> <stp instance arg> ::= vlans (<vlan key list> | none) [add | delete] priority <number> interfaces (<stp interface list> | none) [add | delete] trunks (<stp interface list> | none) [add | delete] <stp interface key> ::= <interface> <trunk> <stp interface arg> ::= external path cost <number> internal path cost <number> priority <number> stp instance (<stp instance key list> | all) stats reset stp edit Display stp instance [<stp instance key list> | all] [show [all]] stp instance [<stp instance key list> | all] list [all] stp instance [<stp instance key list> | all] interfaces [show] stp instance [<stp instance key list> | all] priority [show] stp instance [<stp instance key list> | all] stats [show] stp instance [<stp instance key list> | all] trunk [show] stp instance [<stp instance key list> | all] vlans [show] Delete stp instance (<stp instance key list> | all) delete A - 314 bigpipe Command Reference Description Creates, modifies, and displays an STP configuration instance. Examples Displays all STP instances on the system: stp instance show Lists the configuration information for all STP instances: stp instance list All members are removed from the instance, and then the instance itself is deleted. Spanning tree instance 0 (the Common and Internal Spanning Tree) cannot be deleted. This command may be used only in MSTP mode: stp instance 2 delete Options You can use these options with the stp instance command: ◆ vlan Specifies a list of VLAN names. ◆ priority Specifies the priority number. Each bridge in a spanning tree instance has a priority value. The relative values of the bridge priorities control the topology of the spanning tree chosen by the protocol. The bridge with the lowest priority value (numerically) becomes the root of the spanning tree. Priority values vary from 0 to 61440 in increments of 4096. ◆ interface path cost Specifies the interface internal or external path cost number. Each network interface has an associated path cost within each spanning tree instance. The path cost represents the relative cost of sending network traffic through that interface. In calculating the spanning tree, the algorithm tries to minimize the total path cost between each point of the tree and the root bridge. By manipulating the path costs of different interfaces it is possible to steer traffic toward paths that are faster, more reliable, and/or more economical. Path costs can take values in the range 1 to 200,000,000. The default path cost for an interface is based on the interface's maximum speed, not its actual speed. In MSTP mode there are two kinds of path cost: external and internal. The external path cost applies only to spanning tree instance 0, the Common and Internal Spanning Tree (CIST). It is used to calculate the cost to reach an adjacent spanning tree region. Independently, internal path costs can be set for each spanning tree instance (including instance 0) in MSTP mode. The internal path costs are used to calculate the costs of reaching adjacent bridges within the same spanning tree region. BIG-IP® Command Line Interface Guide A - 315 Appendix A ◆ interface priority Specifies the interface priority number. Each network interface has an associated priority within each spanning tree instance. The relative values of the interface priorities influence which interfaces are chosen to carry network traffic. All other things being equal, interfaces with numerically lower priority values are favored to carry traffic. Interface priorities take values in the range 0 to 240 in increments of 16. The default interface priority is 128, the middle of the valid range. ◆ stp instance edit Displays in a text editor the running configuration of all objects that you use the command stp instance to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only stp instance { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. ◆ trunk path cost Specifies the trunk internal or external path cost number. In MSTP mode there are two kinds of path cost: external and internal. The external path cost applies only to spanning tree instance 0, the Common and Internal Spanning Tree (CIST). It is used to calculate the cost to reach an adjacent spanning tree region. Independently, internal path costs can be set for each spanning tree instance (including instance 0) in MSTP mode. The internal path costs are used to calculate the costs of reaching adjacent bridges within the same spanning tree region. ◆ trunk priority Specifies the trunk priority number. Each network trunk has an associated priority within each spanning tree instance. The relative values of the trunk priorities influence which trunks are chosen to carry network traffic. All other things being equal, trunks with numerically lower priority values are favored to carry traffic. Trunk priorities take values in the range 0 to 240 in increments of 16. The default trunk priority is 128, the middle of the valid range. See also interface(1), stp(1), bigpipe(1) A - 316 bigpipe Command Reference stream Displays or resets global stream statistics for the BIG-IP system. Syntax Use this command to display or reset global stream statistics for the system. Modify stream stats reset Display stream [show [all]] Description Displays or resets stream statistics for the system. Examples Displays the global stream statistics for the system: stream show Resets all global stream statistics on the system: stream stats reset See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 317 Appendix A sys-icheck Identifies unintended modifications to BIG-IP system files. Syntax Use this command at the BIG-IP system prompt to identify any unintended modifications to BIG-IP system files. Note that a hot fix (patch) is an intended modification that will not be identified by the sys-icheck command. Usage sys-icheck [options] Options You can use these options with the sys-icheck command. • -h Use this option to show help for the sys-reset command. • -w Use this option to report Warn issues, as well as the default, Error issues. • -i Use this option to report Info and Warn issues, as well as the default, Error issues. Description The sys-icheck command identifies any unintended modifications to BIG-IP system files and returns Error issues. Use the options to report Warn or Info issues, as well. Examples Runs the sys-icheck utility, and returns Info, Error, and Warn issues: sys-reset -i See also sys-reset(8) A - 318 bigpipe Command Reference sys-reset Returns the configuration of the system to the factory default (installation time) state. Syntax Use this command at the BIG-IP system prompt to return the configuration of the system to the factory default (installation time) state. Usage sys-reset [options] Options You can use these options with the sys-reset command. • -h Use this option to show help for the sys-reset command. • -p Use this option to ignore all applied hot fixes. • -s Use this option to prevent the /shared file system from being changed. • -u Use this option to ignore unrecoverable file errors. Description The sys-reset command runs the sys-icheck utility, and if there are no system integrity issues, returns the system to the factory default state. Note that if you have applied hot fixes (patches) to your system, you must specify an override option for sys-reset to run. Examples Runs the sys-reset command to restore the system to the factory default state ignoring any hot fixes that have been applied to the system: sys-reset -p Runs the sys-reset command to restore the system to the factory default state without changing the /shared file system. sys-reset -s See also sys-icheck(8) BIG-IP® Command Line Interface Guide A - 319 Appendix A syslog Configures the system log, /var/run/config/syslog-ng.conf. Syntax Use this command to configure the system log. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. syslog [{] <syslog arg list> [}] <syslog arg> ::= authpriv from (emerg | alert | crit | err | warning | notice | info | debug) authpriv to (emerg | alert | crit | err | warning | notice | info | debug) cron from (emerg | alert | crit | err | warning | notice | info | debug) cron to (emerg | alert | crit | err | warning | notice | info | debug) daemon from (emerg | alert | crit | err | warning | notice | info | debug) daemon to (emerg | alert | crit | err | warning | notice | info | debug) include (<string> | none) kern from (emerg | alert | crit | err | warning | notice | info | debug) kern to (emerg | alert | crit | err | warning | notice | info | debug) local ip (<ip addr> | none) mail from (emerg | alert | crit | err | warning | notice | info | debug) mail to (emerg | alert | crit | err | warning | notice | info | debug) messages from (emerg | alert | crit | err | warning | notice | info | debug) messages to (emerg | alert | crit | err | warning | notice | info | debug) remote port <number> remote server (<ip addr> | none) userlog from (emerg | alert | crit | err | warning | notice | info | debug) userlog to (emerg | alert | crit | err | warning | notice | info | debug) syslog edit Display syslog [show [all]] syslog list [all] syslog authpriv from [show] A - 320 bigpipe Command Reference syslog authpriv to [show] syslog cron from [show] syslog cron to [show] syslog daemon from [show] syslog daemon to [show] syslog include [show] syslog kern from [show] syslog kern to [show] syslog local ip [show] syslog mail from [show] syslog mail to [show] syslog messages from [show] syslog messages to [show] syslog partition [show] syslog remote port [show] syslog remote server [show] syslog userlog from [show] syslog userlog to [show] Description Use this command to configure the system log. Examples Resets the message range of the security/authorization messages that are included in the system log to messages with a level of warning, error, critical, alert, and emergency: syslog authpriv from warning Options You can use the following options with the syslog command: • authpriv from Specifies the lowest level of security/authorization messages to include in the log. The default value is notice. • authpriv to Specifies the highest level of messages about user authentication to include in the log. The default value is emerg. • cron from Specifies the lowest level of messages about time-based scheduling to include in the log. The default value is warning. • cron to Specifies the highest level of messages about time-based scheduling to include in the log. The default value is emerg. BIG-IP® Command Line Interface Guide A - 321 Appendix A • daemon from Specifies the lowest level of messages about daemon performance to include in the log. The default value is notice. • daemon to Specifies the highest level of messages about daemon performance to include in the log. The default value is emerg. • include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. • kern from Specifies the lowest level of kern messages to include in the log. The default value is notice. • kern to Specifies the highest level of kern messages to include in the log. The default value is emerg. • local ip Specifies the IP address of the interface that the syslog-ng utility binds with in order to log messages to a remote host. For example, if you want the syslog-ng utility to log messages to a remote host that is connected to a VLAN, you set this parameter to the self IP address of the VLAN. • mail from Specifies the lowest level of mail log messages to include in the log. The default value is notice. • mail to Specifies the highest level of mail log messages to include in the log. The default value is emerg. • messages from Specifies the lowest level of system messages to include in the log. The default value is notice. • messages to Specifies the highest level of system messages to include in the log. The default value is warning. • remote port Specifies the port number of a remote server to which the Syslog utility sends messages. The default value is 514. • remote server Specifies the IP address of a remote server to which the Syslog utility sends messages. The default value is none. • syslog edit Displays in a text editor the running configuration of all objects that you use the command syslog to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. A - 322 bigpipe Command Reference When the text editor opens, if only syslog { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. • userlog from Specifies the lowest level of user account messages to include in the log. The default value is notice. • userlog to Specifies the highest level of user account messages to include in the log. The default value is emerg. See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 323 Appendix A system Sets up the BIG-IP system. Syntax Use this command to set up the BIG-IP system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. system [{] <system arg list> [}] <system arg> ::= archive encrypt (on | on request | off) auth source type (local | ldap | radius | activedirectory | tacacs) console inactivity timeout <number> custom addr (<ip addr> | none) failsafe action (failover | reboot | restart all | failover restart tm) gui setup (enable | disable) host addr mode (mgmt | statemirror | custom) hostname (<string> | none) hosts allow include (<string> | none) lcd display (enable | disable) net reboot (enable | disable) quiet boot (enable | disable) remote host (<remote host list> | none) [add | delete] <remote host> ::= (<remote host key list> | all) [{] <remote host arg list> [}] <remote host key> ::= <name> <remote host arg> ::= addr (<ip addr> | none) hostname (<string> | none) system edit Displays system [show [all]] system list [all] A - 324 bigpipe Command Reference system edit system archive encrypt [show] system auth source type [show] system console inactivity timeout [show] system custom addr [show] system failsafe action [show] system gui setup [show] system host addr mode [show] system hostname [show] system hosts allow include [show] system lcd display [show] system net reboot [show] system partition [show] system quiet boot [show] system remote host [<remote host key list> | all] [show] system remote host [<remote host key list> | all] addr [show] system remote host [<remote host key list> | all] hostname [show] Description You use this command to set up the general properties of the BIG-IP system. Examples Sets up the BIG-IP system using the system defaults. system {} Resets all statistics for the system. system stats reset Sets up a remote host named bigip151 with an IP address of 172.27.226.151 and a host name of bigip151.saxon.net: system remote host bigip151 { addr 172.27.226.151 hostname bigip151.saxon.net } Options You can use these options with the system command: ◆ archive encrypt Specifies whether the system archive encryption feature is set to on, off, or on request. The default value is on request. Note that you must configure the system archive encrypt option in conjunction with the configsync encrypt and configsync passphrase options. The reason for this is when you perform a configuration synchronization of two BIG-IP units in a redundant system, the process involves saving a *.ucs file from one system onto the peer system, and then installing the saved file on the peer system. You use the system archive encrypt option to indicate whether the process of saving the *.ucs file creates an BIG-IP® Command Line Interface Guide A - 325 Appendix A encrypted or unencrypted file. For example, you can set the configsync encrypt option to enable, and configure a passphrase using the configsync passphrase option. If you use the default value, on request, for the system archive encrypt option, then when a user saves the *.ucs file, and provides the passphrase, the *.ucs file is encrypted. If the user does not provide the passphrase, the *.ucs file is not encrypted. ◆ auth source type Specifies the default user authorization source. The default value is local. When user accounts that access the BIG-IP system reside on a remote server, the value of auth source type is the type of server that you are using for authentication, for example, ldap. ◆ console inactivity timeout Specifies the number of seconds of inactivity before the console is locked. The default value is 0. This means that no timeout is set. ◆ custom addr Indicates a user-specified IP address for the BIG-IP system. The default value is none. It is important to note that you must set the host addr mode option to custom, if you want to specify an IP address using custom addr. For more information, see the host addr mode option, following. ◆ failsafe action Specifies the action that the system takes when the switch board fails. The default is failover restart tm. • failover Specifies that the active unit fails over to its peer. • reboot Specifies that after the active unit fails over to its peer, it reboots while the peer processes the traffic. • restart all Specifies that the system restarts all system services. • failover restart tm Specifies that the active unit fails over to its peer and restarts the traffic management service. ◆ gui setup Enables or disables the Setup utility in the browser-based Configuration utility. The default value is enable. When you configure a BIG-IP system using the command line interface, disable this option. Disabling the gui setup option of the system command allows your system administrators to use the browser-based Configuration utility without having to run the Setup utility. ◆ A - 326 host addr mode Specifies the type of host address assigned to the system. The default value is mgmt, which indicates that the host address is the management port of the system. bigpipe Command Reference If you use the statemirror option, then the host address of the system is shared by the other unit in a redundant system. In case of system failure, the traffic to the other system is routed to this system. If you use the custom option, you must specify a custom IP address for the system using the custom addr option. For more information, see the custom addr option, above. ◆ hostname Specifies a local name for the BIG-IP system. The default value is bigip1. ◆ hosts allow include Warning: Do not use this parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk. ◆ lcd display Enables or disables the system menu to display on the LCD panel on the front of the BIG-IP system. The default is enable. ◆ net reboot Enables or disables the network reboot feature. The default is disable. If you enable this feature and then reboot the system, the system boots from an ISO image on the network, rather than from an internal media drive. Use this option only when you want to install software on the system, for example, for an upgrade or a re-installation. Note that this setting reverts to disabled after you reboot the system a second time. ◆ partition Displays the partition within which the system object resides. ◆ quiet boot Enables or disables the quiet boot feature. The default is enable. If you enable this feature, the system suppresses informational text on the console during the boot cycle. ◆ remote host Adds a remote host to or removes a remote host from the /etc/hosts file. The default value is none. You must enter both an IP address and a fully qualified domain name (FQDN) or alias for each host that you want to add to the file. • system edit Displays in a text editor the running configuration of all objects that you use the command system to create. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if only system { } displays, you can type parameters and values between the braces. When you exit the editor, the BIG-IP system modifies the running configuration based on your additions. You must run the save all command to save this change to the stored configuration files. BIG-IP® Command Line Interface Guide A - 327 Appendix A Note that the default text editor is vi. See also bigpipe(1) A - 328 bigpipe Command Reference tcp Displays or resets TCP statistics for the BIG-IP system. Syntax Use this command to display or reset TCP statistics for the BIG-IP system. Modify tcp stats reset Display tcp [show [all]] Description Display or reset TCP statistics for the system. Examples Resets TCP statistics for the system: tcp stats reset See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 329 Appendix A tmm Displays or resets statistics about the tmm daemon. Syntax Use this command to display or reset statistics about the tmm daemon. Create/Modify tmm [<tmm key list> | all] stats reset <tmm key> ::= (<number>.<number> | none) Display tmm [<tmm key list> | all] [show [all]] Description You use this command to view or reset statistics about the Traffic Management Microkernel (tmm) daemon. The purpose of this daemon is to direct all application traffic passing through the BIG-IP system. Options You can use the following option with the tmm command: • stats reset Resets the statistics for the tmm daemon. See also bigpipe(1) A - 330 bigpipe Command Reference trunk Configures a trunk, with link aggregation. Syntax Use this command to create, modify, display, or delete a trunk. Create/Modify trunk <trunk key list> {} trunk (<trunk key list> | all) [{] <trunk arg list> [}] <trunk key> ::= <name> <trunk arg> ::= interfaces (<interface key list> | none) [add | delete] lacp (enable | disable) lacp mode (active | passive) lacp timeout (short | long) distribution (src dest mac | dest mac | src dest ip | src dest port | index) policy (auto | max bw) stp (enable | disable) stp reset (enable | disable) trunk [<trunk key list> | all] stats reset trunk edit Display trunk [<trunk key list> | all] [show [all]] trunk [<trunk key list> | all] list [all] trunk [<trunk key list> | all] distribution [show] trunk [<trunk key list> | all] interfaces [show] trunk [<trunk key list> | all] lacp [show] trunk [<trunk key list> | all] lacp mode [show] trunk [<trunk key list> | all] lacp timeout [show] trunk [<trunk key list> | all] name [show] trunk [<trunk key list> | all] policy [show] trunk [<trunk key list> | all] stats [show] trunk [<trunk key list> | all] stp [show] trunk [<trunk key list> | all] stp reset [show] Delete trunk (<trunk key list> | all) delete BIG-IP® Command Line Interface Guide A - 331 Appendix A Description Link aggregation allows multiple physical links to be treated as one logical link. It is also referred to as trunking. The main objective of link aggregation is to provide increased bandwidth at a lower cost, without having to upgrade hardware. The bandwidth of the aggregated trunk is the sum of the capacity of individual member links. Thus it provides an option for linearly incremental bandwidth as opposed to bandwidth options available through physical layer technology. The traffic management system supports link aggregation control protocol (LACP). When a trunk is created, LACP is disabled by default. In this mode, no control packets are exchanged and the member links carry traffic as long as the physical layer is operational. In the event of physical link failure, an LACP member is removed from the aggregation. It should be noted that both endpoints of the trunk should have identical LACP configuration in order to work properly. A mixed configuration where one endpoint is LACP enabled and other LACP disabled is not valid. Examples Creates a trunk named mytrunk that includes the interfaces 1.1, 1.2, and 1.3: trunk mytrunk { interface 1.1 1.2 1.3 } Enable LACP on the trunk named mytrunk: trunk mytrunk lacp enable Enable active LACP mode on the trunk mytrunk: trunk mytrunk lacp mode active Options You can use these options with the trunk command: A - 332 ◆ distribution Specifies the method of frame distribution. The options are src dest mac, dest mac, or src dest ip. When frames are transmitted on a trunk, they are distributed across the working member links. The distribution function ensures that the frames belonging to a particular conversation are neither mis-ordered nor duplicated at the receiving end. Distribution is done by calculating a hash value based on source and destination addresses carried in the frame, and associating the hash value with a link. All frames with a particular hash value are transmitted on the same link, thereby maintaining frame order. ◆ interfaces Specifies a list of interface names separated by spaces. ◆ lacp Indicates whether to enable or disable Link Aggregation Control Protocol (LACP). bigpipe Command Reference ◆ lacp mode Sets the LACP mode to active or passive. • In active mode, LACP packets are transmitted periodically, regardless of peer systems control value. • In passive mode, LACP packets are not transmitted periodically, unless peer system's control value is active. ◆ lacp timeout Sets the LACP timeout to short or long. The default value is long. • When you use the short timeout value, LACP packets are exchanged every second. • When you use the long timeout value, LACP packets are exchanged every 30 seconds. ◆ policy Sets the LACP policy to auto or max bw (maximum bandwidth). Link aggregation is allowed only when all the interfaces are operating at the same media speed and connected to the same partner aggregation system. When there is a mismatch among configured members due to configuration errors or topology changes (auto-negotiation), link selection policy determines which links become working members and form the aggregation. • With auto link selection, the lowest numbered operational link is chosen as the reference link. All the members that have the same media speed and are connected to the same partner as that of the reference link are declared as working members, and they are aggregated. The other configured members do not carry traffic. • With max bw link selection, a subset of links that gives maximum aggregate bandwidth to the trunk is added to the aggregation. ◆ stp Enables or disables spanning tree protocols (STP). ◆ stp reset Enables or disables STP reset. ◆ trunk edit Displays in a text editor the running configuration of all objects created using the command trunk. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. BIG-IP® Command Line Interface Guide A - 333 Appendix A See also interface(1), vlan(1), vlangroup(1), bigpipe(1) A - 334 bigpipe Command Reference udp Displays or resets all UDP statistics for the system. Syntax Use this command to display or reset all UDP statistics for the system. Modify udp stats reset Display udp [show [all]] Description Displays or resets all UDP statistics for the system. Examples Displays the UDP statistics for the system: udp stats show See also bigpipe(1) BIG-IP® Command Line Interface Guide A - 335 Appendix A unit Displays the unit ID for the unit, or peer unit, in a redundant system. Syntax Use this command to display the unit ID of a unit in a redundant system. Display unit [peer] [show] Description Displays the unit ID for the unit, or peer unit, in a redundant system. Examples Displays the unit number of the peer unit in the redundant system: unit peer show Displays the unit number of the unit in the redundant system: unit show See also ha table(1), bigpipe(1) A - 336 bigpipe Command Reference user Configures user accounts for managing the BIG-IP system. Syntax Use this command to create, display, modify, or delete user accounts on the BIG-IP system. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. user <user key list> {} user (<user key list> | all) [{] <user arg list> [}] <user key> ::= <name> <user arg> ::= <name> password (<old password> <new password>) description <string> shell (<file name> | none) role (administrator | resource admin | user manager | manager | \ app editor | operator | guest | policy editor | none) in (<partition key> | all) user edit You can create user accounts where the user names differ only by case-sensitivity (for example, david and DAVID.) F5 Networks may re-instate case-sensitivity in a future release. Note that there are restrictions on reserved user names. For example, admin and root are reserved names. You cannot create a user account using any variation of these two names, such as Admin or ADMIN. Note Only users with the Administrator or Resource Admin user role can save user accounts. Therefore, if you have a user role other than one of these, and you are creating or modifying user accounts, when you are done with your work, you must contact an Administrator or Resource Admin to save the user accounts to the bigip.conf file. BIG-IP® Command Line Interface Guide A - 337 Appendix A Display user [<user key list> | all] [show [all]] user [<user key list> | all] list [all] user [<user key list> | all] role [show] user [<user key list> | all] name [show] user [<user key list> | all] password [show] user [<user key list> | all] description [show] user [<user key list> | all] home [show] user [<user key list> | all] shell [show] user [<user key list> | all] partition [show] Delete user (<user key list> | all) delete Description The user command allows you to create, display, modify, or delete user accounts. Examples Creates a new user in the pm_users partition: shell write partition pm_users user nwinters password none none role guest in all Changes the password for the nwinters account from none to h411pass: user nwinters password none h411pass Displays all the user accounts and the user role and partition to which each account is assigned: user show Options You can use these options with the user command: • user edit Displays in a text editor the running configuration of all objects created using the command user. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. Note that the default text editor is vi. • user <name> Specifies the name of the user account you are configuring. • role <role name> in <partition key> Specifies the user role you want to assign to the user account and the partition that the user account can access. The available user roles are A - 338 bigpipe Command Reference administrator, resource admin, user manager, app editor, manager, operator, guest, and policy editor. You can indicate that you do not want to assign a user role to the user account by using the option none. • partition Displays the partition within which the user account resides. • password <old password> <new password> Changes the password for a user account, by specifying the old and the new password. • description <string> Describes the user account. • home <string> Displays the home directory for the user account. The home directory is based on the user name. • shell (<file name> | none) Specifies the shell to which the user has access. Valid file names are bpsh (bigpipe shell), false (no shell), or bash (an unrestricted system prompt). Important: You can assign access to the bash shell only to users with the Administrator or Resource Admin user role. However, F5 recommends that you do not give bash shell access to users with the Resource Admin user role unless they use the tcpdump, ssldump, or qkview utilities, or manage certificate and key files using the console. Instead, F5 recommends that you give these users bpsh shell access. See also bigpipe(1), remote users(1), remoterole(1) BIG-IP® Command Line Interface Guide A - 339 Appendix A version Displays software version information for the system. Syntax Use this command to display the software version information for the system. Display version [show [all]] version list [all] Description Displays detailed licensing and version information for the system, including kernel version, BIG-IP software version, installed hot fixes, and a list of licensed features. Examples Displays detailed licensing and version information for the system: version See also bigpipe(1) A - 340 bigpipe Command Reference virtual Configures a virtual server. Syntax Use this command to create, modify, display, or delete a virtual server. Create/Modify Important If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the bigpipe shell command to set your Write partition to the partition in which you want to create the object. For more information, see the Configuring Administrative Partitions and Managing User Accounts chapters in the BIG-IP® Network and System Management Guide. virtual <virtual key list> {} virtual (<virtual key list> | all) [{] <virtual arg list> [}] <virtual key> ::= <name> <virtual arg> ::= (enable | disable) auth (<profile auth key list> | none) [add | delete] clone pools (<clone pool name/type list> | none) [add | delete] cmp (enable | disable) cmp processor (<number>.<number> | none) destination <node> fallback persist (<profile persist key> | none) (ip forward | l2 forward | reject) ip protocol (<protocol> | any | * | none) httpclass (<profile httpclass key list> | none) [add | delete] lasthop pool (<pool key> | none) limit <number> mask (<ip mask> | none) mirror (enable | disable) persist (<profile persist key list> | none) [add | delete] pool (<pool key> | none) profiles (<virtual server profile list> | none) [add | delete] rate class (<rate class key> | none) rules (<rule key list> | none) [add | delete] snat (automap | none) snatpool (<snatpool key> | none) BIG-IP® Command Line Interface Guide A - 341 Appendix A translate address (enable | disable) translate service (enable | disable) vlans (<vlan key list> | none | all) (enable | disable) <virtual server profile> ::= <virtual server profile key list> {[} virtual server profle arg list> {]} <virtual server profile key> ::= <profile http key> <virtual server profile arg> ::= (clientside | serverside) virtual [<virtual key list> | all] stats reset virtual edit Display virtual [<virtual key list> | all] [show [all]] virtual [<virtual key list> | all] list [all] virtual [<virtual key list> | all] auth [show] virtual [<virtual key list> | all] clone pools [show virtual [<virtual key list> | all] cmp [show] virtual [<virtual key list> | all] cmp processor [show] virtual [<virtual key list> | all] cmp mode [show] virtual [<virtual key list> | all] destination [show] virtual [<virtual key list> | all] enabled [show] virtual [<virtual key list> | all] fallback persist [show] virtual [<virtual key list> | all] httpclass [show] virtual [<virtual key list> | all] ip protocol [show] virtual [<virtual key list> | all] limit [show] virtual [<virtual key list> | all] lasthop pool [show] virtual [<virtual key list> | all] mask [show] virtual [<virtual key list> | all] mirror [show] virtual [<virtual key list> | all] name [show] virtual [<virtual key list> | all] partition [show] virtual [<virtual key list> | all] persist [show] virtual [<virtual key list> | all] pool [show] virtual [<virtual key list> | all] profiles [show] virtual [<virtual key list> | all] rate class [show] virtual [<virtual key list> | all] rules [show] virtual [<virtual key list> | all] snat [show] virtual [<virtual key list> | all] snatpool [show] virtual [<virtual key list> | all] stats [show] virtual [<virtual key list> | all] translate address [show] virtual [<virtual key list> | all] translate service [show] virtual [<virtual key list> | all] type [show] virtual [<virtual key list> | all] vlans [show] A - 342 bigpipe Command Reference Delete virtual (<virtual key list> | all) delete Description The virtual command creates, deletes, modifies properties on, and displays information about virtual servers. Virtual servers are externally visible IP addresses that receive client requests, and instead of sending the requests directly to the destination IP address specified in the packet header, sends the requests to any of several content servers that make up a load balancing pool. Virtual servers also apply various behavioral settings to multiple traffic types, enable persistence for multiple traffic types, and direct traffic according to user-written iRules™. For more information see, the Configuration Guide for BIG-IP® Local Traffic Management. Examples Create a virtual server named myV20, which uses the source address persistence method: virtual myV20 { destination 11.11.11.12:* persist source addr pool myPool } Replaces the profile associated with the virtual server vs_fast14_http4. Note that to replace the profile associated with a virtual server, you must enclose the name of the new profile in braces: virtual vs_fastl4_http4 {profile udp} Delete the virtual servers named myV4, myV5, myV6, myV7, myV8, myV9, and myV10: virtual myV4 myV5 myV6 myV7 myV8 myV9 myV10 delete Options You can use these options with the virtual command: • auth Specifies a list of authentication profile names separated by spaces that the virtual server uses to manage authentication. • clone pools Specifies clone pools that the virtual server uses to replicate either client-side traffic (that is, prior to address translation) or server-side traffic (that is, after address translation) to a member of the specified clone pool. This feature is used for intrusion detection. • cmp Enables or disables clustered multi-processor (CMP) acceleration. This feature applies to certain platforms only. The default is enable. • cmp mode Displays the CMP mode for a virtual server. BIG-IP® Command Line Interface Guide A - 343 Appendix A • cmp processor Specifies the processor for CMP acceleration. This feature applies to certain platforms only. • destination Specifies the IP address and service on which the virtual server listens for connections. • (enable | disable) Specifies the state of the virtual server. The default is enable. Note that when you disable a virtual server, the virtual server no longer accepts new connection requests. However, it allows current connections to finish processing before going to a down state. • fallback persist Specifies a fallback persistence profile for the virtual server to use when the default persistence profile is not available. • httpclass Specifies a list of httpclass profiles, separated by spaces, with which the virtual server works to increase the speed at which the virtual server processes HTTP requests. • (ip forward | l2 forward | reject) Specifies whether to enable IP forwarding or Layer 2 (L2) forwarding, or to reject forwarding for the virtual server. IP forwarding allows the virtual server to simply forward packets directly to the destination IP address specified in the client request. • ip protocol Specifies the IP protocol for which you want the virtual server to direct traffic. Sample protocol names are TCP and UDP. Note that you do not use this setting when creating an httpclass virtual server. • lasthop pool Specifies the name of the last hop pool that you want the virtual server to use to direct reply traffic to the last hop router. • limit Specifies the maximum number of concurrent connections you want to allow for the virtual server. • mask Specifies the netmask for a network virtual server only. This setting is required for a network virtual server. The netmask clarifies whether the host bit is an actual zero or a wildcard representation. • mirror Enables or disables state mirroring. You can use state mirroring to maintain the same state information in the standby unit that is in the active unit, allowing transactions such as FTP file transfers to continue as though uninterrupted. The default is enable. • name Specifies a unique name for the virtual server. This setting is required. • partition Displays the name of the partition within which the virtual server resides. A - 344 bigpipe Command Reference • persist Specifies a list of profiles separated by spaces that the virtual server uses to manage connection persistence. • pool Specifies a default pool to which you want the virtual server to automatically direct traffic. • profiles Specifies a list of profiles for the virtual server to use to direct and manage traffic. • rate class Specifies the name of an existing rate class you that you the virtual server to use to enforce a throughput policy for incoming network traffic. • rules Specifies a list of iRules™ separated by spaces that customizes the virtual server to direct and manage traffic. • snat Indicates to enable SNAT automap for the virtual server. • snatpool Specifies the name of an existing SNAT pool that you want the virtual server to use to implement selective and intelligent SNATs. • translate address Enables or disables address translation for the virtual server. Turn address translation off for a virtual server if you want to use the virtual server to load balance connections to any address. This option is useful when the system is load balancing devices that have the same IP address. • translate service Enables or disables port translation. Turn port translation off for a virtual server if you want to use the virtual server to load balance connections to any service. • vlan (enable | disable) Specifies a list of names of external VLANs from which you want the virtual server to accept traffic. Indicates whether or not the VLAN is enabled or disabled. The default is vlans all enable. • virtual edit Displays in a text editor the running configuration of all objects created using the command virtual. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. BIG-IP® Command Line Interface Guide A - 345 Appendix A See also pool(1), profile auth(1), profile persist(1), rule(1), vlan(1), vlangroup(1), bigpipe(1) A - 346 bigpipe Command Reference virtual address Configures virtual addresses. Syntax Use this command to enable, disable, display, or delete a virtual address. Modify virtual address <virtual address key list> {} virtual address (<virtual address key list> | all) [{] <virtual address arg list> [}] <virtual address key> ::= (<ip addr> | none) <virtual address arg> ::= (enable | disable) arp (enable | disable) floating (enable | disable) limit <number> mask (<ip mask> | none) route advertisement (enable | disable) server (all | any | none) unit <number> virtual address [<virtual address key list> | all] stats reset virtual address edit Display virtual address [<virtual address key list> | all] [show [all]] virtual address [<virtual address key list> | all] list [all] virtual address [<virtual address key list> | all] address [show] virtual address [<virtual address key list> | all] arp [show] virtual address [<virtual address key list> | all] floating [show] virtual address [<virtual address key list> | all] enabled [show] virtual address [<virtual address key list> | all] limit [show] virtual address [<virtual address key list> | all] mask [show] virtual address [<virtual address key list> | all] partition [show] virtual address [<virtual address key list> | all] route advertisement [show] virtual address [<virtual address key list> | all] server [show] virtual address [<virtual address key list> | all] stats [show] virtual address [<virtual address key list> | all] unit [show] Delete virtual address (<virtual address key list> | all) delete BIG-IP® Command Line Interface Guide A - 347 Appendix A Description Provides the ability to enable, disable, display and delete virtual addresses. You can also list the virtual address configuration. Examples Disables the virtual address 10.10.10.20: virtual address 10.10.10.20 disable Deletes the virtual address 10.10.10.20: virtual address 10.10.10.20 delete Lists the configuration information for the virtual server 10.10.10.25: virtual address 10.10.10.25 list Options You can use these options with the virtual address command: • arp Enables or disables ARP for the specified virtual address. The default is enable. • (enable | disable) Enables or disables the specified virtual address. The default is enable. • floating Enables or disables floating self IP addresses for the specified virtual address. The default is enable. A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system. • limit Sets a concurrent connection limit in seconds for one or more virtual servers. The default is 0 seconds. • mask Sets the netmask or one or more network virtual servers only. This setting is required for network virtual servers. • partition Displays the partition within which the virtual address resides. • route advertisement Enables or disables route advertisement for the specified virtual address. The default is disable. • server Specifies the server that uses the specified virtual address. The options are none, any, or all. • unit Specifies the unit number of a redundant pair that uses the specified virtual address. The default is 0. A - 348 bigpipe Command Reference • virtual address edit Displays in a text editor the running configuration of all objects created using the command virtual address. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 349 Appendix A vlan Configures a virtual local area network (VLAN). Syntax Use this command to create, modify, display, or delete a VLAN. Create/Modify vlan <vlan key list> {} vlan (<vlan key list> | all) [{] <vlan arg list> [}] <vlan key> ::= <name> <vlan arg> ::= tag <number> interfaces (<interface list> | none) [add | delete] interfaces [tagged] (<interface list> | none) [add | delete] trunks (<trunk list> | none) [add | delete] trunks [tagged] (<trunk list> | none) [add | delete] failsafe (enable | disable) failsafe (restart | failover | failover restart | go active | no action | reboot | restart all | failover abort tm) timeout (<number> | immediate | indefinite) mac masq (<mac addr> | none) fdb (<l2 forward list> | none) [add | delete] learning (enable | disable forward | disable drop) mtu <number> source check (enable | disable) <l2 forward> ::= <l2 forward key list> [{] <l2 forward arg list> [}] <l2 forward key> ::= <mac addr> (dynamic | static) <l2 forward arg> ::= (dynamic | static) interface <interface> trunk <trunk> vlan edit Display vlan [<vlan key list> | all] [show [all]] vlan [<vlan key list> | all] list [all] vlan [<vlan key list> | all] failsafe [show] vlan [<vlan key list> | all] fdb [show] A - 350 bigpipe Command Reference vlan [<vlan key list> | all] interfaces [show] vlan [<vlan key list> | all] interfaces tagged [show] vlan [<vlan key list> | all] learning [show] vlan [<vlan key list> | all] mac masq [show] vlan [<vlan key list> | all] mtu [show] vlan [<vlan key list> | all] name [show] vlan [<vlan key list> | all] source check [show] vlan [<vlan key list> | all] tag [show] vlan [<vlan key list> | all] timeout [show] vlan [<vlan key list> | all] trunks [show] vlan [<vlan key list> | all] trunks tagged [show] Delete vlan (<vlan key list> | all) delete Description This command creates, displays and modifies settings for VLANs. VLANs are part of the configuration of the BIG-IP network components. VLANs can be based on either ports or tags. When creating a VLAN, a tag value for the VLAN is automatically chosen unless you specify a tag value on the command line. VLANs can have both tagged and untagged interfaces. You can add an interface to a single VLAN as an untagged interface. You can also add an interface to multiple VLANs as a tagged interface. Examples Create the VLAN myvlan that includes the interfaces 1.2, 1.3, and 1.4: vlan myvlan interface 1.2 1.3 1.4 Delete the VLAN named myvlan: vlan myvlan delete> Options You can use these options with the vlan command: ◆ failsafe Enables a fail-safe mechanism that causes the active unit to fail over to a redundant unit when loss of traffic is detected on a VLAN, and traffic is not restored during the failover timeout period for that VLAN. The default action set with VLAN fail-safe is restart all. When the fail-safe mechanism is triggered, all the daemons are restarted and the unit fails over. The default is disable. BIG-IP® Command Line Interface Guide A - 351 Appendix A ◆ fdb Specifies the forwarding database. You can edit the Layer 2 forwarding table to enter static MAC address assignments. The forwarding database has an entry for each node in the VLAN and associates the MAC address of that node with the traffic management system. ◆ interfaces Specifies a list of interfaces that you want to assign to the VLAN. ◆ interfaces tagged Specifies a list of tagged interfaces. A tagged interface is an interface that you assign to a VLAN in a way that causes the system to add a VLAN tag into the header of any frame passing through that interface. Use tagged interfaces when you want to assign a single interface to multiple VLANs. ◆ learning Specifies whether switch ports placed in the VLAN are configured for switch learning, forwarding only, or dropped. Possible values are: enable, disable forward, or disable drop. The default is enable. ◆ mac masq Configures a shared MAC masquerade address. You can share the media access control (MAC) masquerade address between units in a redundant system. This has the following advantages: • Increased reliability and failover speed, especially in lossy networks • Interoperability with switches that are slow to respond to the network changes • Interoperability with switches that are configured to ignore network changes A - 352 ◆ mtu Sets a specific maximum transition unit (MTU) for the VLAN. The default is 1500. ◆ source check Specifies that only connections that have a return route in the routing table are accepted. The default is disable. ◆ tag Specifies a number that the system adds into the header of any frame passing through the VLAN. ◆ timeout Specifies the number of seconds that an active unit can run without detecting network traffic on this VLAN before it initiates a failover. The default is 90 seconds. ◆ trunks Specifies a list of trunks. A trunk is a combination of two or more interfaces and cables configured as one link. bigpipe Command Reference ◆ trunks tagged Specifies a list of tagged trunks. A tagged trunk is a trunk that you assign to a VLAN in a way that causes the system to add a VLAN tag into the header of any frame passing through the trunk. Use tagged trunks when you want to assign a single trunk to multiple VLANs. • vlan edit Displays in a text editor the running configuration of all objects created using the command vlan. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also interface(1), self(1), vlangroup(1), virtual(1), bigpipe(1) BIG-IP® Command Line Interface Guide A - 353 Appendix A vlangroup Configures a VLAN group. Syntax Use this command to create, modify, display, or delete a VLAN group. Create/Modify vlangroup <vlangroup key list> {} vlangroup (<vlangroup key list> | all) [{] <vlangroup arg list> [}] <vlangroup key> ::= <name> <vlangroup arg> ::= bridge all (enable | disable) bridge in standby (enable | disable) mac masq (<mac addr> | none) members (<vlan key list> | none) [add | delete] proxy excludes (<ip list> | none) [add | delete] tag <number> transparency (opaque | translucent | transparent) vlan group edit Display vlangroup [<vlangroup key list> | all] [show [all]] vlangroup [<vlangroup key list> | all] list [all] vlangroup [<vlangroup key list> | all] bridge all [show] vlangroup [<vlangroup key list> | all] bridge in standby [show] vlangroup [<vlangroup key list> | all] mac masq [show] vlangroup [<vlangroup key list> | all] members [show] vlangroup (<vlangroup key list> | all) proxy excludez [show] vlangroup [<vlangroup key list> | all] tag [show] vlangroup [<vlangroup key list> | all] transparency [show] Delete vlangroup (<vlangroup key list> | all) delete Description The vlangroup command defines a VLAN group, which is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing Layer 2 packet forwarding between those VLANs. A - 354 bigpipe Command Reference The VLANs between which the packets are to be passed must be on the same IP network, and they must be grouped using the vlangroup command. For example: vlangroup network11 { vlans add internal external } Sets the global VLAN group proxy exclusion list: vlangroup all [{] proxy excludes <ip addr list> [add | delete ] [}] Examples Creates a VLAN group named myvlangroup that consists of VLANs named vlan1 and vlan2: vlangroup myvlangroup member vlan1 vlan2 Shows the statistics for all elements of the specified VLAN group: vlangroup myvlangroup show Deletes the specified VLAN group named myvlangroup: vlangroup myvlangroup delete Options You can use these options with the vlangroup command: ◆ bridge all When enabled, specifies that the VLAN group forwards all frames, including non-IP traffic. The default is disable. ◆ bridge in standby When enabled, specifies that the VLAN group forwards packets, even when the system is the standby unit in a redundant system. Note that this setting is designed for deployments in which the VLAN group exists on only one of the units. If that does not match your configuration, using this setting may cause adverse effects. The default is enable. ◆ mac masq Specifies a MAC address to be used with a redundant system. This is a 6-byte ethernet address in not case-sensitive hexadecimal colon notation, for example, 00:0b:09:88:00:9a. ◆ members The names of the VLANs you want to add to the VLAN group. ◆ proxy excludes Specifies the IP addresses that you want to include in the proxy ARP exclusion list. If you use VLAN groups, you must configure a proxy ARP forwarding exclusion list. F5 recommends that you configure this feature if you use VLAN groups with a redundant system. The reason is that both units need to communicate directly with their gateways and the back-end nodes. Creating a proxy ARP exclusion list prevents traffic from being proxied through the active unit due to proxy ARP. This traffic needs to be sent directly to the destination, not proxied. BIG-IP® Command Line Interface Guide A - 355 Appendix A ◆ tag Specifies a number to be the tag for the VLAN. A VLAN tag is an identification number the system inserts into the header of a frame that indicates the VLAN to which the destination device belongs. Use VLAN tags when a single interface forwards traffic for multiple VLANs. ◆ transparency Specifies the level of exposure of remote MAC addresses within VLAN groups. Possible values are: opaque, translucent, or transparent. The default is translucent. • Use opaque when you have a Cisco router in the network sending CDP packets to the system. Because opaque VLAN groups require a source and destination MAC address and CDP packets do not contain a source and destination MAC address, the CDP packets are not forwarded through the VLAN group. This mode changes the MAC address to the MAC address assigned to the VLAN group. A proxy ARP with Layer 3 forwarding. • Use transparent when you want to leave the MAC address unchanged by the traffic management system. Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs. • Use translucent when you want to use the real MAC address of the requested host with the locally unique bit toggled. Layer 2 forwarding with locally-unique bit, toggled in ARP response across VLANs. • vlangroup edit Displays in a text editor the running configuration of all objects created using the command vlangroup. You can edit the value of any parameter displayed. When you exit the editor, the BIG-IP system modifies the running configuration based on your changes. To save your changes to the stored configuration files, run the save all command. When the text editor opens, if it is empty, you can type bigpipe command syntax in the editor to create any type of object. When you exit the editor, the BIG-IP system modifies the running configuration based on the syntax you entered. You must run the save all command to save this change to the stored configuration files. Note that the default text editor is vi. See also interface(1), self(1), vlan(1), virtual(1), bigpipe(1) A - 356 B Configuring bigdb Database Variables • Introducing the bigdb database • Summarizing bigdb database variables for redundant system administration • Summarizing bigdb database variables for user account administration • Summarizing bigdb database variables for event logging • Summarizing bigdb database variables for HTTP compression • Configuring RAM Cache by setting a bigdb database variable • Configuring the MAC address of a VLAN using bigdb database variables • Configuring debugging for the system using bigdb database variables • Configuring the PVA10 Syn Cookie feature with bigdb database variables • Configuring dynamic routing with bigdb database variables Configuring bigdb Database Variables Introducing the bigdb database Every BIG-IP system includes a bigdb database. The bigdb database holds a set of bigdb database variables, which define the behavior of various aspects of the BIG-IP system. For example, the bigdb database variable Failover.FailbackDelay indicates, for an active-active system, when the failed unit becomes active again, and the number of seconds that you want the system to wait before failback occurs. You can change the value of a bigdb database variable in two ways: ◆ The Configuration utility When you use the Configuration utility to configure various BIG-IP system features, you are actually resetting bigdb database variable values. In this case, the bigdb database variables are invisible to users. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management and the BIG-IP® Network and System Management Guide. ◆ The db command You can reset bigdb database variable values directly using the db command. This command is useful if you prefer not to use the Configuration utility to configure a BIG-IP system feature, or if configuration of a particular aspect of BIG-IP system behavior is not available through the Configuration utility. For more information on using the db command, see Appendix A, bigpipe Command Reference, and specifically, db, on page A-57. The syntax for displaying and setting bigdb database variables is: db all list db <key name> <value> This appendix contains information about bigdb database variables that you can configure manually. The bigdb database variables in the following sections are not automatically set by the Configuration utility, and are not editable using the db command. WARNING F5 recommends that you do not manually reset bigdb database variables without assistance from the F5 Technical Support team. This is because some bigdb database variables are configured automatically, and others are updated when scripts that update the system are run. BIG-IP® Command Line Interface Guide B-1 Appendix B Summarizing bigdb database variables for redundant system administration There are several bigdb database variables that you can use to configure and manage a redundant system. These variables pertain to the following redundant-system features: • Failover • Connection mirroring • Configuration synchronization Using failover bigdb database variables The bigdb database variables that you can manually configure for failover are shown in Table B.1. These variables are listed in alphabetical order. bigdb Database Variable Name Default Value Description Failover.DbgFile /var/log/sodlog Specifies the file into which the sod service logs the failover debug information. Failover.FailbackDelay 60 For an active-active system, when the failed unit becomes active again, specifies the number of seconds that you want the system to wait before failback occurs. Failover.FailedStandbyActive disable Controls whether a standby unit with a failover condition becomes active when the peer unit fails. Possible values are enable and disable. Failover.ManFailBack disable If using active-active mode, specifies that the system should wait until the surviving unit receives a command before surrendering resources to a rebooted machine. Possible values are enable and disable. Failover.MemoryRestartPercent 97 Defines the amount of memory usage that causes the BIG-IP system to reboot. Failover.PrintPeerState disable Specifies that the failover daemon (/sbin/sod) should write the state of its connection (hard-wired or network) to its peer. The system writes this information to the failover daemon's debug log file. Possible values are enable and disable. Failover.UseTty00 disable Specifies that the failover daemon should use /dev/tty00 for hard-wired failover. Possible values are enable and disable. Failover.UseTty01 disable Specifies that the failover daemon should use /dev/tty01 for hard-wired failover. Possible values are enable and disable. Table B.1 bigdb database variables pertaining to failover B-2 Configuring bigdb Database Variables Using connection mirroring bigdb database variables The bigdb database variable that you can manually configure for connection mirroring is shown in Table B.2. bigdb Database Variable Name Default Value Description StateMirror.PeerListenPort 1028 Defines the port on which the BIG-IP system listens for connections from the active unit. Table B.2 bigdb database variable pertaining to connection mirroring Using configuration synchronization bigdb database variables The bigdb database variables that you can manually configure for synchronizing configuration data are shown in Table B.3. These variables are listed in alphabetical order. bigdb Database Variable Name Default Value Description Configsync.LocalConfigTime 0 Specifies the most recent date and time that the configuration of the current unit changed. Configsync.LocalSyncedTime 0 Specifies the date and time that the configuration of this unit was synchronized with the peer unit. Configsync.PeerConfigTime 0 Specifies the most recent date and time that the configuration of the peer unit changed. Configsync.PeerState unknown Defines whether the peer’s synchronization state is known. Possible values are known and unknown. Configsync.PeerUpdatedTime 0 Specifies the date and time that this unit successfully informed its peer of a configuration change on this unit. Configsync.State -1 Specifies the configuration state of this box. Possible values are: -1 - Uninitiated or disabled config state. 0 - Synchronized. 1 - Configuration on current unit was modified. Recommend configuration synchronization to peer unit. 2 - Configuration on peer unit was modified. Recommend configuration synchronization from peer unit. 3 - Configuration modified on both units. Manual intervention required. Table B.3 bigdb database variables pertaining to configuration synchronization BIG-IP® Command Line Interface Guide B-3 Appendix B Summarizing bigdb database variables for user account administration You can manually configure a set of bigdb database variables to manage administrative user accounts for a BIG-IP system. These variables and their descriptions appear in Table B.4, and are listed in alphabetical order. bigdb Database Variable Name Default Value Description User.AcceptedEULA none Specifies fields that the Setup utility populates. Possible values are none, internal, non-production, and production. Users.LocalOnly root,admin Specifies those user accounts that must reside locally on the BIG-IP system and therefore cannot reside on a remote authentication server. Users.Name.[user name] 127 Specifies a numeric value for any user account that is not root, admin, or support. Table B.4 bigdb database variables pertaining to user accounts Summarizing bigdb database variables for event logging The bigdb database variables that you can manually configure to set the minimum log level on local traffic and authentication events are shown in Table B.5. These variables are listed in alphabetical order. bigdb Database Variable Name Default Value Description log.config.level Notice Sets the minimum log level for MCP events related to configuring the Traffic Management Microkernel (TMM). log.ipnet.level Notice Sets the minimum log level for events related to packets discarded due to exceptional circumstances, such as bad checksums or unhandled protocol versions. Table B.5 bigdb database variables pertaining to setting log levels B-4 Configuring bigdb Database Variables Summarizing bigdb database variables for HTTP compression You can manually configure a set of bigdb database variables to manage the way that the BIG-IP system handles the compression of HTTP server responses. These variables and their descriptions appear in Table B.6, and are listed in alphabetical order. bigdb Database Variable Name Default Value Compression.Adaptive.AHA.UseAtGzip1 Disable Description Use only with the Compression.Strategy bigdb database variable set to adaptive. When disabled, the hardware compression provider performs server response compression only when the software compression providers are fully utilized. When enabled, and the gzip Compression level parameter in the HTTP profile is set to 1, the system uses the hardware card to compress response data at gzip level 1. Compression.Adaptive.AllowNullCompression Disable Use only with the Compression.Strategy bigdb database variable set to adaptive. F5 does not recommend that you enable this setting. When enabled, the system reduces the gzip level to 0 (zero) when the peak load for the system is reached. When the system reaches a 0 (zero) gzip level, the software compression providers do not perform compression. Instead, the hardware compression provider performs compression of server responses. Compression.Adaptive.MaxReduction 10 Use only with the Compression.Strategy bigdb database variable set to adaptive. This variable specifies that the system can reduce all gzip Compression levels (9 - 0) to 0 (zero) as the load increases on the system. If you want to restrict the adaptive compression and you do not want the system to decrease the quality of the compression of the response data below a specific point, change the value of this bigdb database variable. Compression.Hardware.Ratio 4 Use only with the Compression.Strategy bigdb database variable set to ratio. This ratio defines how each compressible response is load balanced between compression devices. Compression.Offload.Ratio 4 Use only with the Compression.Strategy bigdb database variable set to ratio. This ratio defines how each compressible response is load balanced between compression devices. Table B.6 bigdb database variables pertaining to HTTP data compression BIG-IP® Command Line Interface Guide B-5 Appendix B bigdb Database Variable Name Default Value Compression.Providerbusy 100 Specifies that up to 100 requests can be pending for a compression provider (software or hardware) before the system utilizes a different compression provider. It is important to note that the system uses this number to determine how much to reduce the compression level of a server response given the overall load on the system. Compression.Strategy speed Sets the way that the system directs traffic flow. Possible values are speed, size, ratio, and adaptive: Description adaptive - The system first uses the software compression providers to compress HTTP server responses. The system switches to the hardware compression providers based on both the gzip Compression level parameter set in the HTTP profile and the hardware compression provider the system contains. speed - The system uses the hardware to the fullest extent possible. The speed value is best used for bulk compression and for limiting CPU overhead. size - The system performs as much compression in the software as possible. Normally, the system uses a ratio of TMM and Offload. When both are busy, compression is performed in the hardware. The size value gives the best ratio at the expense of CPU overhead. ratio - The system uses the four bigdb database variables Compression.AHA.Ratio, Compression.Octeon.Ratio, Compression.Offload.Ratio, and Compression.TMM.Ratio, with the goal of limiting CPU overhead while giving good compression ratios. Compression.TMM.Ratio 1 Use only with the Compression.Strategy bigdb database variable set to ratio. This ratio defines how each compressible response is load balanced between compression devices. Table B.6 bigdb database variables pertaining to HTTP data compression B-6 Configuring bigdb Database Variables Configuring RAM Cache by setting a bigdb database variable You can fine-tune the RAM Cache implementation by changing settings in the bigdb database. F5 recommends that you change these settings only while under the direction of an F5 support representative. The following bigdb database variable setting is available for the RAM Cache feature. bigdb Database Variable Name Default Value Description RamCache.MaxMemoryPercent 50 Defines the percentage of TMM memory that is available to all RAM Cache instances. This means that the RAM Cache size is represented by this statement: ramcacheprofile1 + ramcacheprofile2 + ramcacheprofile3 must not equal more than Total Memory times the Ramcache.MaxMemoryPercent divided by 100. Note: Changes to this setting take effect only after restarting the BIG-IP system services, including the TMM service. Table B.7 bigdb database variable pertaining to the HTTP RAM Cache feature Configuring the MAC address of a VLAN using bigdb database variables By default, the MAC address that the BIG-IP system assigns to a VLAN self-IP address is the MAC address of the lowest-numbered interface associated with that VLAN. You can change this behavior by configuring the bigdb database variable Vlan.MacAssignment. bigdb Database Variable Name Default Value Description Vlan.MacAssignment The MAC address of the lowest-numbered interface associated with the VLAN. Specifies the MAC address that is associated with the VLAN. Table B.8 bigdb database variable pertaining to the MAC address that is associated with a VLAN BIG-IP® Command Line Interface Guide B-7 Appendix B Configuring debugging for the system using bigdb database variables You can configure debugging for the BIG-IP system by changing settings in the bigdb database. F5 recommends that you change these settings only while under the direction of an F5 support representative. WARNING Enabling debugging fills your log file with numerous additional entries. The following bigdb database variable settings are available for debugging. bigdb Database Variable Name Default Value Description Bigd.Debug Disable Enables or disables debugging for the bigd daemon. Failover.Debug Disable Enables or disables debugging for the Failover feature. GTM.DebugProbeLogging Disable When enabled, the gtmd and big3d daemons log all of the probing messages they receive and send to /var/log/gtm. It is important to note that enabling this bigdb database variable creates a large number of debug messages; therefore, F5 recommends that you disable this bigdb database variable when debugging is complete. Table B.9 bigdb database variables pertaining to debugging the system B-8 Configuring bigdb Database Variables bigdb Database Variable Name Default Value Description Log.Lacpd.DebugMask Disable Enables or disables debugging for specific components of the lacpd service. Set the values in Log.Lacpd.DebugMask bigdb database variable to the following to turn on debugging for the specified component: MACHINE: 1 POLICY: PORT: 2 4 LAG: 8 CONFIG: 16 HAL: 32 PDU: Log.Stpd.DebugStr Disable 64 SEQUENCE: 128 TIMER: 256 Enables or disables debugging for specific components of the stpd service. Set the values in the Log.Stpd.DebugStr bigdb database variable to the value in the left column in order to turn on debugging for the specified component in the right column: h switch hardware operations i inbound packets l link state changes m MCP messages and management operation M subscribe to all MCP classes n port name-to-number mappings o outbound packets p overdue packets r role transitions s state transitions t clock ticks u updtrolesBridge() v verbose packet contents A all of the above Table B.9 bigdb database variables pertaining to debugging the system BIG-IP® Command Line Interface Guide B-9 Appendix B Configuring the PVA10 Syn Cookie feature with bigdb database variables You can configure the Packet Velocity® ASIC 10 (PVA10) Syn Cookie feature by changing settings in the bigdb database. F5 recommends that you change these settings only while under the direction of an F5 support representative. You use the following bigdb database variable settings to configure this feature. bigdb Database Variable Name Default Value Description Pva.SynCookies.ConnectionThreshold 0 packets/second Sets the threshold at which PVA10 Syn Cookie protection is activated on the system. Pva.SynCookies.SynRateThreshold 200,000 packets/second Sets the unanswered Syn packet rate threshold. When the system’s unanswered Syn packet rate is smaller than this threshold, and also smaller than the value of Pva.SynCookies.ConnectionThreshold, the system automatically turns off PVA10 Syn Cookie protection. Table B.10 bigdb database variables pertaining to configuring the PVA10 Syn Cookie feature B - 10 Configuring bigdb Database Variables Configuring dynamic routing with bigdb database variables You can ensure that after failover the BIG-IP system continues to route connections to the newly active unit by changing settings in the bigdb database. F5 recommends that you change these settings only while under the direction of an F5 support representative. You can use the following bigdb database variable settings to configure dynamic routing. bigdb Database Variable Name Default Value Description zebOS.rip.router.GoActiveCmd No default value For RIP routing, sets the value of the offset list, including the access list and the offset type. The zebos active command inserts the value of this bigdb database variable into the ZebOS.conf file. zebOS.rip.router.GoStandbyCmd No default value For RIP routing, sets the value of the offset list, including the access list and the offset type. The zebos standby command inserts the value of this bigdb database variable into the ZebOS.conf file. zebos.ospf.interfaces.GoActiveCmd no ip ospf cost For Open Shortest Path First (OSPF) routing, defines the statements that the BIG-IP system adds, after a failover, to the runtime configuration of the active unit in a redundant system that is configured in interface mode. zebos.ospf.interfaces.GoStandbyCmd ip ospf cost 65535 For OSPF routing, defines the statements that the BIG-IP system adds, after a failover, to the runtime configuration of the standby unit in a redundant system that is configured in interface mode. zebos.ospf.router.GoActiveCmd no summary-address 0.0.0.0/0 For OSPF routing, defines the statements that the BIG-IP system adds, after a failover, to the runtime configuration of the active unit in a redundant pair that is configured in router mode. zebos.ospf.router.GoStandbyCmd summary-address 0.0.0.0/0 not-advertise For OSPF routing, defines the statements that the BIG-IP system adds, after a failover, to the runtime configuration of the standby unit in a redundant pair that is configured in router mode. Table B.11 bigdb database variables pertaining to configuring routing BIG-IP® Command Line Interface Guide B - 11 Appendix B B - 12 Glossary Glossary address resolution protocol Address Resolution Protocol (ARP) is an industry-standard protocol that determines a host’s Media Access Control (MAC) address based on its IP address. administrative partition An administrative partition is a logical container that you create, containing a defined set of BIG-IP system objects, such as virtual servers, pools, and profiles. See also pool, profile, and virtual server. allow list An allow list displays which service and protocol ports allow connections from outside the system. ARP See address resolution protocol. authentication Authentication is the process of verifying a user’s identity when the user is attempting to log on to a system. authentication profile An authentication profile is a configuration tool that you use to implement a PAM authentication module. Types of authentication modules that you can implement with an authentication profile are: LDAP, RADIUS, TACACS+, SSL Client Certificate LDAP, and OCSP. See also profile. bigdb Every BIG-IP system includes a bigdb database. The bigdb database holds a set of bigdb database variables, which define the behavior of various aspects of the BIG-IP system. bigpipe The BIG-IP system includes a tool known as the bigpipe utility. It consists of an extensive set of commands that you can use to manage the BIG-IP system. bigtop The bigtop utility is a statistical monitoring utility that ships on the BIG-IP system. This utility provides real-time statistical information. BIG-IP® Command Line Interface Guide Glossary - 1 Glossary certificate A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication. certificate authority (CA). A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic. See also certificate authority. certificate authority A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic. See also certificate. certificate revocation list A certificate revocation list (CRL) is a list that an authenticating system checks to see if the SSL certificate that the requesting system presents for authentication has been revoked. See also certificate. certificate verification Certificate verification is the part of an SSL handshake that verifies that a client’s SSL credentials have been signed by a trusted certificate authority. See also certificate. class A class is a list of data that you define and use with iRules™ operators. Internal classes are stored in the bigip.conf file. External classes are stored in external files that you define. clone pool A clone pool replicates all traffic coming into it and sends that traffic to a duplicate pool. See also pool. configuration object A configuration object is a user-created object that the BIG-IP system uses to implement a PAM authentication module. There is one type of configuration object for each type of authentication module that you create. Configuration utility The Configuration utility is the browser-based application that you use to configure the BIG-IP system. connection persistence Connection persistence is an optimization technique whereby a network connection is intentionally kept open for the purpose of reducing handshaking. Glossary - 2 Glossary cookie persistence Cookie persistence is a mode of persistence where the BIG-IP system stores persistent connection information in a cookie. CRL See certificate revocation list. current partition When a user logs in, the system determines the default current partition (usually the Common partition) based on the user’s account. If the user’s account grants permission to access more than one partition, the user can change the current partition, and can also change the default current partition. See also administrative partition. custom monitor A custom monitor is a user-created monitor. See also monitor. custom profile A custom profile is a profile that you create. A custom profile can inherit its default settings from a parent profile that you specify. See also profile. default-deny policy A default-deny policy restricts Internet access to everything that is not explicitly permitted. failover Failover is the process whereby a standby unit in a redundant system takes over when a software failure or a hardware failure is detected on the active unit. See also redundant system. floating IP address An IP address assigned to a VLAN and shared between two computer systems is known as a floating IP address. See also VLAN (virtual local area network). hash persistence Hash persistence allows you to create a persistence hash based on an existing iRule. See also iRule. health monitor A health monitor checks a node to see if it is up and functioning for a given service. If the node fails the check, it is marked down. Different monitors exist for checking different services. See also monitor. BIG-IP® Command Line Interface Guide Glossary - 3 Glossary HTTP redirect An HTTP redirect sends an HTTP 302 Object Found message to clients. You can configure a pool with an HTTP redirect to send clients to another node or virtual server if the members of the pool are marked down. See also virtual server and pool. ICMP See internet control message protocol. interface A physical port on a BIG-IP system is called an interface. internet control message protocol Internet Control Message Protocol (ICMP) is an Internet communications protocol used to determine information about routes to destination addresses. iRule An iRule is a user-written script that controls the behavior of a connection passing through the BIG-IP system. iRules™ are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence. last hop A last hop is the final hop a connection takes to get to the BIG-IP system. You can allow the BIG-IP system to determine the last hop automatically to send packets back to the device from which they originated. You can also specify the last hop manually by making it a member of a last hop pool. See also pool. Layer 1 through Layer 7 Layers 1 through 7 refer to the seven layers of the Open System Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer, Layer 3 represents the IP layer, and Layer 4 represents the transport layer (TCP and UDP). Layer 7 represents the application layer, handling traffic such as HTTP and SSL. LDAP See lightweight directory access protocol. LDAP authentication module An LDAP authentication module is a user-created module that you implement on an BIG-IP system to authenticate client traffic using a remote LDAP server. See also lightweight directory access protocol. Glossary - 4 Glossary lightweight directory access protocol Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information from a server. load balancing method A load balancing method is a method of determining how to distribute connections across a load balancing pool. See also pool. local traffic management Local traffic management is the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet. MAC Media Access Control (MAC) is a protocol that defines the way workstations gain access to transmission media, and is most widely used in reference to LANs. For IEEE LANs, the MAC layer is the lower sublayer of the data link layer protocol. MAC address A MAC address is used to represent hardware devices on an Ethernet network. See also MAC. management interface The management interface is a special port on the BIG-IP system, used for managing administrative traffic. Named MGMT, the management interface does not forward user application traffic, such as traffic slated for load balancing. management route A management route is a route that forwards traffic through the special management (MGMT) interface. See also management interface. master control program daemon service The Master Control Program Daemon (MCPD) service manages the configuration data on a BIG-IP system. MCPD See master control program daemon service. MGMT See management interface. BIG-IP® Command Line Interface Guide Glossary - 5 Glossary monitor The BIG-IP system uses monitors to determine whether nodes are up or down. There are several different types of monitors, and they use various methods to determine the status of a server or service. monitor association A monitor association is an association that a user makes between a health or performance monitor and a pool, pool member, or node. See also monitor. NAT (network address translation) A Network Address Translation (NAT) is an alias IP address that identifies a specific node managed by the BIG-IP system to the external network. network virtual server A network virtual server is a virtual server whose IP address has no bits set in the host portion of the IP address (that is, the host portion of its IP address is 0). There are two kinds of network virtual servers: those that direct client traffic based on a range of destination IP addresses, and those that direct client traffic based on specific destination IP addresses that the BIG-IP system does not recognize. See also virtual server. node A node address is the IP address associated with one or more nodes. This IP address can be the real IP address of a network server, or it can be an alias IP address on a network server. non-terminated SSL session A non-terminated SSL session is a session in which the system does not perform the tasks of SSL certificate authentication, encryption and re-encryption. See also secure sockets layer. OCSP See online certificate status protocol. OCSP responder An OCSP responder is an external server used for communicating SSL certificate revocation status to an authentication server such as the BIG-IP system. See also online certificate status protocol. OneConnect The F5 Networks OneConnect™ feature optimizes the use of network connections by keeping server-side connections open and pooling them for re-use. Glossary - 6 Glossary online certificate status protocol Online Certificate Status Protocol (OCSP) is a protocol that authenticating systems can use to check on the revocation status of digitally-signed SSL certificates. The use of OCSP is an alternative to the use of a CRL. See also certificate revocation list. packet rate The packet rate is the number of data packets per second processed by a server. partition See administrative partition. persistence profile A persistence profile is a pre-configured object that automatically enables persistence when you assign the profile to a virtual server. See also profile. pool A pool is composed of a group of network devices (called members). The BIG-IP system load balances requests to the nodes within a pool based on the load balancing method and persistence method you choose when you create the pool or edit its properties. pool member A pool member is a server that is a member of a load balancing pool. See also pool. pre-configured monitor A pre-configured monitor is a monitor that the BIG-IP system provides. See also monitor. profile A profile is a configuration tool containing settings for defining the behavior of network traffic. The BIG-IP system contains profiles for managing FastL4, HTTP, TCP, FTP, SSL, and RTSP traffic, as well as for implementing persistence and application authentication. profile setting A profile setting is a configuration attribute within a profile that has a value associated with it. You can configure a profile setting to customize the way that the BIG-IP system manages a type of traffic. See also profile. QoS level See quality of service level. BIG-IP® Command Line Interface Guide Glossary - 7 Glossary quality of service level The Quality of Service (QoS) level is a means by which network equipment can identify and treat traffic differently based on an identifier. Essentially, the QoS level specified in a packet enforces a throughput policy for that packet. See also type of service level. rate class A rate class determines the volume of traffic allowed through a rate filter. rate shaping Rate shaping is a type of extended IP filter. Rate shaping uses the same IP filter method but applies a rate class, which determines the volume of network traffic allowed. redundant system A redundant system is a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection request. secure sockets layer Secure Sockets Layer (SSL) is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner. self IP address A self IP address is an IP address that is assigned to the system. Self IP addresses are part of the base configuration. You must define at least one self IP address for each VLAN. SIP persistence SIP persistence is a type of persistence used for servers that receive Session Initiation Protocol (SIP) messages sent through UDP. SIP is a protocol that enables real-time messaging, voice, data, and video. SNAT (secure network address translation) A SNAT is a feature you can configure on the BIG-IP system. A SNAT defines a routable alias IP address that one or more nodes can use as a source IP address when making connections to hosts on the external network. SNAT pool A SNAT pool is a pool of translation addresses that you can map to one or more original IP addresses. Translation addresses in a SNAT pool are not self-IP addresses. See also pool. Glossary - 8 Glossary spanning tree protocol Defined by IEEE, Spanning Tree Protocol (STP) is a protocol that provides loop resolution in configurations where one or more external switches are connected in parallel with the BIG-IP system. SSH SSH is a protocol for secure remote logon and other secure network services over a non-secure network. SSL See secure sockets layer. SSL persistence SSL persistence is a type of persistence that tracks non-terminated SSL sessions, using the SSL session ID. See also secure sockets layer. SSL profile An SSL profile is a configuration tool that you use to terminate and initiate SSL connections from clients and servers. See also secure sockets layer and profile. STP See spanning tree protocol. TACACS Terminal Access Controller Access Control System (TACACS) is an older authentication protocol common to UNIX systems. TACACS allows a remote access server to forward a user’s logon password to an authentication server. See also TACACS+. TACACS+ TACACS+ is an authentication mechanism designed as a replacement for the older TACACS protocol. There is little similarity between the two protocols, however, and they are therefore not compatible. See also TACACS. Tcl See tools command language. TMM service See traffic management microkernel service. tools command language Tools Command Language (Tcl) is an industry-standard scripting language. On the BIG-IP system, users use Tcl to write iRules™. See also iRule. BIG-IP® Command Line Interface Guide Glossary - 9 Glossary ToS level See type of service level. traffic management microkernel service The Traffic Management Microkernel (TMM) service is the process running on the BIG-IP system that performs most traffic management for the product. trunking Trunking is link aggregation that allows multiple physical links to be treated as one logical link. The main objective of link aggregation is to provide increased bandwidth at a lower cost, without having to upgrade hardware. The bandwidth of the aggregated trunk is the sum of the capacity of individual member links. Thus it provides an option for linearly incremental bandwidth as opposed to bandwidth options available through physical layer technology. The traffic management system supports link aggregation control protocol (LACP). trusted MAC address A trusted MAC address is a MAC address that passes MAC address-based authentication. See also MAC address. type of service level The Type of Service (ToS) level is another means, in addition to the QoS level, by which network equipment can identify and treat traffic differently based on an identifier. See also quality of service level. user role A user role is a type and level of access that you assign to a BIG-IP system user account. By assigning user roles, you can control the extent to which BIG-IP system administrators can view or modify the BIG-IP system configuration. virtual address A virtual address is an IP address associated with one or more virtual servers managed by the BIG-IP system. virtual server A virtual server is a specific combination of virtual address and virtual port, associated with a content site that is managed by an BIG-IP system or other type of host server. Glossary - 10 Glossary VLAN (virtual local area network) A VLAN is a logical grouping of interfaces connected to network devices. You can use a VLAN to logically group devices that are on different network segments. Devices within a VLAN use Layer 2 networking to communicate and define a broadcast domain. VLAN group A VLAN group is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a Layer 2 network, when you want to minimize the reconfiguration of hosts on that network. See also VLAN (virtual local area network). BIG-IP® Command Line Interface Guide Glossary - 11 Glossary Glossary - 12 Index Index /etc/init.d/syslog-ng script 3-5 802.3ad link aggregation 3-1 A access control 3-8 active script 4-24 active-active mode updating fail-over daemon B-1 active-active mode, updating fail-over daemon B-1 adaptive compression 5-9 configuring 5-12 configuring on 6400, 6800, and 8400 5-13 configuring on 8800 5-13 introducing 5-10 adaptive compression strategy 5-11 additional information in bigpipe online man pages 1-3 in Tcl reference books 1-3 in the BIG-IP Network and System Management Guide 1-5 in the BIG-IP Quick Start Instructions 1-5 in the Configuration Guide for BIG-IP Local Traffic Management 1-5 in the Configuration Worksheet 1-5 in the Installation, Licensing, and Upgrades for BIG-IP Systems guide 1-5 in the Linux syslog-ng man page 1-3 in the Platform Guide 1-5 on Configuration utility Welcome screen 1-8 on tech.f5.com 1-8 admin user account 4-17, 4-18 Administrator role 4-17 Administrator user role 4-2 application traffic, managing 5-2 arp command 2-6, A-3 ARP protocol customizing base network components 3-1 ASN.1 DER format 5-19 auditing user access 4-23 auth crldp command 2-6, 5-21, A-6 auth ldap command 2-6, 5-20, A-9 auth radius command 2-6, A-14 auth ssl cc ldap command 2-6, 5-21, A-17 auth ssl ocsp command 2-6, 5-21, A-22 auth tacacs command 2-6, 5-21, A-24 authorized_keys file 3-7 auto last hop feature 5-3 B backup of product image, creating 4-36 base network components 3-1 base network configuration, customizing 3-1 bcm56xxd service, handling failure of 4-24 bigd service, handling failure of 4-24 bigdb database 4-30 BIG-IP® Command Line Interface Guide bigdb database variable printing 4-32 setting value of 4-31 viewing value of 4-30 bigdb database variable attributes, defined 4-31 BIG-IP Application Security Manager 1-1, 5-7 BIG-IP Global Traffic Manager 1-1 BIG-IP Link Controller 1-1 BIG-IP Local Traffic Manager 1-1 BIG-IP Network and System Management Guide 1-5 BIG-IP Quick Start Instructions 1-5 bigip.conf 4-6 bigip_base.conf 4-6 bigip_local.conf 4-7 bigip_sys.conf 4-7 bigpipe command 2-7 bigpipe shell about command completion 2-4 about command continuation 2-4 about command history 2-2 about escape feature 2-6 about grep functionality 2-5 about the command edit feature 2-3 about the log file 2-3 about the prompt 2-1 controlling 2-2 customizing 2-5 using 2-2 using command continuation A-309 bigpipe shell command and command syntax A-27 invoking the bigpipe shell 4-3 bigpipe shell prompt, customizing 2-5 bigpipe utility 4-25, 5-24 and command list 2-6 and command syntax 2-1 defined 1-2 displaying protocol statistics 4-26 introducing 2-1 using for local traffic management 5-1 using online man pages 1-3 using to manage BIG-IP system 4-3 bigstart command 1-2, 4-2, 4-27, 4-28, 4-33 bigstart utility 4-27 bigtop command 4-2, 4-29, 4-30 bigtop utility and command options 4-29 and running 4-27 and runtime commands 4-30 defined 1-2 exiting 4-30 bit activity, displaying 4-29 byte activity, displaying 4-29 Index - 1 Index C CA certificates, generating 5-16 certificate association 5-19 certificate information, viewing 5-19 certificate revocation lists See CRLs. certificate signing request files, generating 5-16 certificate verification 5-19 certificates, revoking 5-18 chunking 5-8 class command 2-7, A-29 cli audit command 2-4, 2-7 cli command A-33 cli import save command 4-11 client authentication 5-16 client certificates, creating 5-17 Client SSL profile 5-1 clone pools, configuring 5-3 command completion 2-4 command continuation 2-4, A-309 command editing 2-3 command history 2-2 command summary 2-6 command syntax, identifying 1-6 commands See individual command entries. Common partition 4-17 compression providers hardware 5-9, B-6 software 5-9, B-6 compression providers, understanding 5-8 compression strategies described 5-10 understanding 5-9 compression, configuring 5-5 config command 2-7, 4-2, A-36 config utility, defined 1-2 configsync command 2-7, A-39 configuration files, defined 4-6 Configuration Guide for BIG-IP Local Traffic Management 1-5 configuration information, storing 4-30 configuration synchronization, using bigdb database variables B-3 Configuration utility about Welcome screen 1-8 and bigdb database variables B-1 using online help 1-8 Configuration Worksheet 1-5 conn command 2-7, A-42 connection mirroring, using bigdb database variables B-3 connection persistence, configuring 5-22 connection pooling 5-22 connection processing 4-25 cookie 5-6 cookie encryption, enabling or disabling 5-6 Index - 2 cookie persistence 5-22 cookie secret 5-6 CRLDP authentication module 5-19 crldp server command 2-7, 5-21, A-44 CRLDP servers 5-20 CRLs creating 5-18 generating viewing 5-19 current partition, defined 4-19 custom monitors 5-25 custom profiles 5-2 D daemon bigdbd command A-50 daemon command 2-7, 4-24, A-47 daemon mcpd command A-52 daemon tmm command A-54 daemon_bigdbd command 2-7 daemon_mcpd command 2-7 daemon_tmm command 2-7 daemons, listed 4-24 data compression, configuring 5-5 db command 2-7, 4-30, 5-7, A-57, B-1 default partition 4-20 default profiles 5-2 default SNATs 4-26 default unit IDs 4-25 denial-of-service (DoS) attacks, managing 5-7 Destination Address Affinity persistence 5-22 dirname-based addresses 5-17 dns command 2-7, A-59 dynamic routing, using bigdb database variables B-11 E edit feature See individual command entries. using 2-3 email, sending 4-32 embedded distribution points 5-17 encrypted remote logging and prerequisites 3-3 and tasks 3-4 encrypted tunnels, opening and closing 3-5 escape feature, using in the bigpipe shell 2-6 event logging, using bigdb database variables B-4 events, tracking 4-32 exit command 2-2, 2-7, A-62 export command 2-7, 4-10, 4-11, A-63 F f5active script 4-24 f5adduser command 2-7, 4-22, A-65 f5standby script 4-24 Index failover and bigdb database variables B-2 configuring user-defined scripts 4-24 locating directory 4-24 failover command 2-7, A-67 fallback hosts 5-5 Fast HTTP profile 5-6, 5-22 Fast L4 profile 5-24 fasthttp command 2-7, 4-26, A-71 fastL4 command A-72 fastl4 command 2-7, 4-26, A-71 FFP-supported platforms 3-8 filters, for packets 3-8 find_keys command 4-35 finding help 1-8 fipscardsync command 4-3, A-73 fipsutil command 4-2, A-74 formatting conventions 1-6 ftp command 2-7, 4-26, A-77 FTP profile 5-1 G gencert utility defined 1-2 running 5-16 using to generate a temporary certificate and request file 5-16 using to generate SSL certificates and keys 5-1 genconf utility, using to generate a key 5-1 genkey utility, using to generate SSL certificates 5-1 global command 2-7, 4-26, A-78 grep functionality 2-5 gzip Compression level 5-11, B-5 H ha table command 2-7, A-79 halt command 4-3 hardware command 2-7, A-81 hardware compression provider 5-9 hardware compression providers viewing 5-9 hardware syncookie feature 5-7 headers, inserting and erasing 5-6 health monitors, associating 5-25 help command 2-7, 4-3, A-82 help, finding 1-8 hostname command 4-3 hosts file 4-8 hosts.allow file 4-8 hosts.deny file 4-8 HTTP Class profile 5-7 http command 2-8, 4-26, A-83 HTTP compression 5-8 configuring 5-5 using bigdb database variables B-5 BIG-IP® Command Line Interface Guide HTTP headers, inserting and erasing 5-6 HTTP profile 5-1, 5-22 HTTP redirections, rewriting 5-5 HTTP requests, redirecting 5-5 HTTP response chunking 5-8 HTTP traffic, optimizing using profiles 5-15 httpd command 2-8, A-84 httpd configuration file 4-7 I icmp command 2-8, 4-26, A-88 import command 2-8, 4-11, A-89 import default command 4-15 Installation, Licensing, and Upgrades for BIG-IP Systems 1-5 interface command 2-8, A-91 interfaces, customizing base network components 3-1 internal trunk distribution 3-8 ip command 2-8, 4-26, A-95 iRules and SNATs 5-4 and Tcl commands 1-2 associating with virtual servers 5-28 implementing 5-28 modifying profile settings 5-2 J JDBC connections, monitoring 5-26 JDBC services, monitoring 5-26 K Keep-Alive headers 5-22 key association 5-19 keys, generating 5-16, 5-17 L last hop routers 5-3 Layer 4 profile 5-1 LDAP CRL distribution point 5-18 LDAP servers 5-20 less file page utility 4-32 licenses, viewing 4-35 Linux syslog-ng man page 1-3 list command 2-8, A-96 load and save commands, compared 4-4 load balancing pool, associating with monitors 5-25 load balancing, setting up basic configuration 5-2 load command 2-8, 4-11, 4-27, A-97 local traffic management 5-1 log file 2-3 managing 3-1, 4-32 resizing 4-33 Index - 3 Index log information, sending 3-3 logrotate command 2-8, A-100 ltm command 2-8, A-103 M MAC address configuration, using bigdb database variables B-7 management port adding routes 3-8 configuring 4-17 managing network traffic 5-2 managing the size of the log file 3-1 manual resume, configuring for monitors 5-27 marking node up 5-27 marking pool member up 5-27 mcp command 2-8, A-107 MCPD service handling failure of 4-24 restarting 4-27 memory command 2-8, A-108 merge command 2-8, A-109 messages, logging to remote machine 3-6 mgmt command 2-8, 4-17, A-111 MGMT port, configuring 4-17 mgmt route command 2-8, A-113 mirror command 2-8, A-116 monitor command 2-8, 5-25, 5-26, 5-27, A-118 monitoring JDBC connections 5-26 monitors associating with pools or nodes 5-25 configuring manual resumption 5-27 creating custom 5-25 using pre-configured 5-25 MSRDP persistence 5-22 N nat command 2-8, A-130 ndp command 2-8, A-133 netsnmp.conf file 4-8 network management tasks, performing 3-1 node command 2-8, 4-35, 5-25, 5-26, 5-27, A-135 nodes configuring manual resumption 5-3 marking up 5-27 removing and returning to service 4-34 removing from service 4-34 removing individual nodes from service 4-35 returning individual nodes to service 4-35 returning to service 4-34 setting status manually 5-27 viewing 4-35 ntp command 2-8, A-138 ntp.conf file 4-8 Index - 4 O ocsp responder command 2-8, 5-20, 5-21, A-140 oneconnect 5-23 oneconnect command 2-9, 4-26, A-145 online help 1-8 online man pages about 1-3 accessing from the shell prompt 1-3, A-1 accessing from the system prompt 1-3, A-1 open connections 5-23 opening brace, using in command syntax 2-5 OpenSSL 0.9.8.x 5-17 openssl utility 1-3, 5-1, 5-16, 5-17, 5-18, 5-19 openssl.conf 4-7, 4-8 P packet activity, displaying 4-29 packet filter command 2-9, 3-8, 5-25, A-146 packet filter rules 5-25 packet filters customizing base network components 3-1 Packet Velocity ASIC 10 (PVA10) Syn Cookie feature, and bigdb database variables B-10 pager notifications, activating 4-32 partition command 2-9, 4-18, A-152 partitions about Common 4-17 about current 4-19 about Read partition 4-19 about Write partition 4-19 accessing 4-18 changing current 4-18 creating 4-18 creating and managing 4-17 defined 4-17 setting default 4-20 password policy command 2-9, A-154 passwords, adding and stripping 5-19 PEM format conversion 5-19 persist command 2-9, A-157 persistence 5-22 persistence types 5-22 PKCS12 file, creating 5-17 platform command 2-9, A-161 Platform Guide 1-5 pool assignation 5-26 pool command 2-9, 5-2, 5-3, 5-24, 5-25, 5-27, A-163 pool members configuring manual resumption 5-3 marking up 5-27 removing from service 4-34 returning to service 4-34 setting status manually 5-27 Index pre-configured monitors 5-25 printdb command 4-3 product image creating a back up of 4-36 restoring from a snapshot file 4-37 profile auth command 2-9, A-171 profile clientssl command 2-9, 5-2, A-176 profile command 2-9, 5-2, 5-19, 5-20, 5-21, 5-24, A-169 profile dns command 2-9, A-184 profile fasthttp command 2-9, 5-6, 5-23, A-186 profile fastl4 command 2-9, 5-7, A-191 profile ftp command 2-9, A-196 profile http command 2-9, 5-5, 5-6, 5-8, 5-12, 5-15, 5-23, A-198 profile httpclass command 2-9, A-208 profile oneconnect command 2-9, 5-23, A-211 profile persist command 2-9, A-214 profile rtsp command 2-9, A-220 profile sctp command 2-9, A-223 profile serverssl command 2-9 profile settings, modifying 5-2 profile sip command 2-9, A-235 profile stats command 2-9 profile stream command 2-9 profile tcp command 2-9, 5-15 profile udp command 2-10 profiles, using to set timeout values 5-24 protocol statistics, displaying 4-26 pva command 2-10 Q Quality of Service (QoS) levels, setting 5-24 quit command 2-2, 2-10 R radius server command 2-10, 5-20, 5-21 RADIUS servers 5-20 RAM Cache implementation, using bigdb database variables B-7 rate class command 2-10, 5-25 rate shaping 5-25 rateclass.conf 4-8 RCP services, checking health of 5-26 Read access 4-18 Read partition 4-19 real-time statistics, displaying 4-29 reboot command 4-3 redirections, rewriting 5-5 redundant system configuration 4-23 references to other documents, identifying 1-6 refresh interval, resetting 4-29 remote hosts, and logging 3-3 remote logging tasks 3-4 remote logging, encrypted 3-3 remote server authentication 5-20 BIG-IP® Command Line Interface Guide remote users command A-259 remoterole command 2-10, A-262 requests, redirecting 5-5 resize-logFS script 4-33 Resource Admin user role 4-2 Root account 4-2, 4-27 route command 2-10, 3-8 route keys 3-8 route mgmt command 3-8 routes about the routes file 4-8 adding, configuring, and removing 3-8 customizing base network components 3-1 RPC services, monitoring 5-26 rpcinfo command 5-26 RSA keys 5-19 rtsp command 2-10, A-267 rule command 2-10, 5-4, 5-28 running configuration, defined 4-4 S save command 2-10, 4-11, A-271 scripts using active 4-24 using f5active 4-24 using f5standby 4-24 using resize-logFS 4-33 using standby 4-24 sctp command 2-10, 4-3, A-273 self allow command 2-10 self command 2-10 self IP addresses and unit IDs 4-24, 4-25 customizing base network components 3-1 server authentication 5-18 server certificates, creating 5-18 Server SSL profile 5-1 server-side connections 5-22 service failure 4-24 services, listed 4-24 session persistence 5-22 Setup utility 3-1 shell command defined 2-10 man page for A-278 setting Read partition 4-19 setting Write partition 4-19 shell prompt, accessing online man pages from 1-3, A-1 simultaneous connection processing 4-25 single configuration file creating 4-12 defined 4-9 using to configure a system 4-13 using to restore a system 4-14 SIP persistence 5-22 Index - 5 Index SIP profile A-235 SMB services monitoring 5-26 retrieving list of 5-26 smbclient command 5-26 snapshot file using to restore a product image 4-38 viewing information about 4-37 snapshot list command 4-37 snapshot utility about 4-36 using to restore a product image 4-37 snat command 2-10, 5-4, A-280 SNAT pools, creating 5-4 snat translation command 2-10, 5-4, A-283 snatpool command 2-10, 5-4, A-286 SNATs and unit IDs 4-24, 4-25 associating with unit IDs 4-26 creating 5-4 snmpd command 2-10, A-288 snmpd.conf 4-8 snmpd.conf file 4-8 sod service, handling failure of 4-24 software compression provider 5-9 software syncookie feature 5-7 solution examples, about 1-6 Source Address Affinity persistence 5-22 Spanning Tree Protocol, customizing base network components 3-1 ssh command 3-5, 4-3 SSH connection, establishing 3-4 SSH identity, copying 3-7 ssh syntax 3-4 SSH tunnel, and logging 3-3 sshd command 2-10, A-301 sshd_config file 4-8 SSL certificates, generating 5-16 SSL Client Certificate LDAP servers 5-20 ssl command 2-10, 4-26, A-305 SSL OCSP responders 5-20 SSL persistence 5-22 SSL traffic management 5-16 ssl.csr 5-16 ssl.key 5-16 standby script 4-24 statemirror command 2-10, A-306 statistics displaying 4-26 displaying real-time 4-29 status, setting manually 5-27 stop command 2-2, 2-10, A-309 stored configuration, defined 4-4 Index - 6 stp command 2-10, A-310 stp instance command 2-11, A-314 STP protocol 3-1 stream command 2-11, 4-26, A-317 style conventions 1-6 support, technical 1-8 switch interfaces, adding routes 3-8 sys-icheck command 4-3, A-318 syslog command 2-11 man page for A-320 using to set up remote message logging 3-6 Syslog messages, samples of 4-32 syslog utility managing log files 4-32 syslog.conf file 4-32 syslog-ng configuration file 4-9 syslog-ng script, editing 3-5 syslog-ng service, restarting 3-7 syslog-ng utility, configuring 3-3 sys-reset command 4-3, A-319 system command 2-11, A-324, A-329 system configuration state 4-4 system licenses, viewing 4-35 system management components 4-1 system management tools 4-2 system prompt accessing online man pages from 1-3, A-1 identifying command syntax 1-7 system, setting up basic load balancing 5-2 system-auth file 4-7 system-supplied profiles 5-2 T TACACS+ servers 5-20 Tcl commands 5-28 Tcl reference books, using 1-3 Tcl, defined 1-3 tcp command 2-11, 4-26, A-329 TCP profile 5-1, 5-24 TCP traffic optimizing using profiles 5-15 setting service levels on packets 5-24 technical support 1-8 terminal access 4-18 timeout values, setting 5-24 tmm command 2-11, A-330 tmm service about status 4-28 handling failure of 4-24 tmstat compress command 5-14 tmstat utility 5-14 Tools Command Language 1-3 Index traffic types, listing of 5-2 traffic, copying 5-3 translation addresses, assigning 5-4 trunk command 2-11, A-331 trunk.internal.ffp bigdb database variable 3-8 trunks, customizing base network components 3-1 Type of Service (ToS) levels, setting 5-24 U udp command 2-11, 4-26, A-335 UDP profile 5-1, 5-24 UDP traffic 5-24 unchunking 5-8 unit command 2-11, A-336 unit IDs associating 4-24 viewing 4-25 Universal persistence 5-22 user access, auditing 4-23 user account administration, using bigdb database variables B-4 user accounts creating and managing 4-21 modifying and deleting 4-22 user command 2-1, 2-11, 4-21, 4-22, A-337 userroles file 4-7 V version command 2-11, A-340 virtual address command 2-11, A-347 virtual addresses enabling and disabling 4-35 removing from service 4-34 returning to service 4-34 virtual command and command syntax A-341 and logs 4-32 assigning a last hop pool to a virtual server 5-3 assigning a persistence profile to a virtual server 5-22 assigning a pool to a virtual server 5-26 assigning a profile to a virtual server 5-3 assigning an HTTP profile to a virtual server 5-5, 5-8 associating an authentication profile with a virtual server 5-21 configuring virtual servers 4-35 creating an authentication profile 5-20 creating or modifying a virtual server 5-3 described 2-11 displaying virtual servers 4-35 managing network traffic 5-2 setting up basic load balancing 5-2 verifying assignation of pool or profile 5-24 virtual ports removing from service 4-34 returning to service 4-34 virtual server mappings 4-35 virtual servers and unit IDs 4-24, 4-25 enabling and disabling 4-35 removing from service 4-34 returning to service 4-34 viewing 4-35 vlan command 2-11, A-350 VLAN groups customizing base network components 3-1 vlangroup command 2-11, A-354 VLANs customizing base network components 3-1 W WebAccelerator module 5-7 Welcome screen, in the Configuration utility 1-8 Write access 4-18 Write partition 4-19 BIG-IP® Command Line Interface Guide Index - 7 Index Index - 8