version 9.4.3
MAN-0236-02
Product Version
This manual applies to version 9.4.3 of the BIG-IP product family.
Publication Date
This guide was published on October 24, 2007.
Legal Notices
Copyright
Copyright 2007, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
iControl user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, Internet Control Architecture, IP Application
Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam,
FirePass, TrafficShield, Swan, WANJet, WebAccelerator, and TMOS are registered trademarks or
trademarks, and Ask F5 is a service mark, of F5 Networks, Inc. in the U.S. and certain other countries. All
other trademarks mentioned in this document are the property of their respective owners. F5 Networks'
trademarks may not be used in connection with any product or service except as permitted in writing by
F5.
Patents
This product is protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933. Other patents pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by Charles Hannum.
This product includes software developed by Charles Hannum, by the University of Vermont and State
Agricultural College and Garrett A. Wollman, by William F. Jolitz, and by the University of California,
Berkeley, Lawrence Berkeley Laboratory, and its contributors.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
In the following statement, "This software" refers to the parallel port driver: This software is a component
of "386BSD" developed by William F. Jolitz, TeleMuse.
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software developed by Darren Reed (© 1993-1998 by Darren Reed).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License
(© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
Table of Contents
1
Introducing the BIG-IP System
Introducing the BIG-IP system .....................................................................................................1-1
Overview of the BIG-IP system command line interface .............................................1-2
About this guide ..............................................................................................................................1-4
Additional information ..........................................................................................................1-5
Stylistic conventions ..............................................................................................................1-6
Finding help and technical support resources ..........................................................................1-8
2
Understanding the bigpipe Utility
Introducing the bigpipe utility ......................................................................................................2-1
Using the bigpipe shell ...................................................................................................................2-2
Controlling the bigpipe shell ...............................................................................................2-2
Using the bigpipe shell command history feature ..........................................................2-2
Using the bigpipe shell command edit feature ................................................................2-3
Using the bigpipe shell audit feature ..................................................................................2-3
Using the bigpipe shell command completion feature ..................................................2-4
Using the bigpipe shell command continuation feature ................................................2-4
Using grep functionality in the bigpipe shell ....................................................................2-5
Customizing the bigpipe shell ..............................................................................................2-5
Using the bigpipe shell escape feature ..............................................................................2-6
bigpipe command summary ..........................................................................................................2-6
3
Managing the BIG-IP System Network Components
Configuring the BIG-IP system network components ...........................................................3-1
Performing network management tasks ....................................................................................3-1
Managing the size of the log file ..........................................................................................3-1
Expanding the codes in the log file ......................................................................................3-3
Configuring encrypted remote logging .............................................................................3-3
Implementing packet filtering ..............................................................................................3-8
Configuring routing ...............................................................................................................3-8
Implementing the trunk algorithm on FFP-supported platforms ................................3-8
4
Managing the BIG-IP System
Introducing BIG-IP system management ....................................................................................4-1
Understanding BIG-IP system management tools ...................................................................4-2
Using system management tools at the BIG-IP system prompt ..................................4-2
Using the bigpipe utility ........................................................................................................4-3
Understanding the BIG-IP system configuration state ...........................................................4-4
Understanding the stored configuration files ..................................................................4-6
Introducing the Single Configuration File ..................................................................................4-9
What is a single configuration file? .....................................................................................4-9
About the bigpipe utility and the single configuration file ......................................... 4-10
Creating a single configuration file .................................................................................. 4-12
Configuring a BIG-IP system using an SCF .................................................................... 4-13
Restoring a BIG-IP system configuration using an SCF .............................................. 4-14
Using the Copy and Paste SCF Feature ......................................................................... 4-15
5
Managing Local Application Traffic
Performing local traffic management tasks ...............................................................................5-1
Setting up load balancing ...............................................................................................................5-2
Managing traffic types ............................................................................................................5-2
Configuring manual resumption of pool members and nodes ....................................5-3
Configuring clone pools .......................................................................................................5-3
Configuring a last hop pool .................................................................................................5-3
Implementing SNATs ............................................................................................................5-4
Controlling HTTP traffic ...............................................................................................................5-5
Configuring HTTP compression .........................................................................................5-5
Redirecting HTTP requests .................................................................................................5-5
Rewriting HTTP redirections ..............................................................................................5-5
Inserting and erasing HTTP headers .................................................................................5-6
Enabling or disabling cookie encryption ...........................................................................5-6
Enabling or disabling SYN cookie support .......................................................................5-7
Configuring the HTTP Class profile ..................................................................................5-7
Unchunking and rechunking HTTP response data .........................................................5-8
Configuring HTTP compression on the BIG-IP system .........................................................5-8
Understanding compression providers .............................................................................5-8
Understanding compression strategy selection ..............................................................5-9
Introducing adaptive compression .................................................................................. 5-10
Viewing compression statistics ........................................................................................ 5-14
Implementing HTTP and TCP optimization profiles ............................................................ 5-15
Authenticating application traffic .............................................................................................. 5-16
Generating SSL certificates ............................................................................................... 5-16
Generating CA certificates ............................................................................................... 5-16
Creating client certificates ................................................................................................ 5-17
Creating a certificate for a web site ............................................................................... 5-18
Working with certificate revocation .............................................................................. 5-18
Associating keys and certificates with SSL profiles ..................................................... 5-19
Performing other certificate-related tasks .................................................................... 5-19
Configuring remote server authentication ................................................................... 5-20
Implementing persistence ........................................................................................................... 5-22
Implementing session persistence ................................................................................... 5-22
Implementing connection persistence ............................................................................ 5-22
Enhancing the performance of the BIG-IP system ................................................................ 5-24
Setting Link QoS and IP ToS levels on packets ........................................................... 5-24
Setting idle timeout values ................................................................................................ 5-24
Implementing rate shaping ................................................................................................ 5-25
A
bigpipe Command Reference
Introduction to command syntax ...............................................................................................A-1
Using the keyword, all .........................................................................................................A-1
Identifying command types .................................................................................................A-1
Basic definitions .....................................................................................................................A-2
Alphabetical list of commands .....................................................................................................A-2
arp ......................................................................................................................................................A-3
auth crldp .........................................................................................................................................A-6
auth ldap ...........................................................................................................................................A-9
auth radius .....................................................................................................................................A-14
auth ssl cc ldap ..............................................................................................................................A-17
auth ssl ocsp ..................................................................................................................................A-22
auth tacacs .....................................................................................................................................A-24
bigpipe shell ...................................................................................................................................A-27
class .................................................................................................................................................A-29
cli ......................................................................................................................................................A-33
config ...............................................................................................................................................A-36
configsync .......................................................................................................................................A-39
conn .................................................................................................................................................A-42
crldp server ...................................................................................................................................A-44
daemon ...........................................................................................................................................A-47
daemon bigdbd .............................................................................................................................A-50
daemon mcpd ...............................................................................................................................A-52
daemon tmm .................................................................................................................................A-54
db .....................................................................................................................................................A-57
dns ...................................................................................................................................................A-59
exit ...................................................................................................................................................A-62
export .............................................................................................................................................A-63
f5adduser ........................................................................................................................................A-65
failover ............................................................................................................................................A-67
fasthttp ............................................................................................................................................A-71
fastL4 ...............................................................................................................................................A-72
fipscardsync ...................................................................................................................................A-73
fipsutil ..............................................................................................................................................A-74
ftp .....................................................................................................................................................A-77
global ...............................................................................................................................................A-78
ha table ...........................................................................................................................................A-79
hardware ........................................................................................................................................A-81
help ..................................................................................................................................................A-82
http ..................................................................................................................................................A-83
httpd ................................................................................................................................................A-84
icmp .................................................................................................................................................A-88
import .............................................................................................................................................A-89
interface ..........................................................................................................................................A-91
ip ......................................................................................................................................................A-95
list ....................................................................................................................................................A-96
load ..................................................................................................................................................A-97
B
Configuring bigdb Database Variables
Introducing the bigdb database ................................................................................................... B-1
Summarizing bigdb database variables for redundant system administration .................. B-2
Using failover bigdb database variables ............................................................................ B-2
Using connection mirroring bigdb database variables .................................................. B-3
Using configuration synchronization bigdb database variables ................................... B-3
Summarizing bigdb database variables for user account administration ........................... B-4
Summarizing bigdb database variables for event logging ....................................................... B-4
Summarizing bigdb database variables for HTTP compression ........................................... B-5
Configuring RAM Cache by setting a bigdb database variable ............................................. B-7
Configuring the MAC address of a VLAN using bigdb database variables ....................... B-7
Configuring debugging for the system using bigdb database variables ............................... B-8
Configuring the PVA10 Syn Cookie feature with bigdb database variables ................... B-10
Configuring dynamic routing with bigdb database variables .............................................. B-11
Glossary
Index
Chapter 1
Introducing the BIG-IP System
The industry-standard tools that you can also use to manage the BIG-IP
system are:
From the bigpipe shell prompt, use the command name followed by
help. Do not use underscores between the words in the command
name. For example:
bp> auth crldp help
Additional information
In addition to this guide, you can use the following printed documents that
are included with the BIG-IP system to help you configure the system.
Configuration Worksheet
Use this worksheet to plan the basic configuration of your BIG-IP
system.
The following guides are available in PDF format from the CD-ROM
provided with the BIG-IP system. These guides are also available from the
first web page you see when you log on to the administrative web server on
the BIG-IP system.
Tip
This BIG-IP Command Line Interface Guide assumes that you have read
the following guides for important concepts and information.
Stylistic conventions
To help you easily identify and understand important information, all of our
documentation uses the stylistic conventions described here.
For more information about the bigpipe shell see Using the bigpipe shell, on
page 2-2.
Description
< >
[]
...
::=
Chapter 2
Understanding the bigpipe Utility
You can invoke the bigpipe shell and type a command sequence at the
bigpipe shell prompt (bp>). For example, you can display all BIG-IP
system user accounts by typing this command sequence at the bigpipe
shell prompt:
bp> user show
For information on invoking the bigpipe shell, see Using the bigpipe shell,
following.
The audit file may be larger than you expect, because the bigpipe shell
audits some of the commands that the system runs.
The audit file merges consecutive white spaces into single spaces. This
means that each command is a single, possibly very long, line.
You use the command cli audit to enable auditing for the bigpipe shell and
to specify the level of auditing that you want the bigpipe shell to perform.
There are four different levels of auditing available:
disable
The bigpipe shell does not audit any commands. This is the default.
enable
The bigpipe shell audits all commands that users enter, and the
commands run by the command merge, but not the commands run by the
commands load and import.
verbose
The bigpipe shell audits all of the commands that users enter, and the
commands run by the merge command. Additionally, the bigpipe shell
audits the commands run by the commands load and import, except for
those commands that are found in these four system configuration files:
config_base.conf, base_monitors.conf, profile_base.conf, and
daemon.conf.
all
The bigpipe shell audits all commands.
The shell does nothing and presents an empty prompt for continuing:
bp>
At this point, you can continue to type more options for the auth radius
command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace ( } ), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
This discards the stored command sequence, without running the command.
Note
An opening brace that starts a continuation does not have to be the last
character on the line. Also, you can use more than one brace on a single
line.
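The continuation and audit behaviour described above (an opening brace starts a continuation, the prompt goes empty, a closing brace runs the gathered sequence, stop discards it, braces need not end a line, and the audit file records each command as one whitespace-normalized line) can be modelled in a few lines. The following is an added example, not bigpipe's own code; the RADIUS object names such as myradius and the option lines in the session are constructed placeholders, and only the brace and audit behaviour the guide states is implemented.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


def audit_record(command: str) -> str:
    """Render one executed command the way the guide says the audit file does:
    consecutive white space merged into single spaces, so the whole command
    (however many lines it took to type) occupies one line."""
    return re.sub(r"\s+", " ", command).strip()


@dataclass
class ContinuationShell:
    """Toy model (not bigpipe's code) of the shell's command continuation feature."""
    depth: int = 0                                   # open braces not yet closed
    pending: list = field(default_factory=list)      # lines gathered so far
    executed: list = field(default_factory=list)     # commands that "ran"
    discarded: int = 0                               # sequences dropped by 'stop'
    audit: list = field(default_factory=list)        # one normalized line per command

    def prompt(self) -> str:
        # While gathering a continued command the shell shows an empty prompt.
        return "" if self.depth else "bp> "

    def feed(self, line: str) -> Optional[str]:
        """Feed one typed line. Returns the full command when it runs, else None."""
        if self.depth and line.strip() == "stop":
            # 'stop' inside a continuation discards everything gathered; nothing runs.
            self.pending.clear()
            self.depth = 0
            self.discarded += 1
            return None
        self.pending.append(line)
        # A brace need not be the last character, and a line may hold several;
        # only the net count decides whether the command is complete.
        self.depth += line.count("{") - line.count("}")
        if self.depth < 0:
            # More closes than opens: reject the sequence rather than run garbage.
            self.pending.clear()
            self.depth = 0
            raise ValueError(f"unbalanced closing brace in: {line!r}")
        if self.depth:
            return None
        command = " ".join(self.pending)
        self.pending.clear()
        self.executed.append(command)
        self.audit.append(audit_record(command))
        return command


def run_session(lines):
    """Feed a whole typed session; return (executed commands, audit lines, discarded count)."""
    sh = ContinuationShell()
    for line in lines:
        sh.feed(line)
    return sh.executed, sh.audit, sh.discarded


# Constructed session: object names and option lines are placeholders, not from the guide.
SESSION = [
    "auth radius myradius {",              # opening brace starts a continuation
    "   debug enable",
    "retries   4",                         # extra spaces are merged in the audit line
    "}",                                   # closing brace: the shell runs the whole thing
    "auth radius scratch {",
    "retries 9",
    "stop",                                # discards the stored sequence, runs nothing
    "auth radius oneliner { retries 2 }",  # several braces on one line: runs at once
]

if __name__ == "__main__":
    ran, audited, dropped = run_session(SESSION)
    for rec in audited:
        print(rec)
    print(f"{len(ran)} commands ran, {dropped} sequence(s) discarded")
```

Reviewing the audit file with this in mind is useful: because every command collapses to one line, a multi-line object definition that was typed and then discarded with stop never appears in the audit at all, while one that ran appears in full on a single line, which is what makes the audit file long lines rather than many short ones.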
The prompt option sets the shell's prompt to the given string value.
For example, when you type
bp> shell prompt BIG-IP>
You can disable this feature by typing the following command at the BIG-IP
system prompt:
bigpipe shell -s
After you change the system configuration using any bigpipe command, you
must run the command save all to save your changes to the stored
configuration files. If you do not, your changes are lost.
Command
Description
arp
Creates static ARP addresses, and lists static and dynamic ARP addresses.
auth crldp
Configures a Certificate Revocation List Distribution Point (CRLDP) configuration object for
managing certificate revocation.
auth ldap
auth radius
Configures a Remote Access Dialup Service (RADIUS) configuration object for implementing
remote RADIUS-based client authentication.
auth ssl cc ldap
Configures an SSL client certificate LDAP configuration object for implementing remote
SSL-based LDAP client authorization.
auth ssl ocsp
Configures an SSL OCSP configuration object for managing remote certificate revocation
based on the Online Certificate Revocation Protocol (OCSP).
auth tacacs
bigpipe
When typed at the BIG-IP system prompt, starts the bigpipe utility in its shell mode, and
configures the shell.
class
cli
config
configsync
Specifies the parameters for the task of syncing the configurations of two BIG-IP units in a
redundant system.
conn
Sets idle timeout for, displays, and deletes active connections on the BIG-IP system.
crldp server
Creates a Certificate Revocation List Distribution Point (CRLDP) server for implementing a
CRLDP authentication module.
daemon
Tunes the high availability functionality that is built into system daemons.
daemon_bigdbd
daemon_mcpd
daemon_tmm
db
dns
Displays and resets global statistics for the DNS profile on the BIG-IP system.
exit
export
Exports (saves) the running configuration into a flat, text file, with an extension of .scf. This
file is known as the single configuration file or SCF.
f5adduser
Used at the BIG-IP system prompt to add local user accounts to the BIG-IP system.
failover
fasthttp
Displays and resets global statistics for the Fast HTTP profile on the BIG-IP system.
fastL4
Displays and resets statistics for the Fast L4 profile on the BIG-IP system.
ftp
Displays and resets global statistics for the FTP profile on the BIG-IP system.
global
ha table
hardware
help
http
httpd
icmp
import
Resets the running configuration of the system to the values that are contained in the SCF
that you are importing.
If you want the configuration that is contained in the SCF to be written to the configuration
files (bigip.conf, bigip_base.conf, bigip_local.conf, and bigip_sys.conf), you must use
the save all command following the import.
interface
ip
Manages IP statistics.
list
When the default Read partition is All, this command displays all objects the user has
permission to see. When you specify a Read partition, this command displays all objects the
user has permission to see, and all objects that are not in partitions.
load
Resets the running configuration of the BIG-IP system configuration with the values contained
in the bigip.conf, bigip_base.conf, bigip_local.conf, and bigip_sys.conf files.
Note that after you run the load command, you must run the save or save all command;
otherwise the system requires you to rerun the Setup utility.
logrotate
ltm
Configures the general properties for the BIG-IP local traffic management system.
mcp
memory
merge
Loads the specified configuration file, which resets the running configuration.
mgmt
mgmt route
mirror
Copies traffic from any port or set of ports to a single, separate port.
monitor
nat
ndp
node
ntp
Configures the Network Time Protocol (NTP) daemon for the BIG-IP system.
ocsp responder
oneconnect
packet filter
partition
Configures partitions for implementing access control for the BIG-IP system administrative
users.
password policy
Specifies the parameters of the valid passwords for the BIG-IP system.
persist
Configures a session persistence mode on a specific pool or node, for client requests.
platform
pool
profile
profile auth
profile clientssl
profile dns
profile fasthttp
profile fastl4
profile ftp
profile http
profile httpclass
profile oneconnect
profile persist
profile rtsp
profile sctp
profile serverssl
profile sip
profile stats
profile stream
profile tcp
profile udp
pva
quit
radius server
rate class
remote users
Configures the default user role, partition access, and console access for all remotely
authenticated user accounts that have not been added as local user accounts on the BIG-IP
system.
remoterole
route
rtsp
Displays or resets Real Time Streaming Protocol (RTSP) statistics for the BIG-IP system.
rule
save all
sctp
Displays or resets Stream Control Transmission Protocol (SCTP) statistics for the BIG-IP
system.
self
self allow
Configures the default allow list for all self IP addresses on the BIG-IP system.
shell
snat
snat translation
snatpool
snmpd
Configures the simple network management protocol (SNMP) daemon for the BIG-IP system.
sshd
Configures the Secure Shell (SSH) daemon for the BIG-IP system.
ssl
statemirror
Configures connection mirroring for a BIG-IP unit that is part of a redundant system in a high
availability system.
stop
stp
stp instance
stream
syslog
Configures connection mirroring for a BIG-IP system that is part of a redundant pair in a high
availability system.
system
tcp
tmm
trunk
udp
unit
user
version
virtual
Defines virtual servers, virtual server mappings, and virtual server properties.
virtual address
vlan
vlangroup
3
Managing the BIG-IP System Network Components
You adjust the amount of disk space that the system allocates for the log file
by using a command line script named resize-logFS. When you use the
resize-logFS script, the system prompts you for information, and validates
two facts:
The amount of disk space you specify falls within the valid range of 1 to
10 gigabytes.
The BIG-IP system has enough disk space to allocate the requested
amount.
WARNING
Before using the resize-logFS script, it is imperative that you stop the
BIG-IP system, or put the system into a safe condition such as standby
mode.
Note: This command prompts you for the file size in gigabytes.
3. At the prompt, type an integer. The minimum allowed value is 1,
and the maximum allowed value is 10.
A prompt appears that allows you to confirm the specified file size.
4. Type Y.
A message appears, notifying you of the need for the BIG-IP system
to perform a reboot, followed by a prompt, which allows you to
permit the reboot operation.
Note: Prior to rebooting, the BIG-IP system verifies that the integer
you typed in step 3 is within the allowed range, and checks to ensure
that enough disk space exists for the specified size.
5. Type Y.
A confirmation prompt appears.
6. Type Y.
The system displays messages indicating that the reboot operation is
about to occur.
7. Wait for the reboot operation to finish.
When the system becomes available again, the newly-specified disk
space for the log file is in effect.
If, at any time during the resize-logFS operation, you decide to exit the
script, no reboot occurs and the amount of allocated disk space remains as
is.
The system displays the log file with the codes expanded.
Attempt this configuration only if you understand the risks associated with
making changes to daemon startup scripts.
Figure 3.2 Syntax to establish an SSH tunnel from the BIG-IP system
Table 3.1 contains detailed descriptions of the ssh syntax elements shown in
Figure 3.2.
SSH syntax
Description
<remote log hostname>
<remote user>
Creating a unique SSH key to identify and authorize the BIG-IP system
After you have reviewed the ssh command syntax, use the ssh command to
create the encrypted tunnel on the BIG-IP system. You must create a unique
key on the BIG-IP system. The unique key is used to identify and authorize
the BIG-IP system to the remote logging host.
To create the file syslog_tunnel_ID and syslog_tunnel_ID.pub, use the
following command sequence:
$ ssh-keygen -b 2048 -f syslog_tunnel_ID -t rsa -N "" -P ""
Editing the syslog-ng start script to open and close the encrypted tunnel
Next change the syslog-ng utility startup script, /etc/init.d/syslog-ng, so that
the encrypted tunnel is opened when the syslog-ng script starts up, and is
closed when the script is restarted or stopped.
Before you edit the syslog-ng utility startup script, save a backup copy to the
root directory. Use the following command to save the backup to the root
directory:
$ cp /etc/init.d/syslog-ng /root/syslog-ng.backup
Copying the unique SSH identity to the remote logging host and appending it to the authorized keys file
After you have used the syslog command to set up the remote logging host
to log messages, you must copy the unique SSH identity to the remote
logging host. To do this, copy the syslog_tunnel_ID.pub to the remote
syslog server, and append this key to the authorized_keys file found in the
.ssh folder under the home directory of the user that you want to use to
capture remote log messages.
$ cat syslog_tunnel_ID.pub >> ~logger/.ssh/authorized_keys
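Because the tunnel key is created without a passphrase, it is worth limiting what that identity may do on the logging host. The following shell functions are an added example and are not part of this guide: they build an authorized_keys entry that allows only port forwarding to the syslog-ng listener (the standard OpenSSH options no-pty, no-agent-forwarding, no-X11-forwarding and permitopen) and append it only once. The listener address and port are parameters; the test uses the 10.0.0.100:5140 values from the syslog-ng source block, and the key material is constructed.

```shell
#!/bin/sh
# Added example, not from the BIG-IP guide: restrict the syslog tunnel key on
# the remote logging host and append it to authorized_keys without duplicates.

# restricted_key_line <pubkey-line> <listener-host> <listener-port>
# Prints the authorized_keys entry, or returns 1 on malformed input.
restricted_key_line() {
    pubkey=$1; host=$2; port=$3
    # Accept only an RSA public key line, which is what "ssh-keygen -t rsa"
    # writes to syslog_tunnel_ID.pub.
    case "$pubkey" in
        "ssh-rsa "*) ;;
        *) echo "restricted_key_line: not an ssh-rsa public key line" >&2; return 1 ;;
    esac
    # Hostname or IPv4 literal only; keeps the permitopen value unambiguous.
    case "$host" in
        ""|*[!A-Za-z0-9.-]*) echo "restricted_key_line: bad host: $host" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "restricted_key_line: bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "restricted_key_line: port out of range: $port" >&2; return 1
    fi
    # no-pty / no-agent-forwarding / no-X11-forwarding: the identity gets no
    # interactive session; permitopen: forwarding is allowed to one target only.
    printf 'no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="%s:%s" %s\n' \
        "$host" "$port" "$pubkey"
}

# append_key_once <authorized_keys-line> <file>
# Appends the line unless the same public key is already present, so that
# repeating the "cat ... >>" step does not leave duplicate entries.
append_key_once() {
    line=$1; file=$2
    # The key material is the base64 blob that follows "ssh-rsa".
    blob=${line#*ssh-rsa }
    blob=${blob%% *}
    if [ -f "$file" ] && grep -F -q -- "$blob" "$file"; then
        return 0
    fi
    # Create the file owner-only if it does not exist yet (sshd rejects
    # group- or world-writable authorized_keys files).
    [ -f "$file" ] || ( umask 077; : > "$file" )
    printf '%s\n' "$line" >> "$file"
}
```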
Note
The following instructions are given as examples. The actual process for
setting up the new SSH key to be automatically authorized, and configuring
the syslog-ng utility may be different.
Verify that the logging facility is configured and ready to receive syslog-ng
messages on the <remote tunnel port>. If the remote logging host uses the
syslog-ng utility, you need to add a source configuration block like the one
in Figure 3.5.
source remote {
tcp(ip(10.0.0.100) port(5140));
};
3. Exit from the SSH session to the BIG-IP system command line.
4. Restart the syslog-ng utility by typing the following command:
$ /etc/init.d/syslog-ng restart
Configuring routing
When you add routes for the switch interfaces, including the management
port, you must configure those routes. You can also remove routes from the system.
To remove routes
Use this command to remove routes:
bp> route (<route key list> | all | inet | inet6) delete
srcdestip
Select Source/Destination IP address to have the system base the hash on
the combined MAC addresses of the source and the destination.
srcdestmac
Select Source/Destination MAC address to have the system base the hash
on the combined MAC addresses of the source and the destination.
destmac
Select Destination MAC address to have the system base the hash on the
MAC address of the destination.
After you change a bigdb database variable using the db command, you
must run the save all command. If you do not, the next time that you run the
load command, the value of the bigdb database variable may be reset to the
value in the stored configuration.
4
Managing the BIG-IP System
F5 recommends that you do not give advanced shell access to users who are
assigned the user role of Resource Admin unless they must use the
tcpdump, ssldump, or qkview utilities, or manage certificate and key files
from the console. Instead, F5 recommends that you give these users bigpipe
shell access. For more information, see user, on page A-337.
For information on user accounts, see Managing user accounts, on page
4-21, and the BIG-IP Network and System Management Guide.
BIG-IP system Commands
Description
bigstart
bigtop
config
fipsutil
fipscardsync
Synchronizes the FIPS hardware security modules (HSMs) of a redundant system. Note that
synchronizing the HSMs provides the ability to exchange keys between the units of a
redundant system.
For more information, see the Platform Guide: 1500, 3400, 6400, 6800.
halt
hostname
printdb
reboot
sys-icheck
sys-reset
The commands you can use within the bigpipe shell to manage the BIG-IP
system are listed in Appendix A, bigpipe Command Reference. You can also
access a list and description of these commands by typing the following
command at the bigpipe shell prompt:
bp> help
For help with a specific command, access the online man page for that
command from the bigpipe shell prompt by typing the command name
followed by help. For example, to get help on the pool command, type this
command:
bp> pool help
Only users with the Administrator or Resource Admin user role assigned to
their user account can run the save all command. Users assigned other roles
receive an error when they run the save all command. They must instead run
the save command.
WARNING
The save all command saves all changes to the system since the last save or
save all command was run. If multiple users are making changes to the
system, and one of them runs the save all command, the system saves all of
the changes, including the changes made by the other users.
bigpipe command
Action performed
base load
Resets the running configuration based on the contents of the following files in the order
shown:
/defaults/config_base.conf
/config/bigip_base.conf
/config/bigip_sys.conf
load
Replaces the entire running configuration based on the contents of the following files in the
order shown:
/defaults/config_base.conf
/config/bigip_base.conf
/config/bigip_sys.conf
/usr/bin/monitors/builtins/base_monitors.conf
/config/profile_base.conf
/config/daemon.conf
/config/bigip.conf
/config/bigip_local.conf
It is important to note that if you want to modify the running configuration, rather than replace
it, you use the merge command. For more information, see merge, on page A-109.
base save
Saves only the portions of the running configuration that reside in these files:
/config/bigip_base.conf
/config/bigip_sys.conf
save
Saves only the portions of the running configuration that reside in these files:
/config/bigip.conf
/config/bigip_local.conf
/config/bigip_sys.conf
save all
Saves the entire running configuration into these stored configuration files:
/config/bigip.conf
/config/bigip_local.conf
/config/bigip_base.conf
/config/bigip_sys.conf
Table 4.2 About the bigpipe commands load and save, and the system configuration states
File
Description
/config/bigip.conf
Stores all configuration objects for managing local application traffic, such as virtual
servers, load balancing pools, profiles, and SNATs.
You run the load command to load the configuration of these objects from the
bigip.conf file into the system's running configuration. You run the save all command to
write the running configuration of these objects into the bigip.conf file.
When you perform a configuration synchronization of a redundant system, this file is
synchronized to the other unit.
Important: Some objects, such as SNATs, do not reside in partitions. Therefore, if you
edit this file, and add one of these objects to a section of the file that configures a
specific partition, when you run the save all command, the object is saved, but not in the
partition. Consequently, the object is not protected by partition access control.
/config/bigip_base.conf
Stores the BIG-IP system network components. When you perform a configuration
synchronization of a redundant system, this file is not synchronized to the other unit.
You run the base load command to load the configuration of these objects from the
bigip_base.conf file into the system's running configuration. You run the save all
command to save the running configuration of these objects in the bigip_base.conf file.
Important: The objects in this file reside in partition Common. Consequently, the
objects are not protected by partition access control.
Table 4.3 Four principal stored configuration files for the BIG-IP system described
/config/bigip_local.conf
Stores the virtual servers used by the BIG-IP Global Traffic Manager.
You run the base load command to load the configuration of these objects from the
bigip_local.conf file into the system's running configuration. You run the save all
command to write the running configuration of these objects into the bigip_local.conf
file.
/config/bigip_sys.conf
Stores the Linux or UNIX configuration objects. When you perform a configuration
synchronization of a redundant system, this file is synchronized to the other unit.
You use the base load command to load the configuration of these objects from the
bigip_base.conf file into the system's running configuration. You run the save all
command to write the running configuration of these objects into the bigip_base.conf
file.
Important: The objects in this file reside in partition Common. Consequently, the
objects are not protected by partition access control.
F5 recommends that you do not manually edit the files shown in Table 4.4
following.
File                                      Associated bigpipe commands
/config/bigip/auth/pam.d/system-auth      system
/config/bigip/auth/pam.d/httpd            remote users
/config/bigip/auth/userroles              remote users
/config/httpd/conf/httpd.conf             httpd
/config/httpd/conf.d/ssl.conf             httpd ssl
/config/httpd/conf.d/mod_auth_pam.conf    httpd pam
/config/ntp.conf                          ntp
/config/bigip.conf                        route
/config/ssh/sshd_config                   sshd
/config/snmp/netsnmp.conf                 snmpd
/etc/hosts                                system
/etc/hosts.allow                          snmpd
/etc/hosts.deny                           N/A
/etc/localtime                            ntp
/etc/login.defs                           password policy
/etc/logrotate.conf                       logrotate
/etc/rateclass.conf
/config/snmp/snmpd.conf
sshd
dns
/config/snmp/snmpd.conf
snmpd
ntp
/config/net-snmp/snmpd.conf
/etc/sysconfig/clock
/etc/sysconfig/network                    system
/etc/syslog-ng/syslog-ng.conf             syslog
Chapter 4
The BIG-IP system configuration exists in two different states, the stored
configuration and the running configuration. Understanding the two
different configuration states is important to understanding how the SCF
works. For more information, see Understanding the BIG-IP system
configuration state, on page 4-4.
mgmt 172.16.40.3 { netmask 255.255.255.0 }
mgmt route default inet { gateway 172.16.40.1 }
vlan external { tag 4093 interfaces 1.1 }
vlan internal { tag 4094 interfaces 1.3 }
stp instance 0 { vlans external internal interfaces 1.1 external path cost 20K internal path cost 20K 1.3 external path cost 20K internal \
path cost 20K}
self allow { default tcp ssh tcp domain tcp snmp tcp https tcp 4353 udp domain udp snmp udp efs udp 1026 udp 4353 proto ospf }
self 10.10.10.3 { netmask 255.255.0.0 vlan internal allow default }
self 172.16.1.3 { netmask 255.255.255.0 vlan external allow default }
shell write partition Common
system { gui setup disable hostname "beta1.gnet.com" }
# No partition
partition Common { description "Repository for system objects and shared objects." }
user root { password crypt "$1$iLl7Yctv$ld2WUUrJR9EF3oF7OJM2H1" }
route default inet { pool gw_pool static }
shell write partition Common
user admin { password crypt "$1$HtabUQst$PIpliwRcjZY5I2SQkRhOT1" description "Admin User" id 0 group 500 home "/home/admin" \
shell "/bin/false" role administrator in all }
user f5emsvr { password crypt "!!" description "F5 EM Service Account" id 975 group 975 home "/root" shell "/bin/false" role guest in all }
dns { nameservers 192.168.11.1 search "f5net.com" }
ntp { servers 192.168.11.168 }
configsync { password crypt "\\7DYX@Sf=8Be_KNNRgLRd;CD>I2RPrc=6R9bLQ/01Up8lC_" }
pool gw_pool { monitor all gateway_icmp members 172.16.1.1:any }
Never copy the contents of an SCF file and paste it onto the command line in
order to configure a system. Always use the import command to configure a
system using an SCF file, for example, import myconfiguration.scf.
Usage
export
Use the export command to create an SCF that you can then use to configure another BIG-IP system
using the import command.
Note that the export command does not affect the running or stored configuration of the
BIG-IP system on which you run it; the export command simply saves the running
configuration to an SCF.
For more information about the parameters that you can use with the export command, see export, on
page A-63.
import
Use the import command to replace the entire running configuration of a BIG-IP system with the values
in the SCF that you are importing. You must then use the save all command to write the running
configuration to the stored configuration.
For more information about the parameters that you can use with the import command, see import, on
page A-89.
save all
Use the save all command to write the running configuration to the configuration files that contain the
stored configuration. For example, if you add a new NTP server to your network, and then use the ntp
command to configure that server on the BIG-IP system, you must then run the save all command to
save this change to the stored configuration.
Important: When you want to save to the stored configuration changes that you make to the system,
F5 recommends that you use the save all command.
For more information about the save command and its parameters, see Table 4.5, on page 4-11, and
save, on page A-271.
load
Use the load command to replace the entire running configuration of a BIG-IP system with the values
contained in the stored configuration. For example, when you use the bigpipe utility to make changes
to the system, the running configuration contains those changes. If you decide that you do not want the
running configuration to contain those changes, run the load command.
For more information about the parameters that you can use with the load command, see load, on page
A-97.
Table 4.5 Comparison of the bigpipe commands export, import, save, and load
BIG-IP Command Line Interface Guide
The export command is independent of, and distinct from, the save all
command. The export command does not save the running configuration
into the configuration files that contain the stored configuration. To save the
running configuration, you must use the save all command.
You can use either the command export or the command sequence export
oneline to create an SCF. When you use either command, the system creates
a file (using a name that you specify) in the /var/local/scf directory. The
system appends the specified file name with the .scf extension. However, if
you use the .scf extension in the file name, the system does not add an
additional extension.
When you use the export command, the SCF contains line feeds between
the command attributes and their values, which makes the file easy to read.
When you use the export oneline command sequence, the SCF contains
each command, including all of the command attributes and their values, in
a single line. There is a line feed only after each command sequence. This
file is more difficult to read.
To create an SCF
1. Access the bigpipe shell.
2. To save the running configuration to the stored configuration files,
run the save all command.
3. Decide how you want to save the export file, either:
Run the export command and include a name for the SCF, for
example:
bp> export myConfiguration053107
4. On the BIG-IP system that you want to configure, use the import
command to import the SCF:
bp> import myConfiguration
In step 3, you edited the SCF file changing the IP address, network mask,
management route, host name, and the password information for the root
and admin accounts to the values you wanted to use for this system.
Therefore, you do not need to run the Setup utility for the system.
The import default command does not reset manually modified bigdb
database variables to their factory defaults. Therefore, F5 recommends that
you do not manually modify any of the bigdb database variables. Instead,
use the bigpipe commands to change the system configuration. For more
information, see Appendix A, bigpipe Command Reference.
The import default command does not reset the management IP address or
the management default route back to the default values. These settings
remain the same.
All users have access to every object on the system. Their user role
determines whether they can create, modify, delete, or simply view the
objects.
By default, the Administrator user role does not have Terminal Access. To
allow the Administrator user role to access the bigpipe shell, you must use
the Configuration utility to enable Terminal Access for the user account.
For more information, see the BIG-IP Network and System Management
Guide.
Creating a partition
You can create one or more administrative partitions on the BIG-IP system
using the command partition. Only users with the Administrator user role
can create a partition.
Tip
The bigpipe shell syntax requires quotation marks around a string that
includes spaces.
To set a partition in which to simply view objects, use the command shell
read partition. For example, if you want to view the monitors that reside in
partition_a, use the following command to set the current Read partition to
partition_a:
bp> shell read partition partition_a
Users with Write access to only one partition do not need to use the
command shell write partition. The one partition to which the user has
access is always the user's current partition. For example, if your user
account gives you the user role of Manager for partition_a only (as
opposed to all partitions), then you cannot set a partition to manage. Your
logon session establishes partition_a as the partition to which you have
Write access. As with all user accounts that have a user role other than No
Access, you can still view objects in partition Common, but with a
Manager user role, combined with access to a single partition, you cannot
use the shell write partition command to set a partition in which to manage
objects.
You can create user accounts whose user names differ only by case (for
example, david and DAVID). Note that there are restrictions on reserved user
names: you cannot create user accounts that use the reserved names admin,
root, support, or operator.
Tip
You can also create user accounts using the f5adduser command at the
BIG-IP system prompt. For information about the f5adduser command, log
on to the Ask F5 Knowledge Base web site and search for solution
SOL5561.
The Administrator user role provides access to the BIG-IP system prompt.
If a user who is assigned the Administrator user role is logged in when you
change his user role to another user role without access to the BIG-IP
system prompt, the user can still run commands at the BIG-IP system
prompt until he logs out of the system. The same is true when you delete a
user account. If a user who is assigned the Administrator user role is logged
in when you delete the user account, that user can still run commands at the
BIG-IP system prompt until she logs out of the system.
Definition
bigd
mcpd
sod
tmm
bcm56xxd
Two additional scripts, named f5active and f5standby, are located in the
directory /usr/lib/failover. Do not edit these scripts unless an F5 Networks
customer service representative instructs you to do so.
You must associate these local traffic management objects with a unit ID:
Virtual servers
Self IP addresses
SNATs
For example, associating virtual server A with unit 1 causes unit 1 to process
connections for virtual server A. Associating virtual server B with unit 2
causes unit 2 to process connections for virtual server B. This allows the two
units to process traffic for different virtual servers simultaneously, and
results in an increase in overall performance. If one of the units fails over,
the remaining unit begins processing the connections for all virtual servers
of the redundant pair, until failback occurs.
This scenario of using the two units to process different connections
simultaneously is one reason for the requirement that both units store
identical configuration files (/config/bigip.conf).
If you do not associate an object with a specific unit ID in an active-active
redundant pair, the redundant system uses 1 as the default unit ID.
You cannot associate a default SNAT with a unit ID. The default SNAT is not
compatible with an active-active system.
If you have root privileges, you can run the bigstart and bigtop utilities from
within the bigpipe shell by entering an exclamation point (!) before the
command. For example, to run the command bigstart, enter the command at
the bigpipe shell prompt, as follows: bp>!bigstart.
Table 4.7 lists and describes the options you can use with the bigtop
command.
Option
Description
-bytes
-conn
-delay <value>
-delta
-help
-nodes <value>
-nosort
Disables sorting.
-once
-pkts
-scroll
-virtuals
<value>
If you do not specify a bigdb database variable name, the system displays all
bigdb database variables.
Within the bigpipe shell, use this command to set a bigdb database variable
to the default value:
bp> db <key> reset
After you change a bigdb database variable using the db command, you
must run the save all command. If you do not, the next time that you run the
load command, the value of the bigdb database variable may be reset to the
value in the stored configuration.
Maximum value
The maximum value for bigdb database variables of type integer and
unsigned_integer. This is the maximum length for strings.
Enumerated value
A list of allowed values for the bigdb database variable. The first
character is a delimiter for items.
You can configure the syslog-ng utility to send mail or activate pager
notification based on the priority of a logged event.
The syslog-ng log files track system events based on information defined in
the /etc/syslog-ng/syslog-ng.conf file. You can view the log files in a
standard text editor, or with the less file pager utility.
Table 4.8 shows sample syslog-ng messages for events that are specific to
the BIG-IP system. For information about the format of syslog-ng messages,
see RFC 3164.
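To act on the priority of a logged event you first decode the RFC 3164 PRI field, which encodes facility and severity as PRI = facility * 8 + severity. The shell functions below are an added example, not part of this guide or of syslog-ng: they decode PRI, select lines at or above a severity threshold, and map severity to a notification channel (pager for emerg..crit, mail for err..warning; these thresholds are an assumption). The sample messages are constructed, using daemon names from this guide.

```shell
#!/bin/sh
# Added example, not from the BIG-IP guide: decode RFC 3164 PRI and choose a
# notification action from the severity of each syslog-ng message.

# Constructed sample log (not real BIG-IP output). PRI values:
#   34  = facility 4 (auth),   severity 2 (crit)
#   165 = facility 20 (local4), severity 5 (notice)
#   8   = facility 1 (user),   severity 0 (emerg)
#   15  = facility 1 (user),   severity 7 (debug)
SAMPLE_LOG='<34>Oct 24 00:31:59 bigip1 sshd[1201]: constructed: authentication failure for root
<165>Oct 24 00:32:00 bigip1 mcpd[1450]: constructed: configuration loaded
<8>Oct 24 00:32:01 bigip1 tmm[1300]: constructed: pool gw_pool member 172.16.1.1 down
<15>Oct 24 00:32:02 bigip1 bigd[1350]: constructed: monitor gateway_icmp ok'

# syslog_pri <line>: prints the numeric PRI, or returns 1 if the line does
# not start with a valid "<PRI>" (RFC 3164 allows at most 23*8+7 = 191).
syslog_pri() {
    case "$1" in
        "<"[0-9]*">"*) ;;
        *) return 1 ;;
    esac
    pri=${1#"<"}
    pri=${pri%%">"*}
    case "$pri" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$pri" -le 191 ] || return 1
    echo "$pri"
}

# Severity 0 (emerg) .. 7 (debug); facility is the remaining high bits.
syslog_severity() { p=$(syslog_pri "$1") || return 1; echo $((p % 8)); }
syslog_facility() { p=$(syslog_pri "$1") || return 1; echo $((p / 8)); }

# select_alerts <threshold>: reads lines on stdin and prints those whose
# severity is numerically <= threshold (i.e. at least that serious).
select_alerts() {
    threshold=$1
    while IFS= read -r line; do
        if sev=$(syslog_severity "$line"); then
            if [ "$sev" -le "$threshold" ]; then
                printf '%s\n' "$line"
            fi
        fi
    done
}

# count_alerts <threshold> <log-text>: number of lines select_alerts keeps.
count_alerts() {
    printf '%s\n' "$2" | {
        n=0
        while IFS= read -r line; do
            if sev=$(syslog_severity "$line"); then
                if [ "$sev" -le "$1" ]; then n=$((n + 1)); fi
            fi
        done
        echo "$n"
    }
}

# notify_action <line>: "pager" for emerg/alert/crit, "mail" for err/warning,
# otherwise "none". Lines without a valid PRI are treated as "none".
notify_action() {
    sev=$(syslog_severity "$1") || { echo none; return 0; }
    if [ "$sev" -le 2 ]; then echo pager
    elif [ "$sev" -le 4 ]; then echo mail
    else echo none
    fi
}
```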
Before using the resize-logFS script, it is imperative that you stop the
BIG-IP system, or put the system into a safe condition such as standby
mode.
This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer.
The minimum allowed value is 1, and the maximum allowed value
is 10.
A prompt appears that allows you to confirm the specified file size.
5. Type Y.
A message appears, notifying you of the need for the BIG-IP system
to perform a reboot, followed by a prompt, which allows you to
permit the reboot operation.
Note: Prior to rebooting, the BIG-IP system verifies that the integer
you typed in step 3 is within the allowed range, and checks to ensure
that enough disk space exists for the specified size.
6. Type Y.
A confirmation prompt appears.
7. Type Y.
The system displays messages indicating that the reboot operation is
about to occur.
8. Wait for the reboot operation to finish.
When the system becomes available again, the newly-specified disk
space for the log file will be in effect.
If, at any time during the resize-logFS operation, you decide to exit the
script, no reboot occurs, and the amount of allocated disk space remains as
is.
To view license keys without showing the location of the files that contain
the keys, use this command:
find_keys -q
Finally, save the snapshot in the default directory, using this command:
snapshot backup
Backing up the product image and specifying the directory in which to save the image
To back up the product image on the current slot and save the snapshot in a
specified directory and file, first save the current running configuration,
using this command:
save all
Then, save the product image of the specified slot, using this command:
snapshot -s HD1.2 backup
You cannot use a snapshot file that you created from a product image on a
compact flash drive to restore a product image to a hard drive, nor the
reverse.
To determine if you can use a specific snapshot file to restore a product
image to a slot, you can view information about the file. To do this, you use
the snapshot list command.
5
Managing Local Application Traffic
Optionally, you can write an iRule that includes various commands, which
dynamically modify profile settings. For more information, see the
Configuration Guide for BIG-IP Local Traffic Management.
After the system makes the log entry, it waits for you to manually specify
the pool member or node as being up.
Implementing SNATs
There are two basic ways to create a SNAT. You can either directly assign a
translation address to one or more original IP addresses, or you can create a
SNAT pool and then assign the SNAT pool to the original IP addresses. In
the latter case, the BIG-IP system automatically selects a translation address
from the assigned SNAT pool.
Note that you can assign these types of mappings from within an iRule.
Tip
You can also manipulate HTTP headers by configuring a Fast HTTP profile
from the bigpipe shell, using the profile fasthttp command.
If the BIG-IP system includes Packet Velocity ASIC (PVA), use the
profile fastL4 command, specifying the hardware syncookie (enable |
disable | default) option. Also, based on your requirements, set the
following bigdb database variables using the db command:
pva.SynCookies.Full.ConnectionThreshold (default: 500000)
pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
pva.SynCookies.ClientWindow (default: 0)
Note that the hardware syncookie feature is currently available on the
D84 and D88 platforms only. Setting the hardware syncookie feature on
a platform other than the D84 and D88 platforms has no effect. Also, if
you set the software syncookie feature on the D84 and D88 systems
without setting the hardware syncookie feature, the SYN cookie
protection is handled by the software only.
If the BIG-IP system does not include Packet Velocity ASIC (PVA),
use the profile fastL4 command, specifying the software syncookie
(enable | disable | default) option.
6400/6800/8400
tmzd
When a system contains a hardware card and
a hardware compression license, tmzd, a
software compression provider, is automatically
bundled with the hardware card. In order to use
tmzd, you must disable clustered
multi-processing on the system.
8800
zlib
Always available.
tmzd
Always available.
Description
Speed
Size
The system performs as much compression in the software as possible using a ratio of TMM and
Offload. When the load on the system increases, and the software is busy, the system uses the
hardware compression provider to compress HTTP server responses. The Size strategy gives the
best ratio at the expense of CPU overhead.
Ratio
The system uses a weighted Round Robin approach to decide which compression provider to use
to compress data. The Ratio strategy limits CPU overhead while giving good compression ratios.
For more information on configuring the Ratio strategy, see Summarizing bigdb database variables
for HTTP compression, on page B-5.
Adaptive
The system first utilizes the software compression providers to compress HTTP server responses.
It switches to the hardware compression providers based on both the gzip compression level that
you set in the HTTP profile and the hardware compression provider the system contains.
As load on the system increases, the system responds by reducing the desired gzip compression
level (specified in the HTTP profile). The system utilizes the hardware compression providers only
when the provider can deliver the specified or systematically reduced gzip compression level.
The Adaptive strategy gives you the most control over how the BIG-IP system handles
compression.
When you want to use adaptive compression, you perform the following
tasks.
Enable adaptive compression on the system.
Set bigdb database variables to fine-tune how you want the system to
perform compression of the HTTP server responses. (The bigdb database
variables you set differ depending on the system's hardware
compression provider.)
Create an HTTP profile and set the gzip compression level.
For more information on configuring adaptive compression, see Configuring
adaptive compression, on page 5-12.
When you enable adaptive compression, the BIG-IP system uses the bigdb
database variable settings in combination with the specified gzip
compression level to determine how to best utilize the software and
hardware compression providers on the system as the traffic flow through
the system changes.
It is important to understand that hardware compression providers cannot match the highest compression quality that software compression providers deliver. On the other hand, software compression providers require extensive system resources to deliver that highest quality compression.
With the adaptive compression strategy, you can configure the system to use only the software compression providers, at the quality level that you specify, while enough system resources are available. As the load on the system increases, the adaptive compression strategy lets the system incrementally decrease the compression quality of server responses. This frees system resources to handle load balancing of the increased traffic rather than spending them on compressing server responses.
When traffic reaches a peak volume, and based on the gzip compression
level that you set in the HTTP profile, the system begins to handle
compression using the hardware compression providers. Conversely, as the
volume of traffic to the system decreases, more system resources become
available for compression, and the system can again utilize the software
compression providers to incrementally increase the quality of the
compression of the server responses.
When you create an HTTP profile, you set a gzip compression level in the range 0 to 9. The higher the gzip compression level, the better the quality of the compression, and the more system resources the system uses to reach that quality.
Setting a gzip compression level of 9 specifies that you want the system to
use the optimal compression ratio when it compresses HTTP server
responses. For example, you might set the gzip compression level to 9, if
you are utilizing the BIG-IP system RAM cache feature to store response
data. The reason for this is that the stored data in the RAM cache is
continually re-used in responses, and you want the quality of the
compression of that data to be very high.
As the traffic flow on the BIG-IP system increases, compression quality is
incrementally decreased from the gzip compression level that you set in the
profile. When the gzip compression level decreases to the point where the
hardware compression provider is capable of providing the specified
compression level, the system uses the hardware compression providers,
rather than the software compression providers to compress the HTTP
server responses. This point is different on the BIG-IP 6400, 6800, and 8400
systems that contain a hardware card than it is on the BIG-IP 8800 systems.
After you change a bigdb database variable using the db command, you
must run the save all command. If you do not, the next time that you run the
load command, the value of the bigdb database variable may be reset to the
value in the stored configuration.
You also use the db command to configure other bigdb database variables in order to fine-tune how the system compresses HTTP server responses. For more information on configuring adaptive compression using bigdb database variables, see Summarizing bigdb database variables for HTTP compression, on page B-5.
You use the profile http command to configure the setting of the compress
gzip level parameter that is used by the adaptive compression strategy. For
more information on creating and configuring an HTTP profile, see profile
http, on page A-198.
Generating CA certificates
To obtain a valid certificate, you must have a private key. You can use the
gencert utility to generate a key, a temporary certificate, and a certificate
signing request file that you can submit to a certificate authority (CA).
Note
When you change any of the gencert utility defaults, you must include a key size. For example, to change the name of the organization for which you are requesting a certificate, use the following syntax:
gencert -o NewCompanyName 1024
The key size of 1024 bits is the manual's example value; 1024-bit RSA keys are no longer considered adequate, so use at least 2048 bits where your CA accepts it.
To generate a CA certificate
1. Access the BIG-IP system prompt.
2. Run the gencert utility.
The following files are created and saved in the SSL directory:
ssl.csr is the certificate signing request file.
ssl.key contains the key.
5. Create a PKCS12 file using the above key and certificate pairs.
For example:
openssl pkcs12 -export -in auser1.crt -inkey \
auser1.key -out auser1.p12 -name "auser1 pkcs12"
To revoke a certificate
Revoke a client certificate, using the openssl command from the BIG-IP
system prompt. For example, to revoke the client certificate auser1.crt:
openssl ca -config bigmirror-ca.config -keyfile \
bigmirror-ca.key -cert bigmirror-ca.crt -revoke auser1.crt
Note
When you are using the CRLDP authentication module, you must ensure
that the CRLs are stored in a remote LDAP database, and in ASN.1 DER
format (Abstract Syntax Notation.1 Distinguished Encoding Rules).
To verify a certificate
Use this command to verify a certificate:
openssl verify -CAfile bigmirror-ca.crt www.test.net.crt
To view a CRL
Use this command to view a CRL:
openssl crl -in bigmirror-ca.crl -text -noout
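The revoke, verify, view-CRL and PKCS12 steps above are easier to trust once you have run them end to end against a throwaway CA. The script below is an added example, not part of the BIG-IP manual or any F5 tool: it builds a scratch CA with openssl, issues auser1.crt, exports the PKCS12 bundle, revokes the certificate, publishes the CRL in both PEM and DER (the encoding the CRLDP note requires) and shows that only a verify that consults the CRL rejects the revoked certificate. File names (bigmirror-ca.*, auser1.*) follow the manual; the contents of bigmirror-ca.config, the subject names and the PKCS12 password are assumptions, and keys are generated with openssl req because the gencert utility only exists on the BIG-IP system.

```shell
#!/bin/sh
# Added example (not from the BIG-IP manual): exercise the manual's openssl
# CA commands against a throwaway CA in a scratch directory.
# Assumptions: the bigmirror-ca.config contents below (the manual does not
# show that file), the subject names, and the demo PKCS12 password.
set -eu

# Write a minimal openssl "ca" configuration into the current directory.
write_ca_config() {
    cat > bigmirror-ca.config <<'EOF'
[ ca ]
default_ca = bigmirror_ca

[ bigmirror_ca ]
dir              = .
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/bigmirror-ca.crt
private_key      = $dir/bigmirror-ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_cert

[ policy_any ]
commonName = supplied

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder
EOF
}

# Build the CA, issue and revoke auser1, publish a DER CRL, and print
# "<verify before revoke> <verify after revoke> <revoked entries in CRL>".
ca_lifecycle_demo() {
    workdir=$1
    mkdir -p "$workdir/newcerts"
    cd "$workdir"
    write_ca_config
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Self-signed test CA (constructed for the example, not a real CA).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config bigmirror-ca.config -extensions v3_ca \
        -subj "/O=Example/CN=bigmirror-ca" \
        -keyout bigmirror-ca.key -out bigmirror-ca.crt 2>/dev/null

    # Client key and CSR, signed by the CA; this is the manual's step-5 input.
    openssl req -new -newkey rsa:2048 -nodes -config bigmirror-ca.config \
        -subj "/CN=auser1" -keyout auser1.key -out auser1.csr 2>/dev/null
    openssl ca -batch -notext -config bigmirror-ca.config \
        -keyfile bigmirror-ca.key -cert bigmirror-ca.crt \
        -in auser1.csr -out auser1.crt >/dev/null 2>&1

    # Manual step 5: bundle key and certificate as PKCS12 (demo password).
    openssl pkcs12 -export -in auser1.crt -inkey auser1.key \
        -out auser1.p12 -name "auser1 pkcs12" -passout pass:changeit

    # Verify against the CA only: succeeds, because no CRL is consulted.
    before=$(openssl verify -CAfile bigmirror-ca.crt auser1.crt >/dev/null 2>&1 \
        && echo ok || echo fail)

    # Revoke, then publish the CRL as PEM and as DER (CRLDP wants DER).
    openssl ca -batch -config bigmirror-ca.config -keyfile bigmirror-ca.key \
        -cert bigmirror-ca.crt -revoke auser1.crt >/dev/null 2>&1
    openssl ca -batch -config bigmirror-ca.config -keyfile bigmirror-ca.key \
        -cert bigmirror-ca.crt -gencrl -out bigmirror-ca.crl >/dev/null 2>&1
    openssl crl -in bigmirror-ca.crl -outform DER -out bigmirror-ca.der.crl

    # Only a verify that checks the CRL (-crl_check, with the CRL appended to
    # the trust file) rejects the revoked certificate.
    cat bigmirror-ca.crt bigmirror-ca.crl > trust-with-crl.pem
    after=$(openssl verify -crl_check -CAfile trust-with-crl.pem auser1.crt \
        >/dev/null 2>&1 && echo ok || echo revoked)

    # Read the DER CRL back (the manual's "openssl crl -text -noout" view)
    # and count the revoked entries.
    revoked=$(openssl crl -inform DER -in bigmirror-ca.der.crl -text -noout \
        | grep -c 'Serial Number:')

    echo "$before $after $revoked"
}

# Stand-alone usage: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    ca_lifecycle_demo "$(mktemp -d)"
fi
```

The point the summary line makes is the one that matters operationally: a CA-only verify keeps accepting auser1.crt after revocation, so a virtual server that validates client certificates without a CRLDP or equivalent check never notices the revocation.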
Implementing persistence
You can configure the BIG-IP system to implement both session and
connection persistence.
Monitoring services
You can monitor RPC, SMB, and JDBC services from the BIG-IP system
prompt.
In the following example, the Oracle monitor is closed after 100 uses.
bp> monitor <monitor_key> '{ count "100" }'
Once a pool member or node that was previously down becomes available,
you can then manually set the pool member or node to an up state, using the
pool or node command.
Implementing iRules
The iRules feature is powerful and flexible, and it significantly enhances
your ability to customize the BIG-IP system. An iRule can reference any
object, regardless of the partition in which the referenced object resides. For
example, an iRule that resides in partition_a can contain a pool statement
that specifies a pool residing in partition_b. For more information about
iRules, see http://devcentral.f5.com.
To implement an iRule
Write a script using the industry-standard Tools Command Language (Tcl)
and the commands that the BIG-IP system provides as Tcl extensions.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the
name of the Tcl script and the script itself as arguments for the
command.
3. Assign the iRule to a virtual server, using the virtual command in
one of the following ways:
To associate multiple iRules with a virtual server, use this
syntax:
bp> virtual <virtual_server_name> rule <iRule1_name> \
<iRule2_name> ...
Important: In this case, the iRule becomes the only iRule that is
associated with each virtual server in the current Write partition.
Because this command overwrites all previous iRule
assignments, F5 does not recommend use of this command.
Appendix A
bigpipe Command Reference
From the bigpipe shell prompt, use the command name followed by
help. Do not use underscores between the words in the command name.
For example:
auth crldp help
Basic definitions
The following are basic definitions that apply to bigpipe commands.
<if name>
<ip addr>
<ip mask>
<mac addr>
<member>
<name>
<network ip> ::= (<ip addr> [mask <ip mask> | (prefixlen | /) <number>] | default [inet | inet6])
<number>
<protocol>
<service>
<string>
arp
Manages static and dynamic Address Resolution Protocol (ARP) entries in
the routing table. Provides the ability to add static ARP entries to the route
table. Also provides the ability to display and delete static and dynamic
route mappings between IP addresses and MAC addresses, or a list of IP
addresses.
Syntax
Use this command to create, modify, display, or delete entries in the
ARP cache.
Create/Modify
arp <arp key list> {}
arp (<arp key list> | all) [{] <arp arg list> [}]
<arp key> ::=
<ip addr>
(dynamic | static)
<arp arg> ::=
(<mac addr> | none)
arp edit
Display
arp (<arp key list> | all) list [all]
arp (<arp key list> | all) [show [all]]
arp (<arp key list> | all) ip addr [show]
arp (<arp key list> | all) mac addr [show]
arp (<arp key list> | all) type [show]
Delete
arp (<arp key list> | all) delete
Description
You can use the arp command to create static ARP entries for IPv4
addresses to link-layer addresses, such as ethernet MAC addresses. In
addition to creating static ARP entries, you can view and delete static and
dynamic ARP entries. You can also use the db command to configure how
the system handles ARP entries for dynamic timeout, maximum dynamic
entries, add reciprocal, and maximum retries. For more information, see db,
on page A-57, or the db command online man page.
Examples
Creates an ARP mapping of the IP address 10.10.10.20 to the MAC address
00:0b:09:88:00:9a:
arp 10.10.10.20 00:0b:09:88:00:9a
Options
You can use these options with the arp command:
arp edit
Displays in a text editor the running configuration of all objects created
using the command arp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
dynamic
Specifies that the IP address for which you want to create an ARP entry
is dynamic. A dynamic IP address is a temporary IP address.
ip addr
Specifies the IP address, for which you want to create an ARP entry, in
one of four formats:
ip addr list
Specifies a list of IP addresses separated by a single space. For example,
this list contains three IP addresses: 10.10.10.20 10.10.10.21
10.10.10.22.
mac addr
Specifies a 6-byte ethernet address in case-insensitive hexadecimal colon notation, for example, 00:0b:09:88:00:9a. You must specify a MAC address when you create an ARP entry.
static
Specifies that the IP address for which you want to create an ARP entry
is static and does not change.
See also
db(1), ndp(1), bigpipe(1)
auth crldp
Configures a Certificate Revocation List Distribution Point (CRLDP)
configuration object for implementing CRLDP to manage certificate
revocation.
Syntax
Use this command to create, modify, display, or delete a CRLDP
configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and
you are assigned access to all partitions, then before you create an object in
a specific partition, you must use the bigpipe shell command to set your
Write partition to the partition in which you want to create the object. For
more information, see the Configuring Administrative Partitions and
Managing User Accounts chapters in the BIG-IP Network and System
Management Guide.
auth crldp <auth crldp key list> {}
auth crldp (<auth crldp key list> | all) [{] <auth crldp arg list> [}]
<auth crldp key> ::=
<name>
<auth crldp arg> ::=
conn timeout (<number> | immediate | indefinite)
servers (<crldp server key list> | none) [add |delete]
update interval <number>
use issuer (enable | disable)
auth crldp edit
Display
auth crldp [<auth crldp key list> | all] [show [all]]
auth crldp [<auth crldp key list> | all] list [all]
auth crldp [<auth crldp key list> | all] conn timeout [show]
auth crldp [<auth crldp key list> | all] name [show]
auth crldp [<auth crldp key list> | all] partition [show]
auth crldp [<auth crldp key list> | all] servers [show]
auth crldp [<auth crldp key list> | all] update interval [show]
auth crldp [<auth crldp key list> | all] use issuer [show]
Delete
auth crldp (<auth crldp key list> | all) delete
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command) and assigning
CRLDP servers to the object, creating a CRLDP profile (using the profile
auth command) and assigning the CRLDP configuration object to the
profile, and assigning the CRLDP profile to a virtual server.
Examples
Creates a configuration object named my_auth_crldp:
auth crldp my_auth_crldp {}
Options
You can use these options with the auth crldp command:
conn timeout
Specifies the number of seconds before the connection to the CRLDP server times out. The default is 15 seconds.
servers
Specifies the CRLDP server that you want to either assign to or remove
from the CRLDP configuration object.
update interval
Specifies an update interval for CRL distribution points. The update
interval for distribution points ensures that CRL status is checked at
regular intervals, regardless of the CRL timeout value. This helps to
prevent CRL information from becoming outdated before the BIG-IP
system checks the status of a certificate. The default is zero, which
indicates an internal default value is active.
use issuer
Indicates whether the CRL distribution point should be extracted from
the certificate of the client certificate issuer. The default is disable.
See also
profile auth(1), bigpipe(1)
auth ldap
Configures an LDAP configuration object for implementing remote
LDAP-based client authentication.
Syntax
Use this command to create, modify, display, or delete an LDAP
configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
auth ldap <auth ldap key list> {}
auth ldap (<auth ldap key list> | all) [{] <auth ldap arg list> [}]
<auth ldap key list> ::=
<name>
<auth ldap arg> ::=
bind dn (<string> | none)
bind pw (<string> | none)
bind timeout <number>
check host attr (enable | disable)
debug (enable | disable)
filter (<string> | none)
group dn (<string> | none)
group member attr (<string> | none)
idle timeout <number>
ignore authinfo unavail (enable | disable)
login attr (<string> | none)
scope (base | one | sub)
search base dn (<string> | none)
search timeout <number>
servers (<string list> | none) [add | delete]
service (<service> | none)
ssl (enable | disable)
ssl ca cert file (<string> | none)
ssl check peer (enable | disable)
Display
auth ldap [<auth ldap key list> | all] [show [all]]
auth ldap [<auth ldap key list> | all] list [all]
auth ldap [<auth ldap key list> | all] bind dn [show]
auth ldap [<auth ldap key list> | all] bind pw [show]
auth ldap [<auth ldap key list> | all] bind timeout [show]
auth ldap [<auth ldap key list> | all] check host attr [show]
auth ldap [<auth ldap key list> | all] debug [show]
auth ldap [<auth ldap key list> | all] filter [show]
auth ldap [<auth ldap key list> | all] group dn [show]
auth ldap [<auth ldap key list> | all] group member attr [show]
auth ldap [<auth ldap key list> | all] idle timeout [show]
auth ldap [<auth ldap key list> | all] ignore authinfo unavail [show]
auth ldap [<auth ldap key list> | all] login attr [show]
auth ldap [<auth ldap key list> | all] name [show]
auth ldap [<auth ldap key list> | all] partition [show]
auth ldap [<auth ldap key list> | all] scope [show]
auth ldap [<auth ldap key list> | all] search base dn [show]
auth ldap [<auth ldap key list> | all] search timeout [show]
auth ldap [<auth ldap key list> | all] servers [show]
auth ldap [<auth ldap key list> | all] service [show]
auth ldap [<auth ldap key list> | all] ssl [show]
auth ldap [<auth ldap key list> | all] ssl ca cert file [show]
auth ldap [<auth ldap key list> | all] ssl check peer [show]
auth ldap [<auth ldap key list> | all] ssl ciphers [show]
auth ldap [<auth ldap key list> | all] ssl client cert [show]
auth ldap [<auth ldap key list> | all] ssl client key [show]
auth ldap [<auth ldap key list> | all] user template [show]
auth ldap [<auth ldap key list> | all] version [show]
auth ldap [<auth ldap key list> | all] warnings [show]
Delete
auth ldap (<auth ldap key list> | all) delete
Description
LDAP authentication is a mechanism for authenticating or authorizing client
connections passing through the system. LDAP authentication is useful
when your authentication or authorization data is stored on a remote LDAP
server or a Microsoft Windows Active Directory server, and you want the
client credentials to be based on basic HTTP authentication (that is, user
name and password). You configure an LDAP authentication module by
creating an LDAP configuration object, creating an LDAP profile, and
assigning the profile and a default iRule to the virtual server.
Examples
Creates a configuration object named my_auth_ldap:
auth ldap my_auth_ldap
Options
You can use these options with the auth ldap command:
auth ldap edit
Displays in a text editor the running configuration of all objects created
using the command auth ldap. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
bind dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. This search account is a read-only account used to
do searches. The admin account can be used as the search account. If no
admin DN is specified, then no bind is attempted. This setting is only
required when a site does not allow anonymous searches. If the remote
server is a Microsoft Windows Active Directory server, the distinguished
name must be in the form of an email address. Possible values are a
user-specified string, and none.
bind pw
Specifies the password for the search account created on the LDAP
server. This setting is required if you use a bind DN. Possible values are
a user-specified string, and none.
bind timeout
Specifies a bind timeout limit, in seconds. The default is 30 seconds.
check host attr
Confirms the password for the bind distinguished name. This setting is
optional. The default is disable.
debug
Enables or disables syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default is disable.
filter
Specifies a filter. This setting is used for authorizing client traffic.
Possible values are a user-specified string, and none.
group dn
Specifies the group distinguished name. This setting is used for
authorizing client traffic. Possible values are a user-specified string, and
none.
group member attr
Specifies a group member attribute. This setting is used for authorizing
client traffic. Possible values are a user-specified string, and none.
idle timeout
Specifies the idle timeout, in seconds, for connections. The default is
3600 seconds.
ignore authinfo unavail
Ignores the authentication information if it is not available. The default is
disable.
login attr
Specifies a logon attribute. Normally, the value for this setting is uid;
however, if the server is a Microsoft Windows Active Directory server,
the value must be the account name SAMACCOUNTNAME (not
case-sensitive). Possible values are a user-specified string, and none.
scope
Specifies the scope. Possible values are: base, one, and sub. The default
is sub.
search base dn
Specifies the search base distinguished name. You must specify a search
base distinguished name when you create an LDAP configuration object.
search timeout
Specifies the search timeout, in seconds. The default is 30 seconds.
servers
Specifies the LDAP servers that the system must use to obtain
authentication information. You must specify a server when you create
an LDAP configuration object.
service
Specifies the port number for the LDAP service. Port 389 is typically
used for non-SSL and port 636 is used for an SSL-enabled LDAP
service.
ssl
Enables or disables SSL (LDAP over SSL) for the connection to the LDAP server. The default is disable. Note that when you use the command line interface to enable SSL for an LDAP service, the system does not change the service port number from 389 to 636, as is required. To change the port number from the command line, use the service option of this command (see above), for example, auth ldap <name> ssl enable service 636. Enabling SSL encrypts the connection but does not by itself verify the LDAP server's identity; for that, also set ssl ca cert file and enable ssl check peer.
ssl ca cert file
Specifies the name of an SSL CA certificate. Possible values are: none
and specify full path.
ssl check peer
Enables or disables verification of the LDAP server's SSL certificate (the peer) against the CA certificate specified in ssl ca cert file. The default is disable, in which case the server certificate is not validated and the system cannot detect a host impersonating the LDAP server.
ssl ciphers
Specifies SSL ciphers. Possible values are a user-specified string, and
none.
ssl client cert
Specifies the name of an SSL client certificate. Possible values are a
user-specified string, and none.
ssl client key
Specifies the name of an SSL client key. Possible values are a
user-specified string, and none.
version
Specifies the version number of the LDAP application. The default value
is 3.
warnings
Enables or disables warning messages. The default is enable.
See also
profile auth(1), bigpipe(1)
auth radius
Configures a RADIUS configuration object for implementing remote
RADIUS-based client authentication.
Syntax
Use this command to create, modify, display, or delete a RADIUS
authentication configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
auth radius <auth radius key list> {}
auth radius (<auth radius key list> | all) [{] <auth radius arg list> [}]
<auth radius key> ::=
<name>
<auth radius arg> ::=
accounting bug (enable | disable)
client (<string> | none)
debug (enable | disable)
retries <number>
servers (<radius server key list> | none) [add | delete]
auth radius edit
Display
auth radius [<auth radius key list> | all] [show [all]]
auth radius [<auth radius key list> | all] list [all]
auth radius [<auth radius key list> | all] accounting bug [show]
auth radius [<auth radius key list> | all] client [show]
auth radius [<auth radius key list> | all] debug [show]
auth radius [<auth radius key list> | all] name [show]
auth radius [<auth radius key list> | all] partition [show]
auth radius [<auth radius key list> | all] retries [show]
auth radius [<auth radius key list> | all] servers [show]
Delete
auth radius (<auth radius key list> | all) delete
Description
By creating a RADIUS configuration object, a RADIUS profile, and one or
more RADIUS server objects, you can implement the RADIUS
authentication module as the mechanism for authenticating client
connections passing through the traffic management system. You use this
module when your authentication data is stored on a remote RADIUS
server. In this case, client credentials are based on basic HTTP
authentication (that is, user name and password). You can use this
configuration object in conjunction with a RADIUS profile and a RADIUS
server object.
To use these commands, you must first create a RADIUS server object using
the radius command.
Examples
Creates a RADIUS configuration object named my_auth_radius:
auth radius my_auth_radius {}
Options
You can use these options with the command auth radius:
accounting bug
Enables or disables validation of the accounting response vector. This
option should be necessary only on older servers. The default is disable.
auth radius edit
Displays in a text editor the running configuration of all objects created
using the command auth radius. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
client
Sends the specified string as the NAS-Identifier RADIUS attribute. If you do not specify a value for the client ID setting, the system uses the pluggable authentication module (PAM) service type instead. You can disable this feature by specifying a blank client ID. Possible values are a user-specified string and none.
debug
Enables or disables syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default is disable.
retries
Specifies the number of authentication retries that the BIG-IP local
traffic management system allows before authentication fails. The
default value is 3.
servers
Lists the IP addresses of the RADIUS servers that the BIG-IP local
traffic management system uses to obtain authentication data. Note that
for each server listed, you must create a corresponding RADIUS server
object. A RADIUS server object specifies the server name, port number,
RADIUS secret, and timeout value. Possible values are a user-specified
list of IP addresses and none.
See also
profile auth(1), radius(1), bigpipe(1)
auth ssl cc ldap
Syntax
Use this command to create, modify, display, or delete an SSL
certificate-based LDAP configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
auth ssl cc ldap <auth ssl cc ldap key list> {}
auth ssl cc ldap (<auth ssl cc ldap key list> | all) [{] <auth ssl cc ldap arg list> [}]
<auth ssl cc ldap key> ::=
<name>
<auth ssl cc ldap arg> ::=
admin dn (<string> | none)
admin pw (<string> | none)
cache size <number>
cache timeout (<number> | immediate | indefinite)
certmap base (<string> | none)
certmap key (<string> | none)
certmap use serial (enable | disable)
group base (<string> | none)
group key (<string> | none)
group member key (<string> | none)
role key (<string> | none)
search (user | certmap | cert)
secure (enable | disable)
servers (<string list> | none) [add | delete]
user base (<string> | none)
user class (<string> | none)
user key (<string> | none)
Display
auth ssl cc ldap [<auth ssl cc ldap key list> | all] [show [all]]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] list [all]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin dn [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin pw [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache size [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache timeout [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap use serial [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group member key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] name [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] partition [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] role key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] search [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] secure [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] servers [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user class [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid groups [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid roles [show]
Delete
auth ssl cc ldap (<auth ssl cc ldap key list> | all) delete
Description
You can use the auth ssl cc ldap command to configure SSL client
certificate-based remote LDAP authorization for client traffic passing
through the traffic management system.
Options
You can use these options with the auth ssl cc ldap command:
admin dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. This search account is a read-only account used to
do searches. The admin account can also be used as the search account. If
no admin DN is specified, then no bind is attempted. This parameter is
required only when an LDAP database does not allow anonymous
searches. Possible values are a user-specified string, and none.
admin pw
Specifies the password for the admin account. See the admin dn option
above. Possible values are a user-specified string, and none.
certmap base
Specifies the search base for the subtree used by the certmap search
method. A typical search base is: ou=people,dc=company,dc=com.
Possible values are a user-specified string, and none.
certmap key
Specifies the name of the certificate map found in the LDAP database.
Used by the certmap search method. Possible values are a user-specified
string, and none.
group base
Specifies the search base for the subtree used by group searches. This
parameter is only used when specifying the valid groups option. The
typical search base is similar to: ou=groups,dc=company,dc=com.
Possible values are a user-specified string, and none.
group key
Specifies the name of the attribute in the LDAP database that specifies
the group name in the group subtree. An example of a typical key is cn
(common name for the group). Possible values are a user-specified
string, and none.
role key
Specifies the name of the attribute in the LDAP database that specifies a
user's authorization roles. This key is used only with the valid roles
option. A typical role key might be authorizationRole. Possible values
are a user-specified string, and none.
search
Specifies the type of LDAP search that is performed based on the client's
certificate. Possible values are:
user: Searches for a user by the common name (CN) found in the
certificate's subject.
cert: Searches for an entry that holds the exact certificate.
certmap: Searches for a user through a certificate map, matching the
certificate issuer and serial number, or the certificate itself.
The default is user.
secure
Enables or disables the use of secure LDAP (LDAP over SSL) for the
connection to the LDAP servers. The alternative is clear-text LDAP, in
which the admin dn bind password and every search result are visible to
anyone on the path between the BIG-IP system and the LDAP server.
Enable secure LDAP unless that path is trusted. The default is disable.
servers
Specifies a list of LDAP servers you want to search. Possible values are a
user-specified list of servers, and none. You must specify a server when
you create an SSL client certificate configuration object.
user base
Specifies the search base for the subtree used by the user and cert search
methods. A typical search base is: ou=people,dc=company,dc=com.
Possible values are a user-specified string, and none. You must specify a
user base when you create an SSL client certificate configuration object.
user class
Specifies the object class in the LDAP database to which the user must
belong in order to be authenticated.
user key
Specifies the key that denotes a user ID in the LDAP database (for
example, the common key for the user setting is uid). Possible values are
a user-specified string, and none. You must always specify a user key
when you create an SSL client certificate configuration object.
valid groups
Specifies a space-delimited list specifying the names of groups that the
client must belong to in order to be authorized (matches against the group
key in the group subtree). The client needs to be a member of only one of
the groups in the list. Possible values are a user-specified string, or none.
valid roles
Specifies a space-delimited list specifying the valid roles that clients
must have in order to be authorized. Possible values are a user-specified
string, and none.
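The user, cert, and certmap search methods above all turn fields taken from an untrusted client certificate into an LDAP search filter. As an added example (not code from this guide or from the BIG-IP product), the following Python shows the three filter shapes and the RFC 4515 escaping that must be applied before certificate values are interpolated; without it, a subject such as CN=*)(uid=admin rewrites the filter instead of being matched as data. The exact filter forms, the object class names, and the certificate fields used below are assumptions for illustration; this guide does not document the filters the BIG-IP system itself issues.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Characters that are special in filter syntax are replaced by \XX hex.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a string so it is matched literally inside a filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def subject_cn(subject_dn: str) -> str:
    """Pull the CN out of an RFC 4514 DN string such as 'CN=alice,OU=eng,O=Example'.
    Commas preceded by a backslash are part of a value, not RDN separators."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, _, val = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return val.strip()
    raise ValueError("no CN in subject")


def build_filter(search, cert, user_key="uid", user_class="person",
                 certmap_key="certmap"):
    """Return an LDAP filter for the guide's 'user', 'cert' and 'certmap'
    search methods. `cert` is a dict with 'subject' and 'issuer' (DN strings),
    'serial' (int) and 'der' (bytes). The filter shapes are assumed, not F5's."""
    if search == "user":
        # user: look the user up by the CN in the certificate subject
        cn = ldap_escape(subject_cn(cert["subject"]))
        return f"(&(objectClass={user_class})({user_key}={cn}))"
    if search == "cert":
        # cert: match the exact certificate; binary values use the \XX form
        der_hex = "".join(f"\\{b:02x}" for b in cert["der"])
        return f"(&(objectClass={user_class})(userCertificate={der_hex}))"
    if search == "certmap":
        # certmap: match the map entry by issuer DN and serial number
        issuer = ldap_escape(cert["issuer"])
        return (f"(&(objectClass={certmap_key})(issuerDN={issuer})"
                f"(serialNumber={cert['serial']}))")
    raise ValueError(f"unknown search mode {search!r}")


if __name__ == "__main__":
    # Constructed sample: a certificate whose subject carries a filter injection.
    hostile = {"subject": "CN=*)(uid=admin,O=Evil",
               "issuer": "CN=Example CA,O=Example",
               "serial": 4660, "der": b"\x30\x82"}
    for mode in ("user", "cert", "certmap"):
        print(mode, build_filter(mode, hostile))
```

The escaped CN stays inside its own assertion, so the search can only ever return the entry whose uid literally equals the hostile string, which is the behaviour the search method promises. The same rule applies to the certmap base and user base values if they are ever built from external input.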
See also
profile auth(1), bigpipe(1)
auth ssl ocsp
Syntax
Use this command to create, display, modify, or delete an OCSP
configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
auth ssl ocsp <auth ssl ocsp key list> {}
auth ssl ocsp (<auth ssl ocsp key list> | all) [{] <auth ssl ocsp arg list> [}]
<auth ssl ocsp key> ::=
<name>
<auth ssl ocsp arg> ::=
responders (<ocsp responder key list> | none) [add | delete]
auth ssl ocsp edit
Display
auth ssl ocsp [<auth ssl ocsp key list> | all] [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] list [all]
auth ssl ocsp [<auth ssl ocsp key list> | all] name [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] partition [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] responders [show]
Delete
auth ssl ocsp (<auth ssl ocsp key list> | all) delete
Description
Online Certificate Status Protocol (OCSP) is an industry-standard protocol
that offers an alternative to a certificate revocation list (CRL) when using
public-key technology. A CRL is a list of revoked client certificates, which
a server system can check during the process of verifying a client certificate.
With OCSP, the system instead asks an OCSP responder for the current
status of the one certificate being verified, rather than fetching and
searching the whole CRL.
To use these commands, you must first create an OCSP responder object
using the ocsp responder command.
Options
You can use the following options with the auth ssl ocsp command:
partition
Displays the partition within which the auth ssl ocsp object resides.
responders
Specifies a list of OCSP responders that you configured using the ocsp
responder command.
See also
profile auth(1), ocsp responder(1), bigpipe(1)
auth tacacs
Configure a TACACS+ configuration object for implementing remote
TACACS+-based client authentication.
Syntax
Use this command to create, modify, display, or delete a TACACS+
configuration object.
Create/ Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
auth tacacs <auth tacacs key list> {}
auth tacacs (<auth tacacs key list> | all) [{] <auth tacacs arg list> [}]
<auth tacacs key> ::=
<name>
<auth tacacs arg> ::=
acct all (enable | disable)
debug (enable | disable)
encrypt (enable | disable)
first hit (enable | disable)
protocol (<string> | none)
secret (<string> | none)
servers (<string list> | none) [add | delete]
service (<string> | none)
auth tacacs edit
Display
auth tacacs [<auth tacacs key list> | all] [show [all]]
auth tacacs [<auth tacacs key list> | all] list [all]
auth tacacs [<auth tacacs key list> | all] acct all [show]
auth tacacs [<auth tacacs key list> | all] debug [show]
auth tacacs [<auth tacacs key list> | all] encrypt [show]
auth tacacs [<auth tacacs key list> | all] first hit [show]
auth tacacs [<auth tacacs key list> | all] name [show]
auth tacacs [<auth tacacs key list> | all] partition [show]
Delete
auth tacacs (<name list> | all) delete
Description
Using a TACACS+ configuration object and profile, you can implement the
TACACS+ authentication module as the mechanism for authenticating
client connections passing through the BIG-IP local traffic management
system. You use this module when your authentication data is stored on a
remote TACACS+ server. In this case, client credentials are based on basic
HTTP authentication (that is, user name and password). You configure a
TACACS+ authentication module by creating a TACACS+ configuration
object, creating a TACACS+ profile, and assigning the profile to a virtual
server.
Examples
Enables encryption of TACACS+ packets for the configuration object named
myauth1:
auth tacacs myauth1 encrypt enable
Provides the ability to send accounting start and stop packets to all servers:
auth tacacs myauth2 myauth3 acct all enable
Options
You can use these options with the auth tacacs command:
acct all
If multiple TACACS+ servers are defined and pluggable authentication
module (PAM) session accounting is enabled, sends accounting start and
stop packets to the first available server or to all servers. Possible values
are:
enable: Sends to all servers.
disable: Sends to the first available server.
The default is disable.
auth tacacs edit
Displays in a text editor the running configuration of all objects created
using the command auth tacacs. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
debug
Enables syslog-ng debugging information at LOG_DEBUG level. Not
recommended for normal use. The default is disable.
encrypt
Enables or disables encryption of TACACS+ packets. Recommended for
normal use. The default is enable.
first hit
Enables or disables first-hit behavior. When enabled, the system sends an
authentication request only to the first server in the servers list, rather
than trying each server in turn until one responds. The default is
disable.
partition
Displays the partition within which the auth tacacs object resides.
protocol
Specifies the protocol associated with the value specified in the service
option, which is a subset of the associated service being used for client
authorization or system accounting.
secret
Sets the secret key used to encrypt and decrypt packets sent or received
from the server. This setting is required. Possible values are a
user-specified string and none.
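The encrypt and secret options together decide what a TACACS+ packet body looks like between the BIG-IP system and the server. As an added example (not code from this guide or from the BIG-IP product), the following Python implements the body obfuscation the protocol defines (RFC 8907 section 4.5: an MD5 chain keyed by the shared secret, session ID, version and sequence number, XORed over the body) and shows what encrypt disable and a wrong secret each produce. The session ID, secret and body bytes are constructed for the example. Note that this is obfuscation, not authenticated encryption: it carries no integrity check, and a captured packet allows offline guessing of a weak secret, which is why the secret should be long, random, and unique per server.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set on the wire when 'encrypt disable' is in effect


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, secret: bytes, seq_no: int,
                   encrypt: bool = True, version: int = TAC_PLUS_VERSION) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse.
    With encrypt=False the body is returned as-is, which is exactly what travels
    on the wire when the TACACS+ object has 'encrypt disable'."""
    if not encrypt:
        return body
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, secret: bytes, seq_no: int = 1,
                 encrypt: bool = True, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-byte TACACS+ header (never obfuscated) followed by the body."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = transform_body(body, session_id, secret, seq_no, encrypt)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(wire_body))
    return header + wire_body


def parse_packet(packet: bytes, secret: bytes) -> bytes:
    """Recover the body. Session ID and flags are read from the clear header,
    so a passive observer sees immediately whether the body is obfuscated."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    wire_body = packet[12:12 + length]
    encrypt = not (flags & TAC_PLUS_UNENCRYPTED_FLAG)
    return transform_body(wire_body, session_id, secret, seq_no, encrypt, version)


if __name__ == "__main__":
    # Constructed sample values; a real body would be an authentication START etc.
    secret, body, sid = b"s3cr3t-shared-key", b"constructed body bytes", 0x1234ABCD
    pkt = build_packet(body, sid, secret)
    print("obfuscated body :", pkt[12:].hex())
    print("right secret    :", parse_packet(pkt, secret))
    print("wrong secret    :", parse_packet(pkt, b"guess"))
    print("encrypt disable :", build_packet(body, sid, secret, encrypt=False)[12:])
```

Running the block shows the body unreadable with the configured secret, garbage with a wrong one, and the literal body when the unencrypted flag is set. Because the pad depends only on values an observer can read from the header plus the secret, anyone who learns the secret can decode every recorded session, so treat it like a password and never leave encrypt disabled outside a lab.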
servers
Specifies one or more host names or IP addresses of TACACS+ servers, in
the order the system tries them. This setting is required. Possible values
are a user-specified list, and none.
You must specify a server when you create a TACACS+ configuration
object.
service
Specifies the name of the service that the user is requesting to be
authenticated to use. Identifying the service enables the TACACS+
server to behave differently for different types of authentication requests.
This setting is required.
See also
profile auth(1), profile http(1), bigpipe(1), shell(1)
bigpipe shell
When typed at the BIG-IP system prompt, starts the bigpipe utility in its
shell mode, and configures the shell.
Modify
bigpipe shell
bigpipe shell [{] <shell arg list> [}]
<shell arg> ::=
partition <partition key>
prompt <string>
read partition (<partition key> | all)
write partition <partition key>
Display
bigpipe shell prompt [show]
bigpipe shell read partition [show]
bigpipe shell write partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Examples
From the BIG-IP system prompt, starts the bigpipe utility in its shell mode
and presents a prompt at which you can type bigpipe commands:
bigpipe shell
For users with access to all partitions, changes the partition to which you
have Write access to partition application1:
bigpipe shell write partition application1
For users with access to all partitions, changes the partition to which you
have Read and Write access to partition application2:
bigpipe shell partition application2
Options
You can use these options with the bigpipe shell command:
partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is only available to users with access to
all partitions.
prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
read partition
Changes the partition to which you have Read access to the partition you
specify. This option is only available to users with access to all partitions.
write partition
Changes the partition to which you have Write access to the partition you
specify. This option is only available to users with access to all partitions.
See also
partition(1), bigpipe(1)
class
Creates, modifies, displays, or deletes classes.
Syntax
Use this command to configure classes.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
class <class key list> {}
class (<class key list> | all) [{] <class arg list> [}]
<class key list> ::=
<name>
<class arg list> ::=
filename (<file name> | none)
mode (read | rw)
type (ip | string | value)
(<IP class item list> | none) [add | delete]
(<number list> | none) [add | delete]
(<string list> | none) [add | delete]
<IP class item> ::=
host <ip addr> | network <ip addr>
class edit
Display
class [<class key list> | all] [show [all]]
class [<class key list> | all] list [all]
class [<class key list> | all] filename [show]
class [<class key list> | all] ip [show]
class [<class key list> | all] mode [show]
class [<class key list> | all] name [show]
class [<class key list> | all] partition [show]
class [<class key list> | all] string [show]
class [<class key list> | all] type [show]
class [<class key list> | all] value [show]
Delete
class [<class key list> | all] delete
Description
Classes are lists of data that you define and use with iRules operators. The
system includes a number of predefined lists that you can use. They are:
AOL Network
Image Extensions
Private class IP addresses
The above lists are located in the file /config/profile_base.conf. The load
command loads these lists; however, unless the lists are modified, the load
command does not save the lists to the bigip.conf file.
Classes are either internal or external. Internal classes are stored in the
bigip.conf file. External classes are stored in external files that you define.
Note that external classes can be very large, which is one reason why these
classes are saved to external files. For example, a phone company may store
a list of thousands of phone numbers in an external class.
Internal classes can be one of three types of lists, an ip class item list, a
string list, or a number list. Strings must be surrounded by quotation
marks. Numbers can be either positive or negative.
External classes are lists that specify:
A file name where the list is saved
The type, indicated by a list of ip addresses, strings, or values
A permission mode that defines access to the class as either read or rw
(Read/Write)
You can update the external class file by issuing the list or save commands.
Note
When you use the bigpipe class command at the BIG-IP system prompt, you
must escape the quotation marks around strings in the syntax (for example,
\"string\"), so that the operating system shell passes them through to
bigpipe instead of consuming them.
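The note above is easy to get wrong when class commands are generated by a script. As an added example (not code from this guide or from the BIG-IP product), the following Python builds a class command line whose strings survive the operating system shell, and checks the result by tokenizing it the way a POSIX shell would. The command shape class <name> "<string>" ... add and the rule that strings may not themselves contain a double quote are assumptions for the example.

```python
import shlex


def bigpipe_string_args(values):
    """Quote each string so that, after the OS shell tokenizes the line, bigpipe
    still receives it wrapped in double quotes. Single-quoting with shlex.quote
    is safer than backslashes because nothing inside single quotes is special."""
    out = []
    for v in values:
        if '"' in v or "\x00" in v:
            # assumption: bigpipe has no escape for a quote inside a string
            raise ValueError(f"unsupported character in class string: {v!r}")
        out.append(shlex.quote(f'"{v}"'))
    return out


def class_add_command(name, values):
    """Assumed shape: class <name> "<s1>" "<s2>" ... add"""
    return " ".join(["class", name] + bigpipe_string_args(values) + ["add"])


def as_seen_by_bigpipe(command_line):
    """Tokenize like a POSIX shell, i.e. what bigpipe's argv would contain."""
    return shlex.split(command_line)


if __name__ == "__main__":
    # Constructed sample: the quotes are lost without escaping ...
    print(as_seen_by_bigpipe('class MyStrings "foo bar" add'))
    # ... and kept when the line is built with the helper
    cmd = class_add_command("MyStrings", ["foo bar", "$HOME", "a;b"])
    print(cmd)
    print(as_seen_by_bigpipe(cmd))
```

The single-quoted form also neutralizes shell metacharacters such as $ and ; in the class data, which matters when the strings come from an external list rather than from the keyboard.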
Examples
Creates an internal class named MyNewClass that contains a single IP
address:
class MyNewClass host 10.0.0.0
Displays the file name where the class list information is stored:
class MyExternalClass filename show
Options
You can use these options with the class command:
class edit
Displays in a text editor the running configuration of all objects created
using the command class. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
filename
Specifies the path and file name that contains the list of data defined by
the external class.
name
Specifies a unique string identifying the class.
partition
Displays the partition within which the internal or external class
resides.
See also
rule(1), bigpipe(1)
cli
Configures the bigpipe shell.
Syntax
Use this command to configure the bigpipe shell.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
cli [{] <cli arg list> [}]
<cli arg> ::=
audit (enable | disable | verbose | all)
hostname lookup (enable | disable)
import save <number>
ip addr (name | number)
service (name | number)
cli edit
Display
cli [show [all]]
cli list [all]
cli audit [show]
cli hostname lookup [show]
cli import save [show]
cli ip addr [show]
cli partition [show]
cli service [show]
Description
This command provides the ability to configure the bigpipe shell to meet
your specific needs.
Examples
Sets the audit level of the bigpipe shell to enable:
cli audit enable
Configures the bigpipe shell to store three backup single configuration files
(/config/backup.scf, /config/backup-1.scf, and /config/backup-2.scf), and
to display IP addresses and services by number, for example,
192.168.10.20:80:
cli import save 3 ip addr number service number
Options
You can use these options with the cli command:
audit
Specifies the global audit level of the bigpipe shell. The audited
commands are stored in /var/log/audit. The audit levels are:
disable
The bigpipe utility does not log any commands entered by users. This
is the default value.
enable
The bigpipe utility audits all commands entered by users, including
the commands that the merge command runs. This does not include
the commands that the load and import commands run.
verbose
The bigpipe utility audits all commands entered by users, including
the commands that the merge command runs. The bigpipe shell also
audits the commands that the load and import commands run, except
for those included in the system configuration files:
config_base.conf, base_monitors.conf, profile_base.conf, and
daemon.conf.
all
The bigpipe utility audits all the commands that are run from all
sources.
cli edit
Displays in a text editor the running configuration of all objects created
using the command cli. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only cli { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
hostname lookup
When enabled, specifies that the bigpipe shell accepts host names in
place of IP addresses in the syntax of bigpipe commands. The default is
disable.
import
Specifies the number of backup single configuration files that the system
stores. Each time you run the import command, the bigpipe shell saves
the single configuration file. For example, if you set the import parameter
to 3, after you run the import command for the third time, you see three
files on your system:
/config/backup.scf
/config/backup-1.scf
/config/backup-2.scf
The newest backup file is /config/backup.scf. By default, the system
saves only two backup single configuration files.
ip addr
Specifies the format with which the bigpipe shell displays an IP address.
Possible values are:
name
The bigpipe shell displays an IP address using a host name, for
example, www.myhostname.com. This is the default value.
number
The bigpipe shell displays an IP address using a numeric address, for
example, 192.168.10.20.
partition
Displays the partition within which the object resides.
service
Specifies the format in which the bigpipe shell displays a service.
Possible values are:
name
The bigpipe shell displays a service using its service name, for
example, HTTP.
number
The bigpipe shell displays a service using a numeric value, for
example, 192.168.10.20:80, where 80 indicates HTTP. This is the
default value.
See also
bigpipe(1)
config
Manages the BIG-IP system user configuration sets.
Syntax
Use this command to manage or display configuration data.
Modify
config show <file.ucs>
config [support] save <file.ucs> [passphrase [<string>]]
config install [all] <file.ucs> [passphrase [<string>]]
config sync min
config sync pull
config sync [all]
config check [all]
Display
config sync show
Description
The config command manages user configuration sets. A user configuration
set (UCS) is the set of all configuration files that a user may edit to
configure a BIG-IP system. A *.ucs file is an archive that contains all the
configuration files in a UCS.
The config command allows you to save the BIG-IP system configuration to
a *.ucs file, install the configuration from a *.ucs file, or synchronize the
configuration with the other BIG-IP system in a redundant pair.
Examples
Saves the current configuration, including /config/bigip.conf, to
<file.ucs>, overwriting that file if it already exists:
config [support] save <file.ucs> [passphrase [<string>]]
Displays the status of the configuration synchronization system and the date
and time the last configuration change was made:
config sync show
Installs a UCS file copied from another system, without its license file:
config install all <file.ucs> [passphrase [<string>]] [excludes <file.ucs>]
Note that when copying the *.ucs file, using the above command, the
system:
Checks to see whether a license file exists and if so, checks whether the
file is valid. If no license file exists or the license file is not valid, the
bigpipe utility exits.
Sets the system host name according to the host name in the UCS file.
Saves the running configuration to the location
/var/local/ucs/cs_backup.ucs.
Installs the configuration from the UCS file onto the system, excluding
the license file.
Saves the currently running configuration to /config/bigip.conf. Copies
/config/bigip.conf to the other BIG-IP system in a redundant pair, and loads
/config/bigip.conf on the other BIG-IP system:
config sync min
Creates a temporary UCS file and transfers it to the other BIG-IP system.
Installs the UCS file on the other BIG-IP system:
config sync all
Use the following command to pull the configuration from the peer device
and install it on the local device. This command saves the UCS file on the
remote peer, then transfers the UCS file to the local system, and installs it on
the local system. This command provides the ability to synchronize the
configuration from the local device without having to log on to the peer
device to push the configuration back:
config sync pull
Use the following command to configure a BIG-IP system using the UCS
file of another BIG-IP system. To do this, copy the *.ucs file from a BIG-IP
system, save it to the BIG-IP system that you want to configure, and then
run the following command on the system that you want to configure.
config install [all] file_name.ucs passphrase mypassword
Options
You can use these options with the config command:
install
Installs the specified UCS file, overwriting the existing configuration.
BIG-IP Command Line Interface Guide
save
Saves the configuration to a file that has a .ucs file extension,
optionally protecting it with a passphrase.
sync
Saves the running configuration and copies it to the other unit in the
redundant system.
Note that the configsync command allows you to set the parameters for
the task of running the configuration synchronization. For more
information, see configsync, on page A-39.
<file.ucs>
Specifies the name of a UCS file that you want to install or save.
See also
bigpipe(1), configsync(1)
configsync
Specifies the parameters for the task of synchronizing the configurations of
two BIG-IP units in a redundant system.
Syntax
Use this command to set up the environment for a configuration
synchronization of two BIG-IP units in a redundant system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
configsync [{] <configsync arg list> [}]
<configsync arg> ::=
auto detect (enable | disable)
custom peer addr (<ip addr> | none)
encrypt (enable | disable)
passphrase (crypt <string> | <string> | none)
password (crypt <string> | <string> | none)
peer update interval <number>
time diff <number>
user (<string> | none)
configsync edit
Display
configsync [show [all]]
configsync list [all]
configsync auto detect [show]
configsync custom peer addr [show]
configsync encrypt [show]
configsync partition [show]
configsync passphrase [show]
configsync password [show]
configsync peer update interval [show]
configsync time diff [show]
configsync user [show]
Description
You can use the configsync command to set up the parameters for the task
of synchronizing the configuration of two BIG-IP units in a redundant
system.
Examples
Indicates that when a user with the user name admin attempts to perform a
configuration synchronization between two BIG-IP systems, she will have
to enter the password, 15GmA*4:
configsync encrypt enable password 15GmA*4 user admin
Note that a password typed on the command line in this way is recorded
wherever commands are logged, including the bigpipe audit log when the
cli audit option is enabled, and may be retained in the shell history of
the account that ran it.
Options
You can use these options with the configsync command:
auto detect
Enables or disables the automatic detection of a difference in the
configurations of two systems in a redundant pair. The default value is
disable.
configsync edit
Displays in a text editor the running configuration of all objects created
using the command configsync. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only configsync { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
custom peer addr
Specifies the IP address of the other BIG-IP system in a redundant pair.
This is the IP address of the system to which you want to synchronize the
configuration. The default value is the value of the statemirror peer
addr field.
encrypt
Enables or disables the encryption of the configuration synchronization
action. When enabled, the system automatically requests a password
when a user attempts to synchronize the configurations of two BIG-IP
systems in a redundant pair. The default value is disable.
partition
Displays the partition within which the configsync object resides.
passphrase
When the encrypt parameter is enabled, specifies the passphrase that you
must enter during a configuration synchronization of two systems in a
redundant pair in order to decrypt any encrypted data. The system
prompts you to enter this passphrase twice. Once to create the UCS file
on one unit of a redundant system, and a second time to unpack and
install that UCS file on the peer unit.
password
Specifies the password that is required to perform the configuration
synchronization of two BIG-IP systems. By default, this value is the
password for the admin user account.
peer update interval
When auto detect is enabled, specifies how often the system monitors
the configuration of the two units in a redundant system. The default
value is 30 seconds.
time diff
Specifies the maximum number of seconds of difference there can be in
the time settings of the units in a redundant system before a configuration
synchronization occurs. The default time difference is 600 seconds.
user
Specifies the name of the user account that has the necessary permissions
to run the configsync command. You must specify an existing local user
account. The default is admin. It is important to note that if you change
this option, F5 recommends that you also change the password option.
See also
bigpipe(1), config(1)
conn
Sets idle timeout for, displays, and deletes active connections on the BIG-IP
system.
Syntax
Use this command to set the idle timeout for, display, or delete active
connections on the BIG-IP system.
Create/Modify
conn (<conn key list> | all) [{] <conn arg list> [}]
<conn key> ::=
[client (<ip addr> | <member>)] [server (<ip addr> | <member>)] \
[(any | mirror | local)] [protocol <protocol>] [age <number>]
<conn arg> ::=
idle timeout <number>
Display
conn (<conn key list> | all) [show [all]]
conn (<conn key list> | all) age [show]
conn (<conn key list> | all) client [show]
conn (<conn key list> | all) idle timeout [show]
conn (<conn key list> | all) protocol [show]
conn (<conn key list> | all) server [show]
Delete
conn (<conn key list> | all) delete
Description
The conn command displays the current connections on the BIG-IP system,
sets the idle timeout for a connection, or deletes the connection.
You can specify the <protocol> value using either a number or a name
(http, or 80).
If you do not specify a port or service, the system deletes all connections
with the client-side source that match just the IP address. If you do not
specify an IP address, the system deletes all connections including mirrored
connections.
Examples
Shows basic connection information for all connections:
conn all show
Options
You can use this option with the conn command:
<protocol>
Specifies a port or service.
See also
bigpipe(1)
crldp server
Creates a Certificate Revocation List Distribution Point (CRLDP) server
object for implementing a CRLDP authentication module.
Syntax
Use this command to create, modify, display, or delete a CRLDP server
object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
crldp server <crldp server key list> {}
crldp server (<crldp server key list> | all) [{] <crldp server arg list> [}]
<crldp server key> ::=
<name>
<crldp server arg> ::=
server (<string> | none)
service (<service> | none)
base dn (<string> | none)
reverse dn (enable | disable)
crldp server edit
Display
crldp server [<crldp server key list> | all] [show [all]]
crldp server [<crldp server key list> | all] list [all]
crldp server [<crldp server key list> | all] name [show]
crldp server [<crldp server key list> | all] partition [show]
crldp server [<crldp server key list> | all] server [show]
crldp server [<crldp server key list> | all] service [show]
crldp server [<crldp server key list> | all] base dn [show]
crldp server [<crldp server key list> | all] reverse dn [show]
Delete
crldp server (<crldp server key list> | all) delete
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command), creating a CRLDP
profile (using the profile auth command), and assigning the profile to the
virtual server.
Examples
Creates a CRLDP server named my_crldp_server:
crldp server my_crldp_server {}
Options
You can use these options with the crldp server command:
base dn
Specifies the LDAP base directory name for certificates that specify the
CRL distribution point in directory name (dirName) format. Used when
the value of the X509v3 attribute crlDistributionPoints is of type
dirName. In this case, the BIG-IP system attempts to match the value of
the crlDistributionPoints attribute to the base dn value. An example of
a base dn value is cn=lxxx,dc=f5,dc=com.
crldp server edit
Displays in a text editor the running configuration of all objects created
using the command crldp server. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition within which the crldp server object resides.
reverse dn
Specifies in which order the system is to attempt to match the Base DN
value to the value of the X509v3 attribute crlDistributionPoints. When
enabled, the system matches the base DN from left to right, or from the
See also
auth crldp(1), profile auth(1), bigpipe(1)
daemon
Tunes the high availability functionality that is built into daemons.
Syntax
Use this command to modify or display daemons.
Modify
daemon <daemon key list> {}
daemon (<daemon key list> | all) [{] <daemon arg list> [}]
<daemon key> ::=
<name>
<daemon arg> ::=
(enable | disable)
heartbeat monitor (enable | disable)
heartbeat monitor (reboot | restart | failover |
failover restart | \
Display
daemon [<daemon key list> | all] [show [all]]
daemon [<daemon key list> | all] list [all]
daemon [<daemon key list> | all] heartbeat monitor [show]
daemon [<daemon key list> | all] heartbeat monitor redundant [show]
daemon [<daemon key list> | all] heartbeat monitor stand alone [show]
daemon [<daemon key list> | all] name [show]
daemon [<daemon key list> | all] proc not run action [show]
daemon [<daemon key list> | all] running [show]
daemon [<daemon key list> | all] running timeout [show]
Description
This command provides the ability to fine-tune the daemons that provide
high availability functionality.
Examples
Enables the system to fail over and reboot due to lack of a detected heartbeat
from the sod daemon:
daemon sod heartbeat monitor enable
Options
You can use these options with the daemon command:
daemon edit
Displays in a text editor the running configuration of all objects created
using the command daemon. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only daemon { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
heartbeat monitor
Enables or disables the heartbeat on the specified daemon, or performs an
action. Typically, if a daemon does not periodically connect with its
heartbeat location, it is restarted automatically. This command allows
you to disable automatic restart. The daemons that supply a heartbeat are:
tmm, mcpd, bigd, sod, and bcm56xxd. The default is enable.
Specify the action the daemon should take if no heartbeat is detected.
Possible values are reboot, restart, failover, failover restart, go active
no action, restart all, and failover restart tm. The default is restart.
heartbeat monitor redundant
Specify the action the daemon should take if no heartbeat is detected on
the redundant heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, and failover
restart tm. The default is restart.
heartbeat monitor stand alone
Specify the action the daemon should take if no heartbeat is detected on a
standalone heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, and failover
restart tm. The default is restart.
proc not run action
Specify the action the daemon should take if a configured traffic or
system management action is not run. Possible values are reboot,
restart, failover, failover restart, go active no action, restart all, and
failover restart tm. The default is failover.
running
Enables or disables actions configured for the traffic management and
system management daemons. You can use this feature to disable the
action a daemon takes during failover. For example, when you want to
stop a daemon and you do not want the unit to failover, you can issue the
running disable command for the daemon. The default is disable.
running timeout
Specify the length of time you want disabled actions to remain disabled.
The default is 10 seconds.
See also
ha table(1), bigpipe(1)
daemon bigdbd
Sets internal settings for the bigdbd daemon.
Syntax
Use this command to set the system log levels for the bigdbd daemon.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
daemon bigdbd [{] <daemon bigdbd arg list> [}]
<daemon bigdbd arg> ::=
loglevel (critical | error | warning | notice |\
informational | debug)
daemon bigdbd edit
Display
daemon bigdbd [show [all]]
daemon bigdbd list [all]
daemon bigdbd loglevel [show]
daemon bigdbd partition [show]
Description
You use this command to set the system log levels for the bigdbd daemon.
Examples
The following command sets the log level of the bigdbd daemon messages
to critical. This means that the system logs only critical messages from the
daemon:
daemon bigdbd loglevel critical
Options
You can use the following options with the command daemon bigdbd:
daemon bigdbd edit
Displays in a text editor the running configuration of all objects created
using the command daemon bigdbd. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only daemon bigdbd { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
loglevel
Specifies the lowest level of bigdbd daemon messages to include in the
system log. The default is warning.
partition
Displays the partition within which the bigdbd daemon resides.
See also
bigpipe(1), daemon(1), daemon mcpd(1), daemon tmm(1)
daemon mcpd
Sets internal settings for the mcpd daemon.
Syntax
Use this command to set the system log levels for the mcpd daemon.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
daemon mcpd [{] <daemon mcpd arg list> [}]
<daemon mcpd arg> ::=
audit (enable | disable | verbose | all)
loglevel (panic | emergency | alert | critical | error | warning | notice |\
informational | debug)
daemon mcpd edit
Display
daemon mcpd [show [all]]
daemon mcpd list [all]
daemon mcpd audit log [show]
daemon mcpd loglevel [show]
daemon mcpd partition [show]
Description
You use this command to enable auditing and to set the system log levels for
the mcpd daemon.
Examples
The following command sets the log level of the mcpd daemon to critical.
This means that the system logs critical, alert, emergency and panic
messages from the daemon.
daemon mcpd loglevel critical
Options
You can use the following options with the daemon mcpd command:
audit
Enables or disables auditing for the mcpd daemon, and specifies verbose
or all as the auditing level. The default is disable.
daemon mcpd edit
Displays in a text editor the running configuration of all objects created
using the command daemon mcpd. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only daemon mcpd { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
loglevel
Specifies the lowest level of mcpd daemon messages to include in the
system log. The default is notice.
partition
Displays the partition within which the mcpd daemon resides.
See also
bigpipe(1), daemon(1), daemon bigdbd(1), daemon tmm(1)
daemon tmm
Sets internal settings for the tmm daemon.
Syntax
Use this command to set the system log levels for the tmm daemon.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
daemon tmm [{] <daemon tmm arg list> [}]
<daemon tmm arg> ::=
arp loglevel (error | warning | notice | informational | debug)
http compression loglevel (error | warning | notice | informational | debug)
http loglevel (error | warning | notice | informational | debug)
ip loglevel (warning | notice | informational | debug)
layer4 loglevel (error | warning | notice | informational | debug)
net loglevel (critical | error | warning | notice | informational | debug)
os loglevel (emergency | alert | critical | error | warning | notice |\
informational | debug)
pva loglevel (notice | informational | debug)
rules loglevel (error | warning | notice | informational | debug)
ssl loglevel (emergency | alert | critical | error | warning | notice |\
informational | debug)
daemon tmm edit
Display
daemon tmm [show [all]]
daemon tmm list [all]
daemon tmm arp loglevel [show]
daemon tmm http compression loglevel [show]
daemon tmm http loglevel [show]
daemon tmm ip loglevel [show]
daemon tmm layer4 loglevel [show]
daemon tmm net loglevel [show]
daemon tmm os loglevel [show]
Description
You use this command to set the system log levels for the tmm daemon.
Examples
The following command sets the ARP message log level for the tmm
daemon to error. This means that the system logs only ARP error messages
from the daemon.
daemon tmm arp loglevel error
Options
You can use the following options with the daemon tmm command:
arp loglevel
Specifies the lowest level of ARP messages from the tmm daemon to
include in the system log. The default is warning.
daemon tmm edit
Displays in a text editor the running configuration of all objects created
using the command daemon tmm. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only daemon tmm { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
http loglevel
Specifies the lowest level of HTTP messages from the tmm daemon to
include in the system log. The default is error.
http compression loglevel
Specifies the lowest level of HTTP compression messages from the tmm
daemon to include in the system log. The default is error.
ip loglevel
Specifies the lowest level of IP address messages from the tmm daemon
to include in the system log. The default is warning.
layer4 loglevel
Specifies the lowest level of Layer 4 messages from the tmm daemon to
include in the system log. The default is notice.
net loglevel
Specifies the lowest level of network messages from the tmm daemon to
include in the system log. The default is warning.
os loglevel
Specifies the lowest level of operating system messages from the tmm
daemon to include in the system log. The default is notice.
partition
Displays the partition within which the tmm daemon resides.
pva loglevel
Specifies the lowest level of PVA messages from the tmm daemon to
include in the system log. The default is informational.
rules loglevel
Specifies the lowest level of iRule messages from the tmm daemon to
include in the system log. The default is warning.
ssl loglevel
Specifies the lowest level of SSL messages from the tmm daemon to
include in the system log. The default is warning.
See also
bigpipe(1), daemon(1), daemon mcpd(1), daemon bigdbd(1)
db
Displays or modifies bigdb database entries.
Syntax
Use this command to modify or display configuration database entries.
Modify
db <db key list> {}
db (<db key list> | all) [{] <db arg list> [}]
<db key> ::= <name>
<db arg> ::= <string>
db (<db key list> | all) reset
db edit
Display
db (<db key list> | all) [show [all]]
db (<db key list> | all) list [all]
db (<db key list> | all) name [show]
Description
The db command allows you to modify and retrieve the data that is stored in
the bigdb configuration database.
Important
After you change a bigdb database variable using the db command, you
must run the save all command. If you do not, the next time that you run the
load command, the value of the bigdb database variable may be reset to the
value in the stored configuration.
Examples
Resets each database entry and setting to its default:
db all reset
Sets the database entry SYN Check Activation Threshold back to its
default value:
db Connection.SynCookies.Threshold 16384
Options
Use these options with the db command:
db edit
Displays in a text editor the running configuration of all objects created
using the command db. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
name
The name of the database entry that you want to modify or display.
string
The value that you want to assign to the database entry that you are
modifying. When you are modifying a configuration database entry, this
value is required.
See also
bigpipe(1)
dns
Configures the Domain Name Service (DNS) for the BIG-IP system. Also,
displays and resets statistics for the DNS profile.
Syntax
Use this command to configure DNS for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
dns [{] <dns arg list> [}]
<dns arg> ::=
include (<string> | none)
nameservers (<ip addr list> | none) [add | delete]
search (<string list> | none) [add | delete]
dns edit
Display
dns [show [all]]
dns list [all]
dns include [show]
dns nameservers [show]
dns partition [show]
dns search [show]
Description
Use this command to manage configurations by server grouping, in this
case, DNS servers.
Examples
The following commands display the global statistics for the DNS profile:
dns
dns show
Options
Use these options with the dns command:
dns edit
Displays in a text editor the running configuration of all objects created
using the command dns. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only dns { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
nameservers
Adds a group of DNS name servers to or deletes a group of DNS name
servers from the BIG-IP system.
partition
Displays the partition within which the dns object resides.
search
Adds a list of domain names in a specific order. DNS uses that order
when searching for host names that are not fully qualified. You can also
use this option to delete domain names in the list.
See also
bigpipe(1), profile dns(1)
exit
Exits the bigpipe shell.
Syntax
Use this command to exit the bigpipe shell.
Usage
exit
Description
Use this command at the bigpipe shell prompt to exit the shell and return to
the BIG-IP system prompt.
Examples
When you are finished running commands at the bigpipe shell prompt, type
exit to exit the shell and return to the system prompt.
exit
See also
bigpipe(1)
export
Creates a single configuration file (SCF) that you can use to configure
another BIG-IP system using the import command.
Important
The export command is independent of and distinct from the save all
command. For more information on the save all command, see save, on
page A-271.
Syntax
Use this command to create a single configuration file (SCF).
Create/Modify
export [oneline] [<file name> | -]
Description
You use the export command to save the running configuration in a flat,
text file with the extension .scf.
Examples
Creates the SCF, myconfiguration.scf, which contains the running
configuration of the system:
export myconfiguration
Note
The system appends the specified file name with the extension .scf.
Creates the SCF, default.scf, which contains the running configuration of
the system:
export /shared/default
WARNING
You cannot use the export command to create an SCF file named default,
unless you explicitly include a path name to the file, as shown in the
example above.
Options
Use these options with the export command:
oneline
Specifies that each command in the file is written on one line without
line feeds, and that there is one line feed after each command. This
parameter can create very long lines of text. Note that if you do not use
this parameter, each command is written with line feeds between the
attributes and values for readability.
<file name>
Specifies the name of the SCF you are creating. The system appends this
name with the extension .scf.
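As an added example that is not part of this reference or of F5's software, the following Python script parses an SCF as written by export (in either layout) and flags settings this appendix treats as sensitive: daemon mcpd audit left at its default of disable, an httpd allow list of all (the httpd syntax appears later in this appendix), and include directives, which the dns include warning says the system does not validate. The brace-and-attribute layout of the constructed sample is modelled on the command syntax shown in this reference; the exact layout that export writes is an assumption, as are the hypothetical function names parse_scf and audit.

```python
"""Audit a bigpipe single configuration file (SCF) for security-relevant
settings.  Added example, not F5 code: the brace layout below is modelled on
the command syntax in this reference and is an assumption about what
`export` writes."""
import re
from typing import Dict, List, Tuple

# Attribute names per object, taken from the syntax blocks in this reference.
# Multi-word names must be listed so the tokenizer can split key from value,
# which is what makes the `export oneline` layout parseable.
KNOWN_KEYS = {
    "daemon mcpd": ["audit", "loglevel"],
    "daemon tmm": ["arp loglevel", "http compression loglevel", "http loglevel",
                   "ip loglevel", "layer4 loglevel", "net loglevel",
                   "os loglevel", "pva loglevel", "rules loglevel",
                   "ssl loglevel"],
    "httpd": ["allow", "authname", "authpamcachetimeout", "hostnamelookups",
              "include", "loglevel", "sslcertchainfile", "sslcertfile",
              "sslcertkeyfile", "sslciphersuite", "ssl include"],
    "dns": ["include", "nameservers", "search"],
}

# Constructed sample mixing the default layout (one attribute per line) with
# the `oneline` layout; the values are deliberately weak so every check fires.
SAMPLE_SCF = """\
daemon mcpd {
   audit disable
   loglevel notice
}
daemon tmm { ssl loglevel warning os loglevel notice }
httpd {
   allow all
   loglevel warn
   ssl include none
}
dns {
   include "options ndots:2"
   nameservers 192.0.2.53 192.0.2.54
   search example.net
}
"""

Config = Dict[str, Dict[str, List[str]]]


def parse_scf(text: str) -> Config:
    """Map each `<object> { ... }` block to {attribute: [value tokens]}."""
    config: Config = {}
    for block in re.finditer(r"([^{}]+?)\s*\{([^{}]*)\}", text):
        obj = " ".join(block.group(1).split())
        # Try longer attribute names first so "ssl include" wins over "include".
        keys = sorted(KNOWN_KEYS.get(obj, []), key=lambda k: -len(k.split()))
        tokens = block.group(2).split()
        attrs: Dict[str, List[str]] = {}
        i, current = 0, None
        while i < len(tokens):
            hit = next((k for k in keys
                        if tokens[i:i + len(k.split())] == k.split()), None)
            if hit is not None:            # start of a new attribute
                current = hit
                attrs[hit] = []
                i += len(hit.split())
            elif current is not None:      # value token for the open attribute
                attrs[current].append(tokens[i])
                i += 1
            else:                          # token before any known attribute
                i += 1
        config[obj] = attrs
    return config


def audit(config: Config) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for settings worth reviewing."""
    findings: List[Tuple[str, str]] = []
    # The reference gives `daemon mcpd audit` a default of disable, so a
    # missing object is treated the same as an explicit disable.
    if config.get("daemon mcpd", {}).get("audit", ["disable"]) == ["disable"]:
        findings.append(("daemon mcpd audit",
                         "mcpd auditing is disabled (the default)"))
    if config.get("httpd", {}).get("allow") == ["all"]:
        findings.append(("httpd allow",
                         "allow list is 'all' rather than a list of addresses"))
    # The dns include warning says includes are not validated; the same check
    # is applied here to the httpd include directives.
    for obj, key in (("dns", "include"), ("httpd", "include"),
                     ("httpd", "ssl include")):
        value = config.get(obj, {}).get(key)
        if value and value != ["none"]:
            findings.append((f"{obj} {key}",
                             "unvalidated include directive: " + " ".join(value)))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(parse_scf(SAMPLE_SCF)):
        print(f"{setting}: {finding}")
```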
See also
bigpipe(1), import(1)
f5adduser
Adds local user accounts to the BIG-IP system.
Syntax
Use this command at the BIG-IP system prompt to add one or more local
users.
Create
f5adduser [-r <role name>|<role number>] [-n] [-s] -p <partition name> <username> ...
Description
You can use this command at the BIG-IP system prompt to add one or more
local users.
Examples
Adds a user account with the user role of Manager and access to all
partitions for Jim Smith:
f5adduser -r manager jsmith
Options
You can use these options with the f5adduser command at the BIG-IP
system prompt:
-r
Specifies the user role you are assigning to the user. The default user role
is guest. The available user roles are:
administrator
resource admin
user manager
manager
app editor
operator
guest
policy editor
-n
Indicates no password for the user account. If you indicate no password,
the user cannot log on until an Administrator creates a password for the
account. If you do not use this option, the system prompts you to enter a
password, and then to confirm that password.
-s
If you are creating a user account with the user role of administrator,
the user is given access to the system prompt. If you are creating a user
account with a user role other than administrator, the user is given
access to the bigpipe shell.
-p
Specify a partition name. If you do not specify a partition, the user
account is valid in all partitions.
See also
user(1)
failover
Configures and controls failover for a redundant system.
Syntax
Use this command to control the failover of a system, and to configure the
failover feature for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
Use this syntax to configure the failover feature for a system:
failover [{] <failover arg list> [}]
<failover arg> ::=
active-active mode (enable | disable)
custom addr (<ip addr> | none)
custom peer addr (<ip addr> | none)
force active (enable | disable)
force standby (enable | disable)
network failover (enable | disable)
redundant (enable | disable)
standby link down time <float>
unit <number>
failover edit
Display
failover [show [all]]
failover list [all]
failover active-active mode [show]
failover custom addr [show]
failover custom peer addr [show]
failover force active [show]
failover force standby [show]
Description
Failover is a process that occurs when one unit in a redundant system
becomes unavailable, thereby requiring the peer unit to assume the
processing of traffic originally targeted for the unavailable unit. To facilitate
coordination of the failover process, each unit has a unit ID (1 or 2).
You can use the command failover to switch the active unit to be the
standby unit in a redundant configuration. Be careful about using the
command failover to control the unit. It is provided only for special
situations. The unit automatically switches between active and standby
modes, without operator intervention.
Examples
Causes the active unit to go into the standby state, forcing the other unit in
the redundant system to become active:
failover standby
Options
Use these options to control failover of the system:
failback
Initiates failback for an active-active system. Failback re-establishes
normal BIG-IP system processing when a previously-unavailable BIG-IP
system becomes available again.
standby
Specifies that the active unit fails over to a standby state, causing the
standby unit to become active.
Use these options to configure failover for the system:
active-active mode
Enables or disables active-active mode for a unit in a redundant system.
The default value is disable.
custom addr
Specifies the self-IP address or management IP address on the unit that
the network failover mechanism uses to listen for peer responses. When
using network failover, this is a required setting.
See also
bigpipe(1), statemirror(1)
fasthttp
Displays and resets global statistics for the Fast HTTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast HTTP profile.
Modify
fasthttp stats reset
Display
fasthttp [show [all]]
Description
Use this command to display and reset global statistics for the Fast HTTP
profile.
Examples
The following commands display the global statistics for the Fast HTTP
profile:
fasthttp
fasthttp show
Resets all statistics for the Fast HTTP profile on the system:
fasthttp stats reset
See also
profile fasthttp(1)
fastL4
Displays and resets statistics for the Fast Layer 4 profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast Layer 4 profile.
Modify
fastl4 stats reset
Display
fastl4 [show [all]]
Description
Display detailed Fast Layer 4 profile statistics. These statistics include
connectivity statistics, errors generated, and SYN cookies used.
Examples
The following commands display statistics for the Fast Layer 4 profile:
fastl4
fastl4 show
Resets all statistics for the Fast Layer 4 profile on the system:
fastl4 stats reset
See also
profile fastl4(1)
fipscardsync
Synchronizes the FIPS hardware security modules (HSMs) of a redundant
system.
Syntax
Use this command at the BIG-IP system prompt to synchronize the FIPS
HSMs of a redundant system.
Modify
fipscardsync peer
Description
Synchronizes the FIPS hardware security modules (HSMs) of a redundant
system. Note that synchronizing the HSMs provides the ability to exchange
keys between the units of a redundant system.
Examples
Run this command at the console of the active unit to synchronize the FIPS
HSMs of a redundant system:
fipscardsync peer
See also
fipsutil(1)
fipsutil
Configures and maintains a FIPS security domain on a BIG-IP redundant
system.
Syntax
Use this command at the console to configure and maintain a FIPS security
domain for a BIG-IP redundant system.
Modify
fipsutil [flags] <action>
[flags] ::=
-d
-f
-v
<action> ::=
clean
crash
dump
fwcheck
fwupdate
genpbekey
init
labelcheck
monitor
login
logout
postfwupdate
reset
scupdate
test
Description
You can use this command to initialize the FIPS hardware security module
(HSM), and to create a security officer (SO) password and a security domain
name on the active unit of a BIG-IP redundant system. After you do this on
the active unit, use the same security domain name and SO password to
initialize and configure the other unit of the redundant system.
Examples
Initializes the HSM, prompts you to create an SO password, and then
prompts you to create a security domain name:
fipsutil -f init
Options
You can use the following options with the fipsutil command:
flags
The flags include:
-d
Indicates to use the default SO Password. You are not prompted to
create a password.
-f
Re-initializes the Nitrox FIPS board (NFB) or installs older firmware.
-v
Displays verbose information about the FIPS security domain.
actions
The actions include:
clean
Do not use this option unless F5 Networks support requests that you
use it for debugging.
crash
Do not use this option unless F5 Networks support requests that you
use it for debugging.
dump
Do not use this option unless F5 Networks support requests that you
use it for debugging.
fwcheck
Checks for available NFB firmware updates.
fwupdate
Updates NFB firmware, if necessary.
genpbekey
This option is not used.
init
Initializes and logs you in to the NFB, and sets the security domain
name.
labelcheck
Checks to see if the FIPS card is set to the default.
login
Do not use this option unless F5 Networks support requests that you
use it for debugging.
logout
Do not use this option unless F5 Networks support requests that you
use it for debugging.
monitor
Do not use this option unless F5 Networks support requests that you
use it for debugging.
postfwupdate
Do not use this option unless F5 Networks support requests that you
use it for debugging.
reset
Do not use this option unless F5 Networks support requests that you
use it for debugging.
scupdate
Do not use this option unless F5 Networks support requests that you
use it for debugging.
test
Do not use this option unless F5 Networks support requests that you
use it for debugging.
See also
fipscardsync(1)
ftp
Displays and resets global statistics for the FTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset the statistics for the FTP profile.
Modify
ftp stats reset
Display
ftp [show [all]]
Description
You can use the ftp command to display and reset global statistics for the
FTP profile.
Examples
The following commands display the global statistics for the FTP profile:
ftp
ftp show
See also
profile ftp(1)
global
Displays and resets global statistics for the BIG-IP system.
Syntax
Use this command to display or reset global statistics for the system.
Display
global [stats [show [all]]]
Delete
global stats reset
Description
Display and reset global system statistics. These statistics include client
side, server side, PVA connections, TMM cycles, denials, CPU usage,
memory, packets, authorization, and OneConnect information.
Examples
Displays all global statistics.
global stats show
See also
bigpipe(1)
ha table
Displays the settings for high availability on a system.
Syntax
Use this command to display high availability settings.
Display
ha table [<ha table key list> | all] [show [all]]
ha table [<ha table key list> | all] list [all]
<ha table key> ::=
peer
Description
Displays high availability settings for the system. These settings include
daemon settings and failover settings.
Examples
Displays all peer settings:
ha table peer
Columns
The HA table consists of several columns including Feature, Key, Action,
En, Act, Proc, Time, and Data.
Feature
Displays the high availability feature.
Key
Displays the specific instance of the feature, for example which daemon's
heartbeat is represented.
Action
Displays the action that should be taken when the Act (take action)
column is yes.
En
Indicates whether the feature is enabled.
Act
Indicates whether action should be taken. For example, if the VLAN
fail-safe functionality determined that the VLAN had failed, it would set
this column to yes, which would cause the daemon to reboot the BIG-IP
system.
Proc
Indicates the process that is exclusively responsible for creating and
writing to this row in the HA table.
Time
The meaning of this column varies depending on the feature associated
with it. Typically, this value is a timeout value. For example, the sod
daemon heartbeat time is set to 20 (seconds). That means that if sod does
not increment its heartbeat in 20 seconds, the BIG-IP system reboots.
Data
The meaning of this column also varies depending on the feature. For
daemon heartbeats, for example, this value shows the daemon
incrementing the value of its heartbeat.
See also
daemon(1), bigpipe(1)
hardware
Displays information about the system hardware.
Syntax
Use this command to display the baud rate of the system hardware.
Display
hardware {}
hardware [{] <hardware arg list> [}]
<hardware arg> ::=
baud rate <number>
hardware [show [all]]
hardware list [all]
hardware baud rate [show]
Description
You can use the hardware command to display the baud rate of the system
hardware.
Examples
The following three commands display the baud rate of the system
hardware:
hardware
hardware show
hardware baud rate
See also
bigpipe(1)
help
Displays online help for bigpipe command syntax.
Syntax
Use this command to display the online man page for a bigpipe command.
Display
<command> help
Description
Use this command to access the online man page for the specified
command.
Examples
Displays the online man page for the specified command:
vlan help
See also
bigpipe(1)
http
Displays or resets HTTP statistics on the BIG-IP system.
Syntax
Use this command to display or reset HTTP statistics.
Modify
http stats reset
Display
http [show [all]]
Description
Display and reset HTTP statistics. The statistics you can view are standard
HTTP statistics, including requests, responses, Set-Cookie header insertions,
and OneConnect idle connections.
You can also view compression statistics (in bytes), such as the following:
total, image, HTML, JS, XML, SGML, plain text, video, audio, and octet.
Examples
Displays all HTTP statistics including compression statistics:
http show all
See also
profile http(1), bigpipe(1)
httpd
Configures the HTTP daemon for the BIG-IP system.
Syntax
Use this command to configure the httpd daemon for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
httpd [{] <httpd arg list> [}]
<httpd arg> ::=
allow (<string list> | all | none) [add | delete]
authname <string>
authpamcachetimeout <number>
hostnamelookups (On | Off | Double)
include (<string> | none)
loglevel (debug | info | notice | warn | error | crit | alert | emerg)
sslcertchainfile (<string> | none)
sslcertfile <string>
sslcertkeyfile <string>
sslciphersuite <string>
ssl include (<string> | none)
httpd edit
Display
httpd [show [all]]
httpd list [all]
httpd allow [show]
httpd authname [show]
httpd authpamcachetimeout [show]
httpd hostnamelookups [show]
httpd include [show]
httpd loglevel [show]
httpd partition [show]
httpd sslcertchainfile [show]
Description
You configure the HTTP daemon for the system using the httpd command.
Important
F5 recommends that users of the Configuration utility exit the utility before
changes are made to the system using the httpd command. This is because
making changes to the system using the httpd command causes a restart of
the httpd daemon. Likewise, restarting the httpd daemon creates the
necessity for a restart of the Configuration utility.
Examples
When you change the SSL key, you must also change the SSL certificate.
You change the certificate/key pair using the following command:
httpd { sslcertfile <string> sslcertkeyfile <string> }
Sets the pluggable authentication module (PAM) cache timeout to half a day
(in seconds):
httpd authpamcachetimeout 43200
Replaces the existing list of hosts that can connect to the httpd daemon with
the hosts in the range, 172.27.0.0/255.255.0.0:
httpd allow 172.27.0.0/255.255.0.0
Options
You can use the following options with the httpd command.
allow
Adds or deletes IP addresses, partial IP addresses, and IP address ranges,
host names, partial host names, domain names, partial domain names,
and network and netmask pairs for the HTTP clients from which the
httpd daemon accepts requests. The default value is all.
Warning: Using the value none resets the httpd daemon to allow all
HTTP clients access to the system. F5 recommends that you do not use
the value none with the httpd command.
authname
Specifies the name for the authentication realm. The default is BIG-IP.
authpamcachetimeout
Specifies, in seconds, the cache timeout for PAM. The default value is
86400 seconds.
hostnamelookups
The default value is Off.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
loglevel
Specifies the minimum httpd message level to include in the system log.
The default value is warn.
httpd edit
Displays in a text editor the running configuration of all objects created
using the command httpd. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only httpd { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition within which the httpd daemon resides.
sslcertchainfile
Specifies the name of the file that contains the SSL certificate chain. The
default is none.
sslcertfile
Specifies the name of the file that contains the SSL certificate. The
default value is /etc/httpd/conf/ssl.crt/server.crt.
Note that the path to the file must start with /etc/httpd/conf/ssl.crt/ or
/config/httpd/conf/ssl.crt/ unless the path is a relative path. If the path is
a relative path, then it must start with conf/ssl.crt/.
sslcertkeyfile
Specifies the name of the file that contains the SSL certificate key. The
default value is /etc/httpd/conf/ssl.key/server.key.
Note that the path to the file must start with /etc/httpd/conf/ssl.key/ or
/config/httpd/conf/ssl.key/ unless the path is a relative path. If the path
is a relative path, then it must start with conf/ssl.key/.
When you change the key file, you must also change the certificate file.
In other words, the following command does not work to change the key:
httpd sslcertkeyfile <string>. Instead, you must use this command:
httpd { sslcertfile <string> sslcertkeyfile <string> }.
sslciphersuite
Specifies the ciphers that the system uses.
ssl include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
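The options above carry several rules worth checking before a change is saved: an allow list that contains none (or all) opens the Configuration utility to every client, the certificate and key files must live under specific directories, and the cert/key pair must change together. The following is an added example, not F5 code, that audits an httpd stanza written in the bigpipe syntax shown above against those rules. The stanza layout (one parameter per line inside httpd { ... }) and the sample values are constructed for the example; the real output of httpd list may differ in detail.

```python
# Added example (not F5 code): audit an httpd stanza written in the bigpipe
# syntax shown above against the rules this entry states. The stanza layout
# and sample values are constructed for this example.
import ipaddress
import re

LOGLEVELS = ("debug", "info", "notice", "warn", "error", "crit", "alert", "emerg")
# Directory rules quoted from the sslcertfile / sslcertkeyfile descriptions.
CERT_ABS = ("/etc/httpd/conf/ssl.crt/", "/config/httpd/conf/ssl.crt/")
KEY_ABS = ("/etc/httpd/conf/ssl.key/", "/config/httpd/conf/ssl.key/")
CERT_REL = "conf/ssl.crt/"
KEY_REL = "conf/ssl.key/"


def parse_httpd_stanza(text):
    """Return {parameter: value} for the first httpd { ... } block in text."""
    m = re.search(r"\bhttpd\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no httpd stanza found")
    params = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ssl include"):   # the only two-word parameter here
            key, value = "ssl include", line[len("ssl include"):]
        else:
            key, _, value = line.partition(" ")
        params[key] = value.strip()
    return params


def normalize_allow(value):
    """Expand the allow list: network/netmask pairs and single addresses
    become CIDR strings; partial IPs, host and domain names, all and none
    are returned unchanged."""
    out = []
    for token in value.split():
        try:
            out.append(str(ipaddress.ip_network(token, strict=False)))
        except ValueError:
            out.append(token)
    return out


def path_ok(path, abs_prefixes, rel_prefix):
    """Absolute paths must start with one of abs_prefixes, relative ones with rel_prefix."""
    if path.startswith("/"):
        return path.startswith(abs_prefixes)
    return path.startswith(rel_prefix)


def audit_httpd(text):
    """Return a list of findings; an empty list means nothing to report."""
    p = parse_httpd_stanza(text)
    findings = []
    allow = normalize_allow(p.get("allow", "all"))
    if "none" in allow:
        findings.append("allow contains 'none', which the page says resets httpd to accept all clients")
    if "all" in allow or "0.0.0.0/0" in allow or "::/0" in allow:
        findings.append("allow permits every HTTP client; restrict it to management networks")
    if "loglevel" in p and p["loglevel"] not in LOGLEVELS:
        findings.append(f"loglevel {p['loglevel']!r} is not one of {', '.join(LOGLEVELS)}")
    if "authpamcachetimeout" in p and not p["authpamcachetimeout"].isdigit():
        findings.append("authpamcachetimeout must be a number of seconds")
    for key, abs_p, rel_p in (("sslcertfile", CERT_ABS, CERT_REL),
                              ("sslcertkeyfile", KEY_ABS, KEY_REL)):
        if key in p and not path_ok(p[key], abs_p, rel_p):
            findings.append(f"{key} {p[key]} is outside the directories the page allows")
    if ("sslcertfile" in p) != ("sslcertkeyfile" in p):
        findings.append("sslcertfile and sslcertkeyfile must be changed together")
    for key in ("include", "ssl include"):
        if p.get(key, "none") != "none":
            findings.append(f"{key} is set; the system does not validate its contents")
    return findings


# Constructed stanza: the key path and the trailing 'none' are deliberate faults.
SAMPLE_STANZA = """
httpd {
   allow 172.27.0.0/255.255.0.0 10.0.0.5 mgmt.example.com none
   authname BIG-IP
   authpamcachetimeout 43200
   hostnamelookups Off
   loglevel warn
   sslcertfile /config/httpd/conf/ssl.crt/server.crt
   sslcertkeyfile /tmp/server.key
}
"""

if __name__ == "__main__":
    for finding in audit_httpd(SAMPLE_STANZA):
        print("-", finding)
```

On the constructed stanza the audit reports two findings: the none entry in the allow list and the key file stored outside the permitted ssl.key directories. The network/netmask pair 172.27.0.0/255.255.0.0 normalizes to 172.27.0.0/16, so the check also catches an all-zero netmask written in that form.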
See also
bigpipe(1), ntp(1), dns(1), sshd(1), snmpd(1)
icmp
Displays and resets ICMP statistics.
Syntax
Use this command to display or reset ICMP statistics.
Modify
icmp stats reset
Display
icmp [show [all]]
Description
Display and reset ICMP statistics. The statistics you can view are standard
ICMP statistics, including ICMPv4 packets and errors, and ICMPv6 packets
and errors.
Examples
Displays all ICMP statistics:
icmp show all
See also
monitor(1), bigpipe(1)
import
Saves a backup of the running configuration in the /var/local/scf/ directory,
and then replaces the running configuration with the configuration contained
in the single configuration file (SCF) that you are importing.
Syntax
Use this command to replace the running configuration of the system with
the values contained in the SCF that you are importing. If you want to write
the new running configuration to the stored configuration files, after you run
the import command, you must run the save all command.
If you want to modify the running configuration of the BIG-IP system,
rather than replace it, you must use the merge command. For more
information, see the online man page for the merge command.
Create/Modify
import [<file> | default | -]
Description
You import an SCF that was exported from another BIG-IP system after you
edit the file to work on the system to which you are importing it.
Examples
Loads the SCF, myconfiguration.scf, on the system:
import myconfiguration.scf
Options
You can use the following options with the import command.
- <contents of SCF>
Use this option to replace the running configuration of the system using
the data in an SCF. First copy the contents of an SCF. Then type import
- and press the Enter key. The system responds with a Reading...
message. When the system finishes responding, on the command line,
paste the contents of the SCF that you copied, and then type Ctrl-D.
After the command sequence runs, the system has replaced the running
configuration. If you want to save the running configuration to the stored
configuration files, run the save all command.
Warning: F5 recommends that you do not use this option to import an
SCF. Instead, F5 recommends that you use the file name, as shown in the
following option.
<file>
Specifies the name of the SCF that you want to import.
default
Resets the running configuration of the system to the factory defaults.
However, note that this option does not change the management port
networking information.
See also
bigpipe(1), export(1)
interface
Configures the parameters of interfaces.
Syntax
Use this command to modify or display interface settings.
Modify
interface <interface key list> {}
interface (<interface key list> | all) [{] <if arg list> [}]
<interface key> ::=
<if name>
<interface arg> ::=
prefer (sfp | fixed)
media fixed (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \
10GbaseT full)
media sfp (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \
10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full)
(enable | disable)
pause (rx tx |rx | tx | tx rx | none)
link type (p2p | shared | auto)
edge port (true | false)
auto edge (enable | disable)
stp (enable | disable)
stp reset
media (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \
10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full)
interface (<interface key list> | all) stats reset
interface edit
Display
interface [<interface key list> | all] [show [all]]
interface [<interface key list> | all] list [all]
interface [<interface key list> | all] auto edge [show]
interface [<interface key list> | all] edge port [show]
interface [<interface key list> | all] enabled [show]
interface [<interface key list> | all] errors [show]
interface [<interface key list> | all] link type [show]
interface [<interface key list> | all] name [show]
Description
This command displays and sets media options, duplex mode, and status for
an interface. In addition, this command provides the ability to set
per-interface spanning tree parameters such as link type, edge port status,
automatic edge port detection, and also whether the interface participates in
the spanning tree configuration.
Examples
Enables the interface named 1.1:
interface 1.1 enable
Enables auto edge detection for STP on the interfaces named 1.1, 1.2, and
1.3:
interface 1.1 1.2 1.3 auto edge enable
Sets the edge port attribute for STP on the interfaces named 1.1, 1.2, and
1.3:
interface 1.1 1.2 1.3 edge port true
Options
You can use these options with the interface command:
auto edge
When automatic edge port detection is enabled on an interface, the
system monitors the interface for incoming STP, RSTP, or MSTP
packets. If no such packets are received for a sufficient period of time
(about three seconds), the interface is automatically given edge port
status. When automatic edge port detection is disabled on an interface,
the system never gives the interface edge port status automatically. By
See also
mirror(1), stp(1), vlan(1), vlangroup(1), bigpipe(1)
ip
Manages IP statistics on the BIG-IP system.
Syntax
Use this command to display or delete IP statistics on the BIG-IP system.
Display
ip [stats [show [all]]]
Delete
ip stats reset
Description
Display and reset IP statistics. The statistics you can view are standard IP
statistics, including IPv4 and IPv6 packets, fragments, fragments
reassembled, and errors.
Examples
Displays all IP statistics for the system:
ip show all
See also
bigpipe(1)
list
Displays all objects the user has permission to view. Depending on the
user's Read partition, all objects that are not in partitions and all objects in
partition Common may also display.
Syntax
Use this command to display objects based on your Read partition setting.
Display
[base] list [all]
Description
When the default Read partition is All, the list command displays all objects
the user has permission to view. When you specify a Read partition, this
command displays all objects the user has permission to view in the current
partition, all objects that are not in partitions, and all objects in partition
Common.
Options
You can use these options with the list command:
base
Lists the output of the single configuration file (SCF), including the
configuration of the BIG-IP system network components: MGMT port
address, MGMT route, internal and external VLANs, VLAN groups,
self-IP addresses, and self-allow values.
all
Displays the complete system configuration.
See also
bigpipe(1)
load
Replaces the running configuration with the configuration in the stored
configuration files.
Syntax
Use this command to replace the running configuration with the
configuration in the stored configuration files.
Usage
[base] load [<file> | - ]
verify load
Description
You can also use the load command to replace the running configuration
with the configuration stored in a specified file.
If you want to modify the running configuration of the BIG-IP system,
rather than replace it, you must use the merge command. For more
information, see the online man page for the merge command.
Examples
The following command replaces the running configuration with the
configuration in the stored configuration files. The configuration loads after
you type Ctrl-D.
load <Ctrl-D>
The base load command replaces the running configuration using the
contents of the following files in the order shown:
/defaults/config_base.conf
/config/bigip_base.conf
/config/bigip_sys.conf
The load command replaces the entire running configuration using the
contents of the following files in the order shown:
/defaults/config_base.conf
This file contains the commands, and their attributes and values, that
configure the basic system information for all of the components of the
BIG-IP system. When you run the base load or load commands, the
Options
You can use these options with the load command:
<file>
Specifies a file name that replaces the /config/bigip.conf file.
Specifies that the BIG-IP system loads configuration commands from the
standard input device after loading the configuration of the BIG-IP
network components. Using this option replaces all of the values in the
/config/bigip.conf file.
- <contents of SCF>
Use this option to replace only the values in the /config/bigip.conf file.
First copy the contents of an SCF. Then type load - and press the Enter
key. The system responds with a Reading... message. When the system
finishes responding, on the command line paste the contents of the SCF
that you copied, and then type Ctrl-D. After the command sequence
runs, the system has replaced the running configuration. To save the new
values in the bigip.conf file, run the save all command.
Warning: This is not the preferred way to load an SCF. F5 recommends
that you use the import command. For more information, see import, on
page A-89.
base
Replaces the configuration of the BIG-IP system network components
with the values contained in the /config/bigip_base.conf and
/config/bigip_sys.conf files.
log
Causes error messages to be written to /var/log/ltm, in addition to the
terminal.
verify
Validates the specified configuration file.
See also
bigpipe(1), save(1)
logrotate
Configures log rotation for the BIG-IP system.
Syntax
Use this command to configure log rotation for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. F5
recommends that you create a monitor in the same partition in which the
object that it monitors resides. For more information, see the Configuring
Administrative Partitions and Managing User Accounts chapters in the
BIG-IP Network and System Management Guide.
logrotate [{] <logrotate arg list> [}]
<logrotate arg> ::=
common backlogs <number>
common include (<string> | none)
include (<string> | none)
mysql include (<string> | none)
syslog include (<string> | none)
tomcat include (<string> | none)
wa include (<string> | none)
logrotate edit
Display
logrotate [show [all]]
logrotate list [all]
logrotate common backlogs [show]
logrotate common include [show]
logrotate include [show]
logrotate mysql include [show]
logrotate partition [show]
logrotate syslog include [show]
logrotate tomcat include [show]
logrotate wa include [show]
Description
You can configure the system to rotate the log files after a specified length
of time. This helps you to clear the hard drive of unneeded log files.
Examples
Specifies that the system saves seven copies of the common log files:
logrotate common backlogs 7
Options
You can use these options with the logrotate command:
common backlogs
Specifies the number of logs that you want the system to save. Select a
number from the valid range of 1 - 100.
common include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
logrotate edit
Displays in a text editor the running configuration of all objects created
using the command logrotate. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only logrotate { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition within which the logrotate object resides.
syslog include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
tomcat include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
wa include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
See also
bigpipe(1), ntp(1), dns(1), httpd(1), snmpd(1)
ltm
Configures the general properties for the BIG-IP local traffic management
system.
Syntax
Use this command to configure the general properties of the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. F5
recommends that you create a monitor in the same partition in which the
object that it monitors resides. For more information, see the Configuring
Administrative Partitions and Managing User Accounts chapters in the
BIG-IP Network and System Management Guide.
ltm [{] <ltm arg list> [}]
<ltm arg> ::=
adaptive reaper hiwater <number>
adaptive reaper lowater <number>
auto last hop (enable | disable)
fastest max idle time <number>
l2 cache timeout <number>
maint (enable | disable)
max reject rate <number>
path mtu discovery (enable | disable)
reject unmatched (enable | disable)
share single mac (first member | global)
snat packet forward (enable | disable)
syncookies threshold <number>
vlan keyed conn (enable | disable)
ltm edit
Display
ltm [show [all]]
ltm list [all]
ltm adaptive reaper hiwater [show]
ltm adaptive reaper lowater [show]
ltm auto last hop [show]
ltm fastest max idle time [show]
Description
You can use this command to set up the local traffic management system.
Examples
Specifies that the BIG-IP system issues reject packets (TCP RST or ICMP
port unreachable) at a maximum rate of 1000 per second:
ltm max reject rate 1000
Options
You can use these options with the ltm command:
adaptive reaper hiwater
Specifies, in a percentage, the memory usage at which the system stops
establishing new connections. Once the system meets the reaper
high-water mark, the system does not establish new connections until the
memory usage drops below the reaper low-water mark. The default
setting is 95. To disable the adaptive reaper, set the high-water mark to
100.
Note that the adaptive reaper settings help mitigate the effects of a
denial-of-service attack.
adaptive reaper lowater
Specifies, in percent, the memory usage at which the system silently
purges stale connections, without sending reset packets (RST) to the
client. If the memory usage remains above the low-water mark after the
purge, then the system starts purging established connections closest to
their service timeout. The default setting is 85. To disable the adaptive
reaper, set the low-water mark to 100.
auto last hop
Specifies that the system automatically maps the last hop for pools. The
default is enable.
syncookies threshold
Specifies the number of new or untrusted TCP connections that can be
established before the system activates the SYN Cookies authentication
method for subsequent TCP connections. The default value is 16384.
vlan keyed conn
Enables or disables VLAN-keyed connections. You use VLAN-keyed
connections when traffic for the same connection must pass through the
system several times, on multiple pairs of VLANs (or in different VLAN
groups). The default setting is enable.
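The two adaptive reaper watermarks described above form a hysteresis loop: once memory usage reaches the high-water mark, new connections stay refused until usage falls below the low-water mark, not merely below the high-water mark. The following is an added example, not F5 code, that models that behaviour with constructed memory readings so the effect of the defaults (95 and 85) and of the disabling value 100 can be seen; it reflects only what the page states, not the real reaper internals.

```python
# Added example (not F5 code): a small model of the adaptive reaper
# thresholds described for the ltm command, showing the hysteresis between
# the high-water and low-water marks. Memory readings are constructed
# percentages; the model reflects only the behaviour the page states.


class AdaptiveReaper:
    """Tracks whether new connections are accepted, given memory usage in %."""

    def __init__(self, hiwater=95, lowater=85):
        for name, value in (("hiwater", hiwater), ("lowater", lowater)):
            if not 0 <= value <= 100:
                raise ValueError(f"{name} must be a percentage between 0 and 100")
        self.hiwater = hiwater
        self.lowater = lowater
        self.blocking = False  # set at hiwater, cleared only below lowater

    def step(self, mem_pct):
        """Feed one memory reading and return whether new connections are
        accepted. A watermark of 100 disables that half of the reaper, as
        the page describes."""
        if self.hiwater < 100 and mem_pct >= self.hiwater:
            self.blocking = True
        elif self.blocking and mem_pct < self.lowater:
            self.blocking = False
        return not self.blocking

    def purge_target(self, mem_pct, mem_after_stale_purge=None):
        """'none' below lowater; 'stale' at or above it; 'established' when
        usage is still at or above lowater after the stale purge (the page
        says connections closest to their service timeout go first)."""
        if self.lowater >= 100 or mem_pct < self.lowater:
            return "none"
        if mem_after_stale_purge is not None and mem_after_stale_purge >= self.lowater:
            return "established"
        return "stale"


def simulate(readings, hiwater=95, lowater=85):
    """Run a sequence of memory readings; return accept-new decisions."""
    reaper = AdaptiveReaper(hiwater, lowater)
    return [reaper.step(m) for m in readings]


# Constructed memory readings, in percent, for one traffic surge and recovery.
READINGS = [80, 90, 96, 92, 88, 84, 90]

if __name__ == "__main__":
    for mem, accept in zip(READINGS, simulate(READINGS)):
        print(f"mem={mem:3d}%  accept_new={accept}")
```

With the defaults, the reading of 96% trips the high-water mark and the readings of 92% and 88% keep new connections blocked even though both are below 95; only the drop to 84% reopens the system, which is the hysteresis the two marks provide against a sustained denial-of-service load. Setting both marks to 100 turns every decision into accept, matching the page's description of how the reaper is disabled.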
See also
bigpipe(1)
mcp
Displays the Master Control Program (MCP) state.
Syntax
Use this command to display the state of the MCP.
Display
mcp [show [all]]
Delete
mcp stats reset
Description
Displays the state of the MCP, whether running or inactive.
Examples
Displays the state of the MCP:
mcp show all
See also
bigpipe(1)
memory
Displays memory usage statistics.
Syntax
Use this command to display memory statistics.
Display
memory [show [all]]
memory stats [show]
Description
Display detailed memory usage statistics. These statistics include total
memory available, total memory used, and how the memory is currently
allocated to objects, the size of the objects, and the maximum memory that
can be allocated to a specified object.
Examples
Displays all memory usage information:
memory show all
See also
bigpipe(1)
merge
Loads the specified configuration file. This modifies the running
configuration.
Syntax
Use this command to load the specified configuration file or data to modify
the running configuration.
Usage
merge (<file> | -)
Description
The merge command loads the specified configuration file or data. This
modifies the running configuration. After you run the merge command, if
you want to save the modified running configuration in the stored
configuration files, run the save all command.
It is important to note that if you want to replace the running configuration
of the BIG-IP system, rather than modify it, you use the load command. For
more information, see the online man page for the load command.
Options
You can use these options with the merge command:
<file>
Specifies the file that you want to load to modify the running
configuration.
- <contents of SCF>
Use this option to modify the running configuration of a system using the
data in an SCF. First copy the contents of an SCF. Then type merge - and
press the Enter key. The system responds with a Reading... message.
When the system finishes responding, on the command line paste the
contents of the SCF that you copied, and then type Ctrl-D. After the
command sequence runs, the system has modified the running
configuration. If you want to save the running configuration to the stored
configuration files, run the save all command.
Warning: F5 recommends that you do not use this option. Instead, F5
recommends that you use a file name as shown above in the first option
in this list of options.
See also
bigpipe(1), save(1)
mgmt
Specifies network settings for the management interface (MGMT).
Syntax
Use this command to create or delete settings for the management interface.
Create/Modify
mgmt <mgmt key list> {}
mgmt (<mgmt key list> | all) [{] <mgmt arg list> [}]
<mgmt key> ::=
(<ip addr> | none)
<mgmt arg> ::=
netmask (<ip mask> | none)
mgmt edit
Display
mgmt [<mgmt key list> | all] [show [all]]
mgmt [<mgmt key list> | all] list [all]
mgmt [<mgmt key list> | all] addr [show]
mgmt [<mgmt key list> | all] netmask [show]
Delete
mgmt (<ip addr list> | all) delete
Description
Specifies network settings for the management interface. The management
interface is available on all switch platforms and is designed for
management purposes. You can access the web-based Configuration utility
and command line configuration utility through the management port. You
cannot use the management interface in traffic management VLANs. You
can only configure one IP address on the management interface.
After you make any changes using the mgmt command, issue the following
command to save the changes to the bigip_base.conf file:
base save
Examples
Creates the IP address 10.10.10.1 on the management interface:
mgmt 10.10.10.1
Options
You can use these options with the mgmt command:
mgmt edit
Displays in a text editor the running configuration of all objects that you
use the command mgmt to create. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only mgmt { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
Note that the default text editor is vi.
See also
route(1), bigpipe(1), mgmt route(1)
mgmt route
Specifies route settings for the management interface (MGMT).
Syntax
Use this command to create, display, or delete route settings for the
management interface.
Create/Modify
mgmt route <mgmt route key list> {}
mgmt route (<mgmt route key list> | all) [{] <mgmt route arg list> [}]
<mgmt route key> ::=
<network ip>
<mgmt route arg> ::=
(mgmt | reject)
gateway (<ip addr> | none)
mtu <number>
mgmt route edit
Display
mgmt route [<mgmt route key list> | all] [show [all]]
mgmt route [<mgmt route key list> | all] list [all]
mgmt route [<mgmt route key list> | all] type [show]
mgmt route [<mgmt route key list> | all] gateway [show]
mgmt route [<mgmt route key list> | all] mtu [show]
Delete
mgmt route (<mgmt route key list> | all) delete
Description
Specifies route settings for the management interface. You must configure a
route on the management interface if you want to access the management
network on the system by connecting from another network. The
management interface is available on all switch platforms. It is designed for
management purposes. All upgrades should be installed through the
management port. You can access the web-based Configuration utility and
command line configuration utility through the management interface. You
cannot include the management interface in traffic management VLANs.
Examples
Sets the management interface default gateway IP address to 10.10.10.254:
mgmt route default gateway 10.10.10.254
Options
You can use these options with the mgmt route command:
gateway
Specifies that the system forwards packets to the destination through the
gateway with the specified IP address.
mgmt
Specifies that the system forwards packets to the destination through the
management interface.
mtu
Specifies the maximum transmission unit (MTU) for the management
interface. The value of the MTU is the largest size that the BIG-IP
system allows for an IP datagram passing through the management
interface.
network ip
Specifies the network IP address, in one of four formats:
IPv4 address in dotted-quad notation, for example, 10.10.10.1
IPv6 address, for example, 1080::8:800:200C:417A
Host name, for example, www.siterequest.com
Node screen name, for example, node1
reject
Specifies that the system drops packets that are sent to this destination.
See also
mgmt(1), bigpipe(1), route(1)
mirror
Configures interface (port) mirroring.
Syntax
Use this command to create, modify, display, or delete interface mirroring.
Create/Modify
mirror <mirror key list> {}
mirror (<mirror key list> | all) [{] <mirror arg list> [}]
<mirror key> ::=
<if name>
<mirror arg> ::=
interfaces (<interface key list> | none) [add | delete]
mirror edit
Display
mirror [<mirror key list> | all] [show [all]]
mirror [<mirror key list> | all] list [all]
mirror [<mirror key list> | all] name [show]
mirror [<mirror key list> | all] interfaces [show]
Delete
mirror (<mirror key list> | all) delete
Description
Use the mirror command to create, display, modify, or delete port
mirroring on given interfaces. You can mirror traffic from many ports to one
port. The mirror-to port is dedicated to mirroring and cannot be a VLAN or
a trunk member.
Examples
Creates a port mirror, 1.1, that includes interfaces 1.2, 1.3, 1.4. Traffic from
the interfaces 1.2, 1.3, and 1.4 is mirrored to the interface 1.1:
mirror 1.1 interfaces 1.2 1.3 1.4
Adds interfaces 1.2, 1.3, 1.4 to the existing port mirror 1.1:
mirror 1.1 interfaces 1.2 1.3 1.4 add
Options
You can use these options with the mirror command:
add
Adds interfaces to an existing port mirror.
Important
Be aware that if you do not use add, the list of interfaces you specify
replaces the existing interfaces on the port mirror.
all
Provides the ability to apply a command to all existing port mirrors.
delete
Deletes interfaces from an existing port mirror. The list of interfaces you
specify is deleted from the port mirror.
<interface key>
Specifies an interface name, for example 3.1.
<key list>
Provides the ability to apply a command to a list of existing port mirrors.
mirror edit
Displays in a text editor the running configuration of all objects created
using the command mirror. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
interface(1), bigpipe(1)
Appendix A
monitor
Creates, modifies, and deletes monitor instances or templates.
Syntax
Use this command to create, modify, display, or delete monitor instances or
monitors.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. F5
recommends that you create a monitor in the same partition in which the
object that it monitors resides. For more information, see the Configuring
Administrative Partitions and Managing User Accounts chapters in the
BIG-IP Network and System Management Guide.
monitor <monitor key list> {}
monitor (<monitor key list> | all) [{] <monitor arg list> [}]
<monitor key> ::=
<name>
<monitor arg> ::=
<name> <string>
defaults from <name>
(enable | disable)
accounting node <string>
accounting port <string>
agent <string>
agent type <string>
args <string>
base <string>
call id <string>
cert <string>
cipherlist <string>
cmd <string>
community <string>
compatibility <string>
count <string>
cpu coefficient <string>
cpu threshold <string>
database <string>
debug <string>
dest (<ip addr> | <node>)
disk coefficient <string>
disk threshold <string>
domain <string>
fault <string>
filename <string>
filter <string>
folder <string>
framed addr <string>
get <string>
gwm addr <string>
gwm interval <string>
gwm protocol <string>
gwm service <string>
instance <monitor instance list>
interval <number>
is read only
key <string>
mandatoryattrs <string>
manual resume
mem coefficient <string>
mem threshold <string>
method <string>
metrics <string>
mode <string>
namespace <string>
nasip <string>
newsgroup <string>
param name <string>
param type <string>
param value <string>
password <string>
post <string>
program <string>
protocol <string>
recv <string>
recvcolumn <string>
recvdrain <string>
recvrow <string>
return type <string>
return value <string>
reverse
run <string>
secret <string>
security <string>
send <string>
sendpackets <string>
server <string>
server id <string>
service <string>
session id <string>
snmp version <string>
timeout (<number> | immediate | indefinite)
timeoutpackets <string>
transparent
urlpath <string>
username <string>
version <string>
<monitor instance> ::=
(<monitor instance key list> | all) \
[{] <monitor instance arg list> [}]
<monitor instance key> ::=
(<ip addr> | <member>)
<monitor instance arg> ::=
(enable | disable)
monitor edit
WARNING
If you disable a monitor instance, and then run the load command, the
monitor instance is automatically enabled.
Display
monitor [<monitor key list> | all] [show [all]]
monitor [<monitor key list> | all] list [all]
monitor [<monitor key list> | all] <name> [show]
monitor [<monitor key list> | all] accounting node [show]
monitor [<monitor key list> | all] accounting port [show]
monitor [<monitor key list> | all] agent [show]
monitor [<monitor key list> | all] agent type [show]
monitor [<monitor key list> | all] args [show]
monitor [<monitor key list> | all] base [show]
monitor [<monitor key list> | all] call id [show]
monitor [<monitor key list> | all] cert [show]
Delete
monitor (<monitor key list> | all) delete
Description
Monitors verify connections on pool members and nodes. A monitor can be
either a health monitor or a performance monitor, designed to check the
status of a pool, pool member, or node on an ongoing basis, at a set interval.
If a pool member or node being checked does not respond within a specified
timeout period, or the status of a pool member or node indicates that
performance is degraded, the system can redirect the traffic to another pool
member or node. Some monitors are included as part of the system, while
other monitors are user-created. Monitors that the system provides are
known as pre-configured monitors. User-created monitors are known as
custom monitors.
The task of implementing a monitor varies depending on whether you are
using a pre-configured monitor or creating a custom monitor. If you want to
implement a pre-configured monitor, you need only associate the monitor
with a pool, pool member, or node. If you want to implement a custom
monitor, you must first create the custom monitor, and then associate it with
a pool, pool member, or node.
Note
To view the man page for the monitor command, you must enter man
monitor at the BIG-IP system prompt.
Pre-configured monitors
The following monitors are pre-configured monitors:
gateway icmp
http
https
https 443
icmp
real server
snmp dca
tcp
tcp echo
tcp half open
Examples
This procedure describes how to create a custom HTTP monitor.
1. Access the bigpipe shell.
2. View the variables for the default monitors, by typing the following
command:
monitor list all |more
3. Find a default monitor on which you want to base the new monitor
and make a note of the settings that you want to change.
For example, if you want to define a new monitor that is based on
the default HTTP monitor, view the default HTTP monitor.
The default HTTP monitor appears as follows:
monitor http {
   defaults from
   interval 5
   timeout 16
   dest *:*
   password ""
   recv ""
   send "GET /"
   username ""
}
Important: The values for the password, recv, send, and username
settings are contained in quotation marks. If you want to change
these values, you must place the new values in quotation marks.
4. Define the new monitor, using the following command syntax:
monitor <name> '{ defaults from <monitor> <setting>
<value>... }'
5. Replace name with the name you want to use for the new monitor.
6. Replace monitor with the name of the default monitor on which
you want to base the new monitor.
7. Replace setting and value with the name and value of each setting
you want to change.
For example, if you want to create a monitor named
myhttpmonitor that has an interval of 30, a timeout of 91, and a
send string of GET /test.html, you would type the following
command:
monitor myhttpmonitor '{ defaults from http interval 30
timeout 91 send "GET /test.html" }'
If you decide to change the timeout for the monitor to 121, you
would type the following command:
monitor myhttpmonitor '{ timeout 121 }'
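The command-building rule in steps 4 through 7, together with the quoting requirement from the Important note, as an added Python helper (not part of bigpipe or this manual); the setting names come from the monitor syntax listing above and nothing else is assumed.

```python
"""Build bigpipe monitor commands as described in steps 4 through 7.

Added example, not code from F5 or this manual. It relies only on what the
page states: "defaults from" is required when creating a monitor, the
setting names come from the monitor syntax listing, and the password, recv,
send and username values must be placed in quotation marks.
"""

# Settings whose values must be placed in quotation marks (Important note).
QUOTED_SETTINGS = {"password", "recv", "send", "username"}

# Settings that take no value, from the monitor syntax listing.
FLAG_SETTINGS = {"is read only", "manual resume", "reverse", "transparent",
                 "enable", "disable"}

# Settings that take a value, from the monitor syntax listing.
KNOWN_SETTINGS = {
    "accounting node", "accounting port", "agent", "agent type", "args",
    "base", "call id", "cert", "cipherlist", "cmd", "community",
    "compatibility", "count", "cpu coefficient", "cpu threshold",
    "database", "debug", "dest", "disk coefficient", "disk threshold",
    "domain", "fault", "filename", "filter", "folder", "framed addr", "get",
    "gwm addr", "gwm interval", "gwm protocol", "gwm service", "interval",
    "key", "mandatoryattrs", "mem coefficient", "mem threshold", "method",
    "metrics", "mode", "namespace", "nasip", "newsgroup", "param name",
    "param type", "param value", "password", "post", "program", "protocol",
    "recv", "recvcolumn", "recvdrain", "recvrow", "return type",
    "return value", "run", "secret", "security", "send", "sendpackets",
    "server", "server id", "service", "session id", "snmp version",
    "timeout", "timeoutpackets", "urlpath", "username", "version",
}


def build_monitor_command(name, changes, parent=None):
    """Return the bigpipe command line for the monitor called ``name``.

    ``changes`` maps setting names (spaces or underscores between words) to
    values; use None as the value for a flag such as ``reverse``. Pass
    ``parent`` to create a new monitor, which adds the required
    ``defaults from``; omit it to modify an existing monitor, as in the
    timeout change at the end of the procedure.
    """
    args = []
    if parent is not None:
        args.append("defaults from " + parent)
    for raw_key, value in changes.items():
        setting = " ".join(raw_key.replace("_", " ").split())
        if setting in FLAG_SETTINGS:
            args.append(setting)
            continue
        if setting not in KNOWN_SETTINGS:
            raise ValueError("unknown monitor setting: " + setting)
        text = str(value)
        # The argument list is wrapped in single quotation marks on the
        # command line and the page gives no escaping rule, so a value
        # containing either kind of quote is refused rather than guessed at.
        if "'" in text or '"' in text:
            raise ValueError("quotation marks are not supported in " + setting)
        if setting in QUOTED_SETTINGS:
            text = '"' + text + '"'
        args.append(setting + " " + text)
    if not args:
        raise ValueError("no settings given")
    return "monitor %s '{ %s }'" % (name, " ".join(args))


if __name__ == "__main__":
    # The two commands from the procedure: create, then change the timeout.
    print(build_monitor_command(
        "myhttpmonitor", {"interval": 30, "timeout": 91,
                          "send": "GET /test.html"}, parent="http"))
    print(build_monitor_command("myhttpmonitor", {"timeout": 121}))
```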
Options
You can use these options with the monitor command:
defaults from
Specifies the monitor that you want to use as the parent monitor. Your
new monitor inherits all settings and values from the parent monitor
specified. The new monitor will have the default settings of the monitor
you specify, but you can change any of the settings. This option is
required.
agent
Specifies an agent for use with Real Server, SNMP Base, and WMI
monitors only.
agent type
Specifies the SNMP DCA agent type. This is the type of agent running
on the server that you are monitoring with an SNMP DCA monitor.
args
Specifies any required command line arguments used by external
monitors.
base
Specifies a base name, used by LDAP.
cert
Provides the ability to supply a certificate file to be presented to the
server by an HTTPS monitor. If you do not provide the full path to the
certificate file, the system adds the path /config/ssl/ssl.crt. The cert must
be surrounded by quotation marks, for example, cert "client.crt", or
cert "/config/ssl/ssl.crt/client.crt". The default is null, that is, no
certificate is supplied.
cipherlist
Changes the cipher list that the HTTPS monitor uses, from the default.
The default cipherlist used is: DEFAULT:+SHA:+3DES:+kEDH. The
default cipher list is located in the file base_monitors.conf.
cmd
Specifies a command associated with metrics and metric values. Applies
to Real Server and WMI monitors.
community
Specifies an SNMP community name. Applies to SNMP DCA monitors
only. The default value is Public.
compatibility
Sets the SSL options to ALL for an HTTPS monitor. You can enable or
disable this option.
cpu coefficient
Specifies an SNMP DCA CPU Coefficient. This is a CPU value used for
calculating a ratio weight.
cpu threshold
Specifies an SNMP DCA CPU threshold. This is the highest CPU
threshold value allowed, used in calculating a ratio weight.
database
Specifies a database name, used by SQL. This is the name of the data
source on the node being pinged, for example, sales or hr.
debug
Specifies whether the monitor runs in debug mode.
If the value is yes, the monitor redirects its stderr output to the file
/var/log/<service> <ip addr>.<port>.log, and additional debug
information is directed to stderr.
dest
Specifies a destination IP address. You can also set this to a node name.
disk coefficient
Specifies an SNMP DCA Disk coefficient. This is a disk value used for
calculating a ratio weight.
disk threshold
Specifies an SNMP DCA Disk threshold. This is the highest disk
threshold value allowed, used in calculating a ratio weight.
domain
Specifies a domain name, for SMTP monitors only.
fault
For a SOAP monitor, fault is a Boolean value specifying whether to
check for a SOAP fault. Valid values are (0, 1). When the fault parameter
is specified as a value of 1, the monitor expects the successful execution
it is monitoring to include a returned fault. This is useful to test for
situations when a fault is expected. This tests only for the existence of a
SOAP fault. Any other server error codes signal a failure of the monitor.
filter
Specifies a filter name, used by LDAP.
folder
Specifies a folder name, used by IMAP.
get
Gets a specified string.
interval
Specifies the monitor interval in seconds. The default is 0.
key
Specifies the RSA private key to be used for client authentication. The
key must be surrounded by quotation marks, for example, key
"client.key". Note that if you specify a key, you must also specify a
value for the cert option. For more information, see the cert option on the
previous page.
mem coefficient
Specifies an SNMP DCA Memory coefficient. This is a memory value
used for calculating a ratio weight.
mem threshold
Specifies an SNMP DCA Memory threshold. This is the highest memory
threshold value allowed, used in calculating a ratio weight.
method
Specifies a method specification such as GET or POST. Applies to Real
Server, SOAP, and WMI monitors only.
metrics
Specifies metrics that you want to monitor, such as CPU percentage or
memory usage. Applies to Real Server and WMI monitors only.
mode
Sets the mode of the monitor. For example, an acceptable setting for this
value is passive for an FTP monitor, or udp or tcp for a SIP monitor.
monitor edit
Displays in a text editor the running configuration of all objects created
using the command monitor. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
name
Specifies the monitor name.
namespace
Specifies the namespace associated with the given web service for a
SOAP monitor.
nasip
Specifies the network access server's IP address for a RADIUS monitor.
newsgroup
Specifies a newsgroup name, for NNTP monitors only.
param name
If the method has a parameter, specifies the name of that parameter for
the SOAP monitor.
param type
Specifies the basic type associated with the given parameter name in a
SOAP monitor. Valid values are (long, int, string, bool).
param value
Specifies the value of the given parameter for the SOAP monitor.
partition
Displays the partition within which the monitor resides.
password
Specifies the password for the specified user name.
post
Specifies a WMI and Real Server post setting.
protocol
Specifies the protocol to use for a SOAP monitor. Valid values are http
or https.
recv
This is an optional parameter, containing the value expected back for a
particular row and column of the table retrieved by the send parameter,
for example, Smith. The expected data must be of a database type that
converts directly to a Java String (for example, VARCHAR). If no value
is specified for this parameter, the returned data is not checked for any
specific value and, as long as no discernible errors occurred (for
example, data was received), the service is considered to be up.
recvcolumn
This option is meaningful only if the recv option is specified. It contains
the column in the returned table in which the recv value is expected.
recvrow
This option is meaningful only if the recv option is specified. It contains
the row in the returned table in which the recv value is expected.
return type
If a return type is to be tested, specifies the basic type of the return
parameter. Valid values are:
bool (Boolean)
char
double
float
int (integer)
long
short
string
return value
For the SOAP monitor. If a return name is specified, this is the value to
use for comparison to yield a successful service check.
reverse
Checks the monitor recv string in reverse mode, that is, a match on the
recv string marks the monitored resource down instead of up.
run
Specifies the path name of the external program to run.
secret
Specifies a secret or shared secret, used by RADIUS.
security
Valid values are:
ssl: This value requests that LDAP over SSL be used.
tls: This value requests that TLS be used.
none: This value (or a null value or any value that does not equal one
of the above) invokes no special security. The monitor runs as the
previous LDAP pinger was run.
send
You can use this parameter with TCP, HTTP, and HTTPS ECVs, as well
as the SQL monitor. Since this may have special characters, it may
require that it be enclosed with single quotation marks. If this value is
null, then a valid connection suffices to determine that the service is up.
In this case, the recv, recvrow, and recvcolumn options are not needed,
and will be ignored even if not null.
sendpackets
Specifies the number of packets to send when using the UDP monitor.
snmp version
Specifies the SNMP version.
timeout
Specifies the monitor timeout in seconds. You can also set the timeout to
immediate or indefinite. The default is 0.
timeoutpackets
Specifies the timeout in seconds for receiving UDP packets.
transparent
Specifies a monitor for transparent devices. In this mode, the node with
which the monitor is associated is pinged through to the destination node.
urlpath
For a SOAP monitor, supplies a URL path.
username
Specifies a user name for services with password security. For LDAP
monitors only, this is a distinguished name, that is, LDAP-format user
name.
See also
node(1), pool(1), bigpipe(1)
nat
Configures network address translation (NAT).
Syntax
Use this command to create, modify, display, or delete a NAT.
Create/Modify
nat <nat key list> {}
nat (<nat key list> | all) [{] <nat arg list> [}]
<nat key> ::=
(<ip addr> | none)
<ip addr> to <ip addr>
(<ip addr> | none) map <ip addr>
<nat arg> ::=
orig addr (<ip addr> | none)
(enable | disable)
arp (enable | disable)
unit <number>
<ip addr>
map <ip addr>
vlans (<vlan key list> | none | all) (enable | disable)
nat [<nat key list> | all] stats reset
nat edit
Display
nat [<nat key list> | all] [show [all]]
nat [<nat key list> | all] list [all]
nat [<nat key list> | all] orig addr [show]
nat [<nat key list> | all] trans addr [show]
nat [<nat key list> | all] enabled [show]
nat [<nat key list> | all] arp [show]
nat [<nat key list> | all] unit [show]
nat [<nat key list> | all] stats [show]
nat [<nat key list> | all] to [show]
nat [<nat key list> | all] map [show]
nat [<nat key list> | all] vlans [show]
Delete
nat (<nat key list> | all) delete
Description
A network address translation (NAT) defines a bi-directional mapping
between an originating IP address, orig addr, and a translated IP address,
trans addr.
A primary reason for defining a NAT is to allow one of the servers in the
server array behind the traffic management system to initiate
communication with a computer in front of, or external to, the system.
Examples
The node behind the system with the IP address 10.0.140.100 has a presence
in front of the BIG-IP system as IP address 11.0.0.100:
nat 10.0.140.100 to 11.0.0.100
Additional Restrictions
The nat command has the following additional restrictions:
A virtual server cannot use the IP address defined in the <trans addr>
parameter.
A NAT cannot use a BIG-IP system's IP address.
A NAT cannot use an originating or translated IP address defined for and
used by a SNAT or another NAT.
You must delete a NAT before you can redefine it.
Options
You can use these options with the nat command:
arp
Enables or disables Address Resolution Protocol (ARP).
<ip addr> to <ip addr> or <ip addr> map <ip addr>
Specifies the IP address that is translated or mapped, and the IP address
to which it is translated or mapped. One of these settings is required
when creating a NAT.
nat edit
Displays in a text editor the running configuration of all objects created
using the command nat. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
orig addr
Specifies the IP address from which traffic is being initiated.
trans addr
Specifies the IP address that <orig addr> is translated to by the traffic
management system.
vlans
Specifies the name of an existing VLAN on which access to the NAT is
enabled or disabled. A NAT is accessible on all VLANs by default.
unit
Specifies a unit ID, currently 1 or 2 for the redundant system. The default
unit ID is set to 1.
See also
snat(1), snat translation(1), bigpipe(1)
ndp
Manages IPv6 neighbor discovery.
Syntax
Use this command to create, display, and delete IPv6 neighbor discovery entries.
Create/Modify
ndp <ndp key list> {}
ndp (<ndp key list> | all) [{] <ndp arg list> [}]
<ndp key> ::=
<ip addr>
(static | dynamic)
<ndp arg> ::=
(<mac addr> | none)
ndp edit
Display
ndp (<ndp key list> | all) [show [all]]
ndp (<ndp key list> | all) list [all]
ndp (<ndp key list> | all) ip addr [show]
ndp (<ndp key list> | all) type [show]
ndp (<ndp key list> | all) mac addr [show]
Delete
ndp (<ndp key list> | all) delete
Description
The ndp command provides the ability to display and modify the
IPv6-to-Ethernet address translation tables used by the IPv6 neighbor
discovery protocol.
Examples
Maps the IPv6 address fec0:f515::c001 to the MAC address
00:0B:DB:3F:F6:57:
ndp fec0:f515::c001 00:0B:DB:3F:F6:57
Options
You can use these options with the ndp command:
all
Displays all static and dynamic IPv6 address-to-MAC address mappings.
dynamic
Displays dynamic IPv6 address-to-MAC address mappings.
<ip addr>
Specifies the IPv6 address to be mapped to the MAC address. For
example, fec0:f515::c001.
<mac addr>
Specifies a 6-byte Ethernet address in hexadecimal colon notation that is
not case-sensitive. For example, 00:0b:09:88:00:9a. This option is
required.
ndp edit
Displays in a text editor the running configuration of all objects created
using the command ndp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
static
Displays static IPv6 address-to-MAC address mappings.
See also
arp(1), bigpipe(1)
node
Creates, modifies, or displays node addresses and services.
Syntax
Use this command to create, modify, or display node addresses and services.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
node <node key list> {}
node (<node key list> | all) [{] <node arg list> [}]
<node key> ::=
(<ip addr> | none)
<node arg> ::=
dynamic ratio <number>
limit <number>
monitor (default | <monitor key> | <monitor key> and <monitor key> \
[ and <monitor key> ...] | min <number> of <monitor key list>)
ratio <number>
session (enable | disable)
(up | down)
screen (<name> | none)
node [<node key list> | all] stats reset
node edit
Display
node [<node key list> | all] [show [all]]
node [<node key list> | all] list [all]
node [<node key list> | all] addr [show]
node [<node key list> | all] dynamic ratio [show]
node [<node key list> | all] limit [show]
node [<node key list> | all] monitor [show]
node [<node key list> | all] monitor state [show]
node [<node key list> | all] partition [show]
node [<node key list> | all] ratio [show]
Delete
node [<node key list> | all] delete
Description
Displays information about nodes, and sets attributes of nodes and node IP
addresses.
Examples
Displays information for all nodes in the system configuration:
node all show
Removes the default node monitor from all nodes. This command does not
remove monitors that have been explicitly assigned to nodes:
node * monitor none
Options
You can use these options with the node command:
dynamic ratio
Sets the dynamic ratio number for the node. Used for dynamic ratio load
balancing. The ratio weights are based on continuous monitoring of the
servers and are therefore continually changing. Dynamic Ratio load
balancing may currently be implemented on RealNetworks RealServer
platforms, on Windows platforms equipped with Windows Management
Instrumentation (WMI), or on a server equipped with either the UC
Davis SNMP agent or Windows 2000 Server SNMP agent.
limit
Specifies the maximum number of connections allowed for the node or
node address.
monitor
Specifies the name of the monitor that you want to associate with the
node.
node edit
Displays in a text editor the running configuration of all objects created
using the command node. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition in which the node resides.
ratio
Specifies the fixed ratio value used for a node during ratio load
balancing.
screen <name> | none
Specifies the screen name of the node, if any.
session
Displays the current connections for the specified node.
up | down
Marks the node up or down.
See also
pool(1), monitor(1), bigpipe(1)
ntp
Configures the Network Time Protocol (NTP) daemon for the BIG-IP
system.
Syntax
Use this command to configure the NTP servers for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
ntp [{] <ntp arg list> [}]
<ntp arg> ::=
include (<string> | none)
servers (<ip addr list> | none) [add | delete]
timezone (<string> | none)
ntp edit
Display
ntp [show [all]]
ntp list [all]
ntp include [show]
ntp partition [show]
ntp servers [show]
ntp timezone [show]
Description
Use this command to configure the NTP servers for the system.
Examples
Adds the NTP server with the IP address, 192.168.1.245, to the system:
ntp servers 192.168.1.245 add
Replaces the existing list of NTP servers with a single host, time.f5net.com:
ntp servers time.f5net.com
Options
You can use these options with the ntp command:
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
ntp edit
Displays in a text editor the running configuration of all objects created
using the command ntp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only ntp { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition within which the ntp object resides.
servers
Adds NTP servers to or deletes NTP servers from the BIG-IP system.
timezone
Specifies the time zone that you want to use for the system time.
See also
bigpipe(1), dns(1), httpd(1), snmpd(1), sshd(1)
ocsp responder
Configures Online Certificate Status Protocol (OCSP) responder objects.
Syntax
Use this command to create, modify, display, or delete an OCSP responder
object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
ocsp responder <ocsp responder key list> {}
ocsp responder (<ocsp responder key list> | all) [{] <ocsp arg list> [}]
<ocsp responder key> ::=
<name>
<ocsp responder arg> ::=
ca file (<file name> | none)
ca path (<file name> | none)
certid digest (sha1 | md5)
certs (enable | disable)
chain (enable | disable)
check certs (enable | disable)
explicit (enable | disable)
ignore aia (enable | disable)
intern (enable | disable)
sig verify (enable | disable)
sign key (<file name> | none)
sign key pass phrase (<string> | none)
sign other (<file name> | none)
sign digest (sha1 | md5)
signer (<file name> | none)
status age <number>
trust other (enable | disable)
url (<string> | none)
va file (<file name> | none)
validity period <number>
Display
ocsp responder [<ocsp responder key list> | all] [show [all]]
ocsp responder [<ocsp responder key list> | all] list [all]
ocsp responder [<ocsp responder key list> | all] ca file [show]
ocsp responder [<ocsp responder key list> | all] ca path [show]
ocsp responder [<ocsp responder key list> | all] certid digest [show]
ocsp responder [<ocsp responder key list> | all] certs [show]
ocsp responder [<ocsp responder key list> | all] chain [show]
ocsp responder [<ocsp responder key list> | all] check certs [show]
ocsp responder [<ocsp responder key list> | all] explicit [show]
ocsp responder [<ocsp responder key list> | all] ignore aia [show]
ocsp responder [<ocsp responder key list> | all] name [show]
ocsp responder [<ocsp responder key list> | all] intern [show]
ocsp responder [<ocsp responder key list> | all] partition [show]
ocsp responder [<ocsp responder key list> | all] sig verify [show]
ocsp responder [<ocsp responder key list> | all] sign digest [show]
ocsp responder [<ocsp responder key list> | all] sign key [show]
ocsp responder [<ocsp responder key list> | all] sign key pass phrase [show]
ocsp responder [<ocsp responder key list> | all] sign other [show]
ocsp responder [<ocsp responder key list> | all] signer [show]
ocsp responder [<ocsp responder key list> | all] status age [show]
ocsp responder [<ocsp responder key list> | all] trust other [show]
ocsp responder [<ocsp responder key list> | all] url [show]
ocsp responder [<ocsp responder key list> | all] va file [show]
ocsp responder [<ocsp responder key list> | all] validity period [show]
ocsp responder [<ocsp responder key list> | all] verify [show]
ocsp responder [<ocsp responder key list> | all] verify cert [show]
ocsp responder [<ocsp responder key list> | all] verify other [show]
Delete
ocsp responder (<ocsp responder key list> | all) delete
Description
To implement the SSL OCSP authentication module, you must create the
following objects: one or more OCSP responder objects, an SSL OCSP
configuration object, and an SSL OCSP profile.
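As an added example (not code from F5 or this manual), the following Python parses an ocsp responder listing, as produced by the list display, and flags the settings that the Options section below describes as testing-only, weaker or invalid. The listing format, the sample object and its file paths are constructed for illustration.

```python
"""Audit a bigpipe ocsp responder listing for weak settings.

Added example, not code from F5 or this manual. It assumes the listing
format ``ocsp responder <name> { ... }`` with one ``<setting> <value>`` pair
per line, and applies the option meanings given under Options. The sample
listing below is constructed.
"""
import re

# Setting names from the ocsp responder syntax, longest first so that
# "sign key pass phrase" is tried before "sign key".
SETTINGS = sorted([
    "ca file", "ca path", "certid digest", "certs", "chain", "check certs",
    "explicit", "ignore aia", "intern", "sig verify", "sign key",
    "sign key pass phrase", "sign other", "sign digest", "signer",
    "status age", "trust other", "url", "va file", "validity period",
], key=len, reverse=True)

_HEADER = re.compile(r"^ocsp responder (\S+) \{$")

# Constructed listing of a responder object left over from testing.
SAMPLE_LISTING = """\
ocsp responder lab_responder {
   ca file "/config/ssl/ssl.crt/ca-bundle.crt"
   certid digest md5
   certs enable
   check certs enable
   explicit enable
   sig verify disable
   sign key "/config/ssl/ssl.key/lab.key"
   sign key pass phrase none
   sign digest sha1
   signer none
   trust other disable
   url "http://ocsp.example.test/"
   va file none
   validity period 300
}
"""


def parse_ocsp_responder(text):
    """Return (name, settings) for one ocsp responder listing."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = _HEADER.match(lines[0])
    if header is None or lines[-1] != "}":
        raise ValueError("not an ocsp responder listing")
    settings = {}
    for line in lines[1:-1]:
        for key in SETTINGS:
            if line == key or line.startswith(key + " "):
                settings[key] = line[len(key):].strip().strip('"')
                break
        else:
            raise ValueError("unknown setting: " + line)
    return header.group(1), settings


def audit_ocsp_responder(settings):
    """Return findings for settings that weaken or break the responder.

    Each check restates one statement under Options: the testing-only
    switches, the weaker md5 digest, the required url, and a sign key
    given without a signer certificate.
    """
    def value(key, default=""):
        return settings.get(key, default)

    unset = ("", "none")
    findings = []
    if value("sig verify", "enable") == "disable":
        findings.append("sig verify disable: response signature is not checked")
    if value("check certs", "enable") == "disable":
        findings.append("check certs disable: signer authorization is not checked")
    if value("explicit", "enable") == "disable":
        findings.append("explicit disable: signer need not carry the OCSP signing extension")
    if value("certid digest", "sha1") == "md5":
        findings.append("certid digest md5: 128-bit digest, prefer sha1")
    signing = value("signer") not in unset or value("sign key") not in unset
    if signing and value("sign digest", "sha1") == "md5":
        findings.append("sign digest md5: 128-bit digest for request signing, prefer sha1")
    if value("url") in unset:
        findings.append("url missing: a responder URL is required")
    if value("sign key") not in unset and value("signer") in unset:
        findings.append("sign key without signer: configuration is invalid")
    return findings


if __name__ == "__main__":
    name, settings = parse_ocsp_responder(SAMPLE_LISTING)
    for finding in audit_ocsp_responder(settings):
        print("%s: %s" % (name, finding))
```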
Options
You can use these options with the ocsp responder command:
ca file
Specifies the name of the file containing trusted CA certificates used to
verify the signature on the OCSP response.
ca path
Specifies the name of the path containing trusted CA certificates used to
verify the signature on the OCSP response.
certid digest
Specifies the digest algorithm used to compute the cert ID, either sha1 or
md5. sha1 is newer and provides more security with a 160-bit hash length;
md5 is older and has only a 128-bit hash length. The default is sha1.
The cert ID is part of the OCSP protocol. The OCSP client (in this case,
the BIG-IP system) calculates the cert ID using a hash of the issuer and
serial number for the certificate that it is trying to verify.
certs
Enables or disables the addition of certificates to an OCSP request. The
default is enable.
chain
Constructs a chain from certificates in the OCSP response. The default is
enable.
check certs
Makes additional checks to see if the signer's certificate is authorized to
provide the necessary status information. Used for testing purposes only.
The default is enable.
explicit
Specifies that the BIG-IP local traffic management system explicitly
trusts that the OCSP response signer's certificate is authorized for OCSP
response signing. If the signer's certificate does not contain the OCSP
signing extension, specification of this setting causes a response to be
untrusted. The default is enable.
ignore aia
Causes the system to ignore the URL contained in the certificate's AIA
fields, and to always use the URL specified by the responder instead. The
default is disable.
intern
Causes the system to ignore certificates contained in an OCSP response
when searching for the signer's certificate. To use this setting, the signer's
certificate must be specified with either the Verify Other or VA File
setting. The default is enable.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
partition
Displays the partition within which the ocsp responder object resides.
sig verify
Checks the signature on the OCSP response. Used for testing purposes
only. The default is enable.
sign key
Used to sign an OCSP request.
sign key pass phrase
Used to encrypt the sign key.
sign other
Adds a list of additional certificates to an OCSP request.
sign digest
Specifies the algorithm for signing the request, using the signing
certificate and key. This parameter has no meaning if request signing is
not in effect (that is, both the request signing certificate and request
signing key parameters are empty). This parameter is required only when
request signing is in effect. The default is sha1.
signer
Specifies a certificate used to sign an OCSP request. If the certificate is
specified but the key is not specified, then the private key is read from
the same file as the certificate. If neither the certificate nor the key is
specified, then the request is not signed. If the certificate is not specified
and the key is specified, then the configuration is considered to be
invalid.
status age
The default is 0.
trust other
Instructs the BIG-IP local traffic management system to trust the
certificates specified with the Verify Other setting. The default is
disable.
url
Specifies the URL used to contact the OCSP service on the responder.
When using the ocsp responder command, you must specify a URL.
va file
Specifies the name of the file containing explicitly-trusted responder
certificates. This parameter is needed in the event that the responder is
not covered by the certificates already loaded into the responder's CA
store.
Appendix A
validity period
Specifies the number of seconds used to specify an acceptable error
range. This setting is used when the OCSP responder clock and a client
clock are not synchronized, which could cause a certificate status check
to fail. This value must be a positive number. The default is 300 seconds.
verify
Enables or disables verification of an OCSP response signature or the
nonce values. Used for debugging purposes only. The default is enable.
verify cert
The default is enable.
verify other
Specifies the name of the file used to search for an OCSP response
signing certificate when the certificate has been omitted from the
response.
See also
auth ssl ocsp(1), profile auth(1), bigpipe(1)
oneconnect
Displays or resets OneConnect statistics for the BIG-IP system.
Syntax
Use this command to display or reset OneConnect statistics for the BIG-IP
system.
Display
oneconnect [show [all]]
Modify
oneconnect stats reset
Description
The OneConnect feature optimizes the use of network connections by
keeping server-side connections open and pooling them for re-use. You can
use the oneconnect command to display or reset OneConnect statistics for
the BIG-IP system.
See also
profile(1), profile oneconnect(1), bigpipe(1)
packet filter
Configures packet filter rules and trusted allow lists.
Syntax
Use this command to create, modify, display, or delete packet filtering.
Create/Modify
Use this syntax to create or modify packet filter rules:
packet filter (<packet filter key list> | all) [{] <packet filter arg list> [}]
<packet filter key> ::=
<name>
<packet filter arg> ::=
order <number>
action (none | accept | discard | reject | continue)
vlan (<vlan key> | none)
log (enable | disable)
rate class (<rate class key> | none)
filter (<rule>)
packet filter [<packet filter key list> | all] stats reset
packet filter edit
Use this syntax to modify the packet filter's allow trusted lists:
packet filter {}
packet filter [{] <packet filter arg list> [}]
<packet filter arg> ::=
allow trusted <allow trusted>
<allow trusted> ::=
[{] <allow trusted arg list> [}]
<allow trusted arg> ::=
addresses (<ip addr list> | none) [add | delete]
vlans (<vlan key list> | none) [add | delete]
macs (<mac addr list> | none) [add | delete]
packet filter <packet filter key list> {}
Display
packet filter [show [all]]
packet filter list [all]
packet filter allow trusted [show]
Delete
packet filter [<packet filter key list> | all] delete
Description
Provides the ability to create a layer of security for the traffic management
system using packet filter rules or trusted allow lists.
The BIG-IP system packet filters are based on the Berkeley Software Design
Packet Filter (BPF) architecture. Packet filter rules are composed of four
mandatory attributes and three optional attributes. The mandatory attributes
are name, order, action, and filter. The optional attributes are vlan, log,
and rate class. The filter attribute you choose defines the BPF script to
match for the rule.
Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs
that you want to allow to bypass the packet filter.
Important
You must enable the packet filter flag using the Configuration utility, for any
packet filter configuration to work. By default, the packet filter flag is
disabled.
In this example, you have an administrative laptop that you want to have
unrestricted access to the traffic management system. This is a laptop, and
therefore it might have a different IP address from time to time. One way to
solve the problem is to add a trusted MAC address. A trusted MAC address
is a MAC address that passes MAC address-based authentication.
This trusted allow list example shows the laptop MAC address as
00:02:3F:3E:2F:FE. Now the laptop can access the traffic management
system regardless of what address it boots with or to which VLAN it is
connected, as long as it is on the same physical segment as the traffic
management system.
Also in this example, the traffic management system is configured with a
basic firewall for the internal network. This example shows a way to filter
incoming traffic, and allow outgoing traffic to be unrestricted. To do this,
you add trusted VLANs that represent all traffic that originated on the
internal network.
Note
This example has a single virtual server IP, and it does not matter what
interface the traffic is destined for. If you want to be more specific, you
could specify each service port, as well (for example, HTTP, FTP, Telnet,
and so on).
packet filter virtuals {
order 20
action accept
vlan external
rate class root
filter {( dst host 172.19.254.80 )}
}
Options
You can use these options with the packet filter command to create packet
filter rules:
action
Specifies the action that the packet filter rule should take. The values for
action are: accept, discard, reject, continue, and none. There is no
default; you must specify a value when you create a packet filter rule.
filter
Specifies the BPF expression to match. The filter attribute is mandatory;
however, you can leave it empty. If the filter is empty, the packet filter
rule matches all packets.
log
Enables or disables packet filter logging. If you omit this value, no
logging is performed.
order
Specifies a sort order. The values for the sort order are all integers
between 0 and 999, inclusive. No two rules may have the same sort
order.
There is a single, global list of rules. Each rule in the list has a relative
integer sort-order. The rule with the lowest sort-order value is always
evaluated first, the rule with the highest sort-order value is always
evaluated last, and all other rules are evaluated in-between in order based
on ascent of their sort-order value.
For example, if there are five rules, numbered 500, 100, 300, 200, 201;
the rule evaluation order is 100, 200, 201, 300, 500.
Each packet to be filtered is compared against the list of rules in
sequence, starting with the first. Evaluation of the rule list stops on the
first match that has an action of accept, discard, or reject. A match on a
rule with an action of none does not stop further evaluation of the rule
list; the statistics count is updated and a log is generated if the rule
indicates it, but otherwise rule processing continues with the next rule in
the list.
Rules should be sequenced for effect and efficiency by the user;
generally this means:
More specific rules should be evaluated first, and thus have the lowest
sort-orders.
One expression with multiple criteria is likely to evaluate more
efficiently than multiple expressions each with a single criterion.
This is a required setting.
When the text editor opens, if only packet filter { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
rate class
Specifies the name of a rate class. The value for the rate class association
is the name of any existing rate class. If omitted, no rate filter is applied.
vlan
Specifies the VLAN to which the packet filter rule should apply. The
value for this option is any VLAN name currently in existence. If you
omit this value, the rule applies to all VLANs.
You can use these options with the packet filter command to create trusted
allow lists:
addresses
Specifies a list of source IP addresses. Any traffic matching a source IP
in the list is automatically allowed. This simplifies configuration of the
packet filter to allow trusted internal traffic to be passed from VLAN to
VLAN without a filter rule, including out to the Internet. Processing of
traffic by this option occurs before rule list evaluation, making it
impossible to override this option and mask out (block) certain types of
traffic with a packet filter rule. This option is empty by default.
macs
Specifies a list of MAC addresses. The system allows any traffic
matching a MAC address in the source address list. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
vlans
Specifies a list of ingress VLANs. Any traffic matching received on a
VLAN in the ingress VLAN list is automatically allowed. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
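The evaluation order described above (allow lists first, then rules in ascending sort order, with only accept, discard, and reject stopping evaluation) can be modelled in a few dozen lines. This is an added example, not F5 code: the BPF expression is replaced by a small stand-in matcher (an assumption) that understands only src/dst host, dst port, tcp, and udp joined by and, the continue action is assumed to behave like none, and the rules other than the page's virtuals rule and laptop MAC are constructed.

```python
"""Added example (not F5 code): a model of the packet filter evaluation order
described above. The BPF filter is replaced by a small stand-in matcher (an
assumption) for 'src|dst host', 'dst port', 'tcp' and 'udp' joined by 'and'."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

TERMINAL_ACTIONS = {"accept", "discard", "reject"}   # these stop evaluation

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    vlan: str                  # ingress VLAN name
    proto: str = "tcp"
    dst_port: int = 0

@dataclass
class Rule:
    name: str
    order: int                 # 0..999, unique across the single global list
    action: str                # accept | discard | reject | continue | none
    filter_expr: str = ""      # empty filter matches every packet
    vlan: Optional[str] = None # None: the rule applies to all VLANs
    log: bool = False

@dataclass
class AllowTrusted:
    addresses: Set[str] = field(default_factory=set)   # trusted source IPs
    macs: Set[str] = field(default_factory=set)        # trusted source MACs
    vlans: Set[str] = field(default_factory=set)       # trusted ingress VLANs

def match_filter(expr: str, pkt: Packet) -> bool:
    """Stand-in for the BPF expression: simple clauses joined by 'and'."""
    expr = expr.replace("(", " ").replace(")", " ").strip()
    if not expr:
        return True
    for clause in expr.split(" and "):
        tok = clause.split()
        if tok in (["tcp"], ["udp"]):
            ok = pkt.proto == tok[0]
        elif len(tok) == 3 and tok[0] in ("src", "dst") and tok[1] == "host":
            ok = (pkt.src_ip if tok[0] == "src" else pkt.dst_ip) == tok[2]
        elif len(tok) == 3 and tok[0] == "dst" and tok[1] == "port":
            ok = pkt.dst_port == int(tok[2])
        else:
            raise ValueError(f"unsupported clause in stand-in matcher: {clause!r}")
        if not ok:
            return False
    return True

class PacketFilter:
    def __init__(self, rules: List[Rule], allow: Optional[AllowTrusted] = None):
        orders = [r.order for r in rules]
        if len(set(orders)) != len(orders):
            raise ValueError("no two rules may have the same sort order")
        if any(not 0 <= o <= 999 for o in orders):
            raise ValueError("sort order must be between 0 and 999")
        self.rules = sorted(rules, key=lambda r: r.order)   # lowest order first
        self.allow = allow or AllowTrusted()
        self.stats = {r.name: 0 for r in self.rules}
        self.log: List[str] = []

    def evaluation_order(self) -> List[int]:
        return [r.order for r in self.rules]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        # Allow lists are processed before the rule list, so no rule can block
        # traffic they admit.
        if (pkt.src_ip in self.allow.addresses
                or pkt.src_mac.upper() in {m.upper() for m in self.allow.macs}
                or pkt.vlan in self.allow.vlans):
            return "accept", "allow trusted"
        for rule in self.rules:
            if rule.vlan is not None and rule.vlan != pkt.vlan:
                continue
            if not match_filter(rule.filter_expr, pkt):
                continue
            self.stats[rule.name] += 1            # every match updates the count
            if rule.log:
                self.log.append(f"{rule.name} {rule.action} "
                                f"{pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
            if rule.action in TERMINAL_ACTIONS:
                return rule.action, rule.name     # evaluation stops here
            # none (and, as assumed here, continue): fall through to the next rule
        return "unmatched", None   # handling of unmatched packets is configured elsewhere

def build_example() -> PacketFilter:
    """The page's 'virtuals' rule and laptop MAC, plus constructed rules."""
    rules = [
        Rule("audit", 10, "none", log=True),              # counts and logs everything
        Rule("no_telnet", 15, "reject", "tcp and dst port 23"),
        Rule("virtuals", 20, "accept", "( dst host 172.19.254.80 )", vlan="external"),
        Rule("default_drop", 999, "discard"),             # empty filter: matches all
    ]
    allow = AllowTrusted(macs={"00:02:3F:3E:2F:FE"}, vlans={"internal"})
    return PacketFilter(rules, allow)
```

Note how the audit rule's counter never moves for the laptop's traffic: packets admitted by the allow list never reach the rule list at all.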
See also
rate class(1), virtual(1), vlan(1), vlangroup(1), bigpipe(1)
partition
Creates, modifies, and deletes administrative partitions that implement
access control for the BIG-IP system users.
Syntax
Use this command to create, modify, and delete administrative partitions
that implement access control for the BIG-IP system users. To use this
command, you must have the Administrator user role assigned to your user
account.
Create/Modify
partition <partition key list> {}
partition (<partition key list> | all) [{] <partition arg list> [}]
<partition key> ::=
<name>
<partition arg> ::=
description (<string> | none)
partition edit
Display
partition (<partition key list> | all) [show [all]]
partition (<partition key list> | all) list [all]
partition (<partition key list> | all) name [show]
partition (<partition key list> | all) description [show]
Delete
partition (<partition key list> | all) delete
Description
An administrative partition is a logical container that you create, containing
a defined set of BIG-IP system objects, such as virtual servers, pools, and
profiles. When a specific set of objects resides in a partition, you can then
give certain users the authority to view and manage the objects in that
partition only, rather than to all objects on the BIG-IP system. This gives a
finer degree of administrative control.
Options
You can use the following options with the partition command:
description
Specifies a description of the partition, for example, This partition
contains local traffic management objects for managing HTTP
traffic.
partition edit
Displays in a text editor the running configuration of all objects created
using the command partition. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
user(1), bigpipe(1)
password policy
Specifies the parameters of the valid passwords for the BIG-IP system.
Syntax
Use this command to create a password policy for the BIG-IP system in
order to enforce your company's security requirements.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
password policy [{] <password policy arg list> [}]
<password policy arg> ::=
max days <number>
min days <number>
min length <number>
remember <number>
required lowercase <number>
required numeric <number>
required special <number>
required uppercase <number>
strict (enable | disable)
warn age <number>
password policy edit
Display
password policy [show [all]]
password policy list [all]
password policy max days [show]
password policy min days [show]
password policy min length [show]
password policy required lowercase [show]
password policy required numeric [show]
password policy required special [show]
password policy required uppercase [show]
password policy partition [show]
Description
This command provides the ability to define the parameters of valid
passwords on the BIG-IP system.
Examples
Creates a password policy that specifies that passwords are valid for a
maximum of 90 days, and a minimum of 30 days. Also specifies that in
order to be valid, a password must contain at least 6 characters, but not more
than 10 characters, including 2 lowercase alpha characters, 2 uppercase
alpha characters, and 1 number. Also states that the system will
automatically warn users five days before their passwords expire:
password policy max days 90 min days 30 min length 6 max length 10 required lowercase 2 \
required uppercase 2 required special 1 required numeric 1 warn age 5
Options
You can use the following options with the password policy command.
max days
Specifies the maximum number of days a password is valid. The default
value is 99999.
min days
Specifies the minimum number of days a password is valid. The default
value is 0 (zero).
min length
Specifies the minimum number of characters in a valid password. The
default value is 6.
partition
Displays the partition within which the password policy resides.
password policy edit
Displays in a text editor the running configuration of all objects created
using the command password policy. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only password policy { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
remember
Specifies whether the user has configured the BIG-IP system to
remember a password on a specific computer. The default value is 0
(zero).
required lowercase
Specifies the number of lowercase alpha characters that must be present
in a password for the password to be valid. The default value is 0 (zero).
required numeric
Specifies the number of numeric characters that must be present in a
password for the password to be valid. The default value is 0 (zero).
required special
Specifies the number of special characters that must be present in a
password for the password to be valid. The default value is 0 (zero).
required uppercase
Specifies the number of uppercase alpha characters that must be present
in a password for the password to be valid. The default value is 0 (zero).
strict
Enables or disables the password policy on the BIG-IP system. The
default value is disable.
warn age
Specifies the number of days before a password expires. Based on this
value, the BIG-IP system automatically warns users when their password
is about to expire. The default value is 7.
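The policy fields documented above, applied to a candidate password and to a password's age, as an added example (not F5 code). It uses the example policy from this section without max length (not a documented option), and assumes that special means any printable non-alphanumeric character, that a password is valid through day max days and expired after it, and that a disabled (non-strict) policy enforces nothing; remember is left out because the page does not define it as a check.

```python
"""Added example (not F5 code): checking a candidate password and a password's
age against a password policy with the fields documented above."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass(frozen=True)
class PasswordPolicy:
    max_days: int = 99999
    min_days: int = 0
    min_length: int = 6
    required_lowercase: int = 0
    required_numeric: int = 0
    required_special: int = 0
    required_uppercase: int = 0
    strict: bool = False      # disable: the policy is not enforced
    warn_age: int = 7

# The policy from the example above; "max length 10" is not a documented
# option and is left out.
EXAMPLE_POLICY = PasswordPolicy(max_days=90, min_days=30, min_length=6,
                                required_lowercase=2, required_uppercase=2,
                                required_special=1, required_numeric=1,
                                warn_age=5, strict=True)

def check_complexity(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the policy settings the candidate violates (empty means valid)."""
    if not policy.strict:
        return []
    # Assumption: "special" means any printable, non-space, non-alphanumeric character.
    counts = {
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c.isprintable() and not c.isalnum() and not c.isspace()
                       for c in password),
    }
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"min length {policy.min_length}")
    required = (("lowercase", policy.required_lowercase),
                ("uppercase", policy.required_uppercase),
                ("numeric", policy.required_numeric),
                ("special", policy.required_special))
    for kind, need in required:
        if counts[kind] < need:
            problems.append(f"required {kind} {need}")
    return problems

def password_status(policy: PasswordPolicy, age_days: int) -> Dict[str, bool]:
    """Age checks for a password changed age_days ago: expired after max days
    (boundary is an assumption), warning from warn age days before expiry,
    and a change permitted only once min days have passed."""
    if not policy.strict:
        return {"expired": False, "warn": False, "change_allowed": True}
    expired = age_days > policy.max_days
    return {
        "expired": expired,
        "warn": (not expired) and age_days >= policy.max_days - policy.warn_age,
        "change_allowed": age_days >= policy.min_days,
    }

if __name__ == "__main__":
    # Constructed dates for a stand-alone run: 86 days since the last change.
    changed, today = date(2007, 10, 24), date(2008, 1, 18)
    print(password_status(EXAMPLE_POLICY, (today - changed).days))
    print(check_complexity(EXAMPLE_POLICY, "password"))
```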
See also
bigpipe(1), user(1), remote_users(1), remoterole(1)
persist
Configures persistence for the system, and manages the persistence table
entries on the system.
Syntax
Use this command to configure persistence for the system and to manage the
persistence table entries on the system. For information on configuring
session persistence for a virtual server, see profile persist, on page A-214.
Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
Use this syntax to configure persistence on the system:
persist [{] <persist arg list> [}]
<persist arg> ::=
dest addr limit (timeout | maxcount)
dest addr max <number>
proxy group (<string> | none)
persist edit
Display
persist [<persist key list> | all] [show [all]]
persist list [all]
persist dest addr limit [show]
persist dest addr max [show]
Delete
persist [<persist key list> | all] delete
Description
You can use the persist command to configure persistence for the BIG-IP
system. You can also use the persist command to manage the records in the
persistence table of the system. If you specify a parameter for persist key,
you must specify a mode and no other parameter than mode.
Examples
Displays all persistence records with a mode of source addr:
persist mode source addr
Options
You can use the following options to configure persistence for the BIG-IP
system:
partition
Displays the partition within which the persist object resides.
persist edit
Displays in a text editor the running configuration of all objects created
using the command persist. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only persist { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
proxy group
Specifies a group of servers that are configured to process all of the
requests from a single source address during a persistence session.
You can use the following options to manage the persistence table entries:
mode
Specifies the type of persistence you are setting up for the system. The
following options are available:
client
When you specify source addr for the mode option, use this option to
specify the IP address on which the session persists.
cookie
Cookie persistence uses an HTTP cookie stored on a client's computer
to allow the client to connect to the same server previously visited at a
web site.
dest addr
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols, and directs session
requests to the same server based solely on the destination IP address
of a packet.
hash
Hash persistence is based on an existing iRule.
key
Specifies a string for the system to use to persist a client session.
msrdp
MSRDP persistence provides an efficient way of load balancing
traffic and maintaining persistent sessions between Windows clients
and servers that are running the Microsoft Terminal Services service.
The recommended scenario for enabling the MSRDP persistence
feature is to create a load balancing pool that consists of members
running Windows .NET Server 2003, Enterprise Edition, or later,
where all members belong to a Windows cluster and participate in a
Windows session directory.
sip
Session Initiation Protocol (SIP) persistence is a type of persistence
available for server pools. You can configure SIP persistence for
proxy servers that receive SIP messages sent through UDP. The
BIG-IP system currently supports persistence for SIP messages sent
through UDP, TCP, or SCTP.
source addr
Also known as simple persistence, source address affinity persistence
supports TCP and UDP protocols, and directs session requests to the
same server based solely on the source IP address of a packet. When
you specify source addr as the mode of persistence, you must specify
an IP address using the client option.
ssl
SSL persistence is a type of persistence that tracks non-terminated
SSL sessions, using the SSL session ID. Even when the client's IP
address changes, the system still recognizes the connection as being
persistent based on the session ID. Note that the term, non-terminated
SSL sessions, refers to sessions in which the system does not perform
the tasks of SSL certificate authentication and
encryption/re-encryption.
universal
Universal persistence allows you to write an expression that defines
what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules, defines some sequence of
bytes to use as a session identifier.
node
Indicates the node with which the client session remains persistent.
pool
Indicates the pool member with which the client session remains
persistent.
virtual
Indicates the virtual server with which the client session remains
persistent.
See also
profile persist(1), virtual(1), bigpipe(1)
platform
Displays information about the BIG-IP system platform.
Syntax
Use this command to display information about the system platform,
including name and number, the license level of the installed hardware SSL
compression cards, the amount of installed memory, the type and speed of
the CPU, the PVA type (if present), and a list of licensed and enabled
modules, such as the BIG-IP Global Traffic Manager.
Display
platform [show [all]]
platform list [all]
platform base mac [show]
platform bios rev [show]
Description
Display platform statistics such as CPU fan speed and temperature, chassis
temperature, and power supply status.
Examples
This command:
platform show all
This command:
platform base mac [show]
See also
bigpipe(1)
pool
Configures load balancing pools on the traffic management system.
Syntax
Use this command to create, modify, display, or delete a load balancing
pool.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
pool <pool key list> {}
pool <pool key list>[{] <pool arg list> [}]
<pool key>::=
<name>
<pool arg> ::=
lb method (round robin | member ratio | member least conn | member observed | \
member predictive | ratio | least conn | fastest | observed | predictive | \
dynamic ratio | fastest app resp | least sessions | member dynamic ratio | \
l3 addr | rr | node ratio)
action on svcdown (none | reset | drop | reselect)
min up members <number>
min up members (enable | disable)
min up members (reboot | restart all | failover)
min active members <number>
unit <number>
snat (enable | disable)
nat (enable | disable)
ip tos to client (<number> | pass)
ip tos to server (<number> | pass)
link qos to client (<number> | pass)
link qos to server (<number> | pass)
slow ramp time <number>
monitor all (none | <monitor key> | <monitor key> and <monitor key> \
[and <monitor key> ...] | min <number> of <monitor key list>)
members (<pool member list> | none) [add | delete]
Display
pool [<pool key list> | all] [show [all]]
pool [<pool key list> | all] list [all]
pool (<pool key list> | all) name show
pool [<pool key list> | all] lb method [show]
pool [<pool key list> | all] action on svcdown [show]
pool [<pool key list> | all] min up members [show]
pool [<pool key list> | all] min active members [show]
pool [<pool key list> | all] unit [show]
pool [<pool key list> | all] snat [show]
pool [<pool key list> | all] nat [show]
pool [<pool key list> | all] ip tos to client [show]
pool [<pool key list> | all] ip tos to server [show]
pool [<pool key list> | all] link qos to client [show]
pool [<pool key list> | all] link qos to server [show]
pool [<pool key list> | all] slow ramp time [show]
pool [<pool key list> | all] monitor all [show]
pool [<pool key list> | all] partition [show]
pool [<pool key list> | all] members [show]
pool [<pool key list> | all] stats [show]
Delete
pool (<pool key list> | all) delete
Description
The pool command creates, deletes, modifies, and displays the pool
definitions on the traffic management system. Pools group the member
servers together to use a common load balancing algorithm.
Examples
Creates a pool with two members 10.2.3.11, and 10.2.3.12, where both
members use the round robin load balancing method, and the default HTTP
monitor checks for member availability:
pool mypool {
monitor all http
member 10.2.3.11:http
member 10.2.3.12:http
}
Deletes the pool mypool. (Note that all references to a pool must be
removed before the pool can be deleted.)
pool mypool delete
Options
You can use these options with the pool command:
action on svcdown
Specifies the action to take if the service specified in the pool is marked
down. Possible values are none, reset, drop, or reselect. With none, no
action is taken; with reset, the system resets; with drop, connections are
dropped; with reselect, the system selects a new node for the next packet
that arrives on a Layer 4 connection whose service is marked down. The
default is none.
<ip:service>
Specifies an IP address and service being assigned to a pool as a member.
For example, 10.2.3.12:http.
lb method
Specifies the load balancing mode that the system is to use for the
specified pool.
dynamic ratio - Specifies a range of numbers that you want the
system to use in conjunction with the ratio load balancing method.
The default ratio number is 1.
fastest - Indicates that the system passes a new connection based on
the fastest response of all currently active nodes in a pool. This
method may be particularly useful in environments where nodes are
distributed across different logical networks.
fastest app resp - Indicates that the system passes a new connection
based on the fastest application response of all currently active nodes
in a pool.
l3 addr - Indicates that the system passes connections sequentially to
each member configured using its IP address. The IP address is a
Layer 3 address.
least conn - Indicates that the system passes a new connection to the
node that has the least number of current connections.
least sessions - Indicates that the system passes a new connection to
the node that has the least number of current sessions. The Least
Sessions method works best in environments where the servers or other
equipment you are load balancing have similar capabilities. This is a
dynamic load balancing method, distributing connections based on
various aspects of real-time server performance analysis, such as the
current number of sessions.
member dynamic ratio - Indicates that the system passes a new
connection to the member based on continuous monitoring of the
servers, which are continually changing. This is a dynamic load
balancing method, distributing connections based on various aspects
of real-time server performance analysis, such as the current number
of connections per node or the fastest node response time.
member least conn - Indicates that the system passes a new
connection to the member that has the least number of current
connections.
member observed - Indicates that the system passes connections
sequentially to each member based on observed status of the member.
member predictive - Indicates that the system passes connections
sequentially to each member based on a predictive algorithm.
member ratio - Specifies a ratio number that you want the system to
use in conjunction with the ratio load balancing method. The default
ratio number is 1.
node ratio - Specifies a ratio number that you want the system to use
in conjunction with the ratio load balancing method. The default ratio
number is 1.
observed - Indicates that the system passes connections sequentially
to each node based on observed status of the member.
min up members
Enables or disables this feature. The default is disable.
You can also specify the minimum number of members that must remain
up for traffic to be confined to a priority group when using priority-based
activation. If the number specified is exceeded, the action specified
happens. The default is 0.
You can also specify the action taken if the min up members number is
exceeded. The actions you can specify are reboot to reboot the unit,
restart all to restart the load balancing system, or failover to fail over to
another unit. The default is failover.
monitor all
Creates a monitor rule for the pool. You can specify a monitor rule that
marks the pool down if the specified number of monitors are not
successful.
nat
Enables or disables NAT connections for the pool.
partition
Displays the partition within which the pool resides.
pool edit
Displays in a text editor the running configuration of all objects created
using the command pool. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
priority
Specifies a priority that you want to assign to a pool member, to ensure
that traffic is directed to that member before being directed to a member
of a lower priority.
snat
Enables or disables SNAT connections for the pool.
unit
Specifies the unit number used by this pool in an active-active redundant
system.
See also
monitor(1), node(1), virtual(1), bigpipe(1)
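The priority and min up members settings above describe two different checks: which members receive traffic, and when the unit itself should fail over. The following is an added Python model of both, not F5 code. It assumes the documented BIG-IP priority-group behaviour (members of the highest priority group serve traffic; lower groups are added, highest first, when fewer than min_active members are available), where the min_active parameter is not part of the page above and is an assumption; the member list is constructed for the example.

```python
"""Pool member selection by priority group, plus the min up members check.

Added example, not F5 code. Member states and addresses are constructed.
"""
from collections import namedtuple

# up=True means the member's monitors currently pass.
Member = namedtuple("Member", "address port priority up")


def active_members(members, min_active=0):
    """Return the members eligible for traffic.

    min_active == 0 models priority group activation disabled: every up
    member is used and priority values are ignored. Otherwise, groups are
    added from the highest priority downwards until at least min_active up
    members are active (assumed BIG-IP behaviour, not stated on this page).
    """
    up = [m for m in members if m.up]
    if min_active == 0:
        return up
    chosen = []
    for prio in sorted({m.priority for m in up}, reverse=True):
        chosen.extend(m for m in up if m.priority == prio)
        if len(chosen) >= min_active:
            break
    return chosen


def min_up_members_action(members, min_up, checking=True, action="failover"):
    """Return the HA action to take, or None, per the min up members setting.

    The action fires when the number of up members falls below min_up;
    min_up == 0 or checking disabled means the check never fires.
    """
    if not checking or min_up == 0:
        return None
    up_count = sum(1 for m in members if m.up)
    return action if up_count < min_up else None


# Constructed sample pool: two members in priority group 10 (one down),
# one in group 5 and one in group 1.
SAMPLE_POOL = [
    Member("10.1.1.1", 80, 10, True),
    Member("10.1.1.2", 80, 10, False),
    Member("10.1.1.3", 80, 5, True),
    Member("10.1.1.4", 80, 1, True),
]

if __name__ == "__main__":
    for min_active in (0, 1, 2):
        print(min_active, [m.address for m in active_members(SAMPLE_POOL, min_active)])
    print("HA action:", min_up_members_action(SAMPLE_POOL, 4))
```

With the sample pool, a minimum of 2 active members pulls 10.1.1.3 in from the priority-5 group because only one member of the priority-10 group is up, and a min up members value of 4 triggers the failover action because only three members are up.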
profile
Displays profile settings, resets statistics, or deletes a profile.
Syntax
Use this command to display profile settings, reset statistics, or delete a
profile.
Modify
<profile key> ::=
<name>
profile [<profile key list> | all] stats reset
profile edit
Display
profile [<profile key list> | all] [show [all]]
profile [<profile key list> | all] list [all]
profile [<profile key list> | all] name [show]
Delete
profile (<profile key list> | all) delete
Description
Use this command to display or delete existing profiles. You can also reset
statistics for an existing profile or display the configuration for a profile.
Examples
Displays all profiles on the system. Includes all system profiles.
profile all show
Options
You can use these options with the profile command:
profile edit
Displays in a text editor the running configuration of all objects created
using the command profile. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
See also
profile auth(1), profile clientssl(1), profile fastl4(1), profile fasthttp(1),
profile ftp(1), profile http(1), profile oneconnect(1), profile persist(1),
profile serverssl(1), profile statistics(1), profile stream(1), profile tcp(1),
profile udp(1), bigpipe(1)
profile auth
Configures a type of authentication profile.
Syntax
Use this command to create, modify, display, or delete a type of
authentication profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile auth <profile auth key list> {}
profile auth (<profile auth key list> | all) [{] <auth profile arg list> [}]
<profile auth key> ::=
<name>
<auth profile arg> ::=
config (<name> | default)
credential source (http basic auth | default)
defaults from (<profile auth key> | none)
mode (enable | disable | default)
type (ldap | radius | ssl cc ldap | ssl ocsp | tacacs | generic | ssl crldp | \
default)
rule (<rule key> | none | default)
idle timeout (<number> | immediate | indefinite | default)
profile auth [<profile auth key list> | all] stats reset
profile auth edit
Display
profile auth [<profile auth key list> | all] [show [all]]
profile auth [<profile auth key list> | all] list [all]
profile auth [<profile auth key list> | all] config [show]
profile auth [<profile auth key list> | all] credential source [show]
profile auth [<profile auth key list> | all] defaults from [show]
profile auth [<profile auth key list> | all] idle timeout [show]
profile auth [<profile auth key list> | all] mode [show]
profile auth [<profile auth key list> | all] name [show]
Delete
profile auth (<profile auth key list> | all) delete
Description
Create, modify, display, or delete an authentication profile. An
authentication profile is an object that specifies the type of authentication
module you want to implement, a parent profile, and the configuration
object. For example, you can use the profile auth command to create a
TACACS+ profile (see example following). You can either use the default
profile that the BIG-IP local traffic management system provides for each
type of authentication module, or create a custom profile. The types of
authentication profiles you can create with the profile auth command are:
LDAP, SSL CC LDAP, RADIUS, TACACS+, SSL OCSP, and CRLDP.
Examples
Creates a profile named mytacacs_profile for TACACS+ authentication:
profile auth mytacacs_profile {
config mytacacs_profile config credential source http basic auth defaults from tacacs \
mode enable type tacacs rule myrule1 idle timeout 60
}
Options
You can use these options with the profile auth command:
config
Specifies the name of the authentication configuration object that the
profile uses. You can specify an LDAP, RADIUS, TACACS+, SSL client
certificate, SSL OCSP, or CRLDP configuration object. This setting is
required.
credential source
Specifies the credential source as http basic auth or default. For LDAP,
RADIUS, and TACACS+, specify http basic auth for the credential
source. For SSL client certificate or SSL OCSP specify default.
defaults from
Specifies the name of the default authentication profile from which you
want your custom profile to inherit settings. This setting is required.
idle timeout
Sets the idle timeout for the auth profile. The options are a number,
immediate, indefinite, or default. The default is 300 seconds.
mode
Specifies the profile mode. The options are enable, disable, or default.
The default is enable.
partition
Displays the partition in which the authentication profile resides.
rule
Specifies the name of the default rule or custom rule that corresponds to
the authentication method you want to use.
type
Specifies the type of authentication profile that you want to use. The
following types are available:
generic - Unlike the other authentication profile types, when you are
using the command line interface to create a generic authentication
profile, you must manually create or edit a pluggable authentication
module (PAM) configuration file. The name of this configuration file
for a given authentication profile is /etc/pam.d/tmm_{name} where
{name} is the value of the profile instance's name. The bigpipe utility
displays an informational message to this effect, specifying the actual
file to create or edit when you manipulate a generic authentication
profile. F5 recommends that you have expertise with PAM before you
use this advanced feature.
See also
auth crldp(1), auth ldap(1), auth radius(1), auth ssl cc ldap(1), auth ssl
ocsp(1), auth tacacs(1), bigpipe(1)
profile clientssl
Configures a Client SSL profile.
Syntax
Use this command to create, display, modify, or delete a Client SSL profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile clientssl <profile clientssl key list> {}
profile clientssl (<profile clientssl key list> | all) \
[{] <profile clientssl arg list> [}]
<profile clientssl key> ::=
<name>
<profile clientssl arg> ::=
defaults from (<profile clientssl key> | none)
mode (enable | disable | default)
key (<file name> | none | default)
cert (<file name> | none | default)
Display
profile clientssl [<profile clientssl key list> | all] [show [all]]
profile clientssl [<profile clientssl key list> | all] list [all]
profile clientssl [<profile clientssl key list> | all] alert timeout [show]
profile clientssl [<profile clientssl key list> | all] authenticate [show]
profile clientssl [<profile clientssl key list> | all] authenticate depth [show]
profile clientssl [<profile clientssl key list> | all] ca file [show]
profile clientssl [<profile clientssl key list> | all] cache size [show]
profile clientssl [<profile clientssl key list> | all] cache timeout [show]
profile clientssl [<profile clientssl key list> | all] cert [show]
profile clientssl [<profile clientssl key list> | all] chain [show]
profile clientssl [<profile clientssl key list> | all] ciphers [show]
profile clientssl [<profile clientssl key list> | all] client cert ca [show]
profile clientssl [<profile clientssl key list> | all] crl file [show]
profile clientssl [<profile clientssl key list> | all] defaults from [show]
profile clientssl [<profile clientssl key list> | all] handshake timeout [show]
profile clientssl [<profile clientssl key list> | all] key [show]
profile clientssl [<profile clientssl key list> | all] mode [show]
profile clientssl [<profile clientssl key list> | all] modssl methods [show]
profile clientssl [<profile clientssl key list> | all] name [show]
profile clientssl [<profile clientssl key list> | all] nonssl [show]
Delete
profile clientssl (<profile clientssl key list> | all) delete
Description
This command provides the ability to create a custom Client SSL profile.
Client-side profiles allow the traffic management system to handle
authentication and encryption tasks for any SSL connection coming into a
traffic management system from a client system. You implement this type of
profile by using the default profile, or creating a custom profile based on the
default clientssl profile and modifying its settings. All default profiles are
stored in the file /config/profile_base.conf.
Examples
Creates a Client SSL profile named myclientsslprofile using the system
defaults:
profile clientssl myclientsslprofile { mode enable }
Arguments
Several command arguments are available for use with this command.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
mode
Specifies the profile mode, which enables or disables SSL processing.
The options are enable, disable, or default. The default is enable.
key
Specifies the name of a key file that you generated and installed on the
system. The default key name is default.key.
cert
Specifies the name of the certificate installed on the traffic management
system for the purpose of terminating or initiating an SSL connection.
You can specify the default certificate name, which is default.crt.
chain
Specifies a certificate chain file containing the intermediate CA
certificates that the system sends along with its own certificate, so that
a client can build a path from the server certificate to a root it trusts.
To use the default chain name, specify default.
ca file
Specifies the certificate authority (CA) file name. To use the default CA
file name, specify default. Configures certificate verification by
specifying a list of client or server CAs that the traffic management
system trusts.
crl file
Specifies the certificate revocation list file name. To use the default
certificate revocation file name, specify default.
client cert ca
Specifies the file containing the CA certificates whose names the system
advertises to the client as acceptable when it requests a client
certificate. To use the default, specify default.
ciphers
Specifies a cipher name. To use the default ciphers, specify default.
Options
Several options are available, including some industry-related workarounds:
[TLS D5 BUG]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
[ALL BUGFIXES]
This option enables all of the above defect workarounds. It is usually safe
to use the All bugfixes Enabled option to enable the defect workaround
options when you want compatibility with broken implementations. Note
that if you edit the configuration in the web-based configuration utility,
the ALL BUGFIXES syntax is expanded into each individual option.
[SINGLE DH USE]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
when the DH parameters were not generated using strong primes, for
example, when using DSA-parameters. If strong primes were used, it is
not strictly necessary to generate a new DH key during each handshake,
but it is recommended. Enable the Single DH use option, whenever
temporary/ephemeral DH parameters are used.
[EPHEMERAL RSA]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is only done when an
RSA key can only be used for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that ephemeral RSA keys are always used. This option breaks
compatibility with the SSL/TLS specifications, and may lead to
interoperability problems with clients. Therefore, F5 does not
recommend it. You should use ciphers with EDH (ephemeral
Diffie-Hellman) key exchange instead. This option is ignored for
server-side SSL.
[PKCS1 CHECK 1]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. F5 does not recommend this option for normal use.
The system ignores this option for client-side SSL.
[PKCS1 CHECK 2]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. F5 does not recommend this option for normal use.
The system ignores this option for client-side SSL.
[NETSCAPE CA DN BUG]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape Navigator browser connection, demands
a client cert, has a non-self-signed CA that does not have its CA in
Netscape Navigator, and the browser has a certificate, the system
becomes unavailable. This option works for Netscape Navigator versions
3.x and 4.xbeta.
[NO SSLv2]
Do not use the SSLv2 protocol.
[NO SSLv3]
Do not use the SSLv3 protocol.
[NO TLSv1]
Do not use the TLSv1 protocol.
[PASSIVE CLOSE]
In place of a list of individual workarounds, the options setting as a
whole also accepts two keywords:
none - Disables all workarounds. F5 does not recommend this value.
default - Uses the value all bugfixes enabled, which enables the set of
industry-related miscellaneous workarounds related to SSL processing.
modssl methods
Enables or disables ModSSL methods. This setting enables or disables
ModSSL method emulation. This setting should be enabled when
OpenSSL methods are inadequate. For example, you can enable this
when you want to use SSL compression over TLSv1.
cache size
Specifies the SSL session cache size. For client-side profiles only, you
can configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
cache timeout
Specifies the SSL session cache timeout value. This specifies the number
of usable lifetime seconds of negotiated SSL session IDs. The default
timeout value for the SSL session cache is 300 seconds. Acceptable
values are integers greater than or equal to 5. You can also set this value
to indefinite.
renegotiate period
Specifies the Renegotiate Period setting to renegotiate an SSL session
based on the number of seconds that you specify.
renegotiate size
Specifies the Renegotiate Size setting, which forces the traffic
management system to renegotiate an SSL session after the specified
number of megabytes of application data has been transmitted over the
secure channel.
authenticate
Specifies how often the system requests and verifies a client certificate:
once (during the initial handshake only) or always (on every handshake,
including renegotiations). You can also specify default.
authenticate depth
Specifies the authenticate depth. This is the client certificate chain
maximum traversal depth.
unclean shutdown
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that the underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. A peer that never
receives a close notify alert cannot distinguish the legitimate end of the
data from a connection that an attacker cut short, so where the
application relies on receiving complete responses, disable this setting
to force the SSL profile to perform a clean shutdown of all SSL
connections.
strict resume
Specifies whether an SSL session may be resumed after an unclean
shutdown. The default is disable, which allows the SSL profile to resume
uncleanly shut down sessions; enable causes the SSL profile to refuse to
resume them.
nonssl
Specifies enable to allow non-SSL connections to pass through the
traffic management system as clear text. Because this lets a client bypass
SSL entirely, leave it disabled on virtual servers that must only serve
encrypted traffic.
passphrase
Specifies the key passphrase if required.
handshake timeout
Specifies the handshake timeout in seconds. You can also specify
indefinite, or default.
alert timeout
Specifies the alert timeout in seconds. You can also specify immediate,
indefinite, or default.
partition
Displays the partition within which the clientssl profile resides.
See also
profile(1), profile serverssl(1), bigpipe(1)
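The weak choices called out in the Options and Arguments sections above (SSLv2 left negotiable, EPHEMERAL RSA, the PKCS1 CHECK debugging options, a missing SINGLE DH USE, nonssl passthrough, an indefinite session cache) are easy to overlook in a long configuration file. The following added Python example, which is not F5 code, audits Client SSL profiles for them. It assumes the text form shown in this appendix (one setting per line inside profile clientssl <name> { ... }, with options given as a quoted list of the option names listed above); the two profiles in SAMPLE_CONFIG are constructed for the example, and the cipher-string checks are a heuristic that only looks for explicit !EXPORT, !LOW and !aNULL exclusions.

```python
"""Audit Client SSL profiles in bigpipe-style configuration text.

Added example, not F5 code. The configuration syntax is assumed to be the
'profile clientssl <name> { <setting> <value> ... }' form shown in this
appendix; SAMPLE_CONFIG is constructed, not taken from a real system.
"""
import re

# Settings documented for profile clientssl above; longest first so that
# "authenticate depth" is matched before "authenticate", etc.
CLIENTSSL_KEYS = sorted([
    "defaults from", "mode", "key", "cert", "chain", "ca file", "crl file",
    "client cert ca", "ciphers", "options", "modssl methods", "cache size",
    "cache timeout", "renegotiate period", "renegotiate size", "authenticate",
    "authenticate depth", "unclean shutdown", "strict resume", "nonssl",
    "passphrase", "handshake timeout", "alert timeout",
], key=len, reverse=True)

# Option names from the Options list above; longest first for the tokeniser.
SSL_OPTIONS = sorted([
    "ALL BUGFIXES", "TLS D5 BUG", "SINGLE DH USE", "EPHEMERAL RSA",
    "PKCS1 CHECK 1", "PKCS1 CHECK 2", "NETSCAPE CA DN BUG", "NO SSLv2",
    "NO SSLv3", "NO TLSv1", "PASSIVE CLOSE",
], key=len, reverse=True)

PROFILE_RE = re.compile(r"profile clientssl (\S+)\s*\{(.*?)\}", re.S)

# Constructed sample: one weak profile and one hardened profile.
SAMPLE_CONFIG = """\
profile clientssl weak_clientssl {
   defaults from clientssl
   key "default.key"
   cert "default.crt"
   ciphers "DEFAULT"
   options "ALL BUGFIXES EPHEMERAL RSA"
   nonssl enable
   cache timeout indefinite
}
profile clientssl hardened_clientssl {
   defaults from clientssl
   key "www.key"
   cert "www.crt"
   chain "www-chain.crt"
   ciphers "DEFAULT:!SSLv2:!EXPORT:!LOW:!aNULL"
   options "ALL BUGFIXES NO SSLv2 SINGLE DH USE"
   ca file "client-ca.crt"
   authenticate once
   authenticate depth 3
   cache timeout 300
}
"""


def parse_clientssl_profiles(text):
    """Return {profile_name: {setting: value}} for every clientssl profile."""
    profiles = {}
    for name, body in PROFILE_RE.findall(text):
        settings = {}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line:
                continue
            for key in CLIENTSSL_KEYS:  # longest-prefix match on the setting name
                if line == key or line.startswith(key + " "):
                    settings[key] = line[len(key):].strip().strip('"')
                    break
            else:
                raise ValueError(f"{name}: unrecognised setting {line!r}")
        profiles[name] = settings
    return profiles


def split_options(value):
    """Tokenise 'ALL BUGFIXES NO SSLv2' into the multi-word option names."""
    words, found, i = value.split(), [], 0
    while i < len(words):
        for opt in SSL_OPTIONS:
            n = len(opt.split())
            if " ".join(words[i:i + n]) == opt:
                found.append(opt)
                i += n
                break
        else:
            raise ValueError(f"unknown SSL option at {' '.join(words[i:])!r}")
    return found


def audit_clientssl(settings):
    """Return the findings for one profile (empty list means nothing flagged)."""
    findings = []
    opts = split_options(settings.get("options", ""))
    ciphers = settings.get("ciphers", "DEFAULT")
    if "NO SSLv2" not in opts and "!SSLv2" not in ciphers:
        findings.append("SSLv2 still negotiable: add option NO SSLv2")
    if "EPHEMERAL RSA" in opts:
        findings.append("EPHEMERAL RSA set: breaks the spec, use EDH ciphers instead")
    if any(o.startswith("PKCS1 CHECK") for o in opts):
        findings.append("PKCS1 CHECK debugging option set: remove for production")
    if "SINGLE DH USE" not in opts:
        findings.append("SINGLE DH USE unset: ephemeral DH key reused across handshakes")
    for weak in ("!EXPORT", "!LOW", "!aNULL"):  # heuristic cipher-string check
        if weak not in ciphers:
            findings.append(f"cipher string does not exclude {weak[1:]} suites")
    if settings.get("nonssl") == "enable":
        findings.append("nonssl enable: clear-text clients bypass SSL")
    if settings.get("cache timeout") == "indefinite":
        findings.append("cache timeout indefinite: negotiated session IDs never expire")
    return findings


def audit_config(text):
    """Audit every clientssl profile in the text: {name: [findings]}."""
    return {n: audit_clientssl(s) for n, s in parse_clientssl_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

A setting that is absent from a profile is treated as unset here; on a real system it may be inherited through defaults from, so confirm the effective values (the list all form above shows them) before trusting a clean result.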
profile dns
Configures a domain name service (DNS) profile.
Syntax
Use this command to create, modify, display, or delete a DNS profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile dns <profile dns key list> {}
profile dns (<profile dns key list> | all) [{] <profile dns arg list> [}]
<profile dns key> ::=
<name>
<profile dns arg> ::=
defaults from (<profile dns key> | none)
gtm (enable | disable | default)
Modify
profile dns (<profile dns key list> | all) stats reset
profile dns edit
Display
profile dns (<profile dns key list> | all) [show [all]]
profile dns (<profile dns key list> | all) list [all]
profile dns (<profile dns key list> | all) defaults from [show]
profile dns (<profile dns key list> | all) gtm [show]
profile dns (<profile dns key list> | all) name [show]
profile dns (<profile dns key list> | all) partition [show]
profile dns (<profile dns key list> | all) stats [show]
Delete
profile dns (<profile dns key list> | all) delete
Description
This command provides the ability to define the behavior of DNS traffic.
Examples
Creates a DNS profile named mydnsprofile that inherits its settings from
the system default DNS profile:
profile dns mydnsprofile {}
Options
You can use these options with the profile dns command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
name
Specifies the name of the profile.
gtm
Indicates whether to allow the BIG-IP global traffic management system
to handle DNS resolution for DNS queries and responses that contain
wide IP names. The options are enable, disable, and default (that is,
accept the default from the parent profile). The default is enable.
partition
Displays the partition within which the profile resides.
profile dns edit
Displays in a text editor the running configuration of all objects created
using the command profile dns. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
dns(1), profile(1), virtual(1), bigpipe(1)
profile fasthttp
Configures a Fast HTTP profile.
Syntax
Use this command to create, modify, display, or delete a Fast HTTP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile fasthttp <profile fasthttp key list> {}
profile fasthttp (<profile fasthttp key list> | all) [{] <fasthttp profile arg list> [}]
<profile fasthttp key> ::=
<name>
<profile fasthttp arg> ::=
client close timeout (<number> | immediate | indefinite | default)
conn pool idle timeout override (<number> | disable | indefinite | default)
conn pool max reuse (<number> | default)
conn pool max size (<number> | default)
conn pool min size (<number> | default)
conn pool replenish (enable | disable | default)
conn pool step (<number> | default)
defaults from (<profile fasthttp key list> | none)
force http10 response (enable | disable | default)
header insert (<string> | none | default)
http11 close workarounds (enable | disable | default)
idle timeout (<number> | immediate | indefinite | default)
insert xforwarded for (enable | disable | default)
layer7 (enable | disable | default)
max header size (<number> | default)
max requests (<number> | default)
mss override (<number> | default)
reset on timeout (enable | disable | default)
server close timeout (<number> | immediate | indefinite | default)
unclean shutdown (enable | disable | fast | default)
Display
profile fasthttp [<profile fasthttp key list> | all] [show [all]]
profile fasthttp [<profile fasthttp key list> | all] list [all]
profile fasthttp [<profile fasthttp key list> | all] defaults from [show]
profile fasthttp [<profile fasthttp key list> | all] client close timeout [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool idle timeout [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool max reuse [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool max size [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool min size [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool replenish [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool step [show]
profile fasthttp [<profile fasthttp key list> | all] force http10 response [show]
profile fasthttp [<profile fasthttp key list> | all] header insert [show]
profile fasthttp [<profile fasthttp key list> | all] http11 close workarounds [show]
profile fasthttp [<profile fasthttp key list> | all] idle timeout [show]
profile fasthttp [<profile fasthttp key list> | all] insert xforwarded for [show]
profile fasthttp [<profile fasthttp key list> | all] layer7 [show]
profile fasthttp [<profile fasthttp key list> | all] max header size [show]
profile fasthttp [<profile fasthttp key list> | all] max requests [show]
profile fasthttp [<profile fasthttp key list> | all] mss override [show]
profile fasthttp [<profile fasthttp key list> | all] name [show]
profile fasthttp [<profile fasthttp key list> | all] partition [show]
profile fasthttp [<profile fasthttp key list> | all] reset on timeout [show]
profile fasthttp [<profile fasthttp key list> | all] server close timeout [show]
profile fasthttp [<profile fasthttp key list> | all] stats [show]
profile fasthttp [<profile fasthttp key list> | all] unclean shutdown [show]
Delete
profile fasthttp (<name list> | all) delete
Description
The Fast HTTP profile provides the ability to accelerate certain HTTP
connections such as banner ads.
Examples
Creates a Fast HTTP profile named myfasthttpprofile that inherits its
settings from the system default fasthttp profile:
profile fasthttp myfasthttpprofile {}
Options
You can use the following options with the profile fasthttp command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
header insert
Specifies a string that the system inserts as a header in an HTTP request.
If the header exists already, the system does not replace it.
idle timeout
Specifies the number of seconds after which a connection is eligible for
deletion, when the connection has no traffic. The default is 300 seconds.
layer7
When enabled, the system parses HTTP data in the stream. Disable this
setting if you want to use the performance HTTP profile to shield against
denial-of-service attacks against non-HTTP protocols. The default setting
is enable.
max requests
Specifies the maximum number of requests that the system can receive
on a client-side connection, before the system closes the connection. A
setting of 0 specifies that requests are not limited. The default is 0.
mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default setting is 0, which corresponds to an MSS of
1460. You can specify any integer between 536 and 1460.
partition
Displays the partition within which the profile resides.
reset on timeout
When enabled, the system sends a TCP RESET packet when a
connection times out, and deletes the connection. The default is enable.
unclean shutdown
Specifies how the system handles closing a connection. The default is
enable, which allows unclean shutdown of a client connection. Use
disable to prevent unclean shutdown of a client connection. Fast
specifies that the system sends a RESET packet to close the connection
only if the client attempts to send further data after the response has
completed. Default specifies to use the setting from the parent profile.
See also
profile(1), virtual(1), bigpipe(1)
profile fastl4
Configures a Fast Layer 4 profile.
Syntax
Use this command to create, modify, display, or delete a Fast Layer 4
profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile fastL4 <profile fastL4 key list> {}
profile fastL4 (<profile fastL4 key list> | all) [{] <profile fastL4 arg list> [}]
<profile fastL4 key> ::=
<name>
<profile fastL4 arg> ::=
defaults from (<profile fastL4 key> | none)
idle timeout (<number> | immediate | indefinite | default)
mss override (<number> | default)
pva acceleration (none | assist | full | default)
reassemble fragments (enable | disable | default)
reset on timeout (enable | disable | default)
tcp close timeout (<number> | immediate | indefinite | default)
tcp timestamp (preserve | strip | rewrite | default)
tcp wscale (preserve | strip | default)
tcp generate isn (enable | disable | default)
tcp strip sack (enable | disable | default)
ip tos to client (<num> | pass | default)
ip tos to server (<num> | pass | default)
link qos to client (<num> | pass | default)
link qos to server (<num> | pass | default)
tcp handshake timeout (<number> | immediate | indefinite | default)
rtt from client (enable | disable | default)
rtt from server (enable | disable | default)
loose initiation (enable | disable | default)
loose close (enable | disable | default)
Display
profile fastL4 [<profile fastL4 key list> | all] [show [all]]
profile fastL4 [<profile fastL4 key list> | all] list [all]
profile fastL4 [<profile fastL4 key list> | all] defaults from [show]
profile fastL4 [<profile fastL4 key list> | all] hardware syncookie [show]
profile fastL4 [<profile fastL4 key list> | all] idle timeout [show]
profile fastL4 [<profile fastL4 key list> | all] ip tos to client [show]
profile fastL4 [<profile fastL4 key list> | all] ip tos to server [show]
profile fastL4 [<profile fastL4 key list> | all] link qos to client [show]
profile fastL4 [<profile fastL4 key list> | all] link qos to server [show]
profile fastL4 [<profile fastL4 key list> | all] loose close [show]
profile fastL4 [<profile fastL4 key list> | all] loose initiation [show]
profile fastL4 [<profile fastL4 key list> | all] max segment override [show]
profile fastL4 [<profile fastL4 key list> | all] mss override [show]
profile fastL4 [<profile fastL4 key list> | all] name [show]
profile fastL4 [<profile fastL4 key list> | all] partition [show]
profile fastL4 [<profile fastL4 key list> | all] pva acceleration [show]
profile fastL4 [<profile fastL4 key list> | all] reassemble fragments [show]
profile fastL4 [<profile fastL4 key list> | all] reset on timeout [show]
profile fastL4 [<profile fastL4 key list> | all] rtt from client [show]
profile fastL4 [<profile fastL4 key list> | all] rtt from server [show]
profile fastL4 [<profile fastL4 key list> | all] software syncookie [show]
profile fastL4 [<profile fastL4 key list> | all] stats [show]
profile fastL4 [<profile fastL4 key list> | all] tcp generate isn [show]
profile fastL4 [<profile fastL4 key list> | all] tcp strip sack [show]
profile fastL4 [<profile fastL4 key list> | all] tcp timestamp [show]
profile fastL4 [<profile fastL4 key list> | all] tcp wscale [show]
profile fastL4 [<profile fastL4 key list> | all] tcp handshake timeout [show]
profile fastL4 [<profile fastL4 key list> | all] tcp close timeout [show]
Delete
profile fastL4 (<profile fastL4 key list> | all) delete
Description
The fastL4 profile is the default profile used by the system when you create a
basic configuration for non-UDP traffic. Any changes you make to an active
fastL4 profile (one that is in use by a virtual server) take effect for new
connections immediately. Existing connections keep the old values until they
close or are aged out by the idle timeout value.
Examples
Creates a custom Fast Layer 4 profile named myfastl4profile that inherits
its settings from the system default fastl4 profile:
profile fastl4 myfastl4profile {}
Options
You can use these options with the profile fastL4 command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
idle timeout
Specifies an idle timeout in seconds. You can also specify immediate,
indefinite, or default. This setting specifies the number of seconds that a
connection is idle before the connection is eligible for deletion. When
you specify an idle timeout for the Fast L4 profile, the value needs to be
greater than the bigdb database variable Pva.Scrub time in msec for it to
work properly. The default is 300 seconds.
mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default setting is disable, which corresponds to an MSS
of 1460. Disable specifies that the system does not use an MSS override.
To choose a different value than the default, specify any integer between
536 and 1460 bytes. Note that this is also the MSS advertised to a client
when a client first connects.
partition
Displays the partition within which the Fast L4 profile resides.
pva acceleration
Specifies the Packet Velocity ASIC acceleration mode. The options are
none, assist, full, or default.
reassemble fragments
Specifies whether to reassemble fragments. The options are enable,
disable, or default. This option is enabled by default.
reset on timeout
Specifies whether you want to reset connections on timeout. The options
are enable, disable, or default. This option is enabled by default.
tcp timestamp
Specifies how you want to handle the TCP timestamp. The options are
preserve, strip, rewrite, or default. Preserve is the default setting for
this option.
tcp wscale
Specifies how you want to handle the TCP window scale. The options
are preserve, strip, rewrite, or default. The default setting for this
option is preserve TCP window scale.
ip tos to client
Specifies an IP ToS number for the client side. This setting specifies the
Type of Service level that the traffic management system assigns to
packets when sending them to clients. The default is 65535, which means
the system leaves the ToS field unchanged.
ip tos to server
Specifies an IP ToS number for the server side. This setting specifies the
Type of Service level that the traffic management system assigns to
packets when sending them to servers. The default is 65535, which means
the system leaves the ToS field unchanged.
loose initiation
Specifies that the system creates a connection when it receives any TCP
packet, rather than requiring a SYN packet for connection initiation. This
is intended for asymmetric routing, where the system may not see the
SYN. Because any packet can then create a connection-table entry, leave
this disabled unless your routing requires it. The default is disable.
loose close
Specifies that the system closes a loosely-initiated connection when the
system receives the first FIN packet from either the client or the server.
The default is disable.
hardware syncookie
Enables or disables hardware SYN cookie support when PVA10 is
present on the system. Note that when you set the hardware syncookie
option to enable, you may also want to set the following bigdb database
variables using the db command, based on your requirements:
pva.SynCookies.Full.ConnectionThreshold (default: 500000)
pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
pva.SynCookies.ClientWindow (default: 0)
The default is disable.
software syncookie
Enables or disables software SYN cookie support when PVA10 is not
present on the system. The default is disable.
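As an added example (not from this manual), the following Fast L4 profile combines the settings above for a TCP service exposed to untrusted networks: flows are created only by a SYN, idle flows are reset rather than silently dropped, and SYN floods are answered with SYN cookies. The profile name is hypothetical, and the software syncookie line assumes a platform without PVA10; on a PVA10 platform use hardware syncookie instead.

```bigpipe
# Added example, not F5 documentation. Profile name is hypothetical.
profile fastL4 hardened_fastl4 {
   defaults from fastL4
   # a stray mid-stream packet must not create a connection entry
   loose initiation disable
   loose close disable
   # 5 minutes idle, then reset both sides instead of a silent drop
   idle timeout 300
   reset on timeout enable
   # answer SYN floods with cookies (platform without PVA10)
   software syncookie enable
}
```

Assign the profile to the virtual server and confirm it with profile fastL4 hardened_fastl4 list. Because existing flows keep the old values until they close or age out, a change to an active profile is not fully in effect until the previous idle timeout has elapsed. If you use hardware syncookie on a PVA10 platform, also review the pva.SynCookies thresholds listed above with the db command.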
See also
profile(1), virtual(1), bigpipe(1)
profile ftp
Configures an FTP profile.
Syntax
Use this command to create, modify, display, or delete an FTP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile ftp <profile ftp key list> {}
profile ftp (<profile ftp key list> | all) [{] <profile ftp arg list> [}]
<profile ftp key> ::=
<name>
<profile ftp arg> ::=
defaults from (<profile ftp key> | none)
translate extended (enable | disable | default)
data port (<service> | none | default)
security (enable | disable | default)
profile ftp [<profile ftp key list> | all] stats reset
profile ftp edit
Display
profile ftp [<profile ftp key list> | all] [show [all]]
profile ftp [<profile ftp key list> | all] list [all]
profile ftp [<profile ftp key list> | all] data port [show]
profile ftp [<profile ftp key list> | all] defaults from [show]
profile ftp [<profile ftp key list> | all] name [show]
profile ftp [<profile ftp key list> | all] partition [show]
profile ftp [<profile ftp key list> | all] security [show]
profile ftp [<profile ftp key list> | all] stats [show]
profile ftp [<profile ftp key list> | all] translate extended [show]
Delete
profile ftp (<profile ftp key list> | all) delete
Description
Manages a profile for FTP traffic.
Examples
Creates a custom FTP profile named myftpprofile that inherits its settings
from the system default FTP profile:
profile ftp myftpprofile { }
Options
You can use these options with the profile ftp command:
data port
Specifies a service for the data channel port used for this FTP profile.
The default port is 20.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
partition
Displays the partition within which the profile resides.
profile ftp edit
Displays in a text editor the running configuration of all objects created
using the command profile ftp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
security
Enables security checks on FTP traffic by the BIG-IP Application
Security Manager. You can set the security option only if the system is
licensed for the BIG-IP Application Security Manager.
translate extended
Enabled by default. When enabled, the system translates the RFC 2428
extended commands EPSV and EPRT to PASV and PORT when
communicating with IPv4 servers.
See also
profile(1), virtual(1), bigpipe(1)
profile http
Creates, modifies, displays, or deletes an HTTP profile.
Syntax
Use this command to create, modify, display, or delete an HTTP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile http <profile http key list> {}
profile http (<profile http key list> | all) [{] <HTTP profile arg list> [}]
<profile http key> ::=
<name>
<profile http arg> ::=
defaults from (<profile http key> | none)
adaptive parsing (enable | disable | default)
basic auth realm (<string> | none | default)
compress (enable | disable | selective | default)
compress browser workarounds (enable | disable | default)
compress buffer size (<number> | default)
compress content type exclude ((<string list> | none) [add | delete] | default)
compress content type include ((<string list> | none) [add | delete] | default)
compress cpu saver (enable | disable | default)
compress cpu saver high (<number> | default)
compress cpu saver low (<number> | default)
compress gzip level (<number> | default)
compress gzip memory level (<number>(K|k) | default)
compress gzip window size (<number>(K|k) | default)
compress http 1.0 (enable | disable | default)
compress keep accept encoding (enable | disable | default)
compress min size (<number> | default)
compress prefer (deflate | gzip | default)
compress uri exclude ((<string list> | none) [add | delete] | default)
compress uri include ((<string list> | none) [add | delete] | default)
compress vary header (enable | disable | default)
Display
profile http [<profile http key list> | all] [show [all]]
profile http [<profile http key list> | all] list [all]
profile http [<profile http key list> | all] defaults from [show]
profile http [<profile http key list> | all] name [show]
profile http [<profile http key list> | all] adaptive parsing [show]
profile http [<profile http key list> | all] basic auth realm [show]
profile http [<profile http key list> | all] compress [show]
profile http [<profile http key list> | all] compress browser workarounds [show]
profile http [<profile http key list> | all] compress buffer size [show]
profile http [<profile http key list> | all] compress cpu saver [show]
profile http [<profile http key list> | all] compress cpu saver high [show]
profile http [<profile http key list> | all] compress cpu saver low [show]
profile http [<profile http key list> | all] compress gzip level [show]
profile http [<profile http key list> | all] compress gzip memory level [show]
profile http [<profile http key list> | all] compress gzip window size [show]
profile http [<profile http key list> | all] compress http 1.0 [show]
profile http [<profile http key list> | all] compress keep accept encoding [show]
profile http [<profile http key list> | all] compress min size [show]
profile http [<profile http key list> | all] compress prefer [show]
profile http [<profile http key list> | all] compress content type exclude [show]
profile http [<profile http key list> | all] compress content type include [show]
profile http [<profile http key list> | all] compress uri exclude [show]
profile http [<profile http key list> | all] compress uri include [show]
profile http [<profile http key list> | all] compress vary header [show]
profile http [<profile http key list> | all] cookie secret [show]
profile http [<profile http key list> | all] encrypt cookies [show]
profile http [<profile http key list> | all] fallback [show]
profile http [<profile http key list> | all] fallback status [show]
profile http [<profile http key list> | all] header erase [show]
profile http [<profile http key list> | all] header insert [show]
profile http [<profile http key list> | all] insert xforwarded for [show]
profile http [<profile http key list> | all] lws separator [show]
profile http [<profile http key list> | all] lws width [show]
profile http [<profile http key list> | all] max header size [show]
profile http [<profile http key list> | all] max requests [show]
profile http [<profile http key list> | all] oneconnect transformations [show]
profile http [<profile http key list> | all] partition [show]
profile http [<profile http key list> | all] pipelining [show]
profile http [<profile http key list> | all] ramcache [show]
profile http [<profile http key list> | all] ramcache aging rate [show]
profile http [<profile http key list> | all] ramcache entry [<ramcache info key list> | \
all] [show]
profile http [<profile http key list> | all] ramcache ignore client cache control [show]
profile http [<profile http key list> | all] ramcache insert age header [show]
profile http [<profile http key list> | all] ramcache max age [show]
profile http [<profile http key list> | all] ramcache max entries [show]
profile http [<profile http key list> | all] ramcache max object size [show]
profile http [<profile http key list> | all] ramcache min object size [show]
profile http [<profile http key list> | all] ramcache size [show]
profile http [<profile http key list> | all] ramcache uri exclude [show]
profile http [<profile http key list> | all] ramcache uri include [show]
profile http [<profile http key list> | all] ramcache uri pinned [show]
profile http [<profile http key list> | all] redirect rewrite [show]
Delete
profile http (<profile http key list> | all) ramcache entry (<ramcache info key> | all) \
delete
profile http (<profile http key list> | all) delete
Description
Use the default HTTP profile to create a custom HTTP profile. This default
profile includes default values for any of the properties and settings related
to managing HTTP traffic. When you create a custom HTTP profile, you
can use the default settings, or you can change their values to suit your
needs. This profile contains the configuration settings for compression and
RAM Cache.
The BIG-IP system installation includes these HTTP-type profiles:
http
http-lan-optimized-caching
http-wan-optimized-compression
http-wan-optimized-compression-caching
You can modify the settings of these profiles, or create new HTTP-type
profiles using any of these existing profiles as parent profiles.
Examples
Creates a custom HTTP profile named myhttpprofile that inherits its
settings from the system default http profile:
profile http myhttpprofile { }
Resets the header insert setting of the profile named myhttpprofile to
its default value:
profile http myhttpprofile header insert default
Options
You can use these options with the profile http command:
adaptive parsing
Enables or disables adaptive parsing.
compress
Specifies the compression mode. The options are enable, disable,
selective, and default. Note that the data compression feature
compresses HTTP server responses, and not client requests.
compress prefer
Specifies the type of compression that is preferred by the system. The
options are deflate, gzip, or default.
cookie secret
Specifies the passphrase used to encrypt the cookies listed in the
encrypt cookies option.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
encrypt cookies
Specifies the cookies that the BIG-IP system encrypts in responses sent
to client systems, using the passphrase set by cookie secret, and
decrypts again in the requests that carry them. A client cannot then read
or tamper with the cookie value, such as the server address carried in a
BIGipServer persistence cookie.
fallback
Specifies an HTTP fallback host. HTTP redirection allows you to
redirect HTTP traffic to another protocol identifier, host name, port
number, or URI path. For example, if all members of the targeted pool
are unavailable (that is, the members are disabled, marked as down, or
have exceeded their connection limit), the system redirects the HTTP
request to the fallback host with the HTTP status code 302 Found. For
details about how to configure this string, refer to the Configuration
Guide for BIG-IP Local Traffic Management.
fallback status
Specifies one or more three-digit HTTP status codes. When a server
responds with one of these codes, the system redirects the client to the
fallback host instead of passing the server's response through.
header erase
Specifies the header string that you want to erase from an HTTP request.
You can also specify none or default.
header insert
Specifies the header string that you want to insert into an HTTP request.
You can also specify none or default. The string must be quoted. When
you assign the configured HTTP profile to a virtual server, the system
inserts the specified header into every HTTP request that it sends to a
pool or pool member. A common use is to carry the original client IP
address in a header, which is useful when a connection goes through a
secure network address translation (SNAT) and the pool member would
otherwise see only the SNAT address.
lws separator
Specifies the linear white space separator that the system should use
between HTTP headers when a header exceeds the maximum width
specified by the lws width setting. The options are cr, lf, or sp.
lws width
Specifies the maximum number of columns allowed for a header that is
inserted into an HTTP request. See also the lws separator option above.
oneconnect transformations
Enables the system to perform HTTP header transformations for the
purpose of keeping server-side connections open. This feature requires
configuration of a OneConnect profile.
partition
Displays the partition within which the profile resides.
pipelining
Enables HTTP/1.1 pipelining. This allows clients to make requests even
when prior requests have not received a response. In order for this to
succeed, however, destination servers must include support for
pipelining.
ramcache
Enables or disables the RAM Cache feature. The default setting is
disable. Note that you cannot insert a cookie on an HTTP RESPONSE
when the RAM Cache is enabled and the document is cacheable.
ramcache entry
Specifies the following information about a ramcache entry:
exact max response
Specifies the maximum number of responses allowed to utilize the
cached entry.
URI
Specifies the URI from which the entry was cached.
host
Specifies the host from which the entry was cached.
ramcache size
Specifies the maximum size for the RAM cache. When the cache reaches
the maximum size, the system starts removing the oldest entries. The
default setting is 100 megabytes.
redirect rewrite
Specifies which of the application HTTP redirects the system rewrites to
HTTPS. Use this feature when the application is generating HTTP
redirects that send the client to HTTP (a non-secure channel) when you
want the client to continue accessing the application using HTTPS (a
secure channel). This is a common occurrence when using client-side
SSL processing on a BIG-IP system.
all
Specifies to rewrite to HTTPS all application redirects.
matching
Specifies to rewrite to HTTPS only application redirects that match
the original URI exactly.
nodes
If the URI contains a node IP address, instead of a host name,
specifies that the system rewrites the node IP address to the virtual
server IP address.
none
Specifies that the system does not rewrite to HTTPS any application
HTTP redirects. This is the default value.
default
Specifies to use the default value for this parameter, which is none.
response
Specifies how to handle chunked and unchunked requests and responses.
unchunk
If the request or response is chunked, this option unchunks the request
or response, and processes the HTTP content, and passes the request
or response on as unchunked. The Keep-Alive value for the
Connection header is not supported, and therefore the system sets the
value of the header to Close.
If the request or response is unchunked, the BIG-IP local traffic
management system processes the HTTP content and passes the
request or response on untouched.
rechunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request or response is unchunked, the system adds transfer
encoding and chunking headers on egress.
preserve chunk
Specifies that the system processes the HTTP content, and sends the
response to the client unchanged.
selective chunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request is unchunked, the system processes the HTTP content
and then passes the request or response on untouched.
default
Indicates to use the value in the default http profile.
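As an added example (not from this manual), an HTTP profile that combines the settings above for a virtual server that terminates client-side SSL in front of a pool: the pool member receives the real client address, redirects it generates back to http:// are rewritten to https://, the persistence cookie is encrypted so it no longer discloses the member's address, and clients are sent to a fallback host when the pool is unavailable. The profile name, pool name, passphrase and fallback host are hypothetical. The argument forms for insert xforwarded for, encrypt cookies, cookie secret, redirect rewrite and fallback are not reproduced in the grammar excerpt above and are assumed to follow the enable|disable and quoted-string forms used elsewhere in it.

```bigpipe
# Added example, not F5 documentation. Profile and pool names,
# the passphrase and the fallback host are hypothetical.
profile http app_https_front {
   defaults from http
   # drop any client-supplied X-Forwarded-For, then insert our own,
   # so the pool member sees the real client address behind the SNAT
   header erase "X-Forwarded-For"
   insert xforwarded for enable
   # rewrite http:// Location headers from the pool to https://
   redirect rewrite all
   # encrypt the persistence cookie BIGipServer<pool name>
   encrypt cookies "BIGipServerapp_pool"
   cookie secret "replace-with-a-long-random-passphrase"
   # send clients elsewhere when every pool member is unavailable
   fallback "https://status.example.com/"
}
```

Check the result on a pool member by capturing one request: it should carry exactly one X-Forwarded-For header, holding the client address the BIG-IP saw. This page does not state whether header erase is applied before the insert on the same request, so verify that rather than assume it. Without the encrypt cookies line, every client receives the pool member's address and port in clear in the persistence cookie (see cookie mode insert under profile persist).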
See also
profile(1), virtual(1), profile fasthttp(1), bigpipe(1)
profile httpclass
Configures an HTTP Class type of profile.
Syntax
Use this command to create, modify, display, or delete an HTTP class
profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile httpclass <profile httpclass key list> {}
profile httpclass (<profile httpclass key list> | all) [{] \
<profile httpclass arg list> [}]
<profile httpclass key> ::=
<name>
<profile httpclass arg> ::=
asm (enable | disable | default)
cookies ((<regex/glob list> | none) [add | delete] | default)
defaults from (<profile httpclass key> | none)
headers ((<regex/glob list> | none) [add | delete] | default)
hosts ((<regex/glob list> | none) [add | delete] | default)
paths ((<regex/glob list> | none) [add | delete] | default)
pool (<poolkey> | none | default)
redirect (<string> | none | default)
url rewrite (<string> | none | default)
wa (enable | disable | default)
<regex/glob> ::=
[glob | regex] <string>
profile httpclass [<profile httpclass key list> | all] stats reset
profile httpclass edit
Display
profile httpclass [<profile httpclass key list> | all] [show [all]]
profile httpclass [<profile httpclass key list> | all] list [all]
Delete
profile httpclass (<profile httpclass key list> | all) delete
Description
Use this command to create an HTTP class profile, redirect HTTP traffic to
HTTPS using the same virtual server, and redirect HTTP traffic without
changing the URL in the browser.
Examples
Creates an HTTP class profile named myhttpclassprofile that inherits its
settings from the system default HTTP Class profile:
profile httpclass myhttpclassprofile { }
Options
You can use the following options with the profile httpclass command:
asm
Enables application security management. You can set the asm option
only if the system is licensed for the BIG-IP Application Security
Manager. The options are enable, disable, and default.
cookies
Specifies glob or regular-expression patterns; the system applies this
class to incoming HTTP traffic for the web application whose cookie
headers match them.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
headers
Specifies glob or regular-expression patterns; the system applies this
class to incoming HTTP traffic for the web application whose HTTP
headers and values match them.
hosts
Specifies glob or regular-expression patterns; the system applies this
class to incoming HTTP traffic whose host information matches them.
partition
Displays the partition within which the profile resides.
paths
Specifies glob or regular-expression patterns; the system applies this
class to incoming HTTP traffic for the web application whose URI
paths match them.
pool
Specifies a local traffic pool to which the system sends the HTTP traffic.
The options are <pool key>, none, and default.
profile httpclass edit
Displays in a text editor the running configuration of all objects created
using the command profile httpclass. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
Note that the default text editor is vi.
redirect
Specifies a URL to which the system redirects matching traffic instead
of forwarding it to a pool. The options are none, <string>, and default.
url rewrite
Specifies the TCL expression that the system uses to rewrite the request
URI that is forwarded to the server without sending an HTTP redirect to
the client. The options are none, <string>, and default.
wa
Specifies web acceleration. You can set the wa option only if the system
is licensed for the BIG-IP WebAccelerator Module. The options are
enable, disable, and default.
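As an added example (not from this manual), two HTTP class profiles showing the two uses named in the description: the first sends requests for an administrative path on a given host to a dedicated pool with ASM inspection; the second, assigned to the plain-HTTP virtual server, redirects every request to HTTPS on the same host and URI. Names are hypothetical. The redirect string is assumed here to be evaluated as a Tcl expression, as the page states for url rewrite, so that [HTTP::host] and [HTTP::uri] expand from the request.

```bigpipe
# Added example, not F5 documentation. Names are hypothetical.
# Requests for /admin/ on app.example.com go to the admin pool and
# through ASM (the asm option requires the ASM licence).
profile httpclass admin_class {
   defaults from httpclass
   hosts glob "app.example.com"
   paths glob "/admin/*"
   pool admin_pool
   asm enable
}
# For the port 80 virtual server: no match criteria, so every request
# matches and the client is redirected to HTTPS on the same host and URI.
profile httpclass to_https {
   defaults from httpclass
   redirect "https://[HTTP::host][HTTP::uri]"
}
```

The classes assigned to one virtual server are evaluated in order and the first match wins, so a catch-all class such as to_https must be listed last. A redirect makes the browser change its URL; when the application must keep serving under the original URL, use url rewrite instead, as the description notes.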
See also
profile(1), profile http(1)
profile oneconnect
Creates, modifies, displays, or deletes a OneConnect profile.
Syntax
Use this command to create, modify, display, or delete a OneConnect
profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile oneconnect <profile oneconnect key list> {}
profile oneconnect (<profile oneconnect key list> | all) \
[{] <profile oneconnect arg list> [}]
<profile oneconnect key> ::=
<name>
<profile oneconnect arg> ::=
defaults from (<profile oneconnect key> | none)
idle timeout override (<number> | disable | indefinite | default)
max size (<number> | default)
max age (<number> | default)
max reuse (<number> | default)
source mask (<ip mask> | none | default)
profile oneconnect [<profile oneconnect key list> | all] stats reset
profile oneconnect edit
Display
profile oneconnect [<profile oneconnect key list> | all] [show [all]]
profile oneconnect [<profile oneconnect key list> | all] list [all]
profile oneconnect [<profile oneconnect key list> | all] defaults from [show]
profile oneconnect [<profile oneconnect key list> | all] idle timeout override [show]
profile oneconnect [<profile oneconnect key list> | all] max size [show]
profile oneconnect [<profile oneconnect key list> | all] max age [show]
profile oneconnect [<profile oneconnect key list> | all] max reuse [show]
profile oneconnect [<profile oneconnect key list> | all] name [show]
profile oneconnect [<profile oneconnect key list> | all] partition [show]
profile oneconnect [<profile oneconnect key list> | all] source mask [show]
profile oneconnect [<profile oneconnect key list> | all] stats [show]
Delete
profile oneconnect (<profile oneconnect key list> | all) delete
Description
Create a OneConnect profile, which pools server-side TCP connections
and reuses them for requests from many client connections, improving
client performance and increasing server capacity.
Examples
Creates a OneConnect profile named myOCprofile that inherits its
settings from the system default OneConnect profile:
profile oneconnect myOCprofile { }
Options
You can use the following options with the profile oneconnect command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
idle timeout override
Specifies the number of seconds that a connection is idle before the
connection flow is eligible for deletion. Possible values are disable,
indefinite, or a numeric value that you specify. The default is disable.
max size
Specifies the maximum number of connections that the system holds in
the connection reuse pool. If the pool is already full, then the server-side
connection closes after the response is completed. The default setting is
10000.
max age
Specifies the maximum age in number of seconds allowed for a
connection in the connection reuse pool. For any connection with an age
higher than this value, the system removes that connection from the reuse
pool. The default maximum age is 86400.
max reuse
Specifies the maximum number of times that a server-side connection
can be reused. The default is 1000.
partition
Displays the partition within which the profile resides.
profile oneconnect edit
Displays in a text editor the running configuration of all objects created
using the command profile oneconnect. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
Note that the default text editor is vi.
source mask
Specifies a source IP mask. The system applies this mask to a client's
source address to decide which idle server-side connections that client
may reuse. A mask of 0.0.0.0 causes the system to share reused
connections across all clients. A host mask (255.255.255.255, that is,
all 1 bits) causes the system to share only those reused connections
originating from the same client IP address. The default mask is
0.0.0.0.
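As an added example (not from this manual), two OneConnect profiles that differ only in how far server-side connections are shared. Names are hypothetical. The first keeps the default mask, so a connection opened for one client can carry the next request from any other client; a pool member that identifies the client by its TCP connection (connection-oriented authentication, or access logging by source address without X-Forwarded-For) will then attribute one client's requests to another. The second restricts reuse to the same client IP and bounds the life of each pooled connection.

```bigpipe
# Added example, not F5 documentation. Names are hypothetical.
# Shared reuse (the default): any client may reuse any idle
# server-side connection in the reuse pool.
profile oneconnect oc_shared {
   defaults from oneconnect
   source mask 0.0.0.0
}
# Per-client reuse: only requests from the same client IP share a
# server-side connection, and each connection is retired after an
# hour, 100 requests, or 60 idle seconds, whichever comes first.
profile oneconnect oc_per_client {
   defaults from oneconnect
   source mask 255.255.255.255
   max age 3600
   max reuse 100
   idle timeout override 60
}
```

A host mask lowers the reuse rate, and so the server-capacity gain, in proportion to the number of distinct client addresses, so apply oc_per_client only to virtual servers whose pool members need it.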
See also
profile(1), bigpipe(1)
profile persist
Configures a persistence profile.
Syntax
Use this command to create, modify, display, or delete a persistence profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile persist <profile persist key list> {}
profile persist (<profile persist key list> | all) [{] <persistence profile arg list> [}]
<profile persist key>::=
<name>
<persistence profile arg> ::=
defaults from (<profile persist key> | none)
mode (none | source addr | dest addr | cookie | ssl | msrdp | universal | hash |\
sip | default)
rule (<rule key> | none | default)
sip info (<string> | none | default)
timeout (<number> | immediate | indefinite | default)
mask (<ip mask> | none)
cookie mode (insert | rewrite | passive | hash | default | none)
cookie expiration ([<number>d] [<hh>:<mm>:<ss>] | default)
cookie hash offset (<number> | default)
cookie hash length (<number> | default)
cookie name (<string> | none | default)
mirror (enable | disable | default)
msrdp session directory (enable | disable | default)
map proxies (enable | disable | default)
across pools (enable | disable | default)
across services (enable | disable | default)
across virtuals (enable | disable | default)
profile persist edit
Display
profile persist [<profile persist key list> | all] [show [all]]
profile persist [<profile persist key list> | all] list [all]
profile persist [<profile persist key list> | all] defaults from [show]
profile persist [<profile persist key list> | all] across pools [show]
profile persist [<profile persist key list> | all] across services [show]
profile persist [<profile persist key list> | all] across virtuals [show]
profile persist [<profile persist key list> | all] cookie expiration [show]
profile persist [<profile persist key list> | all] cookie hash length [show]
profile persist [<profile persist key list> | all] cookie hash offset [show]
profile persist [<profile persist key list> | all] cookie mode [show]
profile persist [<profile persist key list> | all] cookie name [show]
profile persist [<profile persist key list> | all] map proxies [show]
profile persist [<profile persist key list> | all] mask [show]
profile persist [<profile persist key list> | all] mirror [show]
profile persist [<profile persist key list> | all] mode [show]
profile persist [<profile persist key list> | all] msrdp session directory [show]
profile persist [<profile persist key list> | all] name [show]
profile persist [<profile persist key list> | all] partition [show]
profile persist [<profile persist key list> | all] rule [show]
profile persist [<profile persist key list> | all] sip info [show]
profile persist [<profile persist key list> | all] timeout [show]
Delete
profile persist (<profile persist key list> | all) delete
Description
A persistence profile is a pre-configured object that automatically enables
persistence when you assign the profile to a virtual server. Using a
persistence profile avoids having to write an iRule to implement a type of
persistence.
Each type of persistence that the traffic management system offers includes
a corresponding default persistence profile. These persistence profiles each
contain settings and setting values that define the behavior of the system for
that type of persistence. You can either use the default profile, or create a
custom profile based on the default.
Examples
Creates a custom persistence profile named mypersistprofile that inherits
its settings from the default Cookie persistence profile:
profile persist mypersistprofile { defaults from cookie }
Options
You can use these options with the profile persist command:
across pools
Enables or disables persistence across pools. When enabled, specifies
that the BIG-IP system can use any pool that contains this persistence
entry. Persistence across all pools causes the traffic management system
to maintain persistence for all connections requested by the same client,
regardless of which pool hosts each individual connection initiated by the
client. The default is disable.
across services
Enables or disables persistence across services. When enabled, this
setting specifies that all persistent connections from a client IP address
that go to the same virtual IP address also go to the same node. The
default is disable.
across virtuals
Enables or disables persistence across virtual servers. When enabled,
the traffic management system maintains persistence for all connections
requested by the same client IP address, regardless of which virtual
server hosts each individual connection initiated by the client, so those
connections all go to the same node. The default is disable.
cookie expiration
Specifies the cookie expiration date in the format <number>
<hh>:<mm>:<ss>. The default is 0 seconds.
cookie mode
Specifies the cookie mode for cookie persistence. The default is insert.
Options are: none, insert, rewrite, passive, hash, and default.
insert
If you specify HTTP cookie insert method within the profile, the
information about the server to which the client connects is inserted in
the header of the HTTP response from the server as a cookie. The
cookie is named BIGipServer <pool name>, and it includes the
address and port of the server handling the connection. The expiration
date for the cookie is set, based on the timeout configured on the
traffic management system. HTTP cookie insert method is the
default value for the cookie mode setting.
rewrite
Specifies cookie rewrite mode. HTTP cookie rewrite mode requires
you to set up the cookie created by the server. For HTTP cookie
rewrite mode to succeed, there needs to be a blank cookie coming
from the web server for the system to rewrite. For web servers that are
Apache server variants, you can add the cookie to every web page
header by adding the following entry to the httpd.conf file of the web
server:
Header add Set-Cookie BIGipCookie=0000000000000000000000000...
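The following decoder is an added example, not code from this manual or the BIG-IP product; it shows what an inserted BIGipServer <pool name> cookie discloses to anyone who can read it. The manual above only states that the cookie carries the server's address and port; the value layout used here (IPv4 octets and port packed little-endian and written as decimal fields, followed by a trailing 0000 field) is the encoding BIG-IP insert mode writes but is not documented on this page, so treat it as an assumption. The sample header is constructed.

```python
"""Decode and encode the BIGipServer<pool> cookie that cookie insert mode sets.

Added example, not code from the BIG-IP product or this manual. Assumed value
layout: "<ipv4 as little-endian uint32>.<port as little-endian uint16>.0000".
"""
import ipaddress
import struct
from typing import NamedTuple, Optional

COOKIE_PREFIX = "BIGipServer"


class PersistTarget(NamedTuple):
    pool: str      # pool name taken from the cookie name suffix
    address: str   # dotted IPv4 address of the selected pool member
    port: int      # service port of the selected pool member


def encode_bigip_cookie(address: str, port: int) -> str:
    """Return the cookie value insert mode would write for one pool member."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(address).packed)[0]
    port_le = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_le}.0000"


def decode_bigip_cookie(header_value: str) -> Optional[PersistTarget]:
    """Parse the first cookie in a Set-Cookie header value.

    Returns None when it is not a BIGipServer cookie or the value is malformed.
    """
    name, sep, value = header_value.split(";", 1)[0].strip().partition("=")
    if not sep or not name.startswith(COOKIE_PREFIX):
        return None
    fields = value.split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:2]):
        return None
    ip_le, port_le = int(fields[0]), int(fields[1])
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        return None
    address = str(ipaddress.IPv4Address(struct.pack("<I", ip_le)))
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return PersistTarget(name[len(COOKIE_PREFIX):], address, port)


def cookie_discloses_private_address(header_value: str) -> bool:
    """Defender check: does the cookie reveal an internal (RFC 1918) member address?"""
    target = decode_bigip_cookie(header_value)
    return target is not None and ipaddress.IPv4Address(target.address).is_private


if __name__ == "__main__":
    # Constructed sample response header, not captured from a real system.
    sample = "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/"
    header_value = sample.split(":", 1)[1].strip()
    print(decode_bigip_cookie(header_value))
    print("internal address disclosed:", cookie_discloses_private_address(header_value))
```

Run it against the Set-Cookie headers your virtual server returns to confirm whether the persistence cookie exposes pool member addresses to clients.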
cookie name
Specifies the cookie name. Type the name of an HTTP cookie being sent
by the Web site. This could be something like Apache or
SSLSESSIONID. The name depends on the type of web server your site
is running. This attribute is used by cookie hash mode.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
map proxies
Enables or disables the map proxies attribute. The default setting for the
map proxies for the persistence variable is enable. The AOL proxy
addresses are hard-coded. This enables you to use client IP address
persistence with a simple persist mask, but forces all AOL clients to
persist to the same server. All AOL clients persist to the node that was
picked for the first AOL client connection received. The default is
disable.
mask
Specifies an IP mask. This is the mask used by simple persistence for
connections.
mirror
Enables or disables mirroring of persistence data. The default is disable.
mode
Specifies the persistence mode. The default is none. This setting is
required. The options are: none, source addr, dest addr, cookie, ssl,
msrdp, universal, hash, sip, or default.
source addr
Also known as simple persistence, source address affinity persistence
supports TCP and UDP protocols, and directs session requests to the
same server based solely on the source IP address of a packet.
dest addr
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols, and directs session
requests to the same server based solely on the destination IP address
of a packet.
cookie
Cookie persistence uses an HTTP cookie stored on a client computer
to allow the client to reconnect to the same server previously visited at
a web site.
ssl
SSL persistence is a type of persistence that tracks non-terminated
SSL sessions, using the SSL session ID. Even when the client's IP
address changes, the BIG-IP local traffic management system still
recognizes the connection as being persistent based on the session ID.
Note that the term non-terminated SSL sessions refers to sessions in
which the traffic management system does not perform the tasks of
SSL certificate authentication and encryption/re-encryption.
msrdp
Microsoft Remote Desktop persistence tracks sessions between
clients and servers running Microsoft Remote Desktop Protocol
(MSRDP).
universal
Universal persistence allows you to write an expression that defines
what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules, defines some sequence of
bytes to use as a session identifier.
hash
Hash persistence allows you to create a persistence hash based on an
existing iRule.
sip
SIP persistence load balances all of the SIP communications in a SIP
session to the same SIP server based on SIP header field information.
default
Specify default if you want to use the default system profile settings
for persistence mode.
partition
Displays the partition within which the profile resides.
rule
Specifies a rule name if you are using a rule for universal persistence.
sip info
Specifies the SIP header field on which you want SIP sessions to persist.
The default is Call-ID. Your options include, but are not limited to, the
following header fields:
Call-ID: Specifies to persist on the ID of the call. The Call-ID is a
globally unique identifier of a call.
SIP-ETag: Specifies to persist on the SIP-ETag.
To: Specifies to persist on the destination of the SIP session.
From: Specifies to persist on the origin of the SIP session.
Subject: Specifies to persist on the subject of the SIP session.
Before you can use the sip info option of the profile persist command,
you must create a SIP profile (using the profile sip command). Then, you
must assign both profiles to the same virtual server.
timeout
Specifies the timeout. Possible values are default, immediate,
indefinite, or a numeric value that you specify. This is the simple
persistence timeout. The default is 180 seconds.
The timeout value that you specify allows the BIG-IP system to free up
resources associated with old persistence entries, without having to test
each inbound packet for one of the different types of final messages. A
default timeout value exists, which is 180 seconds. If you change the
timeout value, F5 recommends that the value be no lower than the
default.
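The following model is an added example, not code from this manual or the BIG-IP product. It shows how the mask, timeout and across virtuals options decide which persistence entry a new connection matches under source addr (simple) persistence; the entry timer restarting on each match, and a timed-out entry being dropped outright, are assumptions of the model, and the addresses and scenario are constructed.

```python
"""Model of a source addr persistence table keyed by masked client address.

Added example, not code from the BIG-IP product or this manual. Assumptions:
an entry's timer restarts whenever it is matched, and an expired entry is dropped.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (virtual server name, or "*" for across virtuals; masked client address)


class SourceAddrPersistence:
    def __init__(self, mask: str = "255.255.255.255", timeout: int = 180,
                 across_virtuals: bool = False) -> None:
        self.mask = int(ipaddress.IPv4Address(mask))      # 'mask' option
        self.timeout = timeout                             # 'timeout' option, seconds (default 180)
        self.across_virtuals = across_virtuals             # 'across virtuals' option
        self._entries: Dict[Key, Tuple[str, float]] = {}   # key -> (node, last time used)

    def _key(self, virtual: str, client_ip: str) -> Key:
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        # With across virtuals enabled the virtual server is left out of the key, so the
        # same client reaches the same node whichever virtual server it connects to.
        return ("*" if self.across_virtuals else virtual, masked)

    def lookup(self, virtual: str, client_ip: str, now: float) -> Optional[str]:
        key = self._key(virtual, client_ip)
        entry = self._entries.get(key)
        if entry is None:
            return None
        node, last_used = entry
        if now - last_used > self.timeout:
            del self._entries[key]          # expired: the entry's resources are freed
            return None
        self._entries[key] = (node, now)    # assumption: a match restarts the timer
        return node

    def select(self, virtual: str, client_ip: str, now: float,
               choose_node: Callable[[], str]) -> str:
        """Return the persisted node, or load balance with choose_node and record the result."""
        node = self.lookup(virtual, client_ip, now)
        if node is None:
            node = choose_node()
            self._entries[self._key(virtual, client_ip)] = (node, now)
        return node

    def entry_count(self) -> int:
        return len(self._entries)


def round_robin(nodes: List[str]) -> Callable[[], str]:
    """Round-robin chooser standing in for the pool's load balancing method."""
    i = 0

    def choose() -> str:
        nonlocal i
        node = nodes[i % len(nodes)]
        i += 1
        return node
    return choose


def demo() -> Dict[str, str]:
    """Constructed scenario; returns the node each connection was sent to."""
    nodes = ["10.0.1.11:80", "10.0.1.12:80"]
    results: Dict[str, str] = {}

    # /24 mask: two clients in the same subnet share one persistence entry.
    table = SourceAddrPersistence(mask="255.255.255.0", timeout=180)
    choose = round_robin(nodes)
    results["c1_t0"] = table.select("vs_web", "203.0.113.5", 0, choose)
    results["c2_t10"] = table.select("vs_web", "203.0.113.9", 10, choose)   # same entry as c1
    # 290 s after the entry was last used it has timed out; c1 is load balanced again.
    results["c1_t300"] = table.select("vs_web", "203.0.113.5", 300, choose)
    results["c3_t320"] = table.select("vs_web", "198.51.100.7", 320, choose)  # other subnet

    # across virtuals enabled: a second virtual server reuses the same entry.
    shared = SourceAddrPersistence(mask="255.255.255.0", timeout=180, across_virtuals=True)
    choose2 = round_robin(nodes)
    results["x_vs_web"] = shared.select("vs_web", "203.0.113.5", 0, choose2)
    results["x_vs_api"] = shared.select("vs_api", "203.0.113.5", 5, choose2)
    return results


if __name__ == "__main__":
    for label, node in demo().items():
        print(f"{label:10} -> {node}")
```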
See also
profile(1), virtual(1), rule(1), bigpipe(1)
profile rtsp
Configures a Real Time Streaming Protocol (RTSP) profile.
Syntax
Use this command to create, modify, display, or delete an RTSP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile rtsp <profile rtsp key list> {}
profile rtsp (<profile rtsp key list> | all) [{] <profile rtsp arg list> [}]
<profile rtsp key> ::=
<name>
<profile rtsp arg> ::=
defaults from (<profile rtsp key> | none)
idle timeout (<number> | immediate | indefinite | default)
max header size (<number> | default)
max queued data (<number> | default)
multicast redirect (enable | disable | default)
proxy (none | external | internal | default)
proxy header (<string> | none | default)
real http persistence (enable | disable | default)
rtcp service (<service> | none | default)
rtp service (<service> | none | default)
session reconnect (enable | disable | default)
unicast redirect (enable | disable | default)
profile rtsp [<profile rtsp key list> | all] stats reset
profile rtsp edit
Display
profile rtsp [<profile rtsp key list> | all] [show [all]]
profile rtsp [<profile rtsp key list> | all] list [all]
profile rtsp [<profile rtsp key list> | all] defaults from [show]
profile rtsp [<profile rtsp key list> | all] idle timeout [show]
profile rtsp [<profile rtsp key list> | all] max header size [show]
profile rtsp [<profile rtsp key list> | all] max queued data [show]
profile rtsp [<profile rtsp key list> | all] multicast redirect [show]
profile rtsp [<profile rtsp key list> | all] partition [show]
profile rtsp [<profile rtsp key list> | all] proxy [show]
profile rtsp [<profile rtsp key list> | all] proxy header [show]
profile rtsp [<profile rtsp key list> | all] real http persistence [show]
profile rtsp [<profile rtsp key list> | all] rtcp service [show]
profile rtsp [<profile rtsp key list> | all] rtp service [show]
profile rtsp [<profile rtsp key list> | all] session reconnect [show]
profile rtsp [<profile rtsp key list> | all] stats [show]
profile rtsp [<profile rtsp key list> | all] unicast redirect [show]
Delete
profile rtsp [<profile rtsp key list> | all] delete
Description
Manages a profile for RTSP traffic.
Examples
Creates a custom RTSP profile named myrtspprofile that inherits its
settings from the system default RTSP profile:
profile rtsp myrtspprofile { }
Options
You can use these options with the profile rtsp command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all of the settings and values from the specified parent
profile.
idle timeout
Specifies the number of seconds that a connection is idle before the
connection is eligible for deletion. You can also specify immediate,
indefinite or default. The default is 300 seconds.
max header size
Specifies the maximum size of an RTSP request or response header that
the RTSP filter allows before dropping the connection. The default is
4096 bytes.
max queued data
Specifies the maximum amount of data that the RTSP filter buffers
before dropping the connection. The default is 32768 bytes.
multicast redirect
Specifies whether to enable or disable multicast redirect. When enabled,
the client can select the destination to which to stream data. The default
value is disable.
partition
Displays the partition within which the profile resides.
profile rtsp edit
Displays in a text editor the running configuration of all objects created
using the command profile rtsp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
proxy
Specifies whether the RTSP filter is associated with an RTSP proxy
configuration. The default value is none.
proxy header
When a proxy is set, specifies the name of the header in the RTSP proxy
configuration that is passed from the client-side virtual server to the
server-side virtual server. Note that the name of the header must begin
with X-.
real http persistence
Specifies whether to enable or disable real HTTP persistence. When
enabled, the RTSP filter automatically persists Real Networks RTSP
over HTTP using the RTSP port. The default value is enable. If you
disable this parameter, you can override the default behavior with an
iRule.
rtcp service
The Real Time Control Protocol (RTCP) allows monitoring of the
real-time data delivery. This parameter specifies the number of the port
to use for the RTCP service.
rtp service
The Real Time Protocol (RTP) provides data transport functions suitable
for applications transmitting real-time data. This parameter specifies the
number of the port to use for the RTP service.
session reconnect
Specifies whether to enable or disable session reconnect. When enabled,
the RTSP filter persists the control connection, which is being resumed,
to the correct server. The default value is disable.
unicast redirect
Specifies whether to enable or disable unicast redirect. When enabled,
the client can select the destination to which to stream data. The default
value is disable.
See also
profile(1), virtual(1), bigpipe(1)
profile sctp
Configures a Stream Control Transmission Protocol (SCTP) profile.
Syntax
Use this command to create, modify, display, or delete an SCTP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile sctp <profile sctp key list> {}
profile sctp (<profile sctp key list> | all) [{] <profile sctp arg list> [}]
<profile sctp key> ::=
<name>
<profile sctp arg> ::=
cookie expiration (<number> | default)
defaults from (<profile sctp key> | none)
heartbeat (<number> | default)
idle timeout (<number> | immediate | indefinite | default)
in streams (<number> | default)
init max retries (<number> | default)
ip tos (<number> | pass | default)
link qos (<number> | pass | default)
out streams (<number> | default)
proxy buffer high (<number> | default)
proxy buffer low (<number> | default)
recv chunks (<number> | default)
recv ordered (enable | disable | default)
recv window (<number> | default)
reset on timeout (enable | disable | default)
secret (<string> | none | default)
send buffer (<number> | default)
send max retries (<number> | default)
send partial (enable | disable | default)
tcp shutdown (enable | disable | default)
trans chunks (<number> | default)
Display
profile sctp [<profile sctp key list> | all] [show [all]]
profile sctp [<profile sctp key list> | all] list [all]
profile sctp [<profile sctp key list> | all] cookie expiration [show]
profile sctp [<profile sctp key list> | all] defaults from [show]
profile sctp [<profile sctp key list> | all] heartbeat [show]
profile sctp [<profile sctp key list> | all] idle timeout [show]
profile sctp [<profile sctp key list> | all] in streams [show]
profile sctp [<profile sctp key list> | all] init max retries [show]
profile sctp [<profile sctp key list> | all] ip tos [show]
profile sctp [<profile sctp key list> | all] link qos [show]
profile sctp [<profile sctp key list> | all] out streams [show]
profile sctp [<profile sctp key list> | all] partition [show]
profile sctp [<profile sctp key list> | all] proxy buffer high [show]
profile sctp [<profile sctp key list> | all] proxy buffer low [show]
profile sctp [<profile sctp key list> | all] recv chunks [show]
profile sctp [<profile sctp key list> | all] recv ordered [show]
profile sctp [<profile sctp key list> | all] recv window [show]
profile sctp [<profile sctp key list> | all] reset on timeout [show]
profile sctp [<profile sctp key list> | all] secret [show]
profile sctp [<profile sctp key list> | all] send buffer [show]
profile sctp [<profile sctp key list> | all] send max retries [show]
profile sctp [<profile sctp key list> | all] send partial [show]
profile sctp [<profile sctp key list> | all] stats [show]
profile sctp [<profile sctp key list> | all] tcp shutdown [show]
profile sctp [<profile sctp key list> | all] trans chunks [show]
Delete
profile sctp (<profile sctp key list> | all) delete
Description
Manages a profile for SCTP traffic.
Examples
Creates a custom SCTP profile named mysctpprofile that inherits its
settings from the system default SCTP profile:
profile sctp mysctpprofile { }
Options
You can use these options with the profile sctp command:
cookie expiration
Specifies how many seconds the cookie is valid. The default is 60
seconds.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
heartbeat
Specifies the number of seconds to wait before sending a heartbeat
chunk. The default is 30 seconds.
idle timeout
Specifies the number of seconds without traffic before a connection is
eligible for deletion. The default is 300 seconds.
in streams
Specifies the number of inbound streams. The default is 2.
init max retries
Specifies the maximum number of retries to establish a connection. The
default is 4.
ip tos
Specifies the type of IP service set in packets sent to peer. The default is
0.
link qos
Specifies the link quality of service set in sent packets. The default is 0.
out streams
Specifies the number of outbound streams. The default is 2.
partition
Displays the partition within which the profile resides.
profile sctp edit
Displays in a text editor the running configuration of all objects created
using the command profile sctp. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
proxy buffer high
Specifies the proxy buffer level after which the system closes the receive
window. The default is 16384.
proxy buffer low
Specifies the proxy buffer level after which the system opens the receive
window. The default is 4096.
recv chunks
Specifies the size (in chunks) of the rx_chunk buffer. The default is 256.
recv ordered
When enabled, the system delivers messages to the application layer in
order. The default is enable.
recv window
Specifies the size (in bytes) of the receive window. Prorate this value to
the Receive Chunks value. The default is 65536.
reset on timeout
When enabled, the system resets a connection when the connection times
out. The default is enable.
secret
Specifies the internal secret string that the system uses for Hash-based
Message Authentication Code (HMAC) cookies.
send buffer
Specifies the size in bytes of the buffer. The default is 65536.
send max retries
Specifies the maximum number of times the system tries again to send
data. The default is 8.
send partial
When enabled, the system accepts partial application data. The default is
enable.
tcp shutdown
When enabled, the system emulates the closing of a TCP connection. The
default is enable.
trans chunks
Specifies the size (in chunks) of the tx_chunk buffer. The default is 256.
See also
profile(1), bigpipe(1), profile rtsp(1), profile sip(1)
profile serverssl
Configures a Server SSL profile.
Syntax
Use this command to create, modify, display, or delete a Server SSL profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile serverssl <profile serverssl key list> {}
profile serverssl (<profile serverssl key list> | all) [{]
[}]
Display
profile serverssl [<profile serverssl key list> | all] [show [all]]
profile serverssl [<profile serverssl key list> | all] list [all]
profile serverssl [<profile serverssl key list> | all] name [show]
profile serverssl [<profile serverssl key list> | all] defaults from [show]
profile serverssl [<profile serverssl key list> | all] mode [show]
profile serverssl [<profile serverssl key list> | all] key [show]
profile serverssl [<profile serverssl key list> | all] cert [show]
profile serverssl [<profile serverssl key list> | all] chain [show]
profile serverssl [<profile serverssl key list> | all] ca file [show]
profile serverssl [<profile serverssl key list> | all] crl file [show]
profile serverssl [<profile serverssl key list> | all] ciphers [show]
profile serverssl [<profile serverssl key list> | all] options [show]
profile serverssl [<profile serverssl key list> | all] modssl methods [show]
profile serverssl [<profile serverssl key list> | all] renegotiate period [show]
profile serverssl [<profile serverssl key list> | all] renegotiate size [show]
profile serverssl [<profile serverssl key list> | all] peer cert mode [show]
profile serverssl [<profile serverssl key list> | all] authenticate [show]
profile serverssl [<profile serverssl key list> | all] authenticate depth [show]
profile serverssl [<profile serverssl key list> | all] authenticate name [show]
profile serverssl [<profile serverssl key list> | all] unclean shutdown [show]
profile serverssl [<profile serverssl key list> | all] strict resume [show]
profile serverssl [<profile serverssl key list> | all] passphrase [show]
profile serverssl [<profile serverssl key list> | all] handshake timeout [show]
profile serverssl [<profile serverssl key list> | all] alert timeout [show]
profile serverssl [<profile serverssl key list> | all] cache size [show]
profile serverssl [<profile serverssl key list> | all] cache timeout [show]
profile serverssl [<profile serverssl key list> | all] stats [show]
profile serverssl [<profile serverssl key list> | all] partition [show]
Delete
profile serverssl (<profile serverssl key list> | all) delete
Description
Server-side profiles allow the traffic management system to handle
encryption tasks for any SSL connection being sent from a local traffic
management system to a target server. A server-side SSL profile is able to
act as a client by presenting certificate credentials to a server when
authentication of the local traffic management system is required. You
implement this type of profile by using the default profile, or creating a
custom profile based on the Server SSL profile template and modifying its
settings.
Examples
Creates a custom Server SSL profile named myserversslprofile that inherits
its settings from the system default serverssl profile:
profile serverssl myserversslprofile { }
Arguments
Several arguments are available for use with this command.
ca file
Specifies the certificate authority (CA) file name or indicates the system
uses the certificate authority file name from the parent profile.
Configures certificate verification by specifying a list of client or server
CAs that the traffic management system trusts.
cert
Specifies the certificate file name or indicates the system uses the
certificate file name from the parent profile. Specifies the name of the
certificate installed on the traffic management system for the purpose of
terminating or initiating an SSL connection. The default is default.crt.
chain
Specifies the chain name or indicates the system uses the chain name
from the parent profile. Specifies or builds a certificate chain file that a
client can use to authenticate the profile.
ciphers
Specifies a cipher name or indicates the system uses the default ciphers
from the parent profile.
crl file
Specifies the certificate revocation list file name or indicates the system
uses the certificate revocation file name from the parent profile.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
key
Specifies the key file name or indicates the system uses the key file name
from the parent profile. Specifies the name of the key installed on the
traffic management system for the purpose of terminating or initiating an
SSL connection. The default key file name is default.key.
mode
Specifies the profile mode. The options are enable, disable, or default.
Enables or disables SSL processing. The default is enable.
Options
These options are available, including some industry-related workarounds:
alert timeout
Specifies the alert timeout in seconds. You can also specify immediate,
indefinite, or default. The default is 60 seconds.
authenticate
Specifies frequency of authentication. Options are once, always, or
default.
authenticate depth
Specifies the client certificate chain maximum traversal depth.
authenticate name
Specifies a Common Name (CN) that is embedded in a server certificate.
The system authenticates a server based on the specified CN.
cache size
Specifies the SSL session cache size. For client-side profiles only, you
can configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
cache timeout
Specifies the SSL session cache timeout value, which is the usable
lifetime seconds of negotiated SSL session IDs. The default is 300
seconds. Acceptable values are integers greater than or equal to 5. You
can also set this value to immediate or indefinite.
handshake timeout
Specifies the handshake timeout in seconds. You can also specify
immediate, indefinite, or default.
modssl methods
Enables or disables ModSSL method emulation. Use enable when
OpenSSL methods are inadequate. For example, you can enable ModSSL
method emulation when you want to use SSL compression over TLSv1.
partition
Displays the partition within which the profile resides.
passphrase
Specifies the key passphrase, if required.
renegotiate period
Specifies the number of seconds from the initial connect time after which
the system renegotiates an SSL session. The default is indefinite,
meaning that you do not want the system to renegotiate SSL sessions.
Each time the session renegotiation is successful, a new connection is
started. Therefore, the system attempts to renegotiate the session again,
in the specified amount of time following the successful session
renegotiation. For example, setting the Renegotiate Period to 3600
seconds triggers session renegotiation at least once an hour.
renegotiate size
Specifies a throughput size, in bytes, of SSL renegotiation. This setting
forces the traffic management system to renegotiate an SSL session
based on the size, in megabytes, of application data that is transmitted
over the secure channel. The default is indefinite specifying that you do
not want a throughput size.
strict resume
You can enable or disable the resumption of SSL sessions after an
unclean shutdown. The default is disable, which indicates that the SSL
profile refuses to resume SSL sessions after an unclean shutdown.
unclean shutdown
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. If you want to
force the SSL profile to perform a clean shutdown of all SSL
connections, you can disable the default setting.
[ALL BUGFIXES]
This option enables all of the above defect workarounds. It is usually safe
to use the All bugfixes Enabled option to enable the defect workaround
options when compatibility with broken implementations is desired. Note
that if you edit the configuration in the web-based configuration utility,
the ALL BUGFIXES syntax is expanded into each individual option.
[EPHEMERAL RSA]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is only done when an
RSA key can only be used for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that you want to use ephemeral RSA keys always. This option
breaks compatibility with the SSL/TLS specifications and may lead to
interoperability problems with clients. Therefore, F5 does not
recommend this option. You should use ciphers with EDH (ephemeral
Diffie-Hellman) key exchange instead. This option is ignored for
server-side SSL.
[NETSCAPE CA DN BUG]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape Navigator browser connection, demands a
client cert, has a non-self-signed CA that does not have its CA in
Netscape, and the browser has a certificate, the system crashes or hangs.
[NO SSLv2]
Do not use the SSLv2 protocol.
[NO SSLv3]
Do not use the SSLv3 protocol.
[NO TLSv1]
Do not use the TLSv1 protocol.
[PASSIVE CLOSE]
Specifies how to handle passive closes.
none
Choose this option if you want to disable all workarounds. F5 does
not recommend this option.
default
Specifies the value, all bugfixes enabled, which enables a set of
industry-related miscellaneous workarounds related to SSL
processing.
[PKCS1 CHECK 1]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. F5 does not recommend this option for normal use.
The system ignores this option for client-side SSL.
[PKCS1 CHECK 2]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. F5 does not recommend this option for normal use.
The system ignores this option for client-side SSL.
[SINGLE DH USE]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
when the DH parameters were not generated using strong primes (for
example, when using DSA parameters). If strong primes were used, it is
[TLS D5 BUG]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
See also
profile(1), profile clientssl(1), bigpipe(1)
profile sip
Configures a Session Initiation Protocol (SIP) profile.
Syntax
Use this command to create, modify, display, or delete a SIP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile sip <profile sip key list> {}
profile sip (<profile sip key list> | all) [{] <profile sip arg list> [}]
<profile sip key> ::=
<name>
<profile sip arg> ::=
defaults from (<profile sip key> | none)
insert record route (enable | disable | default)
insert via (enable | disable | default)
max size (<number> | default)
secure via (enable | disable | default)
terminate bye (enable | disable | default)
profile sip [<profile sip key list> | all] stats reset
profile sip edit
Display
profile sip [<profile sip key list> | all] [show [all]]
profile sip [<profile sip key list> | all] list [all]
profile sip [<profile sip key list> | all] edit
profile sip [<profile sip key list> | all] defaults from [show]
profile sip [<profile sip key list> | all] insert record route [show]
profile sip [<profile sip key list> | all] insert via [show]
profile sip [<profile sip key list> | all] max size [show]
profile sip [<profile sip key list> | all] name [show]
profile sip [<profile sip key list> | all] partition [show]
profile sip [<profile sip key list> | all] secure via [show]
profile sip [<profile sip key list> | all] stats [show]
profile sip [<profile sip key list> | all] terminate bye [show]
Description
This command provides the ability to create a SIP profile.
Examples
Creates a SIP profile named mysipprofile using the system defaults:
profile sip mysipprofile { }
Options
You can use the following options with the profile sip command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all of the settings and values from the specified parent
profile. The default is sip.
insert via
Enables or disables the insertion of a Via header, which indicates where
the message originated. The response message uses this routing
information. The default is disable.
max size
Specifies the maximum SIP message size that the BIG-IP system accepts.
The default is 64000 bytes.
partition
Displays the partition within which the profile resides.
secure via
Enables or disables the insertion of a Secure Via header, which indicates
where the message originated. When you are using SSL/TLS (over TCP)
to create a secure channel with the server node, use this setting to
configure the BIG-IP system to insert a Secure Via header into SIP
requests. The default is disable.
terminate bye
Enables or disables the termination of a connection when a BYE
transaction finishes. Use this parameter with UDP connections only, not
with TCP connections. The default is enable.
See also
bigpipe(1), profile(1), profile persist(1)
profile stats
Creates, modifies, displays, or deletes a Statistics profile.
Syntax
Use this command to create, modify, display, or delete a Statistics profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile stats <profile stats key list> {}
profile stats (<profile stats key list> | all) [{] <profile stats arg list> [}]
<profile stats key> ::=
<name>
<profile stats arg> ::=
defaults from (<profile stats key> | none)
field<i> (<name> | none | default)
(i=1-32)
Display
profile stats [<profile stats key list> | all] [show [all]]
profile stats [<profile stats key list> | all] list [all]
profile stats [<profile stats key list> | all] name [show]
profile stats [<profile stats key list> | all] defaults from [show]
profile stats [<profile stats key list> | all] field<i> [show]
Delete
profile stats [<profile stats key list> | all] delete
Description
Use the stats profile to create a custom Statistics profile.
Examples
Lists all available custom statistics fields:
profile stats all list
Options
You can use these options with the profile stats command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile.
field
Specifies the field identifier. This is a number from 1 to 32.
partition
Displays the partition within which the profile resides.
See also
profile(1), bigpipe(1)
profile stream
Configures a Stream profile.
Syntax
Use this command to create, modify, display, or delete a Stream profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile stream <profile stream key list> {}
profile stream (<profile stream key list> | all) [{] <profile stream arg list> [}]
<profile stream key> ::=
<name>
<profile stream arg> ::=
defaults from (<profile stream key> | none)
target (<string> | none | default)
source (<string> | none | default)
profile stream [<profile stream key list> | all] stats reset
profile stream edit
Display
profile stream [<profile stream key list> | all] [show [all]]
profile stream [<profile stream key list> | all] list [all]
profile stream [<profile stream key list> | all] defaults from [show]
profile stream [<profile stream key list> | all] name [show]
profile stream [<profile stream key list> | all] partition [show]
profile stream [<profile stream key list> | all] target [show]
profile stream [<profile stream key list> | all] stats [show]
profile stream [<profile stream key list> | all] source [show]
Delete
profile stream (<profile stream key list> | all) delete
Description
You can use the Stream profile to search and replace strings within a data
stream, such as a TCP connection.
Examples
Creates a custom Stream profile named mystreamprofile that inherits its
settings from the system default stream profile:
profile stream mystreamprofile { }
Options
You can use these options with the profile stream command:
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
partition
Displays the partition within which the profile resides.
target
Specifies the string you want to rewrite. You can also specify default if
you want to use the default system profile value.
source
Specifies the string that is used to rewrite the target string. You can also
specify default if you want to use the default stream profile value.
See also
profile(1), virtual(1), bigpipe(1)
profile tcp
Configures a TCP profile.
Syntax
Use this command to create, modify, display, or delete a TCP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile tcp <profile tcp key list> {}
profile tcp (<profile tcp key list> | all) [{] <profile tcp arg list> [}]
<profile tcp key> ::=
<name>
<profile tcp arg> ::=
defaults from (<profile tcp key> | none)
abc (enable | disable | default)
ack on push (enable | disable | default)
bandwidth delay (enable | disable | default)
close wait (<number> | immediate | indefinite | default)
cmetrics cache (enable | disable | default)
congestion control (reno | newreno | scalable | highspeed | none | default)
deferred accept (enable | disable | default)
delayed acks (enable | disable | default)
dsack (enable | disable | default)
ecn (enable | disable | default)
fin wait (<number> | immediate | indefinite | default)
idle timeout (<number> | indefinite | default)
ip tos (<number> | default)
keep alive interval (<number> | default)
limited transmit (enable | disable | default)
link qos (<number> | default)
max retrans (<number> | default)
max retrans syn (<number> | default)
md5 sign (enable | disable | default)
md5 sign passphrase (<string> | none | default)
Display
profile tcp [<profile tcp key list> | all] [show [all]]
profile tcp [<profile tcp key list> | all] name [show]
profile tcp [<profile tcp key list> | all] defaults from [show]
profile tcp [<profile tcp key list> | all] abc [show]
profile tcp [<profile tcp key list> | all] ack on push [show]
profile tcp [<profile tcp key list> | all] bandwidth delay [show]
profile tcp [<profile tcp key list> | all] close wait [show]
profile tcp [<profile tcp key list> | all] cmetrics cache [show]
profile tcp [<profile tcp key list> | all] congestion control [show]
profile tcp [<profile tcp key list> | all] deferred accept [show]
profile tcp [<profile tcp key list> | all] delayed acks [show]
profile tcp [<profile tcp key list> | all] dsack [show]
profile tcp [<profile tcp key list> | all] ecn [show]
profile tcp [<profile tcp key list> | all] fin wait [show]
profile tcp [<profile tcp key list> | all] idle timeout [show]
profile tcp [<profile tcp key list> | all] ip tos [show]
profile tcp [<profile tcp key list> | all] keep alive interval [show]
profile tcp [<profile tcp key list> | all] limited transmit [show]
profile tcp [<profile tcp key list> | all] link qos [show]
profile tcp [<profile tcp key list> | all] max retrans [show]
profile tcp [<profile tcp key list> | all] max retrans syn [show]
profile tcp [<profile tcp key list> | all] md5 sign [show]
profile tcp [<profile tcp key list> | all] md5 sign passphrase [show]
profile tcp [<profile tcp key list> | all] nagle [show]
profile tcp [<profile tcp key list> | all] partition [show]
profile tcp [<profile tcp key list> | all] proxy buffer high [show]
profile tcp [<profile tcp key list> | all] proxy buffer low [show]
profile tcp [<profile tcp key list> | all] proxy mss [show]
profile tcp [<profile tcp key list> | all] proxy options [show]
profile tcp [<profile tcp key list> | all] recv window [show]
profile tcp [<profile tcp key list> | all] reset on timeout [show]
profile tcp [<profile tcp key list> | all] rfc1323 [show]
profile tcp [<profile tcp key list> | all] selective acks [show]
profile tcp [<profile tcp key list> | all] send buffer [show]
profile tcp [<profile tcp key list> | all] slow start [show]
profile tcp [<profile tcp key list> | all] stats [show]
profile tcp [<profile tcp key list> | all] time wait [show]
profile tcp [<profile tcp key list> | all] time wait recycle [show]
Delete
profile tcp (<profile tcp key list> | all) delete
Description
The TCP profile is a configuration tool for managing TCP network traffic.
Many of the TCP profile settings are standard SYSCTL types of settings,
while others are unique to the traffic management system. For most of the
TCP profile settings, the default values usually meet your needs. The
specific settings that you might want to change are: Reset on Timeout, Idle
Timeout, IP ToS, and Link QoS.
The BIG-IP system installation includes these TCP-type profiles: tcp,
tcp-lan-optimized, and tcp-wan-optimized. You can modify the settings of
these profiles, or create new TCP-type profiles using any of these existing
profiles as parent profiles.
Examples
Creates a custom TCP profile named mytcpprofile that inherits its settings
from the system default tcp profile:
profile tcp mytcpprofile { }
Options
You can use these options with the profile tcp command:
abc
When enabled, increases the congestion window by basing the increase
amount on the number of previously unacknowledged bytes that each
ACK covers. The default is enable.
ack on push
When enabled, significantly improves performance to Windows and
MacOS peers that are writing out on a very small send buffer. The
default is disable.
bandwidth delay
When enabled, the system attempts to calculate the optimal bandwidth to
use to contact the client, based on throughput and round-trip time,
without exceeding the available bandwidth. The default is enable.
close wait
Specifies the number of seconds that a connection remains in a
LAST-ACK state before quitting. A value of 0 represents a term of
forever (or until the matrix of the FIN state). The default is 5 seconds.
You can also specify immediate, indefinite, or default.
cmetrics cache
When enabled, specifies that the system uses a cache for storing
congestion metrics. The default is enable.
congestion control
Specifies the algorithm to use to share network resources among
competing users to reduce congestion. The default is New Reno.
The options are:
High Speed: Specifies that the system uses a more aggressive,
loss-based algorithm.
New Reno: Specifies that the system uses a modification to the Reno
algorithm that responds to partial acknowledgements when SACKs
are unavailable.
None: Specifies that the system does not use a
network-congestion-control mechanism, even when congestion
occurs.
Reno: Specifies that the system uses an implementation of the TCP
Fast Recovery algorithm, which is based on the implementation in the
BSD Reno release.
Scalable: Specifies that the system uses a TCP algorithm
modification that adds a scalable, delay-based and loss-based
component into the Reno algorithm.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile.
deferred accept
When enabled, the system defers allocation of the connection chain
context until the client response is received. This setting is useful for
dealing with 3-way handshake DoS attacks. The default is disable.
delayed acks
When enabled, the traffic management system allows coalescing of
multiple ACK responses. The default is enable.
dsack
When enabled, specifies the use of the Selective ACKs (SACK) option to
acknowledge duplicate segments. The default is disable.
ecn
When enabled, the system uses the TCP flags CWR and ECE to notify
its peer of congestion and congestion counter-measures. The default is
disable.
fin wait
Specifies the number of seconds that a connection is in the FIN-WAIT or
closing state before quitting. The default is 5 seconds. A value of 0
represents a term of forever (or until the matrix of the FIN state). You
can also specify immediate, indefinite, or default.
idle timeout
Specifies the number of seconds that a connection is idle before the
connection is eligible for deletion. You can also specify indefinite or
default. The default is 300 seconds.
ip tos
Specifies the Type of Service level that the traffic management system
assigns to TCP packets when sending them to clients.
limited transmit
When enabled, the system uses limited transmit recovery revisions for
fast retransmits (as specified in RFC 3042) to reduce the recovery time
for connections on a lossy network. The default is enable.
link qos
Specifies the Quality of Service level that the system assigns to TCP
packets when sending them to clients.
max retrans
Specifies the maximum number of retransmissions of data segments that
the system allows.
md5 sign
Specifies, when enabled, that the system uses RFC 2385 TCP-MD5
signatures to protect TCP traffic against intermediate tampering. The
default is disable.
nagle
Specifies, when enabled, that the system applies Nagle's algorithm to
reduce the number of short segments on the network. The default setting
is enable. Note that for interactive protocols such as Telnet, rlogin, or
SSH, F5 recommends disabling this setting on high-latency networks, to
improve application responsiveness.
partition
Displays the partition within which the profile resides.
proxy mss
When enabled, the system advertises the same MSS to the server as was
negotiated with the client. The default is enable.
proxy options
When enabled, the system advertises an option, such as a time-stamp to
the server only if it was negotiated with the client. The default is enable.
recv window
Specifies the size of the receive window, in bytes. The default value is
4096 bytes.
reset on timeout
Specifies whether to reset connections on timeout.
rfc1323
When enabled, the system uses the timestamp and window-scaling
extensions for TCP (as specified in RFC 1323) to enhance high-speed
network performance. The default is enable.
selective acks
When enabled, the system negotiates RFC 2018-compliant Selective
Acknowledgements with peers. The default is enable.
send buffer
Specifies the size of the buffer, in bytes. The default is 8192 bytes.
slow start
When enabled, the system uses larger initial window sizes (as specified
in RFC 3390) to help reduce round trip times. The default is enable.
time wait
Specifies the number of seconds that a connection is in the TIME-WAIT
state before closing. You can also specify immediate, indefinite, or
default. The default is 2 seconds.
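To see what a custom profile's settings resolve to once `defaults from` inheritance is applied, here is an added example (not from the manual or from F5) that parses `profile tcp ... list` output in the brace syntax used above, walks the `defaults from` chain back to the defaults this manual states for the system tcp profile, and flags three settings a reviewer would look at on a profile that fronts an Internet-facing virtual server. The sample output and the three review rules are constructed for this example and are not F5 guidance.

```python
"""Parse `bigpipe profile tcp ... list` style output, resolve each profile's
effective settings through its `defaults from` chain, and flag a few
security-relevant values. Added example, not F5 code: the brace output
format and the review rules are this example's assumptions."""
import re
from typing import Dict, List

# Setting names from the manual's <profile tcp arg> grammar and Display list,
# sorted longest first so "md5 sign passphrase" matches before "md5 sign".
TCP_KEYS = sorted([
    "defaults from", "abc", "ack on push", "bandwidth delay", "close wait",
    "cmetrics cache", "congestion control", "deferred accept", "delayed acks",
    "dsack", "ecn", "fin wait", "idle timeout", "ip tos", "keep alive interval",
    "limited transmit", "link qos", "max retrans", "max retrans syn",
    "md5 sign", "md5 sign passphrase", "nagle", "proxy buffer high",
    "proxy buffer low", "proxy mss", "proxy options", "recv window",
    "reset on timeout", "rfc1323", "selective acks", "send buffer",
    "slow start", "time wait", "time wait recycle",
], key=len, reverse=True)

# Defaults the manual states for the system `tcp` profile.
TCP_DEFAULTS: Dict[str, str] = {
    "abc": "enable", "ack on push": "disable", "bandwidth delay": "enable",
    "close wait": "5", "cmetrics cache": "enable",
    "congestion control": "newreno", "deferred accept": "disable",
    "delayed acks": "enable", "dsack": "disable", "ecn": "disable",
    "fin wait": "5", "idle timeout": "300", "limited transmit": "enable",
    "md5 sign": "disable", "md5 sign passphrase": "none", "nagle": "enable",
    "proxy mss": "enable", "proxy options": "enable", "recv window": "4096",
    "rfc1323": "enable", "selective acks": "enable", "send buffer": "8192",
    "slow start": "enable", "time wait": "2",
}

def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile name: {setting: value}} from brace-formatted output."""
    profiles: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"profile tcp (\S+) \{$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError(f"setting outside a profile block: {line!r}")
        for key in TCP_KEYS:                 # longest key wins
            if line.startswith(key + " "):
                current[key] = line[len(key):].strip().strip('"')
                break
        else:
            raise ValueError(f"unknown TCP profile setting: {line!r}")
    return profiles

def effective_settings(profiles, name, _chain=()) -> Dict[str, str]:
    """Walk `defaults from` up to the system tcp profile (the manual's
    defaults); each child overrides only what it sets explicitly."""
    if name in _chain:
        raise ValueError(f"defaults from cycle at {name!r}")
    own = profiles.get(name, {})
    # `profile tcp x { }` inherits from the system tcp profile (manual example).
    parent = own.get("defaults from", "tcp" if name != "tcp" else "none")
    if parent == "none":
        base = dict(TCP_DEFAULTS)
    else:
        base = effective_settings(profiles, parent, _chain + (name,))
    base.update({k: v for k, v in own.items() if k != "defaults from"})
    return base

def audit(profiles, name) -> List[str]:
    """Assumed review rules for a profile on an Internet-facing virtual server."""
    s = effective_settings(profiles, name)
    findings = []
    if s["deferred accept"] != "enable":
        findings.append("deferred accept disabled: connection context is "
                        "allocated before the 3-way handshake completes")
    if s["idle timeout"] == "indefinite":
        findings.append("idle timeout indefinite: idle connections are never reaped")
    if s["md5 sign"] == "enable" and s["md5 sign passphrase"] in ("none", ""):
        findings.append("md5 sign enabled with no passphrase: no shared key "
                        "for RFC 2385 signing")
    return findings

# Constructed sample of `bigpipe profile tcp all list` output.
SAMPLE_LIST_OUTPUT = """\
profile tcp my_lan_tcp {
   defaults from tcp
   idle timeout indefinite
   nagle disable
}
profile tcp my_edge_tcp {
   defaults from my_lan_tcp
   deferred accept enable
   idle timeout 120
   md5 sign enable
}
"""
```

For the sample, `my_edge_tcp` inherits `nagle disable` from `my_lan_tcp` and `abc enable` from the system defaults, and is flagged only for the missing MD5 passphrase, while `my_lan_tcp` is flagged for deferred accept and the indefinite idle timeout.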
See also
profile(1), virtual(1), bigpipe(1)
profile udp
Configures a UDP profile.
Syntax
Use this command to create, modify, display, or delete a UDP profile.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
profile udp <profile udp key list> {}
profile udp (<profile udp key list> | all) [{] <profile udp arg list> [}]
<profile udp key> ::=
<name>
<profile udp arg> ::=
defaults from (<profile udp key> | none)
idle timeout (<number> | immediate | indefinite | default)
ip tos (<number> | default)
link qos (<number> | default)
datagram lb (enable | disable | default)
allow payload (enable | disable | default)
profile udp [<profile udp key list> | all] stats reset
profile udp edit
Display
profile udp [<profile udp key list> | all] [show [all]]
profile udp [<profile udp key list> | all] list [all]
profile udp [<profile udp key list> | all] defaults from [show]
profile udp [<profile udp key list> | all] allow payload [show]
profile udp [<profile udp key list> | all] datagram lb [show]
profile udp [<profile udp key list> | all] idle timeout [show]
profile udp [<profile udp key list> | all] ip tos [show]
profile udp [<profile udp key list> | all] link qos [show]
profile udp [<profile udp key list> | all] name [show]
profile udp [<profile udp key list> | all] partition [show]
profile udp [<profile udp key list> | all] stats [show]
Delete
profile udp (<profile udp key list> | all) delete
Description
The UDP profile is a configuration tool for managing UDP network traffic.
Examples
Creates a custom UDP profile named myudpprofile that inherits its settings
from the system default udp profile:
profile udp myudpprofile { }
Options
You can use these options with the profile udp command:
allow payload
Provides the ability to allow the passage of datagrams that contain header
information, but no essential data. The default is disable.
datagram lb
Provides the ability to load balance UDP datagram by datagram. The
default is disable.
defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile.
idle timeout
Specifies the number of seconds that a connection is idle before the
connection is eligible for deletion. You can also specify immediate,
indefinite, or default. The default is 60 seconds.
ip tos
Specifies the Type of Service level that the traffic management system
assigns to UDP packets when sending them to clients.
link qos
Specifies the Quality of Service level that the system assigns to UDP
packets when sending them to clients.
partition
Displays the partition within which the profile resides.
See also
profile(1), virtual(1), bigpipe(1)
pva
Displays or resets Packet Velocity ASIC statistics for the BIG-IP system.
Syntax
Use this command to display or reset Packet Velocity ASIC statistics.
Display
<pva key> ::=
(<number>.<number> | none)
pva [<pva key list> | all] [show [all]]
Modify
pva [<pva key list> | all] stats reset
Description
Displays or resets Packet Velocity ASIC statistics for the BIG-IP system.
See also
bigpipe(1)
radius server
Creates, modifies, displays, or deletes a RADIUS server object for RADIUS
authentication.
Syntax
Use this command to create, modify, display, or delete a RADIUS server.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
radius server <radius server key list> {}
radius server (<radius server key list> | all) [{] <radius server arg list> [}]
Display
radius server [<radius server key list> | all] [show [all]]
radius server [<radius server key list> | all] list [all]
radius server [<radius server key list> | all] name [show]
radius server [<radius server key list> | all] server [show]
radius server [<radius server key list> | all] service [show]
radius server [<radius server key list> | all] secret [show]
radius server [<radius server key list> | all] timeout [show]
radius server [<radius server key list> | all] partition [show]
Delete
radius server (<radius server key list> | all) delete
Description
Creates, modifies, or deletes the RADIUS server. Note that you must also
create an auth radius profile to use a RADIUS server.
Examples
Lists the configuration for all RADIUS server objects on the system:
radius server all list
Options
You can use these options with the radius server command:
partition
Displays the partition in which the RADIUS server resides.
radius server edit
Displays in a text editor the running configuration of all objects created
using the command radius server. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
secret
Sets the secret key used to encrypt and decrypt packets sent to or
received from the server. This setting is required.
server
The host name or IP address of the RADIUS server. This setting is
required.
service
Specifies the port for RADIUS authentication traffic. The default is port
1812.
timeout
Specifies the timeout value in seconds. The default is 3 seconds. You can
also specify immediate or indefinite.
See also
auth_radius(1), bigpipe(1)
rate class
Configures rate classes.
Syntax
Use this command to create, modify, display, or delete a rate class.
Create/Modify
rate class <rate class key list> {}
rate class (<rate class key list> | all) [{] <rate class arg list> [}]
<rate class key> ::=
<name>
<rate class arg> ::=
rate <number>[bps | K[bps] | M[bps] | G[bps]]
ceiling <float>[bps | K[bps] | M[bps] | G[bps]]
burst <float>[K | M | G]
parent (<rate class key> | none)
type (sfq | pfifo)
direction (to client | to server | any)
rate class [<rate class key list> | all] stats reset
rate class edit
Display
rate class [<rate class key list> | all] [show [all]]
rate class [<rate class key list> | all] list [all]
rate class [<rate class key list> | all] rate [show]
rate class [<rate class key list> | all] burst [show]
rate class [<rate class key list> | all] ceiling [show]
rate class [<rate class key list> | all] cname [show]
rate class [<rate class key list> | all] direction [show]
rate class [<rate class key list> | all] parent [show]
rate class [<rate class key list> | all] stats [show]
rate class [<rate class key list> | all] type [show]
Delete
rate class (<rate class key list> | all) delete
Description
A rate class is a rate-shaping policy that you want to assign to a type of
traffic, such as Layer 3 traffic that specifies a certain source, destination, or
service. More specifically, a rate class defines the number of bits per second
that the system allows per connection and the number of packets in a queue.
You configure rate shaping by creating a rate class and then assigning the
rate class to a packet filter, a virtual server, or from within an iRule.
Examples
Creates the rate class myRTclass with a rate of 500 Mbps:
rate class myRTclass { rate 500M }
Options
You can use these options with the rate class command:
burst
Specifies the maximum number of bytes that traffic is allowed to burst
beyond the base rate. You can configure the rate in kilobits per second
(Kbps), megabits per second (Mbps), or gigabits per second (Gbps).
ceiling
Similar to the base rate, specifies how far beyond the base rate traffic is
allowed to flow when bursting. This number sets an absolute limit. No
traffic can exceed this rate. You can configure the rate in bits per second
(bps), kilobits per second (Kbps), megabits per second (Mbps), or
gigabits per second (Gbps).
direction
Specifies the direction of traffic to which the rate class is applied.
Possible values are to client, to server, or any.
parent
Specifies the rate class used to create a custom rate class. A custom rate
class borrows bandwidth from a parent class. Note that borrowing
bandwidth affects the base rate, ceiling rate, and queue discipline.
rate class edit
Displays in a text editor the running configuration of all objects created
using the command rate class. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
rate
Specifies the maximum throughput rate allowed for traffic handled by
the rate class. Packets that exceed the specified number are dropped. This
setting is required. You can configure the rate in bits per second (bps),
kilobits per second (Kbps), megabits per second (Mbps), or gigabits per
second (Gbps).
type
The two options for type are sfq or pfifo. Stochastic Fair Queueing
(SFQ) is a queueing method that queues traffic under a set of many lists,
choosing the specific list based on a hash of the connection information.
This results in traffic from the same connection always being queued in
the same list. SFQ then dequeues traffic from the set of the lists in a
round-robin fashion. The overall effect is that fairness of dequeueing is
achieved because one connection cannot control the queue at the
exclusion of another. If the rate class has a parent class, the default
queueing discipline is that of the parent class. If the rate class has no
parent class, then the default value is sfq.
The Priority FIFO (PFIFO) queueing method queues all traffic under a
set of five lists based on the Type of Service (ToS) field of the traffic.
Four of the lists correspond to the four possible ToS values (Minimum
delay, Maximum throughput, Maximum reliability, and Minimum
cost). The fifth list represents traffic with no ToS value. The Priority
FIFO method processes these five lists in a way that preserves the
meaning of the ToS field as much as possible. For example, a packet
with the ToS field set to Minimum cost might yield dequeuing to a
packet with the ToS field set to Minimum delay.
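The difference between the two queueing disciplines is easiest to see on a burst of packets from one greedy and two quiet connections, so here is an added simulation (not F5 code, and not how the BIG-IP system implements them) of sfq and pfifo as the manual describes them. The list count, the connection hash, and the exact pfifo priority order are this example's assumptions; the manual only fixes that Minimum cost yields to Minimum delay.

```python
"""Simulate the two queue disciplines the `rate class type` option offers:
sfq (per-connection fairness) and pfifo (ToS priority). Added example, not
F5 code; the list count, the hash and the pfifo priority order are assumed."""
import ipaddress
from collections import deque
from typing import Dict, List, Optional

# RFC 1349 ToS values for the four classes the manual names; None = no ToS.
MIN_DELAY, MAX_THROUGHPUT, MAX_RELIABILITY, MIN_COST = 0x10, 0x08, 0x04, 0x02
# Assumed dequeue priority, highest first.
PFIFO_ORDER = [MIN_DELAY, MAX_THROUGHPUT, MAX_RELIABILITY, None, MIN_COST]

def packet(conn: str, src: str, sport: int, dst: str, dport: int,
           tos: Optional[int] = None) -> Dict:
    """Constructed packet record; `conn` is only a label for the connection."""
    return {"conn": conn, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "tos": tos}

def sfq_index(pkt: Dict, n_lists: int) -> int:
    """Map the connection 4-tuple to one list. The additive hash is kept
    simple so the bucket can be checked by hand; real SFQ uses a keyed hash."""
    return (int(ipaddress.ip_address(pkt["src"])) + pkt["sport"]
            + int(ipaddress.ip_address(pkt["dst"])) + pkt["dport"]) % n_lists

class SFQ:
    """Stochastic Fair Queueing: one list per hash bucket, round-robin service."""
    def __init__(self, n_lists: int = 8):
        self.lists = [deque() for _ in range(n_lists)]
        self.cursor = 0

    def enqueue(self, pkt: Dict) -> None:
        # Same connection, same bucket, every time.
        self.lists[sfq_index(pkt, len(self.lists))].append(pkt)

    def dequeue(self) -> Optional[Dict]:
        for _ in range(len(self.lists)):   # visit each list at most once
            q = self.lists[self.cursor]
            self.cursor = (self.cursor + 1) % len(self.lists)
            if q:
                return q.popleft()
        return None

class PFIFO:
    """Priority FIFO: five lists keyed by ToS, highest priority served first."""
    def __init__(self):
        self.lists = {tos: deque() for tos in PFIFO_ORDER}

    def enqueue(self, pkt: Dict) -> None:
        tos = pkt["tos"] if pkt["tos"] in self.lists else None  # unknown -> no ToS
        self.lists[tos].append(pkt)

    def dequeue(self) -> Optional[Dict]:
        for tos in PFIFO_ORDER:
            if self.lists[tos]:
                return self.lists[tos].popleft()
        return None

def drain(disc, packets: List[Dict]) -> List[str]:
    """Enqueue every packet, then dequeue until empty; return the labels in order."""
    for p in packets:
        disc.enqueue(p)
    order = []
    while (p := disc.dequeue()) is not None:
        order.append(p["conn"])
    return order

# Constructed traffic: A floods six packets first, then B and C send one each;
# only C marks Minimum delay.
SERVER = "192.168.1.10"
PACKETS = [packet("A", "10.0.0.1", 40000, SERVER, 80) for _ in range(6)] + [
    packet("B", "10.0.0.2", 40000, SERVER, 80),
    packet("C", "10.0.0.3", 40000, SERVER, 80, tos=MIN_DELAY),
]
```

With eight lists A, B and C land in buckets 3, 4 and 5, so sfq serves B and C right after A's first packet, whereas pfifo serves C first because of its ToS and then leaves B waiting behind all six of A's packets in the no-ToS list.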
See also
packet filter(1), rule(1), virtual(1), bigpipe(1)
remote users
Configures the default user role, partition access, and console access for all
remotely authenticated user accounts that have not been added as local user
accounts on the BIG-IP system.
Note
Syntax
Use this command to configure the default parameters for all of the remote
user accounts on the BIG-IP system as a group.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
remote users [{] <remote users arg list> [}]
<remote users arg> ::=
default partition (<string> | none)
default role (administrator | resource admin | user manager | manager | app editor \
| operator | guest | policy editor | none)
remote console access (enable | disable)
remote users edit
Display
remote users [show [all]]
remote users list [all]
remote users default partition [show]
remote users default role [show]
remote users partition [show]
remote users remote console access [show]
Description
Use this command to configure the default parameters for all of the remote
user accounts on the BIG-IP system as a group.
Examples
For all remote users, sets the default partition access to partition Common,
the default user role to none, and the default remote console access to
disable:
remote users default partition Common default role none remote console access disable
Options
You can use the following options with the remote users command.
default partition
Specifies the default partition for all remote user accounts. The default
partition is Common.
default role
Specifies the default user role for all remote user accounts. The default
value is none. The available user roles are:
administrator
resource admin
user manager
app editor
operator
guest
policy editor
partition
Displays the partition within which the remote users object resides.
remote console access
Enables or disables the default console access for all remote user
accounts. The default value is disable.
remote users edit
Displays in a text editor the running configuration of all objects created
using the command remote users. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only remote users { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on the
syntax you entered. You must run the save all command to save this
change to the stored configuration files.
Note that the default text editor is vi.
See also
bigpipe(1), user(1), remoterole(1)
remoterole
Creates a file (/config/bigip/auth/remoterole) that an LDAP or Active
Directory server reads to determine the specific access rights to grant to
groups of remotely authenticated users.
Syntax
Use this command to grant access to a specific group of remotely
authenticated users.
Create
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
remoterole [{] <remoterole arg list> [}]
<remoterole arg> ::=
role info (<role info list> | none) [add | delete]
<role info> ::= (<role info key list> | all) [{] <role info arg list> [}]
<role info key> ::=
<name>
<role info arg> ::=
attribute (<string> | none)
console (enable | disable)
deny (enable | disable)
line order <number>
role (administrator | resource admin | user manager | manager | app editor | \
operator | guest | policy editor | none)
user partition (<string> | none)
remoterole edit
Display
remoterole [show [all]]
remoterole list [all]
remoterole role info [<role info key list> | all] [show]
remoterole role info [<role info key list> | all] attribute [show]
remoterole role info [<role info key list> | all] console [show]
remoterole role info [<role info key list> | all] deny [show]
remoterole role info [<role info key list> | all] line order [show]
remoterole role info [<role info key list> | all] partition [show]
remoterole role info [<role info key list> | all] role [show]
remoterole role info [<role info key list> | all] user partition [show]
Description
Use this command to grant access to a specific group of remotely
authenticated users without having to create a local user account on the
BIG-IP system for each user in the group.
Examples
Creates the first line of the /config/bigip/auth/remoterole file, and grants
the Manager user role in partition_A to the group of remote users named
mygroupofusers:
remoterole role info mygroupofusers { line order 1000 role manager user partition partition_A attribute "application administrators" }
Options
You can use the following options with the remoterole command.
attribute
Specifies the name of the group of remotely authenticated users for
whom you are configuring specific access rights to the BIG-IP system.
This value is required.
console
Enables or disables console access for the specified group of remotely
authenticated users. The default value is disable.
deny
Enables or disables remote access for the specified group of remotely
authenticated users. The default value is disable.
line order
Specifies the order of the lines in the file,
/config/bigip/auth/remoterole. The LDAP and Active Directory servers
read this file line by line. The order of the information is important;
therefore, F5 recommends that you set the first line at 1000. This allows
you, in the future, to insert lines before the first line. This value is
required.
partition
Displays the partition within which the remoterole object resides.
role
Specifies the user role that you want to grant to the specified group of
remotely authenticated users. The default value is none. The available
user roles are:
administrator
resource admin
user manager
app editor
operator
guest
policy editor
remoterole edit
Displays in a text editor the running configuration of all objects created
using the command remoterole. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only remoterole { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
user partition
Specifies the partition to which you are assigning access to the specified
group of remotely authenticated users. The default value is Common.
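The following Python script is an added example, not part of the reference and not F5 code. It renders remoterole entries in the syntax shown above and checks them against the option descriptions: attribute and line order are required, the role must be one of the documented roles, line orders must be unique, and the first line should sit at 1000 so that lines can be inserted before it later. The rule that flags entries granting the administrator role is this example's own review policy, and the sample entries (mygroupofusers is taken from the page, netops is constructed) are illustrative.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Roles the remoterole command accepts, as listed under the role option.
VALID_ROLES = {
    "administrator", "resource admin", "user manager", "manager",
    "app editor", "operator", "guest", "policy editor", "none",
}


@dataclass
class RoleInfo:
    """One 'remoterole role info <name> { ... }' entry."""
    name: str                       # <role info key>
    attribute: str                  # remote group name; required
    line_order: int                 # position in /config/bigip/auth/remoterole; required
    role: str = "none"              # default per the reference
    user_partition: str = "Common"  # default per the reference
    console: str = "disable"        # default per the reference
    deny: str = "disable"           # default per the reference


def to_command(entry: RoleInfo) -> str:
    """Render an entry in the bigpipe syntax shown in the Examples section."""
    return (
        f"remoterole role info {entry.name} {{ line order {entry.line_order} "
        f"role {entry.role} user partition {entry.user_partition} "
        f"console {entry.console} deny {entry.deny} "
        f'attribute "{entry.attribute}" }}'
    )


def check_entries(entries: List[RoleInfo]) -> List[Tuple[str, str]]:
    """Return (entry name, problem) pairs; an empty list means nothing was found."""
    findings: List[Tuple[str, str]] = []
    owners = {}  # line order -> name of the entry that first used it
    for e in entries:
        if not e.attribute:
            findings.append((e.name, "attribute is required"))
        if e.role not in VALID_ROLES:
            findings.append((e.name, f"unknown role '{e.role}'"))
        if e.line_order in owners:
            findings.append((e.name, f"line order {e.line_order} already used by {owners[e.line_order]}"))
        owners.setdefault(e.line_order, e.name)
        # Review rule of this example (not a reference requirement): remote groups
        # that receive the administrator role deserve a membership review.
        if e.role == "administrator" and e.deny != "enable":
            findings.append((e.name, "grants the administrator role to a remote group; review group membership"))
    if owners and min(owners) < 1000:
        findings.append((owners[min(owners)], "first line order is below 1000; no room to insert lines before it"))
    return findings


# Constructed sample entries for this example.
SAMPLE_ENTRIES = [
    RoleInfo("mygroupofusers", "application administrators", 1000, "manager", "partition_A"),
    RoleInfo("netops", "network operators", 1100, "operator"),
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(to_command(entry))
    print(check_entries(SAMPLE_ENTRIES))
```

Running the script prints one bigpipe command per entry, ready to paste into the bigpipe shell, followed by the list of findings (empty for the sample).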
See also
bigpipe(1), user(1), remote_users(1)
route
Configures routes for traffic management.
Syntax
Use this command to create, display, or delete a traffic route.
Create
route <route key list> {}
route (<route key list> | all) [{] <route arg list> [}]
<route key> ::=
(<ip addr> [mask <ip mask> | (prefixlen | /) <number>] | default [inet | inet6])
(connected | dynamic | static)
<route arg> ::=
gateway (<ip addr> | none)
mtu <number>
pool (<pool key> | none)
vlan (<vlan key> | none)
(reject)
route edit
Display
route [<route key list> | all] [show [all]]
route [<route key list> | all] list [all]
route [<route key list> | all] dest [all]
route [<route key list> | all] gateway [show]
route [<route key list> | all] mtu [show]
route [<route key list> | all] pool [show]
route [<route key list> | all] source [show]
route [<route key list> | all] type [show]
route [<route key list> | all] vlan [show]
Delete
route (<route key list> | all | inet | inet6) delete
Description
Configure static routes for the system, including default routes. When
configuring a static route, you can specify a gateway (that is, the next- or
last-hop router) to be an IP address, a VLAN name, or the name of a pool of
routers.
Examples
Sets the route 12.12.3.0/24 on the VLAN named internal:
route 12.12.3.0/24 vlan internal
Options
You can use the following options with the route command.
Note
The options gateway, vlan, pool, and reject are mutually exclusive. You can
use only one of these options at a time, and at least one of these options is
required when using the route command.
default
Sets the default routing type to IPv4 (inet) or IPv6 (inet6).
gateway
Specifies a gateway address for the system.
ip addr
Creates an IP address/netmask route. You can also specify the route
using CIDR notation, such as 12.12.3.0/24.
mtu
Sets a specific maximum transmission unit (MTU).
pool
Specifies a routing pool. A routing pool contains several routes.
reject
Rejects packets coming from the specified route.
route edit
Displays in a text editor the running configuration of all objects created
using the command route. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
vlan
Specifies the VLAN name for the route.
See also
mgmt(1), bigpipe(1), mgmt route(1), pool(1), vlan(1), vlangroup(1)
rtsp
Displays or resets Real Time Streaming Protocol (RTSP) statistics for the
BIG-IP system.
Syntax
Use this command to display or reset RTSP statistics for the system.
Display
rtsp [show [all]]
Modify
rtsp stats reset
Description
Displays or resets RTSP statistics for the system.
Examples
Displays all RTSP statistics for the system:
rtsp show all
See also
bigpipe(1), profile rtsp(1)
rule
Creates, modifies, deletes, and displays iRules for traffic management
system configuration.
Syntax
Use this command to create, modify, display, or delete an iRule.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
rule <rule key list> {}
rule (<rule key list> | all) [{] <rule arg list> [}]
<rule key> ::=
<name>
<rule arg> ::=
<iRule>
rule edit
Display
rule [<rule key list> | all] [show [all]]
rule [<rule key list> | all] list [all]
rule [<rule key list> | all] definition [show]
rule [<rule key list> | all] name [show]
rule [<rule key list> | all] partition [show]
Delete
rule (<rule key list> | all) delete
Description
iRules can direct traffic not only to specific pools, but also to individual
pool members, including port numbers and URI paths, either to implement
persistence or to meet specific load balancing requirements. The syntax that
you use to write iRules is based on the Tools Command Language (Tcl)
programming standard. Thus, you can use many of the standard Tcl
commands, plus a robust set of extensions that the BIG-IP local traffic
management system provides to help you further increase load balancing
efficiency.
For information about standard Tcl syntax, see
http://tmml.sourceforge.net/doc/tcl/index.html. For a list of Tcl
commands that have been disabled within the traffic management system
and therefore cannot be used in the traffic management system, see the
Configuration Guide for BIG-IP Local Traffic Management. This guide
is available at http://tech.f5.com.
Examples
In this example, the iRule my_Rule includes the event declaration
CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr.
In this case, the IP address that the iRule command returns is that of the
client, because the default context of the event declaration
CLIENT_ACCEPTED is clientside:
rule my_Rule '{ when CLIENT_ACCEPTED { if { [IP::remote_addr] == 10.1.1.80 } { pool myPool }}}'
This example shows the iRule my_Rule2, which includes the event
declaration SERVER_CONNECTED, as well as the iRule command
IP::remote_addr. In this case, the IP address that the iRule command
returns is that of the server, because the default context of the event
declaration SERVER_CONNECTED is serverside:
rule my_Rule2 '{ when SERVER_CONNECTED { if { [IP::remote_addr] == 10.1.1.80 } { pool my_pool2 }}}'
Options
You can use the following options with the rule command:
partition
Displays the partition in which the rule resides.
rule edit
Displays in a text editor the running configuration of all objects created
using the command rule. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
persist(1), pool(1), profile(1), rate class(1), snat(1), bigpipe(1)
save
Writes the running configuration into the stored configuration files.
Syntax
Use this command to write the running configuration into the stored
configuration files.
Modify
save
save all
[base] save
Description
Use this command to save the running configuration of the BIG-IP system.
Options
You can use the following options with the save command.
Important
When you want to save to the stored configuration files the changes that you
make to the system, F5 recommends that you use the save all command.
base save
Saves only the portions of the running configuration that reside in these
stored configuration files:
/config/bigip_base.conf
/config/bigip_sys.conf
save
Saves only the portions of the running configuration that reside in these
stored configuration files:
/config/bigip.conf
/config/bigip_local.conf
/config/bigip_sys.conf
save all
Saves the entire running configuration into these stored configuration
files:
/config/bigip.conf
/config/bigip_local.conf
/config/bigip_base.conf
/config/bigip_sys.conf
See also
bigpipe(1), load(1)
sctp
Displays or resets Stream Control Transmission Protocol (SCTP) statistics
for the BIG-IP system.
Syntax
Use this command to display or reset SCTP statistics for the system.
Display
sctp [show [all]]
Modify
sctp stats reset
Description
Displays or resets SCTP statistics for the system.
Examples
Displays all SCTP statistics for the system:
sctp show all
See also
bigpipe(1), profile sctp(1)
self
Configures a self IP address for a VLAN.
Syntax
Use this command to create, modify, display, and delete a self IP address.
Create/Modify
self <self key list> {}
self (<self key list> | all) [{] <self arg list> [}]
<self key> ::=
(<ip addr> | none)
<self arg> ::=
vlan (<vlan key> | none)
netmask (<ip mask> | none)
unit <number>
floating (enable | disable)
allow (default | all | none | <protocol/service list>) [add | delete]
<protocol/service> ::=
(proto <protocol list> | (tcp | udp) <service list>)
self edit
Display
self [<self key list> | all] list [all]
self [<self key list> | all] [show [all]]
self [<self key list> | all] addr [show]
self [<self key list> | all] allow [show]
self [<self key list> | all] floating [show]
self [<self key list> | all] netmask [show]
self [<self key list> | all] unit [show]
self [<self key list> | all] vlan [show]
Delete
self (<self key list> | all) delete
Description
A self IP address is an IP address that is assigned to the system. Self IP
addresses are part of the configuration of the BIG-IP network components.
You must define at least one self IP address for each VLAN.
Examples
Adds the self IP address 10.10.10.24 to the VLAN named internal:
self 10.10.10.24 vlan internal
Options
You can use the following options with the self command.
addr
Specifies the self IP address for a VLAN.
allow
Specifies the type of protocol/service that the VLAN handles.
floating
Enables or disables a floating self IP address for the VLAN. A floating
self IP address is an additional self IP address for a VLAN that serves as
a shared address by both units of a BIG-IP redundant system.
netmask
Specifies a netmask for the self IP address for the VLAN.
self edit
Displays in a text editor the running configuration of all objects created
using the command self. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
unit
Specifies the unit number in a redundant system.
vlan
Specifies the VLAN for which you are setting a self IP address. This
setting is required.
See also
vlan(1), vlangroup(1), bigpipe(1)
self allow
Configures the default allow list for all self IP addresses on the BIG-IP
system.
Syntax
Use this command to delete, modify, or display the default allow list for all
self IP addresses on the BIG-IP system. The default allow list displays
which service and protocol ports allow connections from outside the system.
Connections made to a service or protocol port that is not on the list are
refused.
Modify
self allow {}
self allow [{] <self allow arg list> [}]
<self allow arg> ::=
default (<protocol/service list> | all | none) [add | delete]
<protocol/service> ::=
proto <protocol> | (tcp | udp) <service>
self allow edit
Display
self allow list [all]
self allow [show [all]]
self allow default [show]
Delete
self allow delete
Description
Use this command to modify, display, or delete the default allow list for all
self IP addresses on the BIG-IP system.
Examples
Sets the default allow list for all self IP addresses on the system to the
system default:
self allow default tcp 22 53 161 443 4353 udp 53 161 520 1026 4353 proto 89
Sets the default allow list for all self IP addresses on the system to TCP:
self allow default tcp 55
Displays the default allow list for all self IP addresses on the system:
self allow default
Options
You can use the following options with the self allow command:
default
Specifies to set the default allow list to one of the following:
all
Specifies that all protocols and services allow connections from outside
the system. Use this option to open the system to complete access.
none
Specifies that no protocols or services allow connections from outside
the system.
protocol/service list
Specifies a list of protocols/services that allow connections from
outside the system.
delete
Deletes the default self allow list.
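The following Python script is an added example, not part of the reference and not F5 code. It parses an allow list written in the grammar above (the system default list is the one quoted in the Examples section), resolves a self IP's own allow setting against that default, and answers whether a given TCP/UDP port or IP protocol number is accepted from outside the system. The self IP addresses and their allow settings are constructed for the example; only the tcp 55 setting comes from the page.

```python
from typing import Dict, Set, Union

AllowList = Union[str, Set[tuple]]  # 'all' | 'none' | {(kind, number), ...}


def parse_allow_list(spec: str) -> AllowList:
    """Parse the argument of 'self allow default' or 'self <ip> allow'.

    Grammar from the reference:
        (<protocol/service list> | all | none)
        <protocol/service> ::= proto <protocol> | (tcp | udp) <service>
    As in the page's own example, one tcp/udp/proto keyword may be followed by
    several numbers; each number is paired with the keyword that precedes it.
    """
    tokens = spec.split()
    if tokens in (["all"], ["none"]):
        return tokens[0]
    allowed: Set[tuple] = set()
    kind = None
    for tok in tokens:
        if tok in ("tcp", "udp", "proto"):
            kind = tok
        elif tok.isdigit() and kind is not None:
            allowed.add((kind, int(tok)))
        else:
            raise ValueError(f"unexpected token {tok!r} in allow list")
    return allowed


def effective_allow(self_ip_allow: str, default_spec: str) -> AllowList:
    """Resolve a self IP's allow setting; 'default' inherits the system-wide list."""
    if self_ip_allow.strip() == "default":
        return parse_allow_list(default_spec)
    return parse_allow_list(self_ip_allow)


def is_permitted(allow: AllowList, kind: str, number: int) -> bool:
    """True if a connection to this tcp/udp port or IP protocol number is accepted."""
    if allow == "all":
        return True
    if allow == "none":
        return False
    return (kind, number) in allow


def exposure_report(self_ips: Dict[str, str], default_spec: str) -> Dict[str, str]:
    """Summarize what each self IP accepts from outside the system."""
    report = {}
    for ip, spec in self_ips.items():
        allow = effective_allow(spec, default_spec)
        if isinstance(allow, str):
            report[ip] = allow
        else:
            report[ip] = " ".join(f"{k}/{n}" for k, n in sorted(allow))
    return report


# Constructed inputs: the system default list quoted in the reference, plus
# hypothetical self IPs with the allow settings an administrator might give them.
SYSTEM_DEFAULT = "tcp 22 53 161 443 4353 udp 53 161 520 1026 4353 proto 89"
SELF_IPS = {
    "10.10.10.24": "default",   # internal VLAN: inherits the system default
    "192.0.2.10": "none",       # external VLAN: accepts nothing
    "10.10.20.24": "tcp 55",    # one explicitly listed service, as in the page's example
}

if __name__ == "__main__":
    for ip, summary in exposure_report(SELF_IPS, SYSTEM_DEFAULT).items():
        print(f"{ip}: {summary}")
```

The exposure report is the check worth keeping: it makes visible which self IPs inherit the system default (and therefore expose SSH, DNS, SNMP and the configuration port) and which are closed, so a self IP on an external VLAN that still reads default stands out.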
See also
vlan(1), vlangroup(1), bigpipe(1)
shell
Displays information about, and customizes, the bigpipe shell.
Syntax
Use this command to customize the bigpipe shell, and display information
about the shell.
Modify
shell {}
shell [{] <shell arg list> [}]
<shell arg> ::=
history <number>
prompt <string>
read partition <name>
write partition <name>
partition <name>
shell edit
Display
shell [show [all]]
shell list [all]
shell history [show]
shell prompt [show]
shell read partition [show]
shell write partition [show]
shell partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Once the bigpipe utility is started in its shell mode, you can use the shell
command to configure the shell.
Examples
Customizes the bigpipe shell prompt to display as F5>:
shell prompt F5>
Displays the bigpipe shell prompt, and the Read and Write partitions:
shell list
Displays the maximum number of commands that the bigpipe shell saves in
the shell history file, $HOME/.bphistory-<user>:
shell history show
For users with access to all partitions, changes the partition to which you
have Write access to the partition named Application1:
shell write partition Application1
For users with access to all partitions, changes the partition to which you
have Read and Write access to the partition named Application2:
shell partition Application2
Options
You can use these options with the shell command:
history
Specifies the maximum number of commands that the bigpipe shell
saves in the shell history file, $HOME/.bphistory-<user>. The default
value is 50. A value of 0 (zero) specifies that the bigpipe shell does not
save any commands in history.
prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
read partition
Changes the partition to which you have Read access to the partition you
specify. This option is only available to users with access to all partitions.
write partition
Changes the partition to which you have Write access to the partition you
specify. This option is only available to users with access to all partitions.
partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is only available to users with access to
all partitions.
shell edit
Displays in a text editor the running configuration of all objects created
using the command shell. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
See also
partition(1), bigpipe(1)
snat
Configures secure network address translation (SNAT).
Syntax
Use this command to create, modify, display, or delete a SNAT.
Create/Modify
snat <snat key list> {}
snat (<snat key list> | all) [{] <snat arg list> [}]
<snat key> ::=
<name>
<snat arg> ::=
mirror (enable | disable)
(none | automap)
origins (<ip addr list> | none) [add | delete]
translation <snat translation key>
snatpool (<snatpool key> | none)
vlans (<vlan key list> | none | all) (enable | disable)
<orig IP> ::= <IP addr> [mask <ip mask>]
snat [<snat key list> | all] stats reset
snat edit
Display
snat [<snat key list> | all] [show [all]]
snat [<snat key list> | all] list [all]
snat [<snat key list> | all] mirror [show]
snat [<snat key list> | all] name [show]
snat [<snat key list> | all] origins [show]
snat [<snat key list> | all] snatpool [show]
snat [<snat key list> | all] stats [show]
snat [<snat key list> | all] translation [show]
snat [<snat key list> | all] type [show]
snat [<snat key list> | all] vlans [show]
Delete
snat (<snat key list> | all) delete
Description
The snat command creates, deletes, sets properties on, and displays
information about SNATs. A SNAT defines the relationship between an
externally visible IP address, SNAT IP, or translated address, and a group of
internal IP addresses, or originating addresses, of individual servers at your
site.
Examples
Creates the SNAT mysnat that translates the address of connections that
originate from the address 10.1.1.3 to the translation address 11.1.1.3:
snat mysnat { origin 10.1.1.3 translation 11.1.1.3 }
Options
You can use these options with the snat command:
automap
Turns on SNAT automapping. This setting can only be used when
snatpool and translation are not used.
mirror
Enables or disables mirroring of SNAT connections.
origin
Specifies an originating IP address. Note that originating addresses are
behind the unit. This setting is required.
snatpool
Specifies the name of a SNAT pool. This setting can only be used when
automap and translation are not used.
snat edit
Displays in a text editor the running configuration of all objects created
using the command snat. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
translation
Specifies a translated IP address. Note that translated addresses are
outside the traffic management system. This setting can only be used
when automap and snatpool are not used.
type
Displays the type of SNAT. The types are automap, snatpool, and
translation.
vlan
Specifies the name of the VLAN to which you want to assign the SNAT.
The default is vlans all enable.
See also
nat(1), snat translation(1), snatpool(1), virtual(1), bigpipe(1)
snat translation
Configures an explicit SNAT translation address.
Syntax
Use this command to create, modify, display, or delete an explicit SNAT
translation address.
Create/Modify
snat translation <snat translation key list> {}
snat translation (<snat translation key list> | all) [{] <snat translation arg list> [}]
<snat translation key> ::=
(<ip addr> | none)
<snat translation arg> ::=
(enable | disable)
unit <number>
arp (enable | disable)
limit <number>
tcp timeout (<number> | indefinite)
udp timeout (<number> | indefinite)
ip timeout (<number> | immediate | indefinite)
snat translation [<snat translation key list> | all] stats reset
snat translation edit
Display
snat translation [<snat translation key list> | all] [show [all]]
snat translation [<snat translation key list> | all] list [all]
snat translation [<snat translation key list> | all] addr [show]
snat translation [<snat translation key list> | all] arp [show]
snat translation [<snat translation key list> | all] enabled [show]
snat translation [<snat translation key list> | all] ip timeout [show]
snat translation [<snat translation key list> | all] limit [show]
snat translation [<snat translation key list> | all] stats [show]
snat translation [<snat translation key list> | all] tcp timeout [show]
snat translation [<snat translation key list> | all] udp timeout [show]
snat translation [<snat translation key list> | all] unit [show]
Delete
snat translation (<snat translation key list> | all) delete
Description
Explicitly defines the properties of a SNAT translation address.
Examples
Disables Address Resolution Protocol (ARP) on all SNAT translation
addresses:
snat translation all arp disable
Options
You can use these options with the snat translation command:
arp
Indicates whether or not the system responds to ARP requests or sends
gratuitous ARPs. The default is enable.
ip timeout
Specifies the number of seconds that IP connections initiated using a
SNAT address are allowed to remain idle before being automatically
disconnected. Possible values are immediate, indefinite, or a number
that you specify.
limit
Specifies the number of connections a translation address must reach
before it no longer initiates a connection. The default value of 0 indicates
that the setting is disabled.
snat translation edit
Displays in a text editor the running configuration of all objects created
using the command snat translation. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
tcp timeout
Specifies the number of seconds that TCP connections initiated using a
SNAT address are allowed to remain idle before being automatically
disconnected. Possible values are immediate, indefinite, or a number
that you specify. The default setting is indefinite.
udp timeout
Specifies the number of seconds that UDP connections initiated using a
SNAT address are allowed to remain idle before being automatically
disconnected. Possible values are immediate, indefinite, or a number
that you specify. The default setting is indefinite.
unit
Specifies the unit number in a redundant system.
See also
nat(1), snat(1), snatpool(1), virtual(1), bigpipe(1)
snatpool
Configures a SNAT pool.
Syntax
Use this command to create, modify, display, or delete a SNAT pool.
Create/Modify
snatpool <snatpool key list> {}
snatpool (<snatpool key list> | all) [{] <snatpool arg list> [}]
<snatpool key> ::=
<name>
<snatpool arg> ::=
members (<snat translation key list> | none) [add | delete]
<snat translation key> ::=
(<ip addr> | none)
snatpool [<snatpool key list> | all] stats reset
snatpool edit
Display
snatpool [<snatpool key list> | all] [show [all]]
snatpool [<snatpool key list> | all] list [all]
snatpool [<snatpool key list> | all] members [show]
snatpool [<snatpool key list> | all] name [show]
snatpool [<snatpool key list> | all] stats [show]
Delete
snatpool (<snatpool key list> | all) delete
Description
A SNAT pool is a pool of translation addresses that you can map to one or
more original IP addresses. Translation addresses in a SNAT pool are not
self IP addresses. You can simply create a SNAT pool and then assign it as
a resource directly to a virtual server. This eliminates the need for you to
explicitly define original IP addresses to which to map translation addresses.
Examples
Creates the SNAT pool mysnatpool1 that contains the translation addresses
(members) 11.12.11.24 and 11.12.11.25:
snatpool mysnatpool1 { members 11.12.11.24 11.12.11.25 }
Options
You can use the following options with the snatpool command:
members
Specifies to add a translation address to or delete a translation address
from a SNAT pool.
snatpool edit
Displays in a text editor the running configuration of all objects created
using the command snatpool. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
nat(1), snat(1), snat translation(1), bigpipe(1)
snmpd
Configures the simple network management protocol (SNMP) daemon for
the BIG-IP system.
Syntax
Use this command to configure the snmpd daemon for the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
snmpd [{] <snmpd arg list> [}]
<snmpd arg> ::=
agent address (<string list> | none) [add | delete]
agenttrap (enable | disable)
allow (<string list> | none) [add | delete]
authtrapenable (enable | disable)
bigip traps (enable | disable)
community (<community list> | none) [add | delete]
disk (<disk list> | none) [add | delete]
include (<string> | none)
l2forward vlan (<vlan key> | none | all) [add | delete]
load max1 <number>
load max15 <number>
load max5 <number>
proc (<proc list> | none) [add | delete]
syscontact (<string> | none)
syslocation (<string> | none)
sysservices <number>
trap2sink (<trap2sink list> | none) [add | delete]
trapcommunity (<string> | none)
trapsess (<trapsess list> | none) [add | delete]
trapsink (<trapsink list> | none) [add | delete]
trapsource (<ip addr> | none)
usmuser (<usmuser list> | none) [add | delete]
<community> ::= (<community key list> | all) [{] <community arg list> [}]
Display
snmpd [show [all]]
snmpd list [all]
snmpd agent address [show]
snmpd agenttrap [show]
snmpd allow [show]
snmpd authtrapenable [show]
snmpd bigip traps [show]
snmpd community [<community key list> | all] [show]
snmpd community [<community key list> | all] access [show]
snmpd community [<community key list> | all] community name [show]
snmpd community [<community key list> | all] ipv6 [show]
snmpd community [<community key list> | all] oid [show]
snmpd community [<community key list> | all] partition [show]
snmpd community [<community key list> | all] source [show]
snmpd disk [<disk key list> | all] [show]
snmpd disk [<disk key list> | all] minspace [show]
snmpd disk [<disk key list> | all] minspace type [show]
snmpd disk [<disk key list> | all] partition [show]
snmpd disk [<disk key list> | all] path [show]
snmpd include [show]
snmpd l2forward vlan [show]
snmpd load max1 [show]
Description
Use this command to configure the snmpd daemon for the system.
Important
F5 recommends that users of the Configuration utility exit the utility before
making changes to the system using the command snmpd, because making
changes with the command snmpd restarts the snmpd daemon, and restarting
the snmpd daemon in turn requires a restart of the Configuration utility.
Examples
Specifies that the person who administers the snmpd daemon for the system
can be reached using the email address, admin@company.com:
snmpd syscontact admin@company.com
Specifies that the physical location of the system is the central office:
snmpd syslocation "central office"
Adds the SNMP version 2c trapsess, ts1, to the system. The IP address of
ts1 is 192.168.1.245 and the community that has access to ts1 is public:
snmpd trapsess ts1 { host 192.168.1.245 community public }
Adds the SNMP version 2 trapsink, number1, to the system. The host of
number1 is 10.20.5.11, the port is 162, and the community that has access
to number1 is public:
snmpd trap2sink number1 { community public host 10.20.5.11 port 162 }
Replaces the default community specification for the BIG-IP system. Using
this command, the default community includes a community, named public,
that provides read-only access to the default host. The oid for this
community is 1:
snmpd community default { community name public source default oid 1 access ro }
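The following Python script is an added example, not part of the reference and not F5 code. It parses snmpd community commands written as in the example above and reports the settings a reviewer would want to see: a read-write community, a community accepted from any source address (source default), and a widely known community name. Those review rules are this example's own policy, not something the reference prescribes. The default community command is the page's own; the mgmt_ro and ops_rw communities, their names and the source address 10.0.0.5 are constructed, and the single-address form of source is an assumption of the example. The SNMP client addresses set with the allow option are a separate control and are not covered here.

```python
import re
from typing import Dict, List, Tuple

# Matches 'snmpd community <key> { <attribute list> }' as written in the reference.
COMMUNITY_RE = re.compile(r"^\s*snmpd\s+community\s+(\S+)\s*\{(.*)\}\s*$")


def parse_community(cmd: str) -> Dict[str, str]:
    """Parse one snmpd community command into its attributes.

    Defaults come from the option descriptions: access ro, source default,
    ipv6 disable, community name public.
    """
    m = COMMUNITY_RE.match(cmd)
    if not m:
        raise ValueError(f"not a snmpd community command: {cmd!r}")
    attrs = {"key": m.group(1), "community name": "public",
             "access": "ro", "source": "default", "ipv6": "disable"}
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "community" and i + 2 < len(tokens) and tokens[i + 1] == "name":
            attrs["community name"] = tokens[i + 2]   # two-word key
            i += 3
        elif tokens[i] in ("access", "source", "oid", "ipv6") and i + 1 < len(tokens):
            attrs[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {cmd!r}")
    return attrs


def audit_communities(cmds: List[str]) -> List[Tuple[str, str]]:
    """Return (community key, finding) pairs for settings worth a second look.

    Review policy of this example: rw access, an unrestricted source, and a
    widely known name are each reported; rw combined with an unrestricted
    source gets its own line because that pairing matters most.
    """
    findings = []
    for cmd in cmds:
        c = parse_community(cmd)
        key = c["key"]
        if c["access"] == "rw":
            findings.append((key, "read-write access to the MIB"))
        if c["source"] == "default":
            findings.append((key, "accepted from any source address"))
        if c["access"] == "rw" and c["source"] == "default":
            findings.append((key, "read-write community with no source restriction"))
        if c["community name"] in ("public", "private"):
            findings.append((key, f"widely known community name '{c['community name']}'"))
    return findings


# Constructed commands: the page's default community plus two hypothetical ones.
SAMPLE_COMMANDS = [
    "snmpd community default { community name public source default oid 1 access ro }",
    "snmpd community mgmt_ro { community name n3t-m0n source 10.0.0.5 access ro }",
    "snmpd community ops_rw { community name private access rw }",
]

if __name__ == "__main__":
    for key, finding in audit_communities(SAMPLE_COMMANDS):
        print(f"{key}: {finding}")
```

Note that ops_rw never mentions source, so it inherits source default and is reported as read-write with no source restriction; the audit relies on the parser filling in the documented defaults rather than on what the administrator typed.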
Options
You can use the following options with the snmpd command:
agent address
Indicates that the SNMP agent listens on the specified address. F5
recommends that you do not change this setting without fully
understanding the impact of the change.
agenttrap
Specifies, when enabled, that snmpd sends traps, for example, start/stop
traps. The default setting is enable.
allow
Adds or deletes IP addresses for the SNMP clients from which the
snmpd daemon accepts requests. An SNMP client is a system that runs
the SNMP manager software for the purpose of remotely managing the
BIG-IP system. The default value is 127.
authtrapenable
Specifies, when enabled, that the snmpd daemon generates authentication
failure traps. The default setting is disable.
bigip traps
Specifies, when enabled, that the BIG-IP system sends device warning
traps to the trap destinations. The default value is enable.
community
Adds or deletes a community. Note that you must include a community
key, and you must enclose the attributes in braces. The options are
additive, and include:
access
Specifies the community access level to the MIB. The options are ro
(Read-Only community), and rw (Read-Write community). The
default value is ro.
community name
Specifies the name of the community that you are adding or deleting.
This setting is required. The default value is public.
ipv6
Enables or disables IPv6 addresses for the community that you are
adding or deleting. The default value is disable.
Appendix A
oid
Specifies to restrict access for the community to every object below
the specified object identifier (OID) for the record.
source
Specifies the source addresses with the specified community name
that can access the management information base (MIB). The default
value is default, which means allow any source address to access the
MIB.
disk
Checks the disks mounted at the specified path for available disk space.
The options are:
minspace type
Specifies whether the minimum disk space threshold is measured as a size
(in kBs) or as a percentage. Note that the minspace setting is
interpreted according to this setting.
minspace
Specifies the minimum disk space threshold in either kBs or
percentage based on the minspace type setting. If the available disk
space is less than this amount, the associated entry in the
1.3.6.1.4.1.2021.9.1.100 MIB table is set to (1) and a descriptive error
message is returned to queries of 1.3.6.1.4.1.2021.9.1.101.
path
Specifies the path to the disk that the system checks for disk space.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
l2forward vlan
Specifies the VLANs for which you want the snmpd daemon to expose
Layer 2 forwarding information. Layer 2 forwarding is the means by
which frames are exchanged directly between hosts, with no IP routing
required.
none
This is the default value; it means this parameter is not set.
Important: The default is not the same as setting the l2forward vlan
parameter to the string "none," which indicates that you do not want
the snmpd daemon to expose Layer 2 forwarding for any VLAN.
<vlan key>
Specifies the names of the VLANs for which the snmpd daemon
exposes Layer 2 forwarding information. The snmpd daemon
overwrites the value of the sysL2ForwardAttrVlan object identifier
(OID) with the specified VLAN names. Once you set this parameter,
users cannot change the value of the sysL2ForwardAttrVlan OID
using the SNMP set method.
all
Specifies that the snmpd daemon exposes Layer 2 forwarding
information for all VLANs. Warning: When you set this parameter to
all, the system can create a very large table of statistics, and
potentially affect system performance.
load max1
Specifies the maximum 1-minute load average of the machine. If the load
exceeds this threshold, the associated entry in the
1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error
message is returned to queries of 1.3.6.1.4.1.2021.10.1.101.
Note that when you specify a 0 (zero) for all three of the load max1,
load max5, and load max15 options, the system does not monitor the
load average.
load max15
Specifies the maximum 15-minute load average of the machine. If the
load exceeds this threshold, the associated entry in the
1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error
message is returned to queries of 1.3.6.1.4.1.2021.10.1.101.
Note that when you specify a 0 (zero) for all three of the load max1,
load max5, and load max15 options, the system does not monitor the
load average.
load max5
Specifies the maximum 5-minute load average of the machine. If the load
exceeds this threshold, the associated entry in the
1.3.6.1.4.1.2021.10.1.100 MIB table is set to (1) and a descriptive error
message is returned to queries of 1.3.6.1.4.1.2021.10.1.101.
Note that when you specify a 0 (zero) for all three of the load max1,
load max5, and load max15 options, the system does not monitor the
load average.
partition
Displays the partition within which the snmpd daemon resides.
proc
Specifies to check the machine to determine if the specified process is
running. An error flag (1) and a description message are passed to the
1.3.6.1.4.1.2021.2.1.100 and 1.3.6.1.4.1.2021.2.1.101 MIB columns
(respectively) if the specified program is not found in the process table as
reported by /bin/ps -e.
F5 recommends that you do not modify or delete system processes;
however, you can add, modify, or delete user-defined processes.
max
Specifies the maximum number of instances of the process that can
run. If min and max settings are not specified, the max setting is 1 by
default. The maximum is infinity.
min
Specifies the minimum number of instances of the process that can
run. If max setting is specified, but min setting is not specified, the
min setting is 1 by default.
process
Specifies the name of the process for which you are checking. The
maximum length for a process name is 16 characters.
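The disk, load, and proc entries above all follow the same pattern: a configured threshold is compared against a measured value, and the result is exposed as an error flag (1) plus a descriptive message in the ...100 and ...101 columns of the corresponding MIB table. The following added example, which is not F5's code, models that evaluation in Python, including the two edge cases the text calls out: all three load maxima set to 0 disable load monitoring, and the min/max defaults for proc. Treating a single 0 in one load maximum as "unchecked" is an assumption made for the example, as is the exact wording of the messages.

```python
"""Model of the snmpd disk / load / proc checks and the UCD MIB error
columns they feed (added example, not BIG-IP code)."""
from dataclasses import dataclass

# Table prefixes quoted in the reference text; column .100 is the error
# flag, column .101 the error message.
DISK_TABLE = "1.3.6.1.4.1.2021.9.1"
LOAD_TABLE = "1.3.6.1.4.1.2021.10.1"
PROC_TABLE = "1.3.6.1.4.1.2021.2.1"


@dataclass
class CheckResult:
    table: str     # MIB table the check reports into
    flag: int      # 0 = ok, 1 = threshold exceeded (the ...100 column)
    message: str   # text returned for the ...101 column ("" when ok)


def check_disk(path, minspace, minspace_type, total_kb, avail_kb):
    """minspace is kB when minspace_type is 'size', percent when 'percent'."""
    if minspace_type == "percent":
        avail, unit = 100.0 * avail_kb / total_kb, "%"
    elif minspace_type == "size":
        avail, unit = float(avail_kb), "kB"
    else:
        raise ValueError("minspace type must be 'size' or 'percent'")
    if avail < minspace:
        return CheckResult(DISK_TABLE, 1,
                           f"{path}: less than {minspace}{unit} free (= {avail:.0f}{unit})")
    return CheckResult(DISK_TABLE, 0, "")


def check_load(max1, max5, max15, load1, load5, load15):
    """All three maxima set to 0 disable load monitoring entirely (per the text).
    A single 0 leaving that one average unchecked is this example's assumption."""
    limits = (max1, max5, max15)
    if limits == (0, 0, 0):
        return CheckResult(LOAD_TABLE, 0, "")
    for name, limit, value in zip(("1", "5", "15"), limits, (load1, load5, load15)):
        if limit and value > limit:
            return CheckResult(LOAD_TABLE, 1,
                               f"{name} min load average too high (= {value:.2f}, max {limit})")
    return CheckResult(LOAD_TABLE, 0, "")


def check_proc(process, ps_table, min_count=None, max_count=None):
    """ps_table is the list of process names as /bin/ps -e would report them.
    Defaults follow the reference text: neither min nor max given -> max 1;
    max given without min -> min 1."""
    if len(process) > 16:
        raise ValueError("process name is limited to 16 characters")
    if min_count is None and max_count is None:
        max_count = 1
    if max_count is not None and min_count is None:
        min_count = 1
    count = sum(1 for name in ps_table if name == process)
    if count == 0:
        return CheckResult(PROC_TABLE, 1, f"No {process} process running")
    if min_count is not None and count < min_count:
        return CheckResult(PROC_TABLE, 1, f"Too few {process} running (# = {count})")
    if max_count is not None and count > max_count:
        return CheckResult(PROC_TABLE, 1, f"Too many {process} running (# = {count})")
    return CheckResult(PROC_TABLE, 0, "")


if __name__ == "__main__":
    # Constructed sample measurements, not taken from a real system.
    print(check_disk("/var/log", 10, "percent", total_kb=1000, avail_kb=50))
    print(check_load(4, 0, 0, 5.5, 1.0, 1.0))
    print(check_proc("httpd", ["httpd", "httpd", "sshd"], max_count=5))
```

A monitoring system that polls these columns should alert on the flag and surface the message; the message text alone is not a stable parsing target.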
snmpd edit
Displays in a text editor the running configuration of all objects created
using the command snmpd. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only snmpd { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on the syntax
you entered. You must run the save all command to save this change to
the stored configuration files.
Note that the default text editor is vi.
syscontact
Specifies the name of the person who administers the snmpd daemon for
this system.
syslocation
Describes this system's physical location.
sysservices
Specifies the value of the system.sysServices.0 object.
trap2sink
Adds or deletes an SNMP version 2 trap destination. Note that you must
include a trap2sink key, and you must enclose the attributes in braces.
community
Specifies the community name for the trap destination that you are
adding or deleting.
host
Specifies the IP address or the FQDN for the trap2sink host that you
are adding or deleting. Note that you must configure the DNS Server
on the BIG-IP system. You can use the dns command to do this.
port
Specifies the port for the trap destination that you are adding or
deleting. The default setting is 162.
trapcommunity
Specifies the common community name for the trap destination.
trapsess
Adds or deletes an SNMP trap destination. Note that you must include a
trapsess key, and you must enclose the attributes in braces.
auth password
Specifies the authentication password only for an SNMP version 3
trap. Note that if you enter an authentication password, the auth
protocol option cannot equal NONE.
auth protocol
Specifies the authentication method only for an SNMP version 3 trap.
The default value is NONE. You must use capital letters for the
following authentication methods:
MD5
Specifies that the system uses the MD5 algorithm to authenticate
the user. This option is valid only for SNMP version 3.
SHA
Specifies that the system uses the secure hash algorithm (SHA) to
authenticate the user. This option is valid only for SNMP version
3.
NONE
Specifies that the user does not require authentication. Note that if
you use this option, you do not use the auth password option.
This option is not valid for SNMP version 3.
engine id
Specifies the authoritative security engine ID for SNMP version 3.
host
Specifies the IP address or the FQDN for the trapsess host that you
are adding or deleting. Note that you must configure the DNS Server
on the BIG-IP system. You can use the dns command to do this. This
setting is required.
port
Specifies the port for the trapsess destination. The default setting is
162.
privacy password
Specifies the privacy pass phrase to use for encrypted SNMP version
3 messages. Note that if you enter a privacy password, the privacy
protocol option cannot equal NONE. Use this setting to set only
SNMP version 3 traps.
privacy protocol
Specifies the encryption protocol to use to deliver authentication
information for this trapsess. The default value is NONE. Use this
setting to set only SNMP version 3 traps. You must use the specified
case for the following options exactly:
DES
Specifies that the system encrypts the user information using
DES (Data Encryption Standard). This option is valid only for
SNMP version 3.
NONE
Specifies that the system does not encrypt the user information.
Note that if you use this option, you do not use the privacy
password option.
security level
Specifies the security level for the trapsess. The default value is
noAuthNoPriv. Use this setting to set only SNMP version 3 traps.
You must use the specified case for the following options exactly:
noAuthNoPriv
Specifies that if the system cannot authenticate the user, the
system does not grant the user access to the system. This setting
is required if the SNMP version is other than version 3.
authNoPriv
Specifies that the SNMP trap destination uses the auth protocol
setting, but not the privacy protocol setting. Note that if you use
this option, auth protocol cannot be NONE, and auth password
must be set. This option is valid only for SNMP version 3.
authPriv
Specifies that the SNMP trap destination uses both the
authentication protocol setting and the privacy protocol
setting. Note that if you use this option, auth protocol cannot be
set to NONE, and privacy protocol cannot be set to NONE. This
option is valid only for SNMP version 3.
security name
Specifies the security name the system uses to authenticate SNMP
version 3 messages.
version
Specifies to which SNMP version the trap destination applies. The
default value is 2c.
trapsink
Adds or deletes an SNMP version 1 trap destination.
community
Specifies the community name for the trap destination.
host
Specifies the IP address or the FQDN for the trapsink host that you
are adding or deleting. Note that you must configure the DNS Server
on the BIG-IP system. You can use the dns command to do this.
port
Specifies the port for the trapsink destination.
trapsource
Specifies the source of the SNMP trap. The default value is none.
usmuser
Adds or deletes a user for which you are setting an SNMP access level
for SNMP version 3. Note that you must include a usmuser key, and you
must enclose the attributes in braces. The options are additive and
include:
access
Specifies the user access level to the MIB. The default value is ro
(Read Only).
authpassword
Specifies the user's authentication password. Note that if you enter an
authentication password, the auth protocol option cannot equal NONE.
auth protocol
Specifies the authentication method for this user. This setting is
required. You must use capital letters for the following authentication
methods:
MD5
Specifies that the system uses the MD5 algorithm to authenticate
the user.
SHA
Specifies that the system uses the secure hash algorithm (SHA) to
authenticate the user.
NONE
Specifies that the user does not require authentication.
oid
Specifies an object identifier (OID) for the record.
privacy password
Specifies the password for the user. Note that if you enter a privacy
password, the privacy protocol option cannot equal NONE.
privacy protocol
Specifies the encryption protocol to use to deliver authentication
information for this user. Note that if you enter a privacy protocol, the
auth protocol option cannot equal NONE. This setting is required. You
must use capital letters for the following privacy protocols:
DES
Specifies that the system encrypts the user information using
DES. This option is valid only for SNMP version 3.
NONE
Specifies that the system does not encrypt the user information.
Note that if you use this option, you do not use the privacy
password option.
security level
Specifies the security level for the user. The default value is
noAuthNoPriv. Use this setting to set only SNMP version 3 traps.
You must use the specified case for the following options exactly:
noAuthNoPriv
Specifies that if the user cannot be authenticated, the system does
not grant access to the system. This setting is required if the
SNMP version is other than version 3.
authNoPriv
Specifies that the SNMP trap destination uses the auth protocol
setting, but not the privacy protocol setting. Note that if you use
this option, auth protocol cannot be NONE, and auth password
must be set. This option is valid only for SNMP version 3.
authPriv
Specifies that the SNMP trap destination uses the authentication
protocol setting and the privacy protocol setting. Note that if
you use this option, auth protocol cannot be set to NONE, and
privacy protocol cannot be set to NONE. This option is valid
only for SNMP version 3.
username
Specifies the name of the user who is using SNMP version 3 to access
the MIB. This setting is required.
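The community, usmuser, and trapsess entries above define the settings that decide who can read or write the MIB and whether trap traffic is authenticated. The following added example, which is not F5's code, parses bigpipe one-line snmpd statements in the form the examples on this page use and reports the weak combinations a reviewer looks for: a read-write community, the well-known name public reachable from any source, an SNMPv3 user with auth protocol NONE or noAuthNoPriv, and trap destinations that rely on a community string alone. The sample configuration is constructed for the example; REPLACE_ME stands in for real passwords, and the severity labels are this example's own.

```python
"""Linter for bigpipe 'snmpd community / usmuser / trapsess' lines
(added example, not BIG-IP code)."""
import re
import shlex

# Attribute names from the reference text; multi-word names are matched
# before single-word ones so "security name" is never read as "security".
ATTR_NAMES = {
    "community": ("access", "community name", "ipv6", "oid", "source"),
    "usmuser": ("access", "authpassword", "auth protocol", "oid",
                "privacy password", "privacy protocol", "security level",
                "username"),
    "trapsess": ("auth password", "auth protocol", "community", "engine id",
                 "host", "port", "privacy password", "privacy protocol",
                 "security level", "security name", "version"),
}

LINE_RE = re.compile(r"^\s*snmpd\s+(community|usmuser|trapsess)\s+(\S+)\s*\{(.*)\}\s*$")


def parse_snmpd_line(line):
    """Return (object type, key, {attribute: value}) for one snmpd statement."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a braced snmpd statement: {line!r}")
    obj, key, body = m.groups()
    tokens = shlex.split(body)            # shlex keeps quoted values together
    names = sorted(ATTR_NAMES[obj], key=lambda n: -len(n.split()))
    attrs, i = {}, 0
    while i < len(tokens):
        for name in names:
            words = name.split()
            if tokens[i:i + len(words)] == words:
                attrs[name] = tokens[i + len(words)]
                i += len(words) + 1
                break
        else:
            raise ValueError(f"unknown attribute near {tokens[i]!r} in {key}")
    return obj, key, attrs


def lint_snmpd(config_text):
    """Return (severity, key, message) findings for each weak setting."""
    findings = []
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        obj, key, a = parse_snmpd_line(line)
        if obj == "community":
            src, access = a.get("source", "default"), a.get("access", "ro")
            if access == "rw":
                sev = "high" if src == "default" else "medium"
                findings.append((sev, key, f"read-write community reachable from source {src}"))
            if a.get("community name", "public") == "public" and src == "default":
                findings.append(("medium", key, "well-known name 'public' reachable from any source"))
        elif obj == "usmuser":
            if (a.get("auth protocol", "NONE") == "NONE"
                    or a.get("security level", "noAuthNoPriv") == "noAuthNoPriv"):
                findings.append(("high", key, "SNMPv3 user without authentication"))
            elif a.get("privacy protocol", "NONE") == "NONE" and a.get("access", "ro") == "rw":
                findings.append(("medium", key, "read-write SNMPv3 user without privacy"))
        elif obj == "trapsess":
            ver = a.get("version", "2c")           # 2c is the documented default
            if ver != "3":
                findings.append(("low", key, f"SNMP v{ver} trap destination relies on a community string"))
            elif a.get("security level", "noAuthNoPriv") != "authPriv":
                findings.append(("medium", key, "SNMPv3 trap destination not using authPriv"))
    return findings


# Constructed sample configuration (not from a real system).
SAMPLE_CONFIG = """
snmpd community default { community name public source default oid 1 access ro }
snmpd community ops { community name ops-rw source default access rw }
snmpd usmuser monitor { username monitor auth protocol NONE privacy protocol NONE security level noAuthNoPriv access ro }
snmpd usmuser nms { username nms auth protocol SHA authpassword REPLACE_ME privacy protocol DES privacy password REPLACE_ME security level authPriv access ro }
snmpd trapsess ts1 { host 192.168.1.245 community public }
snmpd trapsess ts3 { host 192.168.1.246 version 3 security name nms security level authPriv auth protocol SHA auth password REPLACE_ME privacy protocol DES privacy password REPLACE_ME }
"""

if __name__ == "__main__":
    for sev, key, msg in lint_snmpd(SAMPLE_CONFIG):
        print(f"[{sev}] {key}: {msg}")
```

The parser only understands the attribute names this page documents, so an unfamiliar attribute raises rather than being silently skipped; that is deliberate for an audit tool, where a line that cannot be interpreted should be reviewed by hand.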
See also
bigpipe(1), httpd(1), ntp(1), dns(1), sshd(1)
sshd
Configures the Secure Shell (SSH) daemon for the BIG-IP system.
Syntax
Use this command to configure the sshd daemon on the system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
Note
You must enter the values for the loglevel argument using the exact case
shown below. In other words, to assign a log level of ERROR, you use the
syntax: sshd loglevel ERROR.
sshd [{] <sshd arg list> [}]
<sshd arg> ::=
allow (<string list> | none) [add | delete]
banner (enable | disable)
banner text (<string> | none)
inactivity timeout <number>
include (<string> | none)
login (enable | disable)
loglevel (QUIET | FATAL | ERROR | INFO | VERBOSE | DEBUG | DEBUG1 | DEBUG2 | DEBUG3)
sshd edit
Display
sshd [show [all]]
sshd list [all]
sshd allow
sshd banner [show]
sshd banner text [show]
sshd inactivity timeout [show]
sshd include [show]
sshd login [show]
Description
Use the sshd command to configure a secure channel between the BIG-IP
system and other devices.
Important
F5 recommends that users of the Configuration utility exit the utility before
changes are made to the system using the sshd command. This is because
making changes to the system using the sshd command causes a restart of
the sshd daemon. Likewise, restarting the sshd daemon creates the necessity
for a restart of the Configuration utility.
Examples
Creates an initial range of IP addresses (192.168.0.0 with a netmask of
255.255.0.0) that are allowed to log on to the system:
sshd allow 192.168.0.0/255.255.0.0
Note
Options
You can use the following options with the sshd command:
allow
Adds a server to or removes a server from the /etc/hosts.allow file. Use
this option to either add servers to the BIG-IP system that are allowed to
access the system, or delete these servers from the system.
Warning: Using the value none resets the sshd daemon to allow all
servers access to the system. F5 recommends that you do not use the
value none with the sshd command.
banner
Enables or disables the display of the banner text field when a user logs
in to the system using SSH. The default value is disable.
banner text
When banner is enabled, specifies the text to include in the banner that
displays when a user attempts to log on to the system.
inactivity timeout
Specifies the number of seconds before inactivity causes an SSH session
to log off. The default value is 0 (zero) seconds, which indicates that
inactivity timeout is disabled.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
login
Enables or disables SSH logons to the system. The default is enable.
loglevel
Specifies the minimum sshd message level to include in the system log.
You must enter the following values in capital letters:
DEBUG - DEBUG3
Indicates that the minimum sshd message level that the system logs is
the specified debugging level.
ERROR
Indicates that the minimum sshd message level that the system logs is
error.
FATAL
Indicates that the minimum sshd message level that the system logs is
fatal.
INFO
Indicates that the minimum sshd message level that the system logs is
informational.
QUIET
Indicates that the system does not log sshd messages.
VERBOSE
Indicates that the system logs all sshd messages.
partition
Displays the partition within which the sshd daemon resides.
sshd edit
Displays in a text editor the running configuration of all objects that you
use the command sshd to create. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only sshd { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
Note that the default text editor is vi.
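The allow option above takes addresses either singly or as address/netmask (the example on this page uses 192.168.0.0/255.255.0.0), and the warning notes that the value none reopens SSH to every address. The following added example, which is not F5's code, evaluates a client address against a list written in that form and reports the cases a reviewer would flag. It models the bigpipe values only, not the /etc/hosts.allow syntax they are written into, and the "broader than a /16" threshold is an arbitrary choice for the example.

```python
"""Evaluate and audit an 'sshd allow' list (added example, not BIG-IP code)."""
import ipaddress


def parse_allow_list(entries):
    """Turn bigpipe 'sshd allow' values into network objects.
    'none' (or an empty list) means no restriction at all, so return None."""
    if not entries or entries == ["none"]:
        return None
    # ip_network accepts both prefix (/16) and dotted netmask (/255.255.0.0)
    # forms; a bare address becomes a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ssh_permitted(entries, client):
    """True if a client at this address would pass the allow list."""
    networks = parse_allow_list(entries)
    if networks is None:
        return True            # 'none': sshd accepts connections from anywhere
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in networks)


def audit_allow_list(entries):
    """Findings about the list itself, independent of any client."""
    findings = []
    networks = parse_allow_list(entries)
    if networks is None:
        findings.append("allow list is 'none': SSH is reachable from any address")
        return findings
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net} permits every address")
        elif net.prefixlen < 16:
            findings.append(f"{net} is broader than a /16; confirm it is intended")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not from a real system.
    allow = ["192.168.0.0/255.255.0.0", "10.1.2.3"]
    for client in ("192.168.44.7", "10.1.2.3", "10.1.2.4"):
        print(client, "permitted" if ssh_permitted(allow, client) else "denied")
    print(audit_allow_list(["none"]))
```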
See also
bigpipe(1), ntp(1), dns(1), httpd(1), snmpd(1)
ssl
Displays or resets Secure Sockets Layer (SSL) statistics for the BIG-IP
system.
Syntax
Use this command to display or reset SSL statistics for the system.
Display
ssl [show [all]]
Modify
ssl stats reset
Description
Displays or resets SSL statistics for the system.
Examples
Displays all SSL statistics for the system:
ssl show all
See also
bigpipe(1)
statemirror
Configures connection mirroring for a BIG-IP unit that is part of a
redundant system.
Syntax
Use this command to enable and configure connection mirroring for the
system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
statemirror [{] <statemirror arg list> [}]
<statemirror arg> ::=
addr (<ip addr> | none)
peer addr (<ip addr> | none)
secondary addr (<ip addr> | none)
secondary peer addr (<ip addr> | none)
state (enable | disable)
statemirror edit
Display
statemirror [show [all]]
statemirror list [all]
statemirror addr [show]
statemirror partition [show]
statemirror peer addr [show]
statemirror secondary addr [show]
statemirror secondary peer addr [show]
statemirror state [show]
Description
You use this command to configure connection mirroring on a system that is
part of a redundant pair in a high availability system. Connection mirroring
is the process of duplicating connections from the active system to the
standby system. Enabling this setting ensures a higher level of connection
reliability, but it may also have an impact on system performance.
Examples
Enables and configures connection mirroring for a high availability system
in which one BIG-IP system has an IP address of 192.168.10.10 and its peer
has an IP address of 192.168.10.20.
statemirror state enable addr 192.168.10.10 peer addr 192.168.10.20
Options
You can use the following options with the statemirror command:
addr
Specifies the primary self-IP address on this unit to which the peer unit
mirrors its connections. This is a required setting.
partition
Displays the partition within which the statemirror object resides.
peer addr
Specifies the primary self-IP address on the peer unit to which this unit
mirrors its connections. This is a required setting.
secondary addr
Specifies another self-IP address on this unit to which the peer unit
mirrors its connections when the primary address is unavailable.
secondary peer addr
Specifies another self-IP address on the peer unit to which this unit
mirrors its connections when the primary peer address is unavailable.
state
Enables or disables connection mirroring. The default is enable.
statemirror edit
Displays in a text editor the running configuration of all objects that you
use the command statemirror to create. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only statemirror { } displays, you can
type parameters and values between the braces. When you exit the editor,
the BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
Note that the default text editor is vi.
See also
bigpipe(1), failover(1)
stop
Discontinues command continuation.
Syntax
Use this command to discontinue command continuation.
Usage
stop
Description
If you type any command using an unbalanced opening brace, the bigpipe
shell stores the command entered up to that point. The shell stores any
subsequent commands in a similar way until you type a command that
closes all open braces, or you type the stop command.
Examples
Suppose you type the auth radius command, with an opening brace, but no
closing brace:
bp> auth radius rad-1 {
The shell does nothing. At this point, you can continue to type more options
for the auth radius command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace (}), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
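The continuation behaviour described above (buffer every line after an unbalanced opening brace until the braces close, or until stop is typed) is easy to get wrong when scripting bigpipe input, so here is an added example that models it in Python. This is not F5's code; it assumes that braces inside double-quoted values (as in snmpd syslocation "central office") do not count, and that stop typed outside a continuation is passed through as an ordinary command.

```python
"""Model of the bigpipe shell's brace continuation and the stop command
(added example, not BIG-IP code)."""


class CommandBuffer:
    def __init__(self):
        self.pending = []   # lines typed since the first unbalanced brace
        self.depth = 0      # opening braces not yet closed

    @staticmethod
    def brace_delta(line):
        """Net change in brace depth, ignoring braces inside double quotes."""
        delta, quoted = 0, False
        for ch in line:
            if ch == '"':
                quoted = not quoted
            elif not quoted and ch == "{":
                delta += 1
            elif not quoted and ch == "}":
                delta -= 1
        return delta

    def feed(self, line):
        """Return the complete command to run, or None while the shell waits."""
        line = line.strip()
        if self.depth > 0 and line == "stop":
            # stop abandons the continuation; nothing buffered is run
            self.pending, self.depth = [], 0
            return None
        self.depth = max(0, self.depth + self.brace_delta(line))
        self.pending.append(line)
        if self.depth > 0:
            return None                     # still inside an open brace
        command = " ".join(self.pending)
        self.pending, self.depth = [], 0
        return command


if __name__ == "__main__":
    shell = CommandBuffer()
    for typed in ("auth radius rad-1 {", "debug enable", "retries 4", "}"):
        result = shell.feed(typed)
        print(f"bp> {typed:<22} -> {result!r}")
```

Feeding the four lines from the example above yields a single command, auth radius rad-1 { debug enable retries 4 }, only on the closing brace; typing stop at any earlier point discards all of it.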
stp
Configures spanning tree protocols on the system.
Syntax
Use this command to modify or display an RSTP, MSTP, or STP
configuration.
Modify
stp {}
stp [{] <stp arg list> [}]
<stp arg> ::=
config name (<string> | none)
config revision <number>
forward delay <number>
hello <number>
max age <number>
max hops <number>
mode (stp | rstp | mstp | disable | passthru)
transmit hold <number>
stp edit
Display
stp [show [all]]
stp list [all]
stp config name [show]
stp config revision [show]
stp forward delay [show]
stp hello [show]
stp max age [show]
stp max hops [show]
stp mode [show]
stp transmit hold [show]
Description
Provides the ability to configure spanning tree protocols for the traffic
management system. Spanning tree protocols are Layer 2 protocols for
preventing bridging loops. The system supports multiple spanning tree
protocol (MSTP), rapid spanning tree protocol (RSTP), and spanning tree
protocol (STP).
Examples
Sets the STP mode to passthru. Passthru mode forwards spanning tree
bridge protocol data units (BPDUs) received on any interface to all other
interfaces:
stp mode passthru
Sets the STP mode to disable. No STP, RSTP, or MSTP packets are
transmitted or received on the interface or trunk, and the spanning tree
algorithm exerts no control over forwarding or learning on the port or the
trunk:
stp mode disable
Options
You can use these options with the stp command:
config name
Specifies the configuration name (1 - 32 characters in length) only when
the spanning tree mode is MSTP. The default configuration name is a
string representation of a globally-unique MAC address belonging to the
traffic management system.
The MSTP standard introduces the concept of spanning tree regions,
which are groups of adjacent bridges with identical configuration names,
configuration revision levels, and assignments of VLANs to spanning
tree instances.
config revision
Specifies the revision level of the MSTP configuration only when the
spanning tree mode is MSTP. The specified number must be in the range
0 to 65535. The default is 0.
forward delay
In the original Spanning Tree Protocol, the forward delay parameter
controlled the number of seconds for which an interface was blocked
from forwarding network traffic after a reconfiguration of the spanning
tree topology. This parameter has no effect when RSTP or MSTP are
used, as long as all bridges in the spanning tree use the RSTP or MSTP
protocol. If any legacy STP bridges are present, then neighboring bridges
must fall back to the old protocol, whose reconfiguration time is affected
by the forward delay value. The default forward delay value is 15, and
the valid range is 4 to 30.
hello
Specifies the time interval in seconds between the periodic transmissions
that communicate spanning tree information to the adjacent bridges in
the network. The default is 2 seconds, and the valid range is 1 to 10. The
default hello time is optimal in virtually all cases. Changing the hello
time is not recommended.
max age
Specifies the number of seconds for which spanning tree information
received from other bridges is considered valid. The default is 20
seconds, and the valid range is 6 to 40 seconds.
max hops
Specifies the maximum number of hops an MSTP packet may travel
before it is discarded. Use this option only when the spanning tree mode
is MSTP. The number of hops must be in the range of 1 to 255 hops. The
default number of hops is 20.
mode
Specifies one of the following spanning tree modes:
stp
STP mode is supported for legacy systems. If STP is detected in the
network, the traffic management system changes to STP mode even
when the mode option is set to rstp or mstp.
rstp
The default mode is RSTP, or rapid spanning tree protocol. RSTP
converges to a fully-connected state quickly.
mstp
MSTP mode supports multiple spanning tree instances. The spanning
tree instances operate independently of one another. Each instance
asserts control over one or more VLANs, called the members of the
spanning tree instance. STP and RSTP do not support multiple
spanning tree instances. They support only a single instance (instance
0), which contains all VLANs.
disable
Disable mode discards spanning tree bridge protocol data units
(BPDUs) received on any interface.
passthru
Passthru mode forwards spanning tree bridge protocol data units
(BPDUs) received on any interface to all other interfaces. Essentially,
passthru mode makes the traffic management system transparent to
spanning tree BPDUs.
stp edit
Displays in a text editor the running configuration of all objects that you
use the command stp to create. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if only stp { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
Note that the default text editor is vi.
transmit hold
Specifies the absolute limit on the number of spanning tree protocol
packets the traffic management system may transmit on a port in any
hello time interval. It is used to ensure that spanning tree packets do not
unduly load the network even in unstable situations. The default is 6
packets, and the valid range is 1 to 10 packets.
See also
interface(1), stp instance(1), bigpipe(1)
stp instance
Configures an STP configuration instance.
Syntax
Use this command to create, modify, display, or delete an STP configuration
instance.
Create/Modify
stp instance <stp instance key list> {}
stp instance (<stp instance key list> | all) [{] <stp instance arg list> [}]
<stp instance key> ::=
<number>
<stp instance arg> ::=
vlans (<vlan key list> | none) [add | delete]
priority <number>
interfaces (<stp interface list> | none) [add | delete]
trunks (<stp interface list> | none) [add | delete]
<stp interface key> ::=
<interface>
<trunk>
<stp interface arg> ::=
external path cost <number>
internal path cost <number>
priority <number>
stp instance (<stp instance key list> | all) stats reset
stp edit
Display
stp instance [<stp instance key list> | all] [show [all]]
stp instance [<stp instance key list> | all] list [all]
stp instance [<stp instance key list> | all] interfaces [show]
stp instance [<stp instance key list> | all] priority [show]
stp instance [<stp instance key list> | all] stats [show]
stp instance [<stp instance key list> | all] trunk [show]
stp instance [<stp instance key list> | all] vlans [show]
Delete
stp instance (<stp instance key list> | all) delete
Description
Creates, modifies, and displays an STP configuration instance.
Examples
Displays all STP instances on the system:
stp instance show
Removes all members from the instance, and then deletes the instance
itself. Spanning tree instance 0 (the Common and Internal Spanning Tree)
cannot be deleted. This command may be used only in MSTP mode:
stp instance 2 delete
Options
You can use these options with the stp instance command:
vlans
Specifies a list of VLAN names.
priority
Specifies the priority number. Each bridge in a spanning tree instance has
a priority value. The relative values of the bridge priorities control the
topology of the spanning tree chosen by the protocol. The bridge with the
lowest priority value (numerically) becomes the root of the spanning tree.
Priority values vary from 0 to 61440 in increments of 4096.
interface priority
Specifies the interface priority number. Each network interface has an
associated priority within each spanning tree instance. The relative
values of the interface priorities influence which interfaces are chosen to
carry network traffic. All other things being equal, interfaces with
numerically lower priority values are favored to carry traffic. Interface
priorities take values in the range 0 to 240 in increments of 16. The
default interface priority is 128, the middle of the valid range.
trunk priority
Specifies the trunk priority number. Each network trunk has an
associated priority within each spanning tree instance. The relative
values of the trunk priorities influence which trunks are chosen to carry
network traffic. All other things being equal, trunks with numerically
lower priority values are favored to carry traffic. Trunk priorities take
values in the range 0 to 240 in increments of 16. The default trunk
priority is 128, the middle of the valid range.
See also
interface(1), stp(1), bigpipe(1)
stream
Displays or resets global stream statistics for the BIG-IP system.
Syntax
Use this command to display or reset global stream statistics for the system.
Modify
stream stats reset
Display
stream [show [all]]
Description
Displays or resets stream statistics for the system.
Examples
Displays the global stream statistics for the system:
stream show
See also
bigpipe(1)
sys-icheck
Identifies unintended modifications to BIG-IP system files.
Syntax
Use this command at the BIG-IP system prompt to identify any unintended
modifications to BIG-IP system files. Note that a hot fix (patch) is an
intended modification that will not be identified by the sys-icheck
command.
Usage
sys-icheck [options]
Options
You can use these options with the sys-icheck command.
-h
Use this option to report Warn issues, as well as the default, Error
issues.
-i
Use this option to report Info and Warn issues, as well as the default,
Error issues.
Description
The sys-icheck command identifies any unintended modifications to BIG-IP
system files and returns Error issues. Use the options to report Warn or
Info issues, as well.
Examples
Runs the sys-icheck utility and reports Info, Warn, and Error issues:
sys-icheck -i
See also
sys-reset(8)
sys-reset
Returns the configuration of the system to the factory default (installation
time) state.
Syntax
Use this command at the BIG-IP system prompt to return the configuration
of the system to the factory default (installation time) state.
Usage
sys-reset [options]
Options
You can use these options with the sys-reset command.
-h
Use this option to show help for the sys-reset command.
-p
Use this option to ignore all applied hot fixes.
-s
Use this option to prevent the /shared file system from being changed.
-u
Use this option to ignore unrecoverable file errors.
Description
The sys-reset command runs the sys-icheck utility, and if there are no
system integrity issues, returns the system to the factory default state. Note
that if you have applied hot fixes (patches) to your system, you must specify
an override option for sys-reset to run.
Examples
Runs the sys-reset command to restore the system to the factory default
state ignoring any hot fixes that have been applied to the system:
sys-reset -p
Runs the sys-reset command to restore the system to the factory default state
without changing the /shared file system.
sys-reset -s
See also
sys-icheck(8)
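To make the relationship between the two commands concrete, here is an added example (not F5's code, and not what the BIG-IP utilities actually do internally) that models a sys-icheck style integrity check against a file baseline, skips files belonging to an applied hot fix, filters issues by the -h / -i reporting options, and gates a factory reset the way the manual describes sys-reset. The severity classes, the baseline format and the sample file tree are assumptions of this example.

```python
"""Model of a sys-icheck style integrity check and the sys-reset gate that
depends on it. Hypothetical example code; it does not call the BIG-IP tools."""
import hashlib
import os
import tempfile
from pathlib import Path

ERROR, WARN, INFO = "Error", "Warn", "Info"
# Issue classes each reporting option includes; no option means Error only.
REPORT_LEVELS = {None: {ERROR}, "-h": {ERROR, WARN}, "-i": {ERROR, WARN, INFO}}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record (sha256, permission bits) for every regular file under root,
    keyed by relative path. Stands in for the vendor-shipped file manifest."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        baseline[rel] = (sha256_file(path), path.stat().st_mode & 0o7777)
    return baseline


def icheck(root: Path, baseline: dict, hotfix_files=frozenset(), option=None) -> list:
    """Return sorted [(severity, relpath, detail)] for unintended changes.

    Severity classes are an assumption of this example: changed content or
    a missing file is an Error, changed permission bits a Warn, a file not
    in the baseline an Info. Paths in hotfix_files belong to an applied
    hot fix, an intended modification, and are never reported.
    """
    issues = []
    for rel, (expected_hash, expected_mode) in baseline.items():
        if rel in hotfix_files:
            continue
        path = root / rel
        if not path.is_file():
            issues.append((ERROR, rel, "missing"))
        elif sha256_file(path) != expected_hash:
            issues.append((ERROR, rel, "content modified"))
        elif (path.stat().st_mode & 0o7777) != expected_mode:
            issues.append((WARN, rel, "permissions changed"))
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.is_file() and rel not in baseline and rel not in hotfix_files:
            issues.append((INFO, rel, "not in baseline"))
    return sorted(issue for issue in issues if issue[0] in REPORT_LEVELS[option])


def sys_reset_allowed(issues: list, hotfixes_applied: bool, ignore_hotfixes=False) -> tuple:
    """Gate a factory reset as the manual describes sys-reset: refuse while
    integrity Errors exist, and require the -p override once hot fixes
    have been applied."""
    if any(severity == ERROR for severity, _, _ in issues):
        return (False, "system integrity errors present")
    if hotfixes_applied and not ignore_hotfixes:
        return (False, "hot fixes applied; rerun with -p to ignore them")
    return (True, "ok")


def demo() -> dict:
    """Constructed scenario: baseline a small tree, apply a hot fix, loosen
    one file's permissions, drop in a stray file, then tamper with a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {"etc/hosts": "127.0.0.1 localhost\n",
                             "etc/passwd": "root:x:0:0::/root:/bin/bash\n",
                             "bin/tmm": "placeholder binary\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
            os.chmod(root / rel, 0o644)
        baseline = build_baseline(root)
        (root / "bin/tmm").write_text("placeholder binary, hot fix 1\n")
        hotfix = frozenset({"bin/tmm"})               # intended modification
        os.chmod(root / "etc/passwd", 0o666)          # Warn-class change
        (root / "etc/extra.conf").write_text("x\n")   # Info-class change
        results = {"clean_default": icheck(root, baseline, hotfix)}
        results["reset_without_p"] = sys_reset_allowed(results["clean_default"], True)
        results["reset_with_p"] = sys_reset_allowed(results["clean_default"], True, True)
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n198.51.100.7 added\n")
        results["tampered_default"] = icheck(root, baseline, hotfix)
        results["tampered_i"] = icheck(root, baseline, hotfix, "-i")
        results["tampered_reset"] = sys_reset_allowed(results["tampered_default"], True, True)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```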
syslog
Configures the system log, /var/run/config/syslog-ng.conf.
Syntax
Use this command to configure the system log.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
syslog [{] <syslog arg list> [}]
<syslog arg> ::=
authpriv from (emerg | alert | crit | err | warning | notice | info | debug)
authpriv to (emerg | alert | crit | err | warning | notice | info | debug)
cron from (emerg | alert | crit | err | warning | notice | info | debug)
cron to (emerg | alert | crit | err | warning | notice | info | debug)
daemon from (emerg | alert | crit | err | warning | notice | info | debug)
daemon to (emerg | alert | crit | err | warning | notice | info | debug)
include (<string> | none)
kern from (emerg | alert | crit | err | warning | notice | info | debug)
kern to (emerg | alert | crit | err | warning | notice | info | debug)
local ip (<ip addr> | none)
mail from (emerg | alert | crit | err | warning | notice | info | debug)
mail to (emerg | alert | crit | err | warning | notice | info | debug)
messages from (emerg | alert | crit | err | warning | notice | info | debug)
messages to (emerg | alert | crit | err | warning | notice | info | debug)
remote port <number>
remote server (<ip addr> | none)
userlog from (emerg | alert | crit | err | warning | notice | info | debug)
userlog to (emerg | alert | crit | err | warning | notice | info | debug)
syslog edit
Display
syslog [show [all]]
syslog list [all]
syslog authpriv from [show]
Description
Use this command to configure the system log.
Examples
Resets the message range of the security/authorization messages that are
included in the system log to messages with a level of warning, error,
critical, alert, and emergency:
syslog authpriv from warning
Options
You can use the following options with the syslog command:
authpriv from
Specifies the lowest level of security/authorization messages to include
in the log. The default value is notice.
authpriv to
Specifies the highest level of messages about user authentication to
include in the log. The default value is emerg.
cron from
Specifies the lowest level of messages about time-based scheduling to
include in the log. The default value is warning.
cron to
Specifies the highest level of messages about time-based scheduling to
include in the log. The default value is emerg.
daemon from
Specifies the lowest level of messages about daemon performance to
include in the log. The default value is notice.
daemon to
Specifies the highest level of messages about daemon performance to
include in the log. The default value is emerg.
include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter incorrectly,
you put the functionality of the system at risk.
kern from
Specifies the lowest level of kern messages to include in the log. The
default value is notice.
kern to
Specifies the highest level of kern messages to include in the log. The
default value is emerg.
local ip
Specifies the IP address of the interface that the syslog-ng utility binds
with in order to log messages to a remote host. For example, if you want
the syslog-ng utility to log messages to a remote host that is connected to
a VLAN, you set this parameter to the self IP address of the VLAN.
mail from
Specifies the lowest level of mail log messages to include in the log. The
default value is notice.
mail to
Specifies the highest level of mail log messages to include in the log. The
default value is emerg.
messages from
Specifies the lowest level of system messages to include in the log. The
default value is notice.
messages to
Specifies the highest level of system messages to include in the log. The
default value is warning.
remote port
Specifies the port number of a remote server to which the Syslog utility
sends messages. The default value is 514.
remote server
Specifies the IP address of a remote server to which the Syslog utility
sends messages. The default value is none.
syslog edit
Displays in a text editor the running configuration of all objects created
using the syslog command. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only syslog { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
Note that the default text editor is vi.
userlog from
Specifies the lowest level of user account messages to include in the log.
The default value is notice.
userlog to
Specifies the highest level of user account messages to include in the log.
The default value is emerg.
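The from/to arguments above define a severity range per facility: from is the least severe level still logged and to the most severe. The following added example (not F5's parser) tokenizes a syslog argument list as the syntax section shows it, applies the defaults listed in the options, answers whether a given message would be logged, and flags a range whose from is more severe than its to, which keeps no messages at all. The accepts() and lint() helpers are assumptions of this example.

```python
"""Model of the bigpipe syslog 'from'/'to' severity ranges and remote logging
arguments. Hypothetical example code, not F5's parser; the lint rule and the
accepts() helper are assumptions of this example."""

# Standard syslog severities, most severe first (emerg = 0 ... debug = 7).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: index for index, name in enumerate(LEVELS)}
FACILITIES = ("authpriv", "cron", "daemon", "kern", "mail", "messages", "userlog")
# (from, to) defaults as given in the option descriptions of the manual.
DEFAULTS = {
    "authpriv": ("notice", "emerg"),
    "cron": ("warning", "emerg"),
    "daemon": ("notice", "emerg"),
    "kern": ("notice", "emerg"),
    "mail": ("notice", "emerg"),
    "messages": ("notice", "warning"),
    "userlog": ("notice", "emerg"),
}


def parse_syslog_args(arg_text: str) -> dict:
    """Parse the argument list of 'syslog [{] ... [}]' into a config dict.

    Understands the facility from/to arguments, 'remote server', 'remote port'
    and 'local ip'; unrecognised or mis-ordered arguments raise ValueError.
    Unset values keep the manual's defaults (remote port 514, server none).
    """
    tokens = arg_text.replace("{", " ").replace("}", " ").split()
    cfg = {fac: {"from": DEFAULTS[fac][0], "to": DEFAULTS[fac][1]} for fac in FACILITIES}
    cfg["remote"] = {"server": None, "port": 514}
    cfg["local ip"] = None
    i = 0
    while i < len(tokens):
        key, rest = tokens[i], tokens[i + 1:i + 3]
        if len(rest) < 2:
            raise ValueError(f"incomplete argument: {tokens[i:]}")
        sub, value = rest
        if key in FACILITIES and sub in ("from", "to") and value in RANK:
            cfg[key][sub] = value
        elif key == "remote" and sub == "server":
            cfg["remote"]["server"] = None if value == "none" else value
        elif key == "remote" and sub == "port":
            cfg["remote"]["port"] = int(value)
        elif key == "local" and sub == "ip":
            cfg["local ip"] = None if value == "none" else value
        else:
            raise ValueError(f"unsupported argument: {key} {sub} {value}")
        i += 3
    return cfg


def included_levels(cfg: dict, facility: str) -> list:
    """Level names kept for a facility. 'from' is the least severe level kept
    and 'to' the most severe, so the kept range runs from RANK[to] up to
    RANK[from]; an empty list means the range keeps nothing."""
    most, least = RANK[cfg[facility]["to"]], RANK[cfg[facility]["from"]]
    return LEVELS[most:least + 1]


def accepts(cfg: dict, facility: str, level: str) -> bool:
    """Would a message of this facility and level be written to the log?"""
    return level in included_levels(cfg, facility)


def lint(cfg: dict) -> list:
    """Flag ranges whose 'from' is more severe than 'to': such a range keeps no
    messages at all, which silently blinds the log for that facility."""
    findings = []
    for fac in FACILITIES:
        if not included_levels(cfg, fac):
            findings.append(f"{fac}: from {cfg[fac]['from']} to {cfg[fac]['to']} keeps no messages")
    return findings


if __name__ == "__main__":
    cfg = parse_syslog_args("{ authpriv from warning remote server 192.0.2.10 }")
    print(included_levels(cfg, "authpriv"), cfg["remote"], lint(cfg))
```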
See also
bigpipe(1)
system
Sets up the BIG-IP system.
Syntax
Use this command to set up the BIG-IP system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
system [{] <system arg list> [}]
<system arg> ::=
archive encrypt (on | on request | off)
auth source type (local | ldap | radius | activedirectory | tacacs)
console inactivity timeout <number>
custom addr (<ip addr> | none)
failsafe action (failover | reboot | restart all | failover restart tm)
gui setup (enable | disable)
host addr mode (mgmt | statemirror | custom)
hostname (<string> | none)
hosts allow include (<string> | none)
lcd display (enable | disable)
net reboot (enable | disable)
quiet boot (enable | disable)
remote host (<remote host list> | none) [add | delete]
<remote host> ::= (<remote host key list> | all) [{] <remote host arg list> [}]
<remote host key> ::=
<name>
<remote host arg> ::=
addr (<ip addr> | none)
hostname (<string> | none)
system edit
Display
system [show [all]]
system list [all]
system edit
system archive encrypt [show]
system auth source type [show]
system console inactivity timeout [show]
system custom addr [show]
system failsafe action [show]
system gui setup [show]
system host addr mode [show]
system hostname [show]
system hosts allow include [show]
system lcd display [show]
system net reboot [show]
system partition [show]
system quiet boot [show]
system remote host [<remote host key list> | all] [show]
system remote host [<remote host key list> | all] addr [show]
system remote host [<remote host key list> | all] hostname [show]
Description
You use this command to set up the general properties of the BIG-IP system.
Examples
Sets up the BIG-IP system using the system defaults.
system {}
Options
You can use these options with the system command:
archive encrypt
Specifies whether the system archive encryption feature is set to on,
off, or on request. The default value is on request. Note that you must
configure the system archive encrypt option in conjunction with the
configsync encrypt and configsync passphrase options.
The reason for this is when you perform a configuration synchronization
of two BIG-IP units in a redundant system, the process involves saving a
*.ucs file from one system onto the peer system, and then installing the
saved file on the peer system. You use the system archive encrypt
option to indicate whether the process of saving the *.ucs file creates an
encrypted or unencrypted file. For example, you can set the configsync
encrypt option to enable, and configure a passphrase using the
configsync passphrase option. If you use the default value, on request,
for the system archive encrypt option, then when a user saves the *.ucs
file, and provides the passphrase, the *.ucs file is encrypted. If the user
does not provide the passphrase, the *.ucs file is not encrypted.
custom addr
Indicates a user-specified IP address for the BIG-IP system. The default
value is none.
It is important to note that you must set the host addr mode option to
custom, if you want to specify an IP address using custom addr. For
more information, see the host addr mode option, following.
failsafe action
Specifies the action that the system takes when the switch board fails.
The default is failover restart tm.
failover
Specifies that the active unit fails over to its peer.
reboot
Specifies that after the active unit fails over to its peer, it reboots
while the peer processes the traffic.
restart all
Specifies that the system restarts all system services.
failover restart tm
Specifies that the active unit fails over to its peer and restarts the
traffic management service.
gui setup
Enables or disables the Setup utility in the browser-based Configuration
utility. The default value is enable.
When you configure a BIG-IP system using the command line interface,
disable this option. Disabling the gui setup option of the system
command allows your system administrators to use the browser-based
Configuration utility without having to run the Setup utility.
host addr mode
If you use the statemirror option, then the host address of the system is
shared by the other unit in a redundant system. In case of system failure,
the traffic to the other system is routed to this system.
If you use the custom option, you must specify a custom IP address for
the system using the custom addr option. For more information, see the
custom addr option, above.
hostname
Specifies a local name for the BIG-IP system. The default value is
bigip1.
lcd display
Enables or disables the system menu to display on the LCD panel on the
front of the BIG-IP system. The default is enable.
net reboot
Enables or disables the network reboot feature. The default is disable. If
you enable this feature and then reboot the system, the system boots from
an ISO image on the network, rather than from an internal media drive.
Use this option only when you want to install software on the system, for
example, for an upgrade or a re-installation. Note that this setting reverts
to disabled after you reboot the system a second time.
partition
Displays the partition within which the system object resides.
quiet boot
Enables or disables the quiet boot feature. The default is enable. If you
enable this feature, the system suppresses informational text on the
console during the boot cycle.
remote host
Adds a remote host to or removes a remote host from the /etc/hosts file.
The default value is none. You must enter both an IP address and a fully
qualified domain name (FQDN) or alias for each host that you want to
add to the file.
system edit
Displays in a text editor the running configuration of all objects created
using the system command. You can edit the value of any
parameter displayed. When you exit the editor, the BIG-IP system
modifies the running configuration based on your changes. To save your
changes to the stored configuration files, run the save all command.
When the text editor opens, if only system { } displays, you can type
parameters and values between the braces. When you exit the editor, the
BIG-IP system modifies the running configuration based on your
additions. You must run the save all command to save this change to the
stored configuration files.
See also
bigpipe(1)
tcp
Displays or resets TCP statistics for the BIG-IP system.
Syntax
Use this command to display or reset TCP statistics for the BIG-IP system.
Modify
tcp stats reset
Display
tcp [show [all]]
Description
Displays or resets TCP statistics for the system.
Examples
Resets TCP statistics for the system:
tcp stats reset
See also
bigpipe(1)
tmm
Displays or resets statistics about the tmm daemon.
Syntax
Use this command to display or reset statistics about the tmm daemon.
Create/Modify
tmm [<tmm key list> | all] stats reset
<tmm key> ::= (<number>.<number> | none)
Display
tmm [<tmm key list> | all] [show [all]]
Description
You use this command to view or reset statistics about the Traffic
Management Microkernel (tmm) daemon. The purpose of this daemon is
to direct all application traffic passing through the BIG-IP system.
Options
You can use the following option with the tmm command:
stats reset
Resets the statistics for the tmm daemon.
See also
bigpipe(1)
trunk
Configures a trunk, with link aggregation.
Syntax
Use this command to create, modify, display, or delete a trunk.
Create/Modify
trunk <trunk key list> {}
trunk (<trunk key list> | all) [{] <trunk arg list> [}]
<trunk key> ::=
<name>
<trunk arg> ::=
interfaces (<interface key list> | none) [add | delete]
lacp (enable | disable)
lacp mode (active | passive)
lacp timeout (short | long)
distribution (src dest mac | dest mac | src dest ip | src dest port | index)
policy (auto | max bw)
stp (enable | disable)
stp reset (enable | disable)
trunk [<trunk key list> | all] stats reset
trunk edit
Display
trunk [<trunk key list> | all] [show [all]]
trunk [<trunk key list> | all] list [all]
trunk [<trunk key list> | all] distribution [show]
trunk [<trunk key list> | all] interfaces [show]
trunk [<trunk key list> | all] lacp [show]
trunk [<trunk key list> | all] lacp mode [show]
trunk [<trunk key list> | all] lacp timeout [show]
trunk [<trunk key list> | all] name [show]
trunk [<trunk key list> | all] policy [show]
trunk [<trunk key list> | all] stats [show]
trunk [<trunk key list> | all] stp [show]
trunk [<trunk key list> | all] stp reset [show]
Delete
trunk (<trunk key list> | all) delete
Description
Link aggregation allows multiple physical links to be treated as one logical
link. It is also referred to as trunking. The main objective of link
aggregation is to provide increased bandwidth at a lower cost, without
having to upgrade hardware. The bandwidth of the aggregated trunk is the
sum of the capacity of individual member links. Thus it provides an option
for linearly incremental bandwidth as opposed to bandwidth options
available through physical layer technology. The traffic management system
supports link aggregation control protocol (LACP).
When a trunk is created, LACP is disabled by default. In this mode, no
control packets are exchanged and the member links carry traffic as long as
the physical layer is operational. In the event of physical link failure, an
LACP member is removed from the aggregation.
Note that both endpoints of the trunk must have an identical LACP
configuration in order to work properly. A mixed configuration, where one
endpoint is LACP enabled and the other LACP disabled, is not valid.
Examples
Creates a trunk named mytrunk that includes the interfaces 1.1, 1.2, and
1.3:
trunk mytrunk { interfaces 1.1 1.2 1.3 }
Options
You can use these options with the trunk command:
distribution
Specifies the method of frame distribution. The options are src dest mac,
dest mac, or src dest ip. When frames are transmitted on a trunk, they
are distributed across the working member links. The distribution
function ensures that the frames belonging to a particular conversation
are neither mis-ordered nor duplicated at the receiving end. Distribution
is done by calculating a hash value based on source and destination
addresses carried in the frame, and associating the hash value with a link.
All frames with a particular hash value are transmitted on the same link,
thereby maintaining frame order.
interfaces
Specifies a list of interface names separated by spaces.
lacp
Indicates whether to enable or disable Link Aggregation Control Protocol
(LACP).
lacp mode
Sets the LACP mode to active or passive.
In active mode, LACP packets are transmitted periodically, regardless
of the peer system's control value.
In passive mode, LACP packets are not transmitted periodically
unless the peer system's control value is active.
lacp timeout
Sets the LACP timeout to short or long. The default value is long.
When you use the short timeout value, LACP packets are exchanged
every second.
When you use the long timeout value, LACP packets are exchanged
every 30 seconds.
policy
Sets the LACP policy to auto or max bw (maximum bandwidth). Link
aggregation is allowed only when all the interfaces are operating at the
same media speed and connected to the same partner aggregation system.
When there is a mismatch among configured members due to
configuration errors or topology changes (auto-negotiation), link
selection policy determines which links become working members and
form the aggregation.
With auto link selection, the lowest numbered operational link is
chosen as the reference link. All the members that have the same
media speed and are connected to the same partner as that of the
reference link are declared as working members, and they are
aggregated. The other configured members do not carry traffic.
With max bw link selection, a subset of links that gives maximum
aggregate bandwidth to the trunk is added to the aggregation.
stp
Enables or disables spanning tree protocols (STP).
stp reset
Enables or disables STP reset.
trunk edit
Displays in a text editor the running configuration of all objects created
using the command trunk. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
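The policy and distribution options above describe two selection steps: which configured links become working members, and which working member a given frame is transmitted on. The following added example (not the BIG-IP implementation) models both, auto and max bw link selection on a constructed set of member links, and hash-based distribution for the src dest mac, dest mac and src dest ip methods; the Link and Frame records, the partner identifier and the choice of SHA-256 as the hash are assumptions of this example.

```python
"""Model of trunk working-member selection (policy auto / max bw) and of
hash-based frame distribution as the manual describes them. Hypothetical
example code, not the BIG-IP implementation; the Link and Frame records,
the partner identifier and the hash function are assumptions of this example."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str      # interface name such as "1.1"
    up: bool       # physical layer operational
    speed: int     # media speed in Mb/s
    partner: str   # identifier of the partner aggregation system


def link_number(name: str) -> tuple:
    """Numeric sort key so that "1.2" orders before "1.10"."""
    return tuple(int(part) for part in name.split("."))


def select_working_members(links, policy="auto") -> list:
    """Return the names of the configured links that become working members.

    auto:   the lowest numbered operational link is the reference link, and
            every operational member with the same media speed and partner
            is aggregated with it.
    max bw: of the groups of operational links sharing speed and partner,
            the group with the largest aggregate bandwidth is aggregated.
    """
    operational = [link for link in links if link.up]
    if not operational:
        return []
    if policy == "auto":
        ref = min(operational, key=lambda link: link_number(link.name))
        group = [l for l in operational if (l.speed, l.partner) == (ref.speed, ref.partner)]
    elif policy == "max bw":
        groups = defaultdict(list)
        for link in operational:
            groups[(link.speed, link.partner)].append(link)
        group = max(groups.values(), key=lambda g: g[0].speed * len(g))
    else:
        raise ValueError(f"unknown policy: {policy}")
    return sorted((link.name for link in group), key=link_number)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str = ""
    dst_ip: str = ""


def distribution_key(frame: Frame, method: str) -> str:
    """The address fields hashed for each distribution method in the manual."""
    if method == "src dest mac":
        return f"{frame.src_mac}|{frame.dst_mac}"
    if method == "dest mac":
        return frame.dst_mac
    if method == "src dest ip":
        return f"{frame.src_ip}|{frame.dst_ip}"
    raise ValueError(f"unknown distribution method: {method}")


def choose_link(frame: Frame, members: list, method: str = "src dest mac") -> str:
    """Hash the distribution fields and map the hash to one working member, so
    every frame of a conversation is transmitted on the same link (order kept)."""
    digest = hashlib.sha256(distribution_key(frame, method).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribute(frames, members, method="src dest mac") -> dict:
    """Group frames by the member link each would be transmitted on."""
    by_link = defaultdict(list)
    for frame in frames:
        by_link[choose_link(frame, members, method)].append(frame)
    return dict(by_link)


# Constructed trunk: 1.1 is lowest numbered but slow and on a different partner.
TRUNK_LINKS = [
    Link("1.1", True, 100, "switch-A"),
    Link("1.2", True, 1000, "switch-B"),
    Link("1.3", True, 1000, "switch-B"),
    Link("1.4", True, 1000, "switch-B"),
    Link("1.5", False, 1000, "switch-B"),   # link down: never a working member
]

if __name__ == "__main__":
    for policy in ("auto", "max bw"):
        print(policy, select_working_members(TRUNK_LINKS, policy))
```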
See also
interface(1), vlan(1), vlangroup(1), bigpipe(1)
udp
Displays or resets all UDP statistics for the system.
Syntax
Use this command to display or reset all UDP statistics for the system.
Modify
udp stats reset
Display
udp [show [all]]
Description
Displays or resets all UDP statistics for the system.
Examples
Displays the UDP statistics for the system:
udp show
See also
bigpipe(1)
unit
Displays the unit ID for the unit, or peer unit, in a redundant system.
Syntax
Use this command to display the unit ID of a unit in a redundant system.
Display
unit [peer] [show]
Description
Displays the unit ID for the unit, or peer unit, in a redundant system.
Examples
Displays the unit number of the peer unit in the redundant system:
unit peer show
See also
ha table(1), bigpipe(1)
user
Configures user accounts for managing the BIG-IP system.
Syntax
Use this command to create, display, modify, or delete user accounts on the
BIG-IP system.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
user <user key list> {}
user (<user key list> | all) [{] <user arg list> [}]
<user key> ::=
<name>
<user arg> ::=
<name>
password (<old password> <new password>)
description <string>
shell (<file name> | none)
role (administrator | resource admin | user manager | manager | \
app editor | operator | guest | policy editor | none) in (<partition key> | all)
user edit
You can create user accounts where the user names differ only by
case-sensitivity (for example, david and DAVID). F5 Networks may
re-instate case-sensitivity in a future release. Note that there are
restrictions on reserved user names. For example, admin and root are
reserved names. You cannot create a user account using any variation of
these two names, such as Admin or ADMIN.
Note
Only users with the Administrator or Resource Admin user role can save
user accounts. Therefore, if you have a user role other than one of these,
and you are creating or modifying user accounts, when you are done with
your work, you must contact an Administrator or Resource Admin to save
the user accounts to the bigip.conf file.
Display
user [<user key list> | all] [show [all]]
user [<user key list> | all] list [all]
user [<user key list> | all] role [show]
user [<user key list> | all] name [show]
user [<user key list> | all] password [show]
user [<user key list> | all] description [show]
user [<user key list> | all] home [show]
user [<user key list> | all] shell [show]
user [<user key list> | all] partition [show]
Delete
user (<user key list> | all) delete
Description
The user command allows you to create, display, modify, or delete user
accounts.
Examples
Creates a new user in the pm_users partition:
shell write partition pm_users
user nwinters password none none role guest in all
Changes the password for the nwinters account from none to h411pass:
user nwinters password none h411pass
Displays all the user accounts and the user role and partition to which each
account is assigned:
user show
Options
You can use these options with the user command:
user edit
Displays in a text editor the running configuration of all objects created
using the command user. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
Note that the default text editor is vi.
user <name>
Specifies the name of the user account you are configuring.
role <role name> in <partition key>
Specifies the user role you want to assign to the user account and the
partition that the user account can access. The available user roles are
See also
bigpipe(1), remote users(1), remoterole(1)
version
Displays software version information for the system.
Syntax
Use this command to display the software version information for the
system.
Display
version [show [all]]
version list [all]
Description
Displays detailed licensing and version information for the system,
including kernel version, BIG-IP software version, installed hot fixes, and a
list of licensed features.
Examples
Displays detailed licensing and version information for the system:
version
See also
bigpipe(1)
virtual
Configures a virtual server.
Syntax
Use this command to create, modify, display, or delete a virtual server.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP Network and System Management
Guide.
virtual <virtual key list> {}
virtual (<virtual key list> | all) [{] <virtual arg list> [}]
<virtual key> ::=
<name>
<virtual arg> ::=
(enable | disable)
auth (<profile auth key list> | none) [add | delete]
clone pools (<clone pool name/type list> | none) [add | delete]
cmp (enable | disable)
cmp processor (<number>.<number> | none)
destination <node>
fallback persist (<profile persist key> | none)
(ip forward | l2 forward | reject)
ip protocol (<protocol> | any | * | none)
httpclass (<profile httpclass key list> | none) [add | delete]
lasthop pool (<pool key> | none)
limit <number>
mask (<ip mask> | none)
mirror (enable | disable)
persist (<profile persist key list> | none) [add | delete]
pool (<pool key> | none)
profiles (<virtual server profile list> | none) [add | delete]
rate class (<rate class key> | none)
rules (<rule key list> | none) [add | delete]
snat (automap | none)
snatpool (<snatpool key> | none)
Display
virtual [<virtual key list> | all] [show [all]]
virtual [<virtual key list> | all] list [all]
virtual [<virtual key list> | all] auth [show]
virtual [<virtual key list> | all] clone pools [show]
virtual [<virtual key list> | all] cmp [show]
virtual [<virtual key list> | all] cmp processor [show]
virtual [<virtual key list> | all] cmp mode [show]
virtual [<virtual key list> | all] destination [show]
virtual [<virtual key list> | all] enabled [show]
virtual [<virtual key list> | all] fallback persist [show]
virtual [<virtual key list> | all] httpclass [show]
virtual [<virtual key list> | all] ip protocol [show]
virtual [<virtual key list> | all] limit [show]
virtual [<virtual key list> | all] lasthop pool [show]
virtual [<virtual key list> | all] mask [show]
virtual [<virtual key list> | all] mirror [show]
virtual [<virtual key list> | all] name [show]
virtual [<virtual key list> | all] partition [show]
virtual [<virtual key list> | all] persist [show]
virtual [<virtual key list> | all] pool [show]
virtual [<virtual key list> | all] profiles [show]
virtual [<virtual key list> | all] rate class [show]
virtual [<virtual key list> | all] rules [show]
virtual [<virtual key list> | all] snat [show]
virtual [<virtual key list> | all] snatpool [show]
virtual [<virtual key list> | all] stats [show]
virtual [<virtual key list> | all] translate address [show]
virtual [<virtual key list> | all] translate service [show]
virtual [<virtual key list> | all] type [show]
virtual [<virtual key list> | all] vlans [show]
Delete
virtual (<virtual key list> | all) delete
Description
The virtual command creates, deletes, modifies properties on, and displays
information about virtual servers. Virtual servers are externally visible IP
addresses that receive client requests, and instead of sending the requests
directly to the destination IP address specified in the packet header, sends
the requests to any of several content servers that make up a load balancing
pool. Virtual servers also apply various behavioral settings to multiple
traffic types, enable persistence for multiple traffic types, and direct traffic
according to user-written iRules. For more information, see the
Configuration Guide for BIG-IP Local Traffic Management.
Examples
Creates a virtual server named myV20, which uses the source address
persistence method:
virtual myV20 { destination 11.11.11.12:* persist source addr pool myPool }
Deletes the virtual servers named myV4, myV5, myV6, myV7, myV8,
myV9, and myV10:
virtual myV4 myV5 myV6 myV7 myV8 myV9 myV10 delete
Options
You can use these options with the virtual command:
auth
Specifies a list of authentication profile names separated by spaces that
the virtual server uses to manage authentication.
clone pools
Specifies clone pools that the virtual server uses to replicate either
client-side traffic (that is, prior to address translation) or server-side
traffic (that is, after address translation) to a member of the specified
clone pool. This feature is used for intrusion detection.
cmp
Enables or disables clustered multi-processor (CMP) acceleration. This
feature applies to certain platforms only. The default is enable.
cmp mode
Displays the CMP mode for a virtual server.
cmp processor
Specifies the processor for CMP acceleration. This feature applies to
certain platforms only.
destination
Specifies the IP address and service on which the virtual server listens for
connections.
(enable | disable)
Specifies the state of the virtual server. The default is enable. Note that
when you disable a virtual server, the virtual server no longer accepts
new connection requests. However, it allows current connections to
finish processing before going to a down state.
fallback persist
Specifies a fallback persistence profile for the virtual server to use when
the default persistence profile is not available.
httpclass
Specifies a list of httpclass profiles, separated by spaces, with which the
virtual server works to increase the speed at which the virtual server
processes HTTP requests.
(ip forward | l2 forward | reject)
Specifies whether to enable IP forwarding or Layer 2 (L2) forwarding, or
to reject forwarding for the virtual server. IP forwarding allows the
virtual server to simply forward packets directly to the destination IP
address specified in the client request.
ip protocol
Specifies the IP protocol for which you want the virtual server to direct
traffic. Sample protocol names are TCP and UDP. Note that you do not
use this setting when creating an httpclass virtual server.
lasthop pool
Specifies the name of the last hop pool that you want the virtual server to
use to direct reply traffic to the last hop router.
limit
Specifies the maximum number of concurrent connections you want to
allow for the virtual server.
mask
Specifies the netmask for a network virtual server only. This setting is
required for a network virtual server. The netmask clarifies whether the
host bit is an actual zero or a wildcard representation.
mirror
Enables or disables state mirroring. You can use state mirroring to
maintain the same state information in the standby unit that is in the
active unit, allowing transactions such as FTP file transfers to continue as
though uninterrupted. The default is enable.
name
Specifies a unique name for the virtual server. This setting is required.
partition
Displays the name of the partition within which the virtual server resides.
persist
Specifies a list of profiles separated by spaces that the virtual server uses
to manage connection persistence.
pool
Specifies a default pool to which you want the virtual server to
automatically direct traffic.
profiles
Specifies a list of profiles for the virtual server to use to direct and
manage traffic.
rate class
Specifies the name of an existing rate class that you want the virtual server
to use to enforce a throughput policy for incoming network traffic.
rules
Specifies a list of iRules separated by spaces that customizes the virtual
server to direct and manage traffic.
snat
Indicates to enable SNAT automap for the virtual server.
snatpool
Specifies the name of an existing SNAT pool that you want the virtual
server to use to implement selective and intelligent SNATs.
translate address
Enables or disables address translation for the virtual server. Turn
address translation off for a virtual server if you want to use the virtual
server to load balance connections to any address. This option is useful
when the system is load balancing devices that have the same IP address.
translate service
Enables or disables port translation. Turn port translation off for a virtual
server if you want to use the virtual server to load balance connections to
any service.
vlan (enable | disable)
Specifies a list of names of external VLANs from which you want the
virtual server to accept traffic, and indicates whether each VLAN is
enabled or disabled. The default is vlans all enable.
virtual edit
Displays in a text editor the running configuration of all objects created
using the command virtual. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
Appendix A
See also
pool(1), profile auth(1), profile persist(1), rule(1), vlan(1), vlangroup(1),
bigpipe(1)
virtual address
Configures virtual addresses.
Syntax
Use this command to enable, disable, display, or delete a virtual address.
Modify
virtual address <virtual address key list> {}
virtual address (<virtual address key list> | all) [{] <virtual address arg list> [}]
<virtual address key> ::=
(<ip addr> | none)
<virtual address arg> ::=
(enable | disable)
arp (enable | disable)
floating (enable | disable)
limit <number>
mask (<ip mask> | none)
route advertisement (enable | disable)
server (all | any | none)
unit <number>
virtual address [<virtual address key list> | all] stats reset
virtual address edit
Display
virtual address [<virtual address key list> | all] [show [all]]
virtual address [<virtual address key list> | all] list [all]
virtual address [<virtual address key list> | all] address [show]
virtual address [<virtual address key list> | all] arp [show]
virtual address [<virtual address key list> | all] floating [show]
virtual address [<virtual address key list> | all] enabled [show]
virtual address [<virtual address key list> | all] limit [show]
virtual address [<virtual address key list> | all] mask [show]
virtual address [<virtual address key list> | all] partition [show]
virtual address [<virtual address key list> | all] route advertisement [show]
virtual address [<virtual address key list> | all] server [show]
virtual address [<virtual address key list> | all] stats [show]
virtual address [<virtual address key list> | all] unit [show]
Delete
virtual address (<virtual address key list> | all) delete
Description
Provides the ability to enable, disable, display and delete virtual addresses.
You can also list the virtual address configuration.
Examples
Disables the virtual address 10.10.10.20:
virtual address 10.10.10.20 disable
Options
You can use these options with the virtual address command:
arp
Enables or disables ARP for the specified virtual address. The default is
enable.
(enable | disable)
Enables or disables the specified virtual address. The default is enable.
floating
Enables or disables floating self IP addresses for the specified virtual
address. The default is enable. A floating self IP address is an additional
self IP address for a VLAN that serves as a shared address by both units
of a BIG-IP redundant system.
limit
Sets a concurrent connection limit in seconds for one or more virtual
servers. The default is 0 seconds.
mask
Sets the netmask for one or more network virtual servers only. This
setting is required for network virtual servers.
partition
Displays the partition within which the virtual address resides.
route advertisement
Enables or disables route advertisement for the specified virtual address.
The default is disable.
server
Specifies the server that uses the specified virtual address. The options
are none, any, or all.
unit
Specifies the unit number of a redundant pair that uses the specified
virtual address. The default is 0.
See also
virtual(1), bigpipe(1)
vlan
Configures a virtual local area network (VLAN).
Syntax
Use this command to create, modify, display, or delete a VLAN.
Create/Modify
vlan <vlan key list> {}
vlan (<vlan key list> | all) [{] <vlan arg list> [}]
<vlan key> ::=
<name>
<vlan arg> ::=
tag <number>
interfaces (<interface list> | none) [add | delete]
interfaces [tagged] (<interface list> | none) [add | delete]
trunks (<trunk list> | none) [add | delete]
trunks [tagged] (<trunk list> | none) [add | delete]
failsafe (enable | disable)
failsafe (restart | failover | failover restart | go active | no action | reboot |
restart all | failover abort tm)
timeout (<number> | immediate | indefinite)
mac masq (<mac addr> | none)
fdb (<l2 forward list> | none) [add | delete]
learning (enable | disable forward | disable drop)
mtu <number>
source check (enable | disable)
<l2 forward> ::=
<l2 forward key list> [{] <l2 forward arg list> [}]
<l2 forward key> ::=
<mac addr>
(dynamic | static)
<l2 forward arg> ::=
(dynamic | static)
interface <interface>
trunk <trunk>
vlan edit
Display
vlan [<vlan key list> | all] [show [all]]
vlan [<vlan key list> | all] list [all]
vlan [<vlan key list> | all] failsafe [show]
vlan [<vlan key list> | all] fdb [show]
Delete
vlan (<vlan key list> | all) delete
Description
This command creates, displays and modifies settings for VLANs. VLANs
are part of the configuration of the BIG-IP network components. VLANs
can be based on either ports or tags.
When creating a VLAN, a tag value for the VLAN is automatically chosen
unless you specify a tag value on the command line. VLANs can have both
tagged and untagged interfaces. You can add an interface to a single VLAN
as an untagged interface. You can also add an interface to multiple VLANs
as a tagged interface.
Examples
Create the VLAN myvlan that includes the interfaces 1.2, 1.3, and 1.4:
vlan myvlan interface 1.2 1.3 1.4
Options
You can use these options with the vlan command:
failsafe
Enables a fail-safe mechanism that causes the active unit to fail over to a
redundant unit when loss of traffic is detected on a VLAN, and traffic is
not restored during the failover timeout period for that VLAN. The
default action set with VLAN fail-safe is restart all. When the fail-safe
mechanism is triggered, all the daemons are restarted and the unit fails
over. The default is disable.
fdb
Specifies the forwarding database. You can edit the Layer 2 forwarding
table to enter static MAC address assignments. The forwarding database
has an entry for each node in the VLAN and associates the MAC address
of that node with the traffic management system.
interfaces
Specifies a list of interfaces that you want to assign to the VLAN.
interfaces tagged
Specifies a list of tagged interfaces. A tagged interface is an interface that
you assign to a VLAN in a way that causes the system to add a VLAN
tag into the header of any frame passing through that interface. Use
tagged interfaces when you want to assign a single interface to multiple
VLANs.
learning
Specifies whether switch ports placed in the VLAN are configured for
switch learning, forwarding only, or dropped. Possible values are:
enable, disable forward, or disable drop. The default is enable.
mac masq
Configures a shared MAC masquerade address. You can share the media
access control (MAC) masquerade address between units in a redundant
system. This has the following advantages:
Increased reliability and failover speed, especially in lossy networks
Interoperability with switches that are slow to respond to the network
changes
Interoperability with switches that are configured to ignore network
changes
mtu
Sets a specific maximum transmission unit (MTU) for the VLAN. The
default is 1500.
source check
Specifies that only connections that have a return route in the routing
table are accepted. The default is disable.
tag
Specifies a number that the system adds into the header of any frame
passing through the VLAN.
timeout
Specifies the number of seconds that an active unit can run without
detecting network traffic on this VLAN before it initiates a failover. The
default is 90 seconds.
trunks
Specifies a list of trunks. A trunk is a combination of two or more
interfaces and cables configured as one link.
trunks tagged
Specifies a list of tagged trunks. A tagged trunk is a trunk that you assign
to a VLAN in a way that causes the system to add a VLAN tag into the
header of any frame passing through the trunk. Use tagged trunks when
you want to assign a single trunk to multiple VLANs.
vlan edit
Displays in a text editor the running configuration of all objects created
using the command vlan. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
See also
interface(1), self(1), vlangroup(1), virtual(1), bigpipe(1)
vlangroup
Configures a VLAN group.
Syntax
Use this command to create, modify, display, or delete a VLAN group.
Create/Modify
vlangroup <vlangroup key list> {}
vlangroup (<vlangroup key list> | all) [{] <vlangroup arg list> [}]
<vlangroup key> ::=
<name>
<vlangroup arg> ::=
bridge all (enable | disable)
bridge in standby (enable | disable)
mac masq (<mac addr> | none)
members (<vlan key list> | none) [add | delete]
proxy excludes (<ip list> | none) [add | delete]
tag <number>
transparency (opaque | translucent | transparent)
vlangroup edit
Display
vlangroup [<vlangroup key list> | all] [show [all]]
vlangroup [<vlangroup key list> | all] list [all]
vlangroup [<vlangroup key list> | all] bridge all [show]
vlangroup [<vlangroup key list> | all] bridge in standby [show]
vlangroup [<vlangroup key list> | all] mac masq [show]
vlangroup [<vlangroup key list> | all] members [show]
vlangroup [<vlangroup key list> | all] proxy excludes [show]
vlangroup [<vlangroup key list> | all] tag [show]
vlangroup [<vlangroup key list> | all] transparency [show]
Delete
vlangroup (<vlangroup key list> | all) delete
Description
The vlangroup command defines a VLAN group, which is a grouping of
two or more VLANs belonging to the same IP network for the purpose of
allowing Layer 2 packet forwarding between those VLANs.
The VLANs between which the packets are to be passed must be on the
same IP network, and they must be grouped using the vlangroup command.
For example:
vlangroup network11 { vlans add internal external }
Examples
Creates a VLAN group named myvlangroup that consists of VLANs
named vlan1 and vlan2:
vlangroup myvlangroup member vlan1 vlan2
Shows the statistics for all elements of the specified VLAN group:
vlangroup myvlangroup show
Options
You can use these options with the vlangroup command:
bridge all
When enabled, specifies that the VLAN group forwards all frames,
including non-IP traffic. The default is disable.
bridge in standby
When enabled, specifies that the VLAN group forwards packets, even
when the system is the standby unit in a redundant system. Note that this
setting is designed for deployments in which the VLAN group exists on
only one of the units. If that does not match your configuration, using
this setting may cause adverse effects. The default is enable.
mac masq
Specifies a MAC address to be used with a redundant system. This is a
6-byte Ethernet address in case-insensitive hexadecimal colon notation,
for example, 00:0b:09:88:00:9a.
members
The names of the VLANs you want to add to the VLAN group.
proxy excludes
Specifies the IP addresses that you want to include in the proxy ARP
exclusion list. If you use VLAN groups, you must configure a proxy
ARP forwarding exclusion list. F5 recommends that you configure this
feature if you use VLAN groups with a redundant system. The reason is
that both units need to communicate directly with their gateways and the
back-end nodes. Creating a proxy ARP exclusion list prevents traffic
from being proxied through the active unit due to proxy ARP. This traffic
needs to be sent directly to the destination, not proxied.
tag
Specifies a number to be the tag for the VLAN. A VLAN tag is an
identification number the system inserts into the header of a frame that
indicates the VLAN to which the destination device belongs. Use VLAN
tags when a single interface forwards traffic for multiple VLANs.
transparency
Specifies the level of exposure of remote MAC addresses within VLAN
groups. Possible values are: opaque, translucent, or transparent. The
default is translucent.
Use opaque when you have a Cisco router in the network sending
CDP packets to the system. Because opaque VLAN groups require a
source and destination MAC address and CDP packets do not contain
a source and destination MAC address, the CDP packets are not
forwarded through the VLAN group. This mode changes the MAC
address to the MAC address assigned to the VLAN group (proxy
ARP with Layer 3 forwarding).
Use transparent when you want to leave the MAC address
unchanged by the traffic management system (Layer 2 forwarding
with the original MAC address of the remote system preserved across
VLANs).
Use translucent when you want to use the real MAC address of the
requested host with the locally unique bit toggled (Layer 2 forwarding
with the locally unique bit toggled in ARP responses across VLANs).
vlangroup edit
Displays in a text editor the running configuration of all objects created
using the command vlangroup. You can edit the value of any parameter
displayed. When you exit the editor, the BIG-IP system modifies the
running configuration based on your changes. To save your changes to
the stored configuration files, run the save all command.
When the text editor opens, if it is empty, you can type bigpipe
command syntax in the editor to create any type of object. When you exit
the editor, the BIG-IP system modifies the running configuration based
on the syntax you entered. You must run the save all command to save
this change to the stored configuration files.
Note that the default text editor is vi.
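As an added example (not F5 code) that applies the vlan and vlangroup options described above, the following Python script parses a configuration written in the brace syntax those two commands document, one argument per line inside the braces, and flags the settings this reference calls out: source check left at its disabled default, bridge all enabled, a VLAN group with fewer than two members, and a VLAN group without the required proxy ARP exclusion list. The configuration text and the parser are constructed for this example and are not the BIG-IP system's own parser.

```python
"""Audit VLAN and VLAN group settings written in bigpipe brace syntax.

Added example, not F5 code.  The parser understands the documented
``<object> <key> { <arg> ... }`` form for the vlan and vlangroup commands,
with one argument per line inside the braces; SAMPLE_CONFIG is constructed
for this example.
"""
import re
from collections import OrderedDict

# Option names taken from the vlan and vlangroup syntax blocks, ordered
# longest first so that "interfaces tagged" wins over "interfaces".
OPTIONS = {
    "vlan": ["interfaces tagged", "trunks tagged", "source check", "mac masq",
             "interfaces", "failsafe", "learning", "timeout", "trunks",
             "fdb", "mtu", "tag"],
    "vlangroup": ["bridge in standby", "proxy excludes", "transparency",
                  "bridge all", "mac masq", "members", "tag"],
}

HEADER = re.compile(r"^(vlan|vlangroup)\s+(\S+)\s*\{$")

# Constructed sample: two VLANs on one IP network bridged by a VLAN group.
SAMPLE_CONFIG = """
vlan external {
    tag 4093
    interfaces 1.1
    source check enable
}
vlan internal {
    tag 4094
    interfaces 1.2 1.3
}
vlangroup network11 {
    members internal external
    bridge all enable
    transparency translucent
}
"""


def parse_config(text):
    """Return an ordered {(object_type, name): {option: value}} mapping."""
    objects = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2))
            objects[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError("argument outside of an object block: %r" % line)
        for option in OPTIONS[current[0]]:
            if line == option or line.startswith(option + " "):
                objects[current][option] = line[len(option):].strip()
                break
        else:
            raise ValueError("unknown %s option: %r" % (current[0], line))
    return objects


def audit(objects):
    """Return findings based on the documented defaults and requirements."""
    findings = []
    for (object_type, name), opts in objects.items():
        if object_type == "vlan":
            # source check defaults to disable, so connections with no
            # return route in the routing table are accepted unless it is
            # enabled explicitly.
            if opts.get("source check", "disable") != "enable":
                findings.append("vlan %s: source check is disabled" % name)
        elif object_type == "vlangroup":
            # A VLAN group is a grouping of two or more VLANs.
            if len(opts.get("members", "").split()) < 2:
                findings.append("vlangroup %s: fewer than two member VLANs" % name)
            # bridge all enable forwards every frame, non-IP traffic included.
            if opts.get("bridge all", "disable") == "enable":
                findings.append("vlangroup %s: bridge all is enabled" % name)
            # VLAN groups require a proxy ARP forwarding exclusion list.
            if opts.get("proxy excludes", "none") in ("", "none"):
                findings.append("vlangroup %s: no proxy ARP exclusion list" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```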
See also
interface(1), self(1), vlan(1), virtual(1), bigpipe(1)
B
Configuring bigdb Database Variables
The db command
You can reset bigdb database variable values directly using the db
command. This command is useful if you prefer not to use the
Configuration utility to configure a BIG-IP system feature, or if
configuration of a particular aspect of BIG-IP system behavior is not
available through the Configuration utility. For more information on
using the db command, see Appendix A, bigpipe Command Reference,
and specifically, db, on page A-57.
The syntax for displaying and setting bigdb database variables is:
db all list
db <key name> <value>
This appendix contains information about bigdb database variables that you
can configure manually. The bigdb database variables in the following
sections are not automatically set by the Configuration utility, and are not
editable using the db command.
WARNING
Appendix B
Failover.DbgFile
    Default value: /var/log/sodlog
    Specifies the file into which the sod service logs the failover
    debug information.
Failover.FailbackDelay
    Default value: 60
Failover.FailedStandbyActive
    Default value: disable
Failover.ManFailBack
    Default value: disable
Failover.MemoryRestartPercent
    Default value: 97
Failover.PrintPeerState
    Default value: disable
Failover.UseTty00
    Default value: disable
Failover.UseTty01
    Default value: disable
StateMirror.PeerListenPort
    Default value: 1028
Configsync.LocalConfigTime
    Specifies the most recent date and time that the configuration
    of the current unit changed.
Configsync.LocalSyncedTime
    Specifies the date and time that the configuration of this unit
    was synchronized with the peer unit.
Configsync.PeerConfigTime
    Specifies the most recent date and time that the configuration
    of the peer unit changed.
Configsync.PeerState
    Default value: unknown
Configsync.PeerUpdatedTime
Configsync.State
    Default value: -1
User.AcceptedEULA
    Default value: none
Users.LocalOnly
    Default value: root,admin
Users.Name.[user name]
    Default value: 127
log.config.level
    Default value: Notice
log.ipnet.level
    Default value: Notice
Compression.Adaptive.AHA.UseAtGzip1
    Default value: Disable
    Use only with the Compression.Strategy bigdb database variable set
    to adaptive. When disabled, the hardware compression provider
    performs server response compression only when the software
    compression providers are fully utilized. When enabled, and the
    gzip Compression level parameter in the HTTP profile is set to 1,
    the system uses the hardware card to compress response data at
    gzip level 1.
Compression.Adaptive.AllowNullCompression
    Default value: Disable
Compression.Adaptive.MaxReduction
    Default value: 10
Compression.Hardware.Ratio
Compression.Offload.Ratio
Compression.Providerbusy
    Default value: 100
Compression.Strategy
    Default value: speed
RamCache.MaxMemoryPercent
    Default value: 50
Table B.7 bigdb database variable pertaining to the HTTP RAM Cache feature
Vlan.MacAssignment
Table B.8 bigdb database variable pertaining to the MAC address that is associated with a VLAN
Enabling debugging fills your log file with numerous additional entries.
The following bigdb database variable settings are available for debugging.
Bigd.Debug
    Default value: Disable
Failover.Debug
    Default value: Disable
GTM.DebugProbeLogging
    Default value: Disable
    When enabled, the gtmd and big3d daemons log all of the
    probing messages they receive and send to /var/log/gtm.
    It is important to note that enabling this bigdb database
    variable creates a large number of debug messages;
    therefore, F5 recommends that you disable this bigdb
    database variable when debugging is complete.
Log.Lacpd.DebugMask
    Default value: Disable
    Debug mask categories: POLICY, PORT, LAG, CONFIG, HAL, PDU,
    SEQUENCE, TIMER (mask values listed in the source: 2, 4, 16, 32,
    64, 128, 256)
Log.Stpd.DebugStr
    Default value: Disable
    Debug strings: inbound packets, outbound packets, overdue packets,
    role transitions, state transitions, clock ticks, updtrolesBridge()
Pva.SynCookies.ConnectionThreshold
    Default value: 0 (packets/second)
Pva.SynCookies.SynRateThreshold
    Default value: 200,000 (packets/second)
Table B.10 bigdb database variables pertaining to configuring the PVA10 Syn Cookie feature
zebOS.rip.router.GoActiveCmd
    Default value: No default value
zebOS.rip.router.GoStandbyCmd
    Default value: No default value
zebos.ospf.interfaces.GoActiveCmd
    Default value: no ip ospf cost
zebos.ospf.interfaces.GoStandbyCmd
zebos.ospf.router.GoActiveCmd
    Default value: no summary-address 0.0.0.0/0
zebos.ospf.router.GoStandbyCmd
    Default value: summary-address 0.0.0.0/0 not-advertise
Glossary
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication. See also
certificate authority.
certificate authority
A certificate authority is an external, trusted organization that issues a
signed digital certificate to a requesting computer system for use as a
credential to obtain authentication for SSL network traffic. See also
certificate.
certificate revocation list
A certificate revocation list (CRL) is a list that an authenticating system
checks to see if the SSL certificate that the requesting system presents for
authentication has been revoked. See also certificate.
certificate verification
Certificate verification is the part of an SSL handshake that verifies that a
client's SSL credentials have been signed by a trusted certificate authority.
See also certificate.
class
A class is a list of data that you define and use with iRules operators.
Internal classes are stored in the bigip.conf file. External classes are stored
in external files that you define.
clone pool
A clone pool replicates all traffic coming into it and sends that traffic to a
duplicate pool. See also pool.
configuration object
A configuration object is a user-created object that the BIG-IP system uses
to implement a PAM authentication module. There is one type of
configuration object for each type of authentication module that you create.
Configuration utility
The Configuration utility is the browser-based application that you use to
configure the BIG-IP system.
connection persistence
Connection persistence is an optimization technique whereby a network
connection is intentionally kept open for the purpose of reducing
handshaking.
cookie persistence
Cookie persistence is a mode of persistence where the BIG-IP system stores
persistent connection information in a cookie.
CRL
See certificate revocation list.
current partition
When a user logs in, the system determines the default current partition
(usually the Common partition) based on the user's account. If the user's
account grants permission to access more than one partition, the user can
change the current partition, and can also change the default current
partition. See also administrative partition.
custom monitor
A custom monitor is a user-created monitor. See also monitor.
custom profile
A custom profile is a profile that you create. A custom profile can inherit its
default settings from a parent profile that you specify. See also profile.
default-deny policy
A default-deny policy restricts Internet access to everything that is not
explicitly permitted.
failover
Failover is the process whereby a standby unit in a redundant system takes
over when a software failure or a hardware failure is detected on the active
unit. See also redundant system.
floating IP address
An IP address assigned to a VLAN and shared between two computer
systems is known as a floating IP address. See also VLAN (virtual local area
network).
hash persistence
Hash persistence allows you to create a persistence hash based on an
existing iRule. See also iRule.
health monitor
A health monitor checks a node to see if it is up and functioning for a given
service. If the node fails the check, it is marked down. Different monitors
exist for checking different services. See also monitor.
HTTP redirect
An HTTP redirect sends an HTTP 302 Object Found message to clients.
You can configure a pool with an HTTP redirect to send clients to another
node or virtual server if the members of the pool are marked down. See also
virtual server and pool.
ICMP
See internet control message protocol.
interface
A physical port on a BIG-IP system is called an interface.
internet control message protocol
Internet Control Message Protocol (ICMP) is an Internet communications
protocol used to determine information about routes to destination
addresses.
iRule
An iRule is a user-written script that controls the behavior of a connection
passing through the BIG-IP system. iRules are an F5 Networks feature
and are frequently used to direct certain connections to a non-default load
balancing pool. However, iRules can perform other tasks, such as
implementing secure network address translation and enabling session
persistence.
last hop
A last hop is the final hop a connection takes to get to the BIG-IP system.
You can allow the BIG-IP system to determine the last hop automatically to
send packets back to the device from which they originated. You can also
specify the last hop manually by making it a member of a last hop pool. See
also pool.
Layer 1 through Layer 7
Layers 1 through 7 refer to the seven layers of the Open System
Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer,
Layer 3 represents the IP layer, and Layer 4 represents the transport layer
(TCP and UDP). Layer 7 represents the application layer, handling traffic
such as HTTP and SSL.
LDAP
See lightweight directory access protocol.
LDAP authentication module
An LDAP authentication module is a user-created module that you
implement on a BIG-IP system to authenticate client traffic using a remote
LDAP server. See also lightweight directory access protocol.
monitor
The BIG-IP system uses monitors to determine whether nodes are up or
down. There are several different types of monitors, and they use various
methods to determine the status of a server or service.
monitor association
A monitor association is an association that a user makes between a health
or performance monitor and a pool, pool member, or node. See also
monitor.
NAT (network address translation)
A Network Address Translation (NAT) is an alias IP address that identifies
a specific node managed by the BIG-IP system to the external network.
network virtual server
A network virtual server is a virtual server whose IP address has no bits set
in the host portion of the IP address (that is, the host portion of its IP address
is 0). There are two kinds of network virtual servers: those that direct client
traffic based on a range of destination IP addresses, and those that direct
client traffic based on specific destination IP addresses that the BIG-IP
system does not recognize. See also virtual server.
node
A node address is the IP address associated with one or more nodes. This IP
address can be the real IP address of a network server, or it can be an alias IP
address on a network server.
non-terminated SSL session
A non-terminated SSL session is a session in which the system does not
perform the tasks of SSL certificate authentication, encryption and
re-encryption. See also secure sockets layer.
OCSP
See online certificate status protocol.
OCSP responder
An OCSP responder is an external server used for communicating SSL
certificate revocation status to an authentication server such as the BIG-IP
system. See also online certificate status protocol.
OneConnect
The F5 Networks OneConnect feature optimizes the use of network
connections by keeping server-side connections open and pooling them for
re-use.
ToS level
See type of service level.
traffic management microkernel service
The Traffic Management Microkernel (TMM) service is the process running
on the BIG-IP system that performs most traffic management for the
product.
trunking
Trunking is link aggregation that allows multiple physical links to be treated
as one logical link. The main objective of link aggregation is to provide
increased bandwidth at a lower cost, without having to upgrade hardware.
The bandwidth of the aggregated trunk is the sum of the capacity of
individual member links. Thus it provides an option for linearly incremental
bandwidth as opposed to bandwidth options available through physical layer
technology. The traffic management system supports link aggregation
control protocol (LACP).
trusted MAC address
A trusted MAC address is a MAC address that passes MAC address-based
authentication. See also MAC address.
type of service level
The Type of Service (ToS) level is another means, in addition to the QoS
level, by which network equipment can identify and treat traffic differently
based on an identifier. See also quality of service level.
user role
A user role is a type and level of access that you assign to a BIG-IP system
user account. By assigning user roles, you can control the extent to which
BIG-IP system administrators can view or modify the BIG-IP system
configuration.
virtual address
A virtual address is an IP address associated with one or more virtual servers
managed by the BIG-IP system.
virtual server
A virtual server is a specific combination of virtual address and virtual port,
associated with a content site that is managed by a BIG-IP system or other
type of host server.
Index
A
access control 3-8
active script 4-24
active-active mode
updating fail-over daemon B-1
active-active mode, updating fail-over daemon B-1
adaptive compression 5-9
configuring 5-12
configuring on 6400, 6800, and 8400 5-13
configuring on 8800 5-13
introducing 5-10
adaptive compression strategy 5-11
additional information
in bigpipe online man pages 1-3
in Tcl reference books 1-3
in the BIG-IP Network and System Management
Guide 1-5
in the BIG-IP Quick Start Instructions 1-5
in the Configuration Guide for BIG-IP Local Traffic
Management 1-5
in the Configuration Worksheet 1-5
in the Installation, Licensing, and Upgrades for
BIG-IP Systems guide 1-5
in the Linux syslog-ng man page 1-3
in the Platform Guide 1-5
on Configuration utility Welcome screen 1-8
on tech.f5.com 1-8
admin user account 4-17, 4-18
Administrator role 4-17
Administrator user role 4-2
application traffic, managing 5-2
arp command 2-6, A-3
ARP protocol
customizing base network components 3-1
ASN.1 DER format 5-19
auditing user access 4-23
auth crldp command 2-6, 5-21, A-6
auth ldap command 2-6, 5-20, A-9
auth radius command 2-6, A-14
auth ssl cc ldap command 2-6, 5-21, A-17
auth ssl ocsp command 2-6, 5-21, A-22
auth tacacs command 2-6, 5-21, A-24
authorized_keys file 3-7
auto last hop feature 5-3
B
backup of product image, creating 4-36
base network components 3-1
base network configuration, customizing 3-1
bcm56xxd service, handling failure of 4-24
bigd service, handling failure of 4-24
bigdb database 4-30
BIG-IP Command Line Interface Guide
C
CA certificates, generating 5-16
certificate association 5-19
certificate information, viewing 5-19
certificate revocation lists
See CRLs.
certificate signing request files, generating 5-16
certificate verification 5-19
certificates, revoking 5-18
chunking 5-8
class command 2-7, A-29
cli audit command 2-4, 2-7
cli command A-33
cli import save command 4-11
client authentication 5-16
client certificates, creating 5-17
Client SSL profile 5-1
clone pools, configuring 5-3
command completion 2-4
command continuation 2-4, A-309
command editing 2-3
command history 2-2
command summary 2-6
command syntax, identifying 1-6
commands
See individual command entries.
Common partition 4-17
compression providers
hardware 5-9, B-6
software 5-9, B-6
compression providers, understanding 5-8
compression strategies
described 5-10
understanding 5-9
compression, configuring 5-5
config command 2-7, 4-2, A-36
config utility, defined 1-2
configsync command 2-7, A-39
configuration files, defined 4-6
Configuration Guide for BIG-IP Local Traffic Management
1-5
configuration information, storing 4-30
configuration synchronization, using bigdb database
variables B-3
Configuration utility
about Welcome screen 1-8
and bigdb database variables B-1
using online help 1-8
Configuration Worksheet 1-5
conn command 2-7, A-42
connection mirroring, using bigdb database variables B-3
connection persistence, configuring 5-22
connection pooling 5-22
connection processing 4-25
cookie 5-6
cookie encryption, enabling or disabling 5-6
D
daemon bigdbd command A-50
daemon command 2-7, 4-24, A-47
daemon mcpd command A-52
daemon tmm command A-54
daemon_bigdbd command 2-7
daemon_mcpd command 2-7
daemon_tmm command 2-7
daemons, listed 4-24
data compression, configuring 5-5
db command 2-7, 4-30, 5-7, A-57, B-1
default partition 4-20
default profiles 5-2
default SNATs 4-26
default unit IDs 4-25
denial-of-service (DoS) attacks, managing 5-7
Destination Address Affinity persistence 5-22
dirname-based addresses 5-17
dns command 2-7, A-59
dynamic routing, using bigdb database variables B-11
E
edit feature
See individual command entries.
using 2-3
email, sending 4-32
embedded distribution points 5-17
encrypted remote logging
and prerequisites 3-3
and tasks 3-4
encrypted tunnels, opening and closing 3-5
escape feature, using in the bigpipe shell 2-6
event logging, using bigdb database variables B-4
events, tracking 4-32
exit command 2-2, 2-7, A-62
export command 2-7, 4-10, 4-11, A-63
F
f5active script 4-24
f5adduser command 2-7, 4-22, A-65
f5standby script 4-24
failover
and bigdb database variables B-2
configuring user-defined scripts 4-24
locating directory 4-24
failover command 2-7, A-67
fallback hosts 5-5
Fast HTTP profile 5-6, 5-22
Fast L4 profile 5-24
fasthttp command 2-7, 4-26, A-71
fastL4 command A-72
fastl4 command 2-7, 4-26, A-71
FFP-supported platforms 3-8
filters, for packets 3-8
find_keys command 4-35
finding help 1-8
fipscardsync command 4-3, A-73
fipsutil command 4-2, A-74
formatting conventions 1-6
ftp command 2-7, 4-26, A-77
FTP profile 5-1
G
gencert utility
defined 1-2
running 5-16
using to generate a temporary certificate and request file 5-16
using to generate SSL certificates and keys 5-1
genconf utility, using to generate a key 5-1
genkey utility, using to generate SSL certificates 5-1
global command 2-7, 4-26, A-78
grep functionality 2-5
gzip Compression level 5-11, B-5
H
ha table command 2-7, A-79
halt command 4-3
hardware command 2-7, A-81
hardware compression provider 5-9
hardware compression providers
viewing 5-9
hardware syncookie feature 5-7
headers, inserting and erasing 5-6
health monitors, associating 5-25
help command 2-7, 4-3, A-82
help, finding 1-8
hostname command 4-3
hosts file 4-8
hosts.allow file 4-8
hosts.deny file 4-8
HTTP Class profile 5-7
http command 2-8, 4-26, A-83
HTTP compression 5-8
configuring 5-5
using bigdb database variables B-5
I
icmp command 2-8, 4-26, A-88
import command 2-8, 4-11, A-89
import default command 4-15
Installation, Licensing, and Upgrades for BIG-IP Systems 1-5
interface command 2-8, A-91
interfaces, customizing base network components 3-1
internal trunk distribution 3-8
ip command 2-8, 4-26, A-95
iRules
and SNATs 5-4
and Tcl commands 1-2
associating with virtual servers 5-28
implementing 5-28
modifying profile settings 5-2
J
JDBC connections, monitoring 5-26
JDBC services, monitoring 5-26
K
Keep-Alive headers 5-22
key association 5-19
keys, generating 5-16, 5-17
L
last hop routers 5-3
Layer 4 profile 5-1
LDAP CRL distribution point 5-18
LDAP servers 5-20
less file page utility 4-32
licenses, viewing 4-35
Linux syslog-ng man page 1-3
list command 2-8, A-96
load and save commands, compared 4-4
load balancing pool, associating with monitors 5-25
load balancing, setting up basic configuration 5-2
load command 2-8, 4-11, 4-27, A-97
local traffic management 5-1
log file 2-3
managing 3-1, 4-32
resizing 4-33
M
MAC address configuration, using bigdb database variables B-7
management port
adding routes 3-8
configuring 4-17
managing network traffic 5-2
managing the size of the log file 3-1
manual resume, configuring for monitors 5-27
marking node up 5-27
marking pool member up 5-27
mcp command 2-8, A-107
MCPD service
handling failure of 4-24
restarting 4-27
memory command 2-8, A-108
merge command 2-8, A-109
messages, logging to remote machine 3-6
mgmt command 2-8, 4-17, A-111
MGMT port, configuring 4-17
mgmt route command 2-8, A-113
mirror command 2-8, A-116
monitor command 2-8, 5-25, 5-26, 5-27, A-118
monitoring JDBC connections 5-26
monitors
associating with pools or nodes 5-25
configuring manual resumption 5-27
creating custom 5-25
using pre-configured 5-25
MSRDP persistence 5-22
N
nat command 2-8, A-130
ndp command 2-8, A-133
netsnmp.conf file 4-8
network management tasks, performing 3-1
node command 2-8, 4-35, 5-25, 5-26, 5-27, A-135
nodes
configuring manual resumption 5-3
marking up 5-27
removing and returning to service 4-34
removing from service 4-34
removing individual nodes from service 4-35
returning individual nodes to service 4-35
returning to service 4-34
setting status manually 5-27
viewing 4-35
ntp command 2-8, A-138
ntp.conf file 4-8
O
ocsp responder command 2-8, 5-20, 5-21, A-140
oneconnect 5-23
oneconnect command 2-9, 4-26, A-145
online help 1-8
online man pages
about 1-3
accessing from the shell prompt 1-3, A-1
accessing from the system prompt 1-3, A-1
open connections 5-23
opening brace, using in command syntax 2-5
OpenSSL 0.9.8.x 5-17
openssl utility 1-3, 5-1, 5-16, 5-17, 5-18, 5-19
openssl.conf 4-7, 4-8
P
packet activity, displaying 4-29
packet filter command 2-9, 3-8, 5-25, A-146
packet filter rules 5-25
packet filters
customizing base network components 3-1
Packet Velocity ASIC 10 (PVA10) Syn Cookie feature, and bigdb database variables B-10
pager notifications, activating 4-32
partition command 2-9, 4-18, A-152
partitions
about Common 4-17
about current 4-19
about Read partition 4-19
about Write partition 4-19
accessing 4-18
changing current 4-18
creating 4-18
creating and managing 4-17
defined 4-17
setting default 4-20
password policy command 2-9, A-154
passwords, adding and stripping 5-19
PEM format conversion 5-19
persist command 2-9, A-157
persistence 5-22
persistence types 5-22
PKCS12 file, creating 5-17
platform command 2-9, A-161
Platform Guide 1-5
pool assignation 5-26
pool command 2-9, 5-2, 5-3, 5-24, 5-25, 5-27, A-163
pool members
configuring manual resumption 5-3
marking up 5-27
removing from service 4-34
returning to service 4-34
setting status manually 5-27
Q
Quality of Service (QoS) levels, setting 5-24
quit command 2-2, 2-10
R
radius server command 2-10, 5-20, 5-21
RADIUS servers 5-20
RAM Cache implementation, using bigdb database variables B-7
rate class command 2-10, 5-25
rate shaping 5-25
rateclass.conf 4-8
RCP services, checking health of 5-26
Read access 4-18
Read partition 4-19
real-time statistics, displaying 4-29
reboot command 4-3
redirections, rewriting 5-5
redundant system configuration 4-23
references to other documents, identifying 1-6
refresh interval, resetting 4-29
remote hosts, and logging 3-3
remote logging tasks 3-4
remote logging, encrypted 3-3
remote server authentication 5-20
S
save command 2-10, 4-11, A-271
scripts
using active 4-24
using f5active 4-24
using f5standby 4-24
using resize-logFS 4-33
using standby 4-24
sctp command 2-10, 4-3, A-273
self allow command 2-10
self command 2-10
self IP addresses
and unit IDs 4-24, 4-25
customizing base network components 3-1
server authentication 5-18
server certificates, creating 5-18
Server SSL profile 5-1
server-side connections 5-22
service failure 4-24
services, listed 4-24
session persistence 5-22
Setup utility 3-1
shell command
defined 2-10
man page for A-278
setting Read partition 4-19
setting Write partition 4-19
shell prompt, accessing online man pages from 1-3, A-1
simultaneous connection processing 4-25
single configuration file
creating 4-12
defined 4-9
using to configure a system 4-13
using to restore a system 4-14
SIP persistence 5-22
T
TACACS+ servers 5-20
Tcl commands 5-28
Tcl reference books, using 1-3
Tcl, defined 1-3
tcp command 2-11, 4-26, A-329
TCP profile 5-1, 5-24
TCP traffic
optimizing using profiles 5-15
setting service levels on packets 5-24
technical support 1-8
terminal access 4-18
timeout values, setting 5-24
tmm command 2-11, A-330
tmm service
about status 4-28
handling failure of 4-24
tmstat compress command 5-14
tmstat utility 5-14
Tools Command Language 1-3
U
udp command 2-11, 4-26, A-335
UDP profile 5-1, 5-24
UDP traffic 5-24
unchunking 5-8
unit command 2-11, A-336
unit IDs
associating 4-24
viewing 4-25
Universal persistence 5-22
user access, auditing 4-23
user account administration, using bigdb database variables B-4
user accounts
creating and managing 4-21
modifying and deleting 4-22
user command 2-1, 2-11, 4-21, 4-22, A-337
userroles file 4-7
V
version command 2-11, A-340
virtual address command 2-11, A-347
virtual addresses
enabling and disabling 4-35
removing from service 4-34
returning to service 4-34
virtual command
and command syntax A-341
and logs 4-32
assigning a last hop pool to a virtual server 5-3
assigning a persistence profile to a virtual server 5-22
assigning a pool to a virtual server 5-26
assigning a profile to a virtual server 5-3
assigning an HTTP profile to a virtual server 5-5, 5-8
associating an authentication profile with a virtual server 5-21
configuring virtual servers 4-35
creating an authentication profile 5-20
creating or modifying a virtual server 5-3
described 2-11
displaying virtual servers 4-35
managing network traffic 5-2
setting up basic load balancing 5-2
verifying assignation of pool or profile 5-24
virtual ports
removing from service 4-34
returning to service 4-34
virtual server mappings 4-35
virtual servers
and unit IDs 4-24, 4-25
enabling and disabling 4-35
removing from service 4-34
returning to service 4-34
viewing 4-35
vlan command 2-11, A-350
VLAN groups
customizing base network components 3-1
vlangroup command 2-11, A-354
VLANs
customizing base network components 3-1
W
WebAccelerator module 5-7
Welcome screen, in the Configuration utility 1-8
Write access 4-18
Write partition 4-19