Bigpipe Utility Reference Guide

Bigpipe Utility Reference Guide
version 10.1
MAN-0287-01
Product Version
This manual applies to product version 10.1 of the BIG-IP ® product family.
Publication Date
This manual was published on November 23, 2009.
Legal Notices
Copyright
Copyright 2008-2009, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks,
Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise
Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser
Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local
Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity,
Protocol Security Module, PSM, SSL Accelerator, SYN Check, Traffic Management Operating System,
TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WAN Optimization
Module, WOM, WebAccelerator, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc.,
in the U.S. and other countries, and may not be used without F5's express written consent.
Patents
This product protected by U.S. Patent[s] 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996;
7,146,354; 7,197,661; 7,206,282; 7,287,084; 6,327,242; 6,374,300; 6,473,802; 6,970,933; 7,051,126;
7,102,996; 7,146,354; 7,197,661; 7,206,282; 7,287,084. Other patents pending.
Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States
government may consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Bigpipe Utility Reference Guide i

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by Charles Hannum.
This product includes software developed by Charles Hannum, by the University of Vermont and State
Agricultural College and Garrett A. Wollman, by William F. Jolitz, and by the University of California,
Berkeley, Lawrence Berkeley Laboratory, and its contributors.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
In the following statement, "This software" refers to the parallel port driver: This software is a component
of "386BSD" developed by William F. Jolitz, TeleMuse.
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software developed by Darren Reed. (© 1993-1998 by Darren Reed).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (©
1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
ii
Table of Contents
Table of Contents
1
The Bigpipe Utility
About the bigpipe utility ................................................................................................................1-1
About the bigpipe shell .........................................................................................................1-1
The bigpipe shell command history feature .....................................................................1-2
The bigpipe shell audit feature ............................................................................................1-2
The bigpipe shell command completion feature .............................................................1-3
The bigpipe shell command continuation feature ..........................................................1-3
grep functionality in the bigpipe shell ................................................................................1-4
Customizing the bigpipe shell ..............................................................................................1-4
The bigpipe shell escape feature .........................................................................................1-5
Additional command line utilities and tools ....................................................................1-5
Stylistic conventions .......................................................................................................................1-6
Technical support resources ........................................................................................................1-8
2
Bigpipe Utility Command Reference
Introduction to command syntax ................................................................................................2-1
The all keyword .....................................................................................................................2-1
Command types .....................................................................................................................2-1
Basic definitions ......................................................................................................................2-2
Alphabetical list of commands ......................................................................................................2-2
arp .......................................................................................................................................................2-3
auth crldp ..........................................................................................................................................2-6
auth krbdelegate ..............................................................................................................................2-8
auth ldap ......................................................................................................................................... 2-10
auth radius ..................................................................................................................................... 2-15
auth ssl cc ldap .............................................................................................................................. 2-18
auth ssl ocsp .................................................................................................................................. 2-23
auth tacacs ..................................................................................................................................... 2-25
bigpipe shell ................................................................................................................................... 2-28
class ................................................................................................................................................. 2-30
cli ...................................................................................................................................................... 2-35
config ............................................................................................................................................... 2-38
configsync ....................................................................................................................................... 2-41
conn ................................................................................................................................................. 2-44
crldp server ................................................................................................................................... 2-46
daemon ........................................................................................................................................... 2-48
daemon mcpd ............................................................................................................................... 2-51
daemon tmm ................................................................................................................................. 2-53
db ..................................................................................................................................................... 2-56
dns ................................................................................................................................................... 2-58
exit ................................................................................................................................................... 2-60
export ............................................................................................................................................. 2-61
f5adduser ........................................................................................................................................ 2-63
failover ............................................................................................................................................ 2-65
fasthttp ............................................................................................................................................ 2-69
fastL4 ............................................................................................................................................... 2-70
fipscardsync ................................................................................................................................... 2-71
fipsutil .............................................................................................................................................. 2-72
ftp ..................................................................................................................................................... 2-75
global ............................................................................................................................................... 2-76
ha group ......................................................................................................................................... 2-77
ha table ........................................................................................................................................... 2-80
Bigpipe Utility Reference Guide v

Table of Contents
hardware ........................................................................................................................................ 2-82

help .................................................................................................................................................. 2-83
http .................................................................................................................................................. 2-84
httpd ................................................................................................................................................ 2-85
icmp ................................................................................................................................................. 2-89
import ............................................................................................................................................. 2-90
interface .......................................................................................................................................... 2-92
ip ...................................................................................................................................................... 2-96
ip addr ............................................................................................................................................. 2-97
list .................................................................................................................................................... 2-99
load ................................................................................................................................................ 2-100
logrotate ....................................................................................................................................... 2-103
ltm .................................................................................................................................................. 2-105
mac addr ...................................................................................................................................... 2-109
mcp ................................................................................................................................................ 2-110
memory ........................................................................................................................................ 2-111
merge ............................................................................................................................................ 2-112
mgmt ............................................................................................................................................. 2-114
mgmt route .................................................................................................................................. 2-116
mirror ........................................................................................................................................... 2-118
monitor ........................................................................................................................................ 2-120
nat .................................................................................................................................................. 2-137
ndp ................................................................................................................................................. 2-140
node .............................................................................................................................................. 2-142
ntp .................................................................................................................................................. 2-145
ocsp responder ........................................................................................................................... 2-147
oneconnect .................................................................................................................................. 2-152
packet filter .................................................................................................................................. 2-153
partition ........................................................................................................................................ 2-159
password policy .......................................................................................................................... 2-161
persist ........................................................................................................................................... 2-164
platform ........................................................................................................................................ 2-168
pool ............................................................................................................................................... 2-170
profile ............................................................................................................................................ 2-176
profile auth .................................................................................................................................. 2-177
profile clientssl ............................................................................................................................ 2-182
profile dns .................................................................................................................................... 2-190
profile diameter .......................................................................................................................... 2-192
profile fasthttp ............................................................................................................................ 2-194
profile fastl4 ................................................................................................................................. 2-199
profile ftp ..................................................................................................................................... 2-204
profile http ................................................................................................................................... 2-206
profile httpclass .......................................................................................................................... 2-217
profile oneconnect ..................................................................................................................... 2-220
profile persist .............................................................................................................................. 2-223
profile rtsp ................................................................................................................................... 2-230
profile sctp ................................................................................................................................... 2-233
profile serverssl .......................................................................................................................... 2-237
profile sip ..................................................................................................................................... 2-245
profile stats .................................................................................................................................. 2-248
profile stream .............................................................................................................................. 2-250
profile tcp ..................................................................................................................................... 2-252
profile udp .................................................................................................................................... 2-259
provision ...................................................................................................................................... 2-261
pva ................................................................................................................................................. 2-264
radius server ............................................................................................................................... 2-265
vi
Table of Contents
rate class ...................................................................................................................................... 2-267

remote users ............................................................................................................................... 2-271
remoterole .................................................................................................................................. 2-273
route ............................................................................................................................................. 2-277
route domain .............................................................................................................................. 2-279
rtsp ................................................................................................................................................ 2-281
rule ................................................................................................................................................ 2-282
save ................................................................................................................................................ 2-285
sctp ................................................................................................................................................ 2-287
self .................................................................................................................................................. 2-288
self allow ....................................................................................................................................... 2-290
shell ............................................................................................................................................... 2-292
snat ................................................................................................................................................ 2-294
snat translation ........................................................................................................................... 2-296
snatpool ........................................................................................................................................ 2-298
snmpd ........................................................................................................................................... 2-300
software ....................................................................................................................................... 2-313
sshd ................................................................................................................................................ 2-318
ssl ................................................................................................................................................... 2-322
statemirror .................................................................................................................................. 2-323
stop ................................................................................................................................................ 2-325
stp .................................................................................................................................................. 2-326
stp instance .................................................................................................................................. 2-329
stream ........................................................................................................................................... 2-333
sys-icheck ..................................................................................................................................... 2-334
sys-reset ....................................................................................................................................... 2-335
syslog ............................................................................................................................................. 2-336
system ........................................................................................................................................... 2-340
tcp .................................................................................................................................................. 2-345
tmm ............................................................................................................................................... 2-346
traffic class ................................................................................................................................... 2-347
trunk .............................................................................................................................................. 2-350
udp ................................................................................................................................................. 2-353
unit ................................................................................................................................................. 2-354
user ................................................................................................................................................ 2-355
version .......................................................................................................................................... 2-358
virtual ............................................................................................................................................ 2-359
virtual address ............................................................................................................................. 2-365
vlan ................................................................................................................................................ 2-368
vlangroup ...................................................................................................................................... 2-372
3
Access Policy Manager Command Reference
Introduction to Access Policy Manager commands ................................................................3-1
aaa active directory server ...........................................................................................................3-2
aaa ldap server .................................................................................................................................3-5
aaa radius server .............................................................................................................................3-8
aaa securid server ........................................................................................................................ 3-11
aaa acct radius ............................................................................................................................... 3-14
access .............................................................................................................................................. 3-16
access policy .................................................................................................................................. 3-17
access policy item ........................................................................................................................ 3-21
access session ............................................................................................................................... 3-25
acl ..................................................................................................................................................... 3-26
Bigpipe Utility Reference Guide vii

Table of Contents
agent ................................................................................................................................................ 3-30

agent aaa active directory .......................................................................................................... 3-32
agent aaa client cert ..................................................................................................................... 3-36
agent aaa ldap ................................................................................................................................ 3-38
agent aaa radius ............................................................................................................................ 3-42
agent decision box ....................................................................................................................... 3-44
agent ending denied ..................................................................................................................... 3-46
agent ending redirect .................................................................................................................. 3-48
agent ending webtop ................................................................................................................... 3-50
agent endpoint linux check file ................................................................................................. 3-52
agent endpoint windows browser cache cleaner ................................................................. 3-55
agent endpoint windows check av ........................................................................................... 3-58
agent endpoint windows check file .......................................................................................... 3-61
agent endpoint windows check fw ........................................................................................... 3-65
agent endpoint windows check process ................................................................................. 3-68
agent endpoint windows check registry ................................................................................. 3-71
agent endpoint windows group policy .................................................................................... 3-74
agent endpoint windows info os ............................................................................................... 3-76
agent external logon page .......................................................................................................... 3-78
agent logging .................................................................................................................................. 3-81
agent logon page ........................................................................................................................... 3-84
agent message box ....................................................................................................................... 3-86
agent resource assign .................................................................................................................. 3-88
agent traffic control ..................................................................................................................... 3-91
agent variable assign .................................................................................................................... 3-93
agent vlan selection ...................................................................................................................... 3-96
connectivity resource ................................................................................................................. 3-98
connectivity resource ............................................................................................................... 3-100
client rate class ........................................................................................................................... 3-102
client traffic classifier ................................................................................................................. 3-105
connectivity resource group ................................................................................................... 3-108
connectivity resource network access .................................................................................. 3-110
connectivity resource web application ................................................................................. 3-118
customization group .................................................................................................................. 3-125
leasepool ...................................................................................................................................... 3-128
profile access ............................................................................................................................... 3-130
profile certificate authority ...................................................................................................... 3-135
profile ppp .................................................................................................................................... 3-138
profile rewrite ............................................................................................................................. 3-140
profile vpn .................................................................................................................................... 3-142
sso config ..................................................................................................................................... 3-146
sys-icheck ..................................................................................................................................... 3-150
sys-reset ....................................................................................................................................... 3-151
traffic class ................................................................................................................................... 3-152
vlan gateway ................................................................................................................................ 3-156
webtop .......................................................................................................................................... 3-158
windows group policy ............................................................................................................... 3-160
4
VIPRION System Command Reference
Introduction to VIPRION system commands ..........................................................................4-1
cluster ................................................................................................................................................4-2
daemon ..............................................................................................................................................4-6
failover ...............................................................................................................................................4-9
viii
Table of Contents
pool ................................................................................................................................................. 4-14

profile udp ...................................................................................................................................... 4-20
software ......................................................................................................................................... 4-23
system ............................................................................................................................................. 4-28
vlan .................................................................................................................................................. 4-33
5
WAN Optimization Command Reference
Introduction to WAN Optimization commands .....................................................................5-1
datastor .............................................................................................................................................5-2
deduplication ....................................................................................................................................5-4
drop policy ........................................................................................................................................5-5
endpoint advertised route ............................................................................................................5-8
endpoint discovery ...................................................................................................................... 5-10
endpoint local ............................................................................................................................... 5-13
endpoint remote .......................................................................................................................... 5-16
endpoint remote route ............................................................................................................... 5-20
profile cifs ....................................................................................................................................... 5-22
profile isession .............................................................................................................................. 5-25
profile mapi .................................................................................................................................... 5-29
rate class ........................................................................................................................................ 5-31
shaping policy ................................................................................................................................ 5-35
shaping queue ................................................................................................................................ 5-38
wccp ................................................................................................................................................ 5-41
Glossary
Index
Bigpipe Utility Reference Guide ix

Table of Contents
x
1
The Bigpipe Utility
• About the bigpipe utility
• Stylistic conventions
• Technical support resources

The Bigpipe Utility
About the bigpipe utility

The BIG-IP® system includes a tool known as the bigpipe utility. The
bigpipe utility consists of an extensive set of commands that you can use to
configure and manage the system from the command line. Using the
bigpipe utility, you can configure system features and set up network
elements. You can also configure the BIG-IP system to manage local and
global traffic passing through the system, and view statistics and system
performance data.
You can use the bigpipe utility in conjunction with the Traffic Management
Shell (tmsh) and the Configuration utility, which is the browser-based
BIG-IP system and network management tool.
The bigpipe utility includes an interactive shell that eases the task of typing
bigpipe commands. You can invoke this shell by typing the bigpipe shell
command at a BIG-IP® system prompt.
You can run bigpipe commands in the following ways:
• You can issue a single bigpipe command at the BIG-IP system prompt.
You must use underscores between the words in the command name. For
example:
auth_crldp
• You can open the bigpipe shell by typing the bigpipe shell command.
This displays the prompt: bp>. At this prompt, you can type any bigpipe
command sequence, using the syntax described in Chapter 2, Bigpipe
Utility Command Reference. Do not use underscores between the words
in the command name. For example:
bp> auth crldp
The bigpipe shell includes several features designed to optimize your use of
the bigpipe utility. The following sections describe these features.
About the bigpipe shell

You use the bigpipe shell command at the BIG-IP system prompt to invoke
the bigpipe shell. If you include the prompt <string> option, the bigpipe
shell command customizes the shell prompt. For more information, see
Customizing the bigpipe shell, on page 1-4.
The shell itself has also its own set of subcommands that you can use:
• exit
Use this command to exit the bigpipe shell.
• quit
Use this command to exit the bigpipe shell (same as the exit command).
• stop
Use this command to discontinue command continuation. For more
information, see The bigpipe shell command completion feature, on page
1-3.
Bigpipe Utility Reference Guide 1-1

Chapter 1
The bigpipe shell command history feature

The bigpipe shell saves each command that you enter at the bigpipe shell
prompt in a command history file. The command history persists when you
log off of the system. The next time you log on to the system, you can
access and edit the bigpipe commands that you entered in previous sessions.
The bigpipe command history persists even through a reboot of the BIG-IP
system. The only limit on the command history is the number of commands
that the bigpipe shell saves in the command history file.
You use the shell history command to set the maximum number of
commands that you want the bigpipe shell to save in the command history
file. The default is 50 commands. If you do not want to use the command
history feature, you set the maximum number of commands to 0 (zero). This
means that the bigpipe shell does not save any commands in history.
To access commands in the bigpipe history

1. At the bigpipe shell prompt, press the up arrow key.
The previously used commands display in the reverse order of use.
2. After you locate the command that you want to use again, press
Enter, or edit the command and then press Enter.
The command runs.
The bigpipe shell audit feature

The BIG-IP system contains a read-only audit file, /var/log/audit, which
includes the following information, automatically provided by the bigpipe
shell:
• All commands that users enter in the bigpipe shell, including commands
that do not change the configuration of the BIG-IP system, such as show
commands
• The user ID of the user who entered each command
• The date and time each command was entered
• All commands that are run by user-entered commands, based on the
specified audit level, such as commands run by the merge command
• Some of the commands run by the system
Note
The bigpipe shell does not audit the commands run by system daemons, for
example, the commands run by the mcpd daemon.
Tip
The audit file may be larger than you expect, because the bigpipe shell
audits some of the commands that the system runs.
1-2
The Bigpipe Utility
The audit file merges consecutive white spaces into single spaces. This
means that each command is a single, possibly very long, line.
You use the cli audit command to enable auditing for the bigpipe shell and
to specify the level of auditing that you want the bigpipe shell to perform.
There are four different levels of auditing available, including:
• disable
The bigpipe shell does not audit any commands. This is the default.
• enable
The bigpipe shell audits all commands that users enter, and the
commands run by the merge command, but not the commands run by the
load and import commands.
• verbose
The bigpipe shell audits all of the commands that users enter, and the
commands run by the merge command. Additionally, the bigpipe shell
audits the commands run by the load and import commands, except for
those commands that are found in these four system configuration files:
config_base.conf, base_monitors.conf, profile_base.conf, and
daemon.conf.
• all
The bigpipe shell audits all commands.
The bigpipe shell command completion feature

At any point while typing or editing a command, you can press the Tab key,
and the bigpipe shell completes the word you are currently typing. If the
command has only one option, the shell fills in the remainder of the word
with that option. If the command has more than one option, you can press
the Tab key a second time to list all available options. If the shell displays
nothing after you press Tab, no options exist to complete the word.
Unlike other shell features, command completion works not only from
inside the bigpipe shell, but also from the BIG-IP system prompt.
The bigpipe shell command continuation feature

If you type any command using an unbalanced opening brace, the bigpipe
shell stores the command entered up to that point. The shell stores any
subsequent commands in a similar way until you type a command that
closes all open braces, or you type the stop command.
For example, suppose you type the auth radius command, with an opening
brace, but no closing brace:
bp> auth radius rad-1 {
The shell does nothing and presents an empty prompt for continuing:
bp>

Chapter 1
At this point, you can continue to type more options for the auth radius
command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace ( } ), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
This discards the stored command sequence, without running the command.
Note
An opening brace that starts a continuation does not have to be the last
character on the line. Also, you can use more than one brace on a single
line.
grep functionality in the bigpipe shell

The bigpipe shell supports grep functionality. grep is a command line
search utility. You can pipe the output of any bigpipe command through the
grep utility. Piping allows the output of a bigpipe command to be used as
input to the grep utility. You use the same syntax that you use in the system
shell:
<command> | grep <grep options>
For more information about grep, see http://www.gnu.org/software/grep/.
Customizing the bigpipe shell

You can customize the bigpipe shell by changing the default prompt (bp>)
to a prompt of your choice.
To customize the bigpipe shell prompt

At the bp> prompt, type the shell command with the prompt option and the
text for the new prompt:
bp> shell prompt <string>
The prompt option sets the shell's prompt to the given string value.
For example, when you type
bp> shell prompt BIG-IP>
the system changes the shell prompt to:

BIG-IP>
1-4
The Bigpipe Utility
The bigpipe shell escape feature

The bigpipe shell does not directly support Linux® commands. You can
type Linux commands by either exiting the bigpipe shell (returning to the
BIG-IP system prompt) or by using the bigpipe shell escape feature. The
shell escape is simply an exclamation point, followed by the Linux
command itself. For example:
bp> !ls
You can disable this feature by typing the following command at the BIG-IP
system prompt:
bigpipe shell -s
Additional command line utilities and tools

There are several command line utilities and tools that you can use to
manage the BIG-IP system from the BIG-IP system prompt:
◆ The config utility
You use the config utility to define the IP address, network mask, and
gateway for the management (MGMT) port, when you initially set up
your BIG-IP system.
◆ The bigpipe utility
The bigpipe utility is a set of commands that you can use to configure
elements of the BIG-IP system such as VLANs, load balancing pools,
and virtual servers. Using bigpipe commands, you can manage the
BIG-IP system and the BIG-IP network components, and control local
application traffic to suit your exact needs.
◆ The bigtop command
The bigtop command displays real-time statistics for local traffic. You
can set a refresh interval and specify a sort order for this statistical
information.
◆ The bigstart command
With the bigstart command, you can start, stop, restart, and check the
status of various daemons, such as snmpd.
◆ The gencert utility
You can use the gencert utility to generate a key, a temporary certificate
and a certificate signing request file. You then submit the request file to a
certificate authority to obtain an SSL certificate.
◆ Traffic Management Shell
The Traffic Management Shell (tmsh) is a set of commands that you can
use to configure elements of the BIG-IP system and network
components, and control local application traffic. Using tmsh
commands, you can also configure the Global Traffic Manager resources.
For more information about tmsh, see the Traffic Management Shell
(tmsh) Reference Guide.

Chapter 1
The industry-standard tools that you can also use to manage the BIG-IP
system are:
◆ The Tools Command Language (Tcl) programming language
The Tools Command Language (Tcl) programming language is an
industry-standard programming language that you can use to create
BIG-IP system iRules™. iRules™ are scripts you can write to direct and
manipulate the way that the BIG-IP system manages application traffic.
◆ The OpenSSL utility
A component of the industry-standard OpenSSL toolkit, the OpenSSL
utility is a set of commands that perform various cryptographic functions,
such as generating SSL certificates and keys.
Stylistic conventions
To help you easily identify and understand important information, all of our
documentation uses the stylistic conventions described here.
Identifying references to objects, names, and commands

We apply bold formatting to a variety of items to help you easily pick them
out of a block of text. These items include web addresses, IP addresses,
utility names, and portions of commands, such as variables and keywords.
For example, with the bp> self <ip_address> show command, you can
specify a specific self IP address to show by specifying an IP address for the
<ip_address> variable.
Identifying command syntax

We show complete commands in bold Courier text. In this guide, we include
the corresponding screen prompt when the command is shown in a figure
that depicts an entire command line screen. We also include the
corresponding screen prompt when the command is used in the bigpipe
shell or tmsh. For example:
• This command shows the configuration of the self IP address in the
bigpipe shell:
bp> self <ip_address> show
• This command shows the configuration of the self IP address in tmsh:
(tmos)#>/ net show self <ip_address>
For more information about the bigpipe shell see About the bigpipe utility,
on page 1-1. For more information about tmsh, see the Traffic
Management Shell (tmsh) Reference Guide.
Note that we do not include the corresponding screen prompt when a
command is used at the BIG-IP system prompt. For example, this command
configures the network address for the system:
config
1-6
The Bigpipe Utility
Table 1.1 explains additional special conventions used in command line

syntax.
Item in text Description
\ Indicates that the command continues on the following line, and that users should type the entire
command without typing a line break.
< > Identifies a user-defined parameter in the bigpipe shell. For example, if the command has <your
name>, type in your name, but do not include the brackets.
| Indicates a choice between options on either side of the pipe.
[] Indicates that syntax inside the brackets is optional in the bigpipe shell, but required in tmsh.
() Indicates that the syntax inside the parentheses is optional in tmsh.
... Indicates that you can type a series of items.
::= Indicates the options that you can use in the bigpipe shell.
Table 1.1 Command line syntax conventions

Chapter 1
Technical support resources

You can find additional technical documentation and product information in
the following locations:
◆ bigpipe man pages
The BIG-IP product includes a complete set of man pages for the
commands that make up bigpipe and tmsh.
You can access the man pages for bigpipe commands in one of two
ways:
• From the BIG-IP system prompt, type man followed by the
command name. You must use underscores between the words in the
command name. For example:
man stp_instance
• From the bigpipe shell prompt, use the command name followed by
help. Do not use underscores between the words in the command
name. For example:
bp> auth crldp help
You can access the man pages for tmsh commands from the tmsh
prompt. You use the syntax / [module name] [component name] help.
For example: (tmos) # / net arp help.
◆ Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many
useful web sites and resources, including:
• The Ask F5SM Knowledge Base web site
• The F5 Solution Center
• The F5 DevCentral web site
• Plug-ins, SNMP MIBs, and SSH clients
• User documentation
◆ F5 Networks Technical Support web site
The F5 Networks Technical Support web site, https://support.f5.com,
provides the latest documentation for the product, including:
• Release notes for the BIG-IP system, current and past
• Updates for guides (in PDF format)
• Technical notes
• Answers to frequently asked questions
• The Ask F5SM Knowledge Base
To access this site, you need to register at https://support.f5.com.
1-8
2
• Introduction to command syntax
• Alphabetical list of commands

Introduction to command syntax

This chapter contains the command syntax for specific BIG-IP® system
commands and each bigpipe command. Use the BIG-IP system commands
at the BIG-IP system prompt. Use the bigpipe commands at the bigpipe
shell prompt: bp>. In this chapter, we do not include the corresponding
screen prompt. You can also find information about bigpipe command
syntax in the man pages. For more information on viewing man pages, see
Technical support resources, on page 1-8.
For more information about the bigpipe shell, see About the bigpipe utility,
on page 1-1.
The all keyword

When using bigpipe commands, you can globally modify or delete objects
of a specified type only when all objects of that type reside in a single
partition. In other words, it is important to note that when you use the all
keyword with an object type, the action you are performing applies only to
objects of the specified type in the current Write partition. For more
information about partitions, see Understanding partitions and user
accounts in the TMOS™ Management Guide for BIG-IP® Systems.
Command types
In the See also sections of this chapter, commands are followed by an
industry-standard identifying number. The types that are listed in this
chapter include:
• User commands, which are identified by (1), for example:
arp(1)
• System management commands, which are identified by (8), for
example:
sys-reset(8)

Chapter 2
Basic definitions
The following are basic definitions that apply to bigpipe commands.
<if name> ::= mgmt | <number> . <number>
<ip addr> ::= <IPv4 address> | <IPv6 address> | <node address screen name> |
<host name> | any | any6 | *
<ip mask> ::= <IPv4 netmask> | <IPv6 netmask> | none
<mac addr> ::= <six hexadecimal numbers separated by colons>
<member> ::= <IPv4 address> : <service> | <IPv6 address> . <service>
<name> ::= <letter> <letters, numbers, periods, hyphens, underscores>
<network ip> ::= (<ip addr> [mask <ip mask> | (prefixlen | /) <number>] |
default [inet | inet6])
<number> ::= <digit> ... | <digits> . <digits> (K | M | G)
<protocol> ::= <number> | <name> | any | *
<service> ::= <number> | <name> | any | *
<string> ::= <any set of characters; enclose in double quotes if including spaces, \
braces or reserved words; use a backslash (\) to escape characters>
Most attributes accept a value of default, which sets the attribute to its
default value.
Alphabetical list of commands

The remainder of this chapter lists specific BIG-IP system commands and
all of the bigpipe commands.
2-2
arp
Manages static and dynamic Address Resolution Protocol (ARP) entries in
the routing table. Provides the ability to add static ARP entries to the route
table. Also provides the ability to display and delete static and dynamic
route mappings between IP addresses and MAC addresses.
Syntax
Use this command to configure entries in the ARP cache.
Create/Modify
arp <arp key> {}
arp (<arp key> | all) [{] <arp arg list> [}]
<arp key> ::=
<ip addr>
(dynamic | static)
<arp arg> ::=
<ip addr>
(<mac addr> | none)
partition id <partition key>
(dynamic | static)
Display
arp [<arp key> | all] [show [all]]
arp [<arp key> | all] list [all]
arp (<arp key> | all) edit
arp (<arp key> | all) ip addr [show]
arp (<arp key> | all) mac addr [show]
arp (<arp key> | all) partition id [show]
arp (<arp key> | all) type [show]
Delete
arp (<arp key> | all) delete
Description
You can use the arp command to create static ARP entries for IPv4
addresses to link-layer addresses, such as Ethernet MAC addresses. In
addition to creating static ARP entries, you can view and delete static and
dynamic ARP entries.
You can also use the db command to configure how the system handles
ARP entries for dynamic timeout, maximum dynamic entries, add
reciprocal, and maximum retries. For more information, see db, on page
2-56, or the db command man page.

Chapter 2
Examples
Creates an ARP mapping of the IP address 10.10.10.20 to the MAC address
00:0b:09:88:00:9a:
b arp 10.10.10.20 00:0b:09:88:00:9a
Displays dynamic ARP entries specific to route domain 0:

b arp show
Displays dynamic ARP entries specific to route domain 1:

b arp any%1
Displays dynamic ARP entries across all route domains:

b arp any%65535
Displays all dynamic ARP entries for the system:

b arp dynamic show
Displays all static ARP entries for the system:

b arp list
Displays the ARP entry for the IP address 10.10.10.20:

b arp 10.10.10.20 show
Deletes the ARP entry for the IP address 10.10.10.20:

b arp 10.10.10.20 delete
Deletes all static ARP entries for the system:

b arp static delete
Deletes all dynamic arp entries specific to route domain 0:

b arp all delete
Deletes all dynamic arp entries specific to route domain 2:

b arp any%2 delete
Options
You can use these options with the arp command:
◆ ip addr
Specifies the IP address, for which you want to create an ARP entry, in
one of four formats:
• IPv4 address in dotted-quad notation, for example: 10.10.10.1
• IPv6 address, for example: 1080::8:800:200C:417A
• host name, for example: www.f5.com
• node screen name, for example: node1
2-4
◆ mac addr
Specifies a 6-byte Ethernet address in not case-sensitive hexadecimal
colon notation, for example: 00:0b:09:88:00:9a. You must specify a
MAC address when you create an ARP entry.
◆ partition id
Displays the partition within which the object resides.
◆ type
Specifies if the IP address for an ARP entry is static or dynamic.
See also
db(1), ndp(1), bigpipe(1)

Chapter 2
auth crldp
Configures a Certificate Revocation List Distribution Point (CRLDP)
configuration object for implementing CRLDP to manage certificate
revocation.
Syntax
Use this command to configure a CRLDP configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all administrative partitions, then before you create an
object in a specific partition, you must use the bigpipe shell command to set
your Write partition to the partition in which you want to create the object.
For more information, see the Configuring Administrative Partitions and
Managing User Accounts chapters in the TMOS™ Management Guide for
BIG-IP® Systems.
auth crldp <auth crldp key> {}

auth crldp (<auth crldp key> | all) [{] <auth crldp arg list> [}]
<auth crldp key> ::=
<name>
<auth crldp arg> ::=
conn timeout (<number> | immediate | indefinite)
name <name>
servers (<crldp server key list> | none) [add | delete]
update interval <number>
use issuer (enable | disable)
Display
auth crldp [<auth crldp key> | all] [show [all]]
auth crldp [<auth crldp key> | all] list [all]
auth crldp (<auth crldp key> | all) conn timeout [show]
auth crldp (<auth crldp key> | all) name [show]
auth crldp (<auth crldp key> | all) partition [show]
auth crldp (<auth crldp key> | all) servers [show]
auth crldp (<auth crldp key> | all) update interval [show]
auth crldp (<auth crldp key> | all) use issuer [show]
Delete
auth crldp (<auth crldp key> | all) delete
2-6
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command) and assigning
CRLDP servers to the object, creating a CRLDP profile (using the profile
auth command) and assigning the CRLDP configuration object to the
profile, and assigning the CRLDP profile to a virtual server.
Examples
Creates a configuration object named my_auth_crldp:
auth crldp my_auth_crldp {}
Deletes the configuration object named my_auth_crldp:

auth crldp my_auth_crldp delete
Options
You can use these options with the auth crldp command:
◆ connection timeout
Specifies the number of seconds before the connection times out. The
default value is 15 seconds.
◆ servers
Specifies the CRLDP server that you want to either assign to or remove
from the CRLDP configuration object.
◆ update interval
Specifies an update interval for CRL distribution points. The update
interval for distribution points ensures that CRL status is checked at
regular intervals, regardless of the CRL timeout value. This helps to
prevent CRL information from becoming outdated before the BIG-IP
system checks the status of a certificate. The default value is zero, which
indicates an internal default value is active.
◆ use issuer
Indicates whether the CRL distribution point should be extracted from
the certificate of the client certificate issuer. The default value is disable.
See also
profile auth(1), bigpipe(1)

Chapter 2
auth krbdelegate
Configures a Kerberos delegation object. The Kerberos delegation module
essentially acts like a proxy for Kerberos credentials. When connecting to a
server that is inside its domain, the browser client fetches Kerberos
credentials. These credentials should be known as delegated credentials.
They are passed on to the system. Once the system has these credentials, it
retrieves credentials for the real server that is on the back end, and passes
those credentials back.
Each user is assigned a unique cookie that describes a session on the system.
This cookie is encrypted in a cookie key.
Syntax
Use this command to configure a Kerberos delegation object.
Create/Modify
Important
BIG-IP® Systems.
auth krbdelegate <auth krbdelegate key> {}

auth krbdelegate (<auth krbdelegate key> | all) [{] <auth krbdelegate arg list> [}]
<auth krbdelegate key> ::=
<name>
<auth krbdelegate arg> ::=
client principal (<string> | none)
debug (enable | disable)
name <name>
server principal (<string> | none)
Display
auth krbdelegate [<auth krbdelegate key> | all] [show [all]]
auth krbdelegate [<auth krbdelegate key> | all] list [all]
auth krbdelegate (<auth krbdelegate key> | all) client principal [show]
auth krbdelegate (<auth krbdelegate key> | all) debug [show]
auth krbdelegate (<auth krbdelegate key> | all) name [show]
auth krbdelegate (<auth krbdelegate key> | all) partition [show]
auth krbdelegate (<auth krbdelegate key> | all) server principal [show]
2-8
Delete
auth krbdelegate (<auth krbdelegate key> | all) delete
Description
The Kerberos delegation module obtains delegated Kerberos credentials for
the client principal, and then retrieves Kerberos credentials for the
server-side principal. The Kerberos delegation module essentially acts as a
proxy for Kerberos credentials. When connecting to a server that is inside its
domain, the browser client fetches Kerberos credentials. These credentials,
known as delegated credentials, are passed to the BIG-IP system, which in
turn retrieves credentials for the real server that is on the backend, and
passes those credentials back.
Examples
Creates a configuration object named my_auth_krbdelegate with the
values shown:
bigpipe auth krbdelegate my_auth_krbdelegate \
{ client principal HTTP/appserver.siterequest.com \
server principal HTTP/myserver1.siterequest.com }
Deletes the configuration object named my_auth_krbdelegate:

bigpipe auth krbdelegate my_auth_krbdelegate delete
Options
You can use these options with the auth ldap command:
◆ client principal
Specifies the principal that the client sees. This is usually a value such as
HTTP/<fqdn>. This principal may be in a different domain from the
server principal.
◆ server principal
Specifies the principal of the back-end web server. This is usually a value
such as HTTP/<fqdn of server>. This may be in a different domain
from the client principal.
See also

Chapter 2
auth ldap
Configures an LDAP configuration object for implementing remote
LDAP-based client authentication.
Syntax
Use this command to configure an LDAP configuration object.
Create/Modify
Important
BIG-IP® Systems.
auth ldap <auth ldap key> {}

auth ldap (<auth ldap key> | all) [{] <auth ldap arg list> [}]
<auth ldap key> ::=
<name>
<auth ldap arg> ::=
bind dn (<string> | none)
bind pw (<string> | none)
bind timeout <number>
check host attr (enable | disable)
filter (<string> | none)
group dn (<string> | none)
group member attr (<string> | none)
idle timeout <number>
ignore authinfo unavail (enable | disable)
login attr (<string> | none)
name <name>
scope (base | one | sub)
search base dn (<string> | none)
search timeout <number>
servers (<string list> | none) [add | delete]
service (<service> | none)
ssl (disable | enable)
ssl ca cert file (<string> | none)
ssl check peer (enable | disable)
2 - 10
ssl ciphers (<string> | none)

ssl client cert (<string> | none)
ssl client key (<string> | none)
user template (<string> | none)
version <number>
warnings (enable | disable)
Display
auth ldap [<auth ldap key> | all] [show [all]]
auth ldap [<auth ldap key> | all] list [all]
auth ldap (<auth ldap key> | all) bind dn [show]
auth ldap (<auth ldap key> | all) bind pw [show]
auth ldap (<auth ldap key> | all) bind timeout [show]
auth ldap (<auth ldap key> | all) check host attr [show]
auth ldap (<auth ldap key> | all) debug [show]
auth ldap (<auth ldap key> | all) filter [show]
auth ldap (<auth ldap key> | all) group dn [show]
auth ldap (<auth ldap key> | all) group member attr [show]
auth ldap (<auth ldap key> | all) idle timeout [show]
auth ldap (<auth ldap key> | all) ignore authinfo unavail [show]
auth ldap (<auth ldap key> | all) login attr [show]
auth ldap (<auth ldap key> | all) name [show]
auth ldap (<auth ldap key> | all) partition [show]
auth ldap (<auth ldap key> | all) scope [show]
auth ldap (<auth ldap key> | all) search base dn [show]
auth ldap (<auth ldap key> | all) search timeout [show]
auth ldap (<auth ldap key> | all) servers [show]
auth ldap (<auth ldap key> | all) service [show]
auth ldap (<auth ldap key> | all) ssl [show]
auth ldap (<auth ldap key> | all) ssl ca cert file [show]
auth ldap (<auth ldap key> | all) ssl check peer [show]
auth ldap (<auth ldap key> | all) ssl ciphers [show]
auth ldap (<auth ldap key> | all) ssl client cert [show]
auth ldap (<auth ldap key> | all) ssl client key [show]
auth ldap (<auth ldap key> | all) user template [show]
auth ldap (<auth ldap key> | all) version [show]
auth ldap (<auth ldap key> | all) warnings [show]
Delete
auth ldap (<auth ldap key> | all) delete
Bigpipe Utility Reference Guide 2 - 11

Chapter 2
Description
LDAP authentication is a mechanism for authenticating or authorizing client
connections passing through the system. LDAP authentication is useful
when your authentication or authorization data is stored on a remote LDAP
server or a Microsoft® Windows Active Directory server, and you want the
client credentials to be based on basic HTTP authentication (that is, user
name and password). You configure an LDAP authentication module by
creating an LDAP configuration object, creating an LDAP profile, and
assigning the profile and a default iRule to the virtual server.
Examples
Creates a configuration object named my_auth_ldap:
auth ldap my_auth_ldap
Deletes the configuration object named my_auth_ldap:

auth ldap my_auth_ldap delete
Options
You can use these options with the auth ldap command:
◆ bind dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. The admin account can be used as the search
account. If no administrator DN is specified, then no bind is attempted.
This setting is required only when a site does not allow anonymous
searches. If the remote server is a Microsoft Windows Active Directory
server, the distinguished name must be in the form of an email address.
Possible values are a user-specified string, and none.
◆ bind pw
Specifies the password for the search account created on the LDAP
server. This setting is required if you use a bind DN. Possible values are
a user-specified string, and none.
◆ bind timeout
Specifies a bind timeout limit, in seconds. The default value is 30
seconds.
◆ check host attr
Confirms the password for the bind distinguished name. This setting is
optional. The default value is disable.
◆ debug
Enables or disables syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default value is disable.
◆ filter
Specifies a filter. This setting is used for authorizing client traffic.
2 - 12
◆ group dn
Specifies the group distinguished name. This setting is used for
authorizing client traffic. Possible values are a user-specified string, and
none.
◆ group member attr
Specifies a group member attribute. This setting is used for authorizing
client traffic. Possible values are a user-specified string, and none.
◆ idle timeout
Specifies the idle timeout, in seconds, for connections. The default value
is 3600 seconds.
◆ ignore authinfo unavail
Ignores the authentication information if it is not available. The default
value is disable.
◆ login attr
Specifies a logon attribute. Normally, the value for this setting is uid;
however, if the server is a Microsoft Windows Active Directory server,
the value must be the account name SAMACCOUNTNAME (not
case-sensitive). Possible values are a user-specified string, and none.
◆ scope
Specifies the scope. Possible values are: base, one, and sub. The default
value is sub.
◆ search base dn
Specifies the search base distinguished name. You must specify a search
base distinguished name when you create an LDAP configuration object.
◆ search timeout
Specifies the search timeout, in seconds. The default value is 30 seconds.
◆ servers
Specifies the LDAP servers that the system must use to obtain
authentication information. You must specify a server when you create
an LDAP configuration object.
◆ service
Specifies the port number for the LDAP service. Port 389 is typically
used for non-SSL and port 636 is used for an SSL-enabled LDAP
service.
◆ ssl
Enables or disables SSL. The default value is disable. Note that when
you use the command line interface to enable SSL for an LDAP service,
the system does not change the service port number from 389 to 636, as
is required. To change the port number from the command line, use the
service option of this command (see above), for example: auth ldap
<name> ssl enable service 636.
◆ ssl ca cert file
Specifies the name of an SSL CA certificate. Possible values are: none
and specify full path.

Chapter 2
◆ ssl check peer

Checks an SSL peer. The default value is disable.
◆ ssl ciphers
Specifies SSL ciphers. Possible values are a user-specified string, and
none.
◆ ssl client cert
Specifies the name of an SSL client certificate. Possible values are a
user-specified string, and none.
◆ ssl client key
Specifies the name of an SSL client key. Possible values are a
user-specified string, and none.
◆ version
Specifies the version number of the LDAP application. The default value
is 3.
◆ warnings
Enables or disables warning messages. The default value is enable.
See also
2 - 14
auth radius
Configures a RADIUS configuration object for implementing remote
RADIUS-based client authentication.
Syntax
Use this command to configure a RADIUS authentication configuration
object.
Create/Modify
Important
BIG-IP® Systems.
auth radius <auth radius key> {}

auth radius (<auth radius key> | all) [{] <auth radius arg list> [}]
<auth radius key> ::=
<name>
<auth radius arg> ::=
accounting bug (enable | disable)
client (<string> | none)
name <name>
retries <number>
servers (<radius server key list> | none) [add | delete]
Display
auth radius [<auth radius key> | all] [show [all]]
auth radius [<auth radius key> | all] list [all]
auth radius (<auth radius key> | all) accounting bug [show]
auth radius (<auth radius key> | all) client [show]
auth radius (<auth radius key> | all) debug [show]
auth radius (<auth radius key> | all) name [show]
auth radius (<auth radius key> | all) partition [show]
auth radius (<auth radius key> | all) retries [show]
auth radius (<auth radius key> | all) servers [show]

Chapter 2
Delete
auth radius (<auth radius key> | all) delete
Description
By creating a RADIUS configuration object, a RADIUS profile, and one or
more RADIUS server objects, you can implement the RADIUS
authentication module as the mechanism for authenticating client
connections passing through the traffic management system. You use this
module when your authentication data is stored on a remote RADIUS
server. In this case, client credentials are based on basic HTTP
authentication (that is, user name and password). You can use this
configuration object in conjunction with a RADIUS profile and a RADIUS
server object.
To use these commands, you must first create a RADIUS server object using
the radius command.
Examples
Creates a RADIUS configuration object named my_auth_radius:
auth radius my_auth_radius {}
Displays all auth radius configuration objects:

auth radius all
Deletes the auth radius configuration object named my_auth_radius:

auth radius my_auth_radius delete
Options
You can use these options with the auth radius command:
◆ accounting bug
Enables or disables validation of the accounting response vector. This
option should be necessary only on older servers. The default value is
disable.
◆ client
Sends a NAS-Identifier RADIUS attribute with string bar. If you do not
specify a value for the Client ID setting, the system uses the pluggable
authentication module (PAM) service type. You can disable this feature
by specifying a blank client ID. Possible values are a user-specified
string and none.
◆ debug
Enables or disables syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default value is disable.
◆ retries
Specifies the number of authentication retries that the BIG-IP local
traffic management system allows before authentication fails. The
default value is 3.
2 - 16
◆ servers
Lists the IP addresses of the RADIUS servers that the BIG-IP local
traffic management system uses to obtain authentication data. Note that
for each server listed, you must create a corresponding RADIUS server
object. A RADIUS server object specifies the server name, port number,
RADIUS secret, and timeout value. Possible values are a user-specified
list of IP addresses and none.
See also
profile auth(1), radius(1), bigpipe(1)

Chapter 2
auth ssl cc ldap

Configures an SSL client certificate configuration object for remote
SSL-based LDAP authorization for client traffic passing through the traffic
management system.
Syntax
Use this command to configure an SSL certificate-based LDAP
configuration object.
Create/Modify
Important
BIG-IP® Systems.
auth ssl cc ldap <auth ssl cc ldap key> {}

auth ssl cc ldap (<auth ssl cc ldap key> | all) [{] <auth ssl cc ldap arg list> [}]
<auth ssl cc ldap key> ::=
<name>
<auth ssl cc ldap arg> ::=
admin dn (<string> | none)
admin pw (<string> | none)
cache size <number>
cache timeout (<number> | immediate | indefinite)
certmap base (<string> | none)
certmap key (<string> | none)
certmap use serial (enable | disable)
group base (<string> | none)
group key (<string> | none)
group member key (<string> | none)
name <name>
role key (<string> | none)
search (user | certmap | cert)
secure (enable | disable)
user base (<string> | none)
2 - 18
user class (<string> | none)

user key (<string> | none)
valid groups (<string list> | none) [add | delete]
valid roles (<string list> | none) [add | delete]
Display
auth ssl cc ldap [<auth ssl cc ldap key> | all] [show [all]]
auth ssl cc ldap [<auth ssl cc ldap key> | all] list [all]
auth ssl cc ldap (<auth ssl cc ldap key> | all) admin dn [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) admin pw [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) cache size [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) cache timeout [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) certmap base [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) certmap key [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) certmap use serial [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) group base [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) group key [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) group member key [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) name [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) partition [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) role key [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) search [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) secure [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) servers [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) user base [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) user class [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) user key [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) valid groups [show]
auth ssl cc ldap (<auth ssl cc ldap key> | all) valid roles [show]
Delete
auth ssl cc ldap (<auth ssl cc ldap key> | all) delete
Description
You can use the auth ssl cc ldap command to configure SSL client
certificate-based remote LDAP authorization for client traffic passing
through the traffic management system.

Chapter 2
Options
You can use these options with the auth ssl c ldap command:
◆ admin dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. This search account is a read-only account used to
do searches. The admin account can also be used as the search account. If
no administrator DN is specified, then no bind is attempted. This
parameter is required only when an LDAP database does not allow
anonymous searches. Possible values are a user-specified string, and
none.
◆ admin pw
Specifies the password for the admin account. See the admin dn option
above. Possible values are a user-specified string, and none.
◆ cache size <number>
Specifies the maximum size, in bytes, allowed for the SSL session cache.
Setting this value to 0 disallows SSL session caching. The default value
is 20000 bytes (that is 20KB).
◆ cache timeout <number> | immediate | indefinite
Specifies the number of usable lifetime seconds of negotiable SSL
session IDs. When this time expires, a client must negotiate a new
session. Allowed values are: <number>, immediate, and indefinite.
The default value is 300 seconds.
◆ certmap base
Specifies the search base for the subtree used by the certmap search
method. A typical search base is: ou=people,dc=company,dc=com.
◆ certmap key
Specifies the name of the certificate map found in the LDAP database.
Used by the certmap search method. Possible values are a user-specified
string, and none.
◆ certmap use serial
Enables or disables the use of the client certificate's subject or serial
number (in conjunction with the certificate's issuer) when trying to match
an entry in the certificate map subtree. A setting of enable uses the serial
number. A setting of disable uses the subject. The default value is
disable.
◆ group base
Specifies the search base for the subtree used by group searches. This
parameter is only used when specifying the valid groups option. The
typical search base is similar to: ou=groups,dc=company,dc=com.
◆ group key
Specifies the name of the attribute in the LDAP database that specifies
the group name in the group subtree. An example of a typical key is cn
(common name for the group). Possible values are a user-specified
string, and none.
2 - 20
◆ group member key

Specifies the name of the attribute in the LDAP database that specifies
members (DNs) of a group. A typical key would be member. Possible
values are a user-specified string, and none.
◆ role key
Specifies the name of the attribute in the LDAP database that specifies a
user's authorization roles. This key is used only with the valid roles
option. A typical role key might be authorizationRole. Possible values
are a user-specified string, and none.
◆ search
Specifies the type of LDAP search that is performed based on the client's
certificate. Possible values are:
• user
Searches for a user based on the common name found in the
certificate.
• cert
Searches for the exact certificate.
• certmap
Searches for a user by matching the certificate issuer and the
certificate serial number or certificate.
The default value is user.
◆ secure
Enables or disables an attempt to use secure LDAP (LDAP over SSL).
The alternative to using secure LDAP is to use insecure (clear text)
LDAP. Secure LDAP is a consideration when the connection between
the BIG-IP system and the LDAP server cannot be trusted. The default
value is disable.
◆ servers
Specifies a list of LDAP servers you want to search. Possible values are a
user-specified list of servers and none. You must specify a server when
you create an SSL client certificate configuration object.
◆ user base
Specifies the search base for the subtree used by the user and cert search
methods. A typical search base is: ou=people,dc=company,dc=com.
Possible values are a user-specified string, and none. You must specify a
user base when you create an SSL client certificate configuration object.
◆ user class
Specifies the object class in the LDAP database to which the user must
belong to be authenticated.
◆ user key
Specifies the key that denotes a user ID in the LDAP database (for
example, the common key for the user setting is uid). Possible values are
a user-specified string, and none. You must always specify a user key
when you create an SSL client certificate configuration object.

Chapter 2
◆ valid groups
Specifies a space-delimited list specifying the names of groups in which
the client must belong to be authorized (matches against the group key in
the group subtree). The client needs to be a member of only one of the
groups in the list. Possible values are a user-specified string or none.
◆ valid roles
Specifies a space-delimited list specifying the valid roles that clients
must have to be authorized. Possible values are a user-specified string
and none.
See also
2 - 22
auth ssl ocsp

Configures an OCSP configuration object for implementing remote
OCSP-based client authentication.
Syntax
Use this command to create, display, modify, or delete an OCSP
configuration object.
Create/Modify
Important
BIG-IP® Systems.
auth ssl ocsp <auth ssl ocsp key> {}

auth ssl ocsp (<auth ssl ocsp key> | all) [{] <auth ssl ocsp arg list> [}]
<auth ssl ocsp key> ::=
<name>
<auth ssl ocsp arg> ::=
name <name>
responders (<ocsp responder key list> | none) [add | delete]
Display
auth ssl ocsp [<auth ssl ocsp key> | all] [show [all]]
auth ssl ocsp [<auth ssl ocsp key> | all] list [all]
auth ssl ocsp (<auth ssl ocsp key> | all) name [show]
auth ssl ocsp (<auth ssl ocsp key> | all) partition [show]
auth ssl ocsp (<auth ssl ocsp key> | all) responders [show]
Delete
auth ssl ocsp (<auth ssl ocsp key> | all) delete

Chapter 2
Description
Online Certificate Status Protocol (OCSP) is an industry-standard protocol
that offers an alternative to a certificate revocation list (CRL) when using
public-key technology. A CRL is a list of revoked client certificates, which
a server system can check during the process of verifying a client certificate.
To use these commands, you must first create an OCSP responder object
using the ocsp responder command.
Options
You can use these options with the auth ssl ocsp command:
◆ partition
Displays the partition within which the auth ssl ocsp object resides.
◆ responders
Specifies a list of OCSP responders that you configured using the ocsp
responder command.
See also
profile auth(1), ocsp responder(1), bigpipe(1)
2 - 24
auth tacacs
Configures a TACACS+ configuration object for implementing remote
TACACS+-based client authentication.
Syntax
Use this command to configure a TACACS+ configuration object.
Create/ Modify
Important
BIG-IP® Systems.
auth tacacs <auth tacacs key> {}

auth tacacs (<auth tacacs key> | all) [{] <auth tacacs arg list> [}]
<auth tacacs key> ::=
<name>
<auth tacacs arg> ::=
acct all (enable | disable)
encrypt (enable | disable)
first hit (enable | disable)
name <name>
protocol (<string> | none)
secret (<string> | none)
service (<string> | none)
Display
auth tacacs [<auth tacacs key> | all] [show [all]]
auth tacacs [<auth tacacs key> | all] list [all]
auth tacacs (<auth tacacs key> | all) acct all [show]
auth tacacs (<auth tacacs key> | all) debug [show]
auth tacacs (<auth tacacs key> | all) encrypt [show]
auth tacacs (<auth tacacs key> | all) first hit [show]
auth tacacs (<auth tacacs key> | all) name [show]
auth tacacs (<auth tacacs key> | all) partition [show]
auth tacacs (<auth tacacs key> | all) protocol [show]

Chapter 2
auth tacacs (<auth tacacs key> | all) secret [show]

auth tacacs (<auth tacacs key> | all) servers [show]
auth tacacs (<auth tacacs key> | all) service [show]
Delete
auth tacacs (<auth tacacs key> | all) delete
Description
Using a TACACS+ configuration object and profile, you can implement the
TACACS+ authentication module as the mechanism for authenticating
client connections passing through the BIG-IP local traffic management
system. You use this module when your authentication data is stored on a
remote TACACS+ server. In this case, client credentials are based on basic
HTTP authentication (that is, user name and password). You configure a
TACACS+ authentication module by creating a TACACS+ configuration
object, creating a TACACS+ profile, and assigning the profile to a virtual
server.
Examples
Enables encryption for TACACS+ packets:
auth tacacs encrypt
Provides the ability to send accounting start and stop packets to all servers:
auth tacacs myauth2 myauth3 acct all enable
Options
You can use these options with the auth tacacs command:
◆ acct all
If multiple TACACS+ servers are defined and pluggable authentication
module (PAM) session accounting is enabled, sends accounting start and
stop packets to the first available server or to all servers. Possible values
are:
• enable
Sends to first available server.
• disable
Sends to all servers.
The default value is disable.
◆ debug
Enables syslog-ng debugging information at LOG DEBUG level. Not
recommended for normal use. The default value is disable.
◆ encrypt
Enables or disables encryption of TACACS+ packets. Recommended for
normal use. The default value is enable.
2 - 26
◆ first hit
Confirms the secret key supplied for the Secret setting. This setting is
required. The default value is disable.
◆ partition
Displays the partition within which the auth tacacs object resides.
◆ protocol
Specifies the protocol associated with the value specified in the service
option, which is a subset of the associated service being used for client
authorization or system accounting.
◆ secret
Sets the secret key used to encrypt and decrypt packets sent or received
from the server. This setting is required. Possible values are a
user-specified string and none.
◆ servers
Specifies a host name or IP address for the TACACS+ server. This
setting is required. Possible values are a user-specified string, and none.
You must specify a server when you create a TACACS+ configuration
object.
◆ service
Specifies the name of the service that the user is requesting to be
authenticated to use. Identifying the service enables the TACACS+
server to behave differently for different types of authentication requests.
This setting is required.
See also
profile auth(1), profile http(1), bigpipe(1), shell(1)

Chapter 2
bigpipe shell
When typed at the BIG-IP system prompt, starts the bigpipe utility in its
shell mode and configures the shell.
Modify
bigpipe shell [{] <shell arg list> [}]
<shell arg> ::=
history <number>
partition <partition key>
prompt <string>
read partition (<partition key> | all)
write partition <partition key>
Display
bigpipe shell [show [all]]
bigpipe shell list [all]
bigpipe shell history [show]
bigpipe shell partition [show]
bigpipe shell prompt [show]
bigpipe shell read partition [show]
bigpipe shell write partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Examples
From the BIG-IP system prompt, starts the bigpipe utility in its shell mode
and presents a prompt at which you can type bigpipe commands:
bigpipe shell
Customizes the bigpipe shell prompt to display as F5:

bigpipe shell prompt F5
For users with access to all partitions, changes the partition to which you
have Write access to partition application1:
bigpipe shell write partition application1
have Read and Write access to partition application2:
bigpipe shell partition application2
2 - 28
Options
You can use these options with the bigpipe shell command:
◆ partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is only available to users with access to
all partitions.
◆ prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
◆ read partition
Changes the partition to which you have Read access to the partition you
specify. This option is only available to users with access to all partitions.
◆ write partition
Changes the partition to which you have Write access to the partition you
See also
partition(1), bigpipe(1)

Chapter 2
class
Configures classes.
Syntax
Use this command to configure classes.
Create/Modify
Important
BIG-IP® Systems.
class <class key> {}

class (<class key> | all) [{] <class arg list> [}]
<class key> ::=
<name>
<class arg> ::=
filename (<file name> | none)
(<class ip item list> | none) [add | delete]
mode (read | rw)
name <name>
separator (<string> | none)
(<class string item list> | none) [add | delete]
type (ip | string | value)
(<class value item list> | none) [add | delete]
<class ip item> ::= (<class ip item key> | all)
[{] <class ip item arg list> [}]
<class ip item key> ::=
<IP class item>
<class ip item arg> ::=
<string>
<IP class item>
<IP class item> ::= host <ip addr> | network <network ip>
<class string item> ::= (<class string item key> | all) [{]
<class string item arg list> [}]
<class string item key> ::=
<quoted string>
<class string item arg> ::=
<string>
2 - 30
<quoted string>
<class value item> ::= (<class value item key> | all) [{]
<class value item arg list> [}]
<class value item key> ::=
<number>
<class value item arg> ::=
<string>
<number>
Display
class [<class key> | all] [show [all]]
class [<class key> | all] list [all]
class (<class key> | all) filename [show]
class (<class key> | all) ip [<class ip item key> | all] \
[show [all]]
class (<class key> | all) ip [<class ip item key> | all] \
list [all]
class (<class key> | all) ip (<class ip item key> | all) \
data [show]
host [show]
name [show]
class (<class key> | all) mode [show]
class (<class key> | all) name [show]
class (<class key> | all) partition [show]
class (<class key> | all) separator [show]
class (<class key> | all) string \
[<class string item key> | all] [show [all]]
[<class string item key> | all] list [all]
(<class string item key> | all) data [show]
(<class string item key> | all) name [show]
(<class string item key> | all) value [show]
class (<class key> | all) type [show]
class (<class key> | all) value \
[<class value item key> | all] [show [all]]
[<class value item key> | all] list [all]
(<class value item key> | all) data [show]
(<class value item key> | all) name [show]
(<class value item key> | all) value [show]

Chapter 2
Delete
class (<class key> | all) delete
Description
Classes are lists of data that you define and use with iRules™ operators. The
system includes a number of predefined lists that you can use. They are:
• AOL Network
• Image Extensions
• Private class IP addresses
The above lists are located in the file /config/profile_base.conf. The load
command loads these lists; however, unless the lists are modified, the load
command does not save the lists to the bigip.conf file.
Classes are either internal or external. Internal classes are stored in the
bigip.conf file. External classes are stored in external files that you define.
Note that external classes can be very large, which is one reason why these
classes are saved to external files. For example, a phone company may store
a list of thousands of phone numbers in an external class.
Internal classes can be one of three types: class ip item key, class string
item key, or class value item key. When running the command from the
system prompt, strings must be surrounded by escaped quotation marks.
When running the command from the bigpipe shell, strings must be
surrounded by quotation marks (not escaped). Numbers can be either
positive or negative. You can also associate a string data value, enclosed
with braces, with any value in a class.
External classes are lists that specify:
• A file name where the list is saved
• The type, indicated by a list of ip addresses, strings, or values
• A permission mode that defines access to the class as either read or rw
(Read/Write)
You can update the external class file by issuing the load command.
Note
When you use the bigpipe class command at the BIG-IP system prompt, you
must use escape characters around the strings in the syntax to stop the
operating system from interpreting the string literally.
Examples
Creates an internal class named MyNewClass that contains a single IP
address:
class MyNewClass host 10.0.0.0
2 - 32
Creates an internal class named MyNewClass2 that contains a list of three

network addresses: 192.1.1.0/24, 192.2.1.1, and 10.0.0.5/24:
class MyNewClass2 network 192.1.1.0 mask 255.255.255.0 host
192.2.1.1 network 10.0.0.5/24
Creates an internal class named AnotherNewClass that contains a list of

four values:
class AnotherNewClass 111 222 333 444
Modifies the internal class named AnotherNewClass by adding the value

555:
class AnotherNewClass "555" add
Creates an internal class named ThirdNewClass that contains a list of

strings:
class ThirdNewClass "aaaa" "bbbb" "cccccc" "dd"
Modifies the internal class named ThirdNewClass by deleting the member

aaaa from the list of strings:
class ThirdNewClass "aaaa" delete
Creates an external class named MyExternalClass that contains IP

addresses that are stored in the MyOtherNewClass.cls file. The external
class has Read and Write permissions assigned to it:
class MyExternalClass type ip filename MyOtherNewClass.cls mode
rw
Displays the file name where the class list information is stored:
class MyExternalClass filename show
Defines a basic class using a string data value:

class cls-1 { 18 33 6 88 }
Defines a class that acts as a lookup table, by associating data values with
each value:
class cls-1 { 18 { "Job 1" } 33 { "Job 2" } 6 { "Job 3" } 88 { "Job 4" } }
Defines a class with data values that are associated with string class
members:
class cls-2 { "AL" { "Alabama" } "AK" { "Alaska" } “AZ” { "Arizona" } "AR" { "Arkansas" } }
Defines a class with data values that are associated with address class
members:
class cls-3 { host 10.4.5.2 { "www.aa.net" } host 10.88.4.17 { "www.bb.net" } }

Chapter 2
Options
You can use these options with the class command:
◆ filename
Specifies the path and file name that contains the list of data defined by
the external class.
◆ mode (read | rw)
Specifies a permission mode for the external class. Valid values are
read and rw (read/write).
◆ name
Specifies a unique string identifying the class.
◆ partition
Displays the partition within which the internal or external class
resides.
◆ separator
Specifies the separator used to separate the class member value from the
string value (if present) when used with an external class. The default
value is :=.
◆ type (ip | string | value)
Specifies the type of data you want to add to, modify, display, or delete
from an external class. This setting is required for external classes.
Specify the type by including a list of strings, values, or IP addresses.
Strings must be surrounded by quotation marks. Values (numbers) can be
either positive or negative. IP addresses can be in any of the following
four formats:
• network <ip addr> mask < ip mask>
• network <ip addr> prefixlen <number>
• network <ip addr> / <number>
• host <ip addr>
◆ <class ip item key>, <class string item key>, <class value item key>
Specifies the data you want to add to, modify, display, or delete from an
internal class. This setting is required for internal classes. Strings must
be surrounded by quotation marks. Numbers can be either positive or
negative.
See also
rule(1), bigpipe(1)
2 - 34
cli
Configures the bigpipe shell.
Syntax
Use this command to configure the bigpipe shell.
Create/Modify
Important
BIG-IP® Systems.
cli [{] <cli arg list> [}]

<cli arg> ::=
audit (enable | disable | verbose | all)
hostname lookup (enable | disable)
import save <number>
ip addr (name | number)
service (name | number)
Display
cli [show [all]]
cli list [all]
cli audit [show]
cli hostname lookup [show]
cli import save [show]
cli ip addr [show]
cli service [show]
Description
This command provides the ability to configure the bigpipe shell to meet
your specific needs.

Chapter 2
Examples
Sets the audit level of the bigpipe shell to enable:
cli audit enable
Configures the bigpipe shell to store three backup single configuration files
(config/backup.scf, /config/backup-1.scf, and /config/backup-2.scf), and
to display IP addresses and services by number, for example:
192.168.10.20:80:
cli import 3 ip addr number service number
Options
You can use these options with the cli command:
◆ audit
Specifies the global audit level of the bigpipe shell. The audited
commands are stored in /var/log/audit. The audit levels are:
• disable
The bigpipe utility does not log any commands entered by users. This
is the default value.
• enable
The bigpipe utility audits all commands entered by users, including
the commands that the merge command runs. This does not include
the commands that the load and import commands run.
• verbose
The bigpipe utility audits all commands entered by users, including
the commands that the merge command runs. The bigpipe shell also
audits the commands that the load and import commands run, except
for those included in the system configuration files:
config_base.conf, base_monitors.conf, profile_base.conf, and
daemon.conf.
• all
The bigpipe utility audits all the commands that are run from all
sources.
◆ hostname lookup
When enabled, specifies that the bigpipe shell accepts host names in
place of IP addresses in the syntax of bigpipe commands. The default
value is disable.
◆ import
Specifies the number of backup single configuration files that the system
stores. Each time you run the import command, the bigpipe shell saves
the single configuration file. For example, if you set the import parameter
to 3, after you run the import command for the third time, you see three
files on your system:
• /config/backup.scf
• /config/backup-1.scf
• /config/backup-2.scf
2 - 36
The newest backup file is /config/backup.scf. By default, the system

saves only two backup single configuration files.
◆ ip addr
Specifies the format with which the bigpipe shell displays an IP address.
Possible values are:
• name
The bigpipe shell displays an IP address using a host name, for
example: www.myhostname.com. This is the default value.
• number
The bigpipe shell displays an IP address using a numeric address, for
example: 192.168.10.20.
◆ partition
Displays the partition within which the object resides.
◆ service
Specifies the format in which the bigpipe shell displays a service.
Possible values are:
• name
The bigpipe shell displays a service using a host name, for example:
HTTP.
• number
The bigpipe shell displays a service using a numeric value, for
example, 192.168.10.20:80, where 80 indicates HTTP. This is the
default value.
See also
bigpipe(1)

Chapter 2
config
Manages the BIG-IP system user configuration sets.
Syntax
Use this command to manage or display configuration data.
Modify
config check [all]
config diff <file name> [<file name>]
config install [all] <file name> [passphrase [<string>]]
[excludes <file name>]
config [support] save <file name> [passphrase [<string>]]
config sync [all]
config sync min
config sync pull
config sync show
Display
config show <file name>
Description
The config command manages user configuration sets. A user configuration
set (UCS) is the set of all configuration files that a user may edit to
configure a BIG-IP system. A UCS file is an archive that contains all the
configuration files in a UCS.
The config command enables you to save the BIG-IP system configuration
to a UCS file, install the configuration from a password-protected UCS file,
or synchronize the configuration with the other BIG-IP system in a
redundant system configuration.
Examples
Saves <file.ucs>, overwriting all configuration files, including
/config/bigip.conf:
config [support] save <file.ucs> [passphrase [<string>]]
Unpacks and installs myconfiguration.ucs, overwriting all configuration

files, including /config/bigip.conf:
config install myconfiguration.ucs>
Displays the status of the configuration synchronization system and the date
and time the last configuration change was made:
config sync show
2 - 38
Unpacks and installs <file.ucs>, overwriting all configuration files,

including /config/bigip.conf:
config install <file.ucs>
Copies a UCS file, without the license file, from one system to another:
config install all <file.ucs> [passphrase [<string>]] \
[excludes <file.ucs>]
Note that when copying the UCS file, using the above command, the
system:
• Checks to see whether a license file exists and if so, checks whether the
file is valid. If no license file exists or the license file is not valid, the
bigpipe utility exits.
• Sets the system host name according to the host name in the UCS file.
• Saves the running configuration to the location
/var/local/ucs/cs_backup.ucs.
• Installs the configuration from the UCS file onto the system, excluding
the license file.
Saves the currently running configuration to /config/bigip.conf. Copies

/config/bigip.conf to the other BIG-IP system in a redundant system
configuration, and loads /config/bigip.conf on the other BIG-IP system:
config sync min
Creates a temporary UCS file and transfers it to the other BIG-IP system.
Installs the UCS file on the other BIG-IP system:
config sync all
Runs a syntax check on the configuration files in the configuration

synchronization system:
config check all
Use the following command to pull the configuration from the peer device
and install it on the local device. This command saves the UCS file on the
remote peer, then transfers the UCS file to the local system, and installs it on
the local system. This command provides the ability to synchronize the
configuration from the local device without having to log on to the peer
device to push the configuration back:
config sync pull
Use the following command to configure a BIG-IP system using the UCS
file of another BIG-IP system. To do this, copy the UCS file from a BIG-IP
system, save it to the BIG-IP system that you want to configure, and then
run the following command on the system that you want to configure:
config install [all] file_name.ucs passphrase mypassword

Chapter 2
Options
You can use these options with the config command:
◆ diff
Displays the differences between two specified configuration files.
◆ <file.ucs>
Specifies the name of a UCS file that you want to install or save.
◆ excludes
◆ install
Installs the specified UCS file, overwriting the existing UCS file.
◆ save
Saves the password-protected configuration file that has a UCS file
extension.
◆ sync
Saves the running configuration and copies it to the other unit in the
Note that the configsync command enables you to set the parameters for
the task of running the configuration synchronization. For more
information, see configsync, on page 2-41.
◆
See also
bigpipe(1), configsync(1)
2 - 40
configsync
Specifies the parameters for the task of synchronizing the configurations of
two BIG-IP units in a redundant system configuration.
Syntax
Use this command to set up the environment for a configuration
synchronization of two BIG-IP units in a redundant system configuration.
Create/Modify
Important
BIG-IP® Systems.
configsync [{] <configsync arg list> [}]

<configsync arg> ::=
auto detect (enable | disable)
custom peer addr (<ip addr> | none)
encrypt (enable | disable)
passphrase (crypt (<string> | none) | <string> | none)
password (crypt (<string> | none) | <string> | none)
peer update interval <number>
time diff <number>
user (<string> | none)
Display
configsync [show [all]]
configsync list [all]
configsync auto detect [show]
configsync custom peer addr [show]
configsync encrypt [show]
configsync passphrase [show]
configsync password [show]
configsync peer update interval [show]
configsync time diff [show]
configsync user [show]

Chapter 2
Description
You can use the configsync command to set up a the parameters for the task
of synchronizing the configuration of two BIG-IP units in a redundant
system configuration.
Examples
Indicates that a user with the user name admin will have to enter the
password 15GmA*4 when attempting to perform a configuration
synchronization between two BIG-IP systems:
configsync encrypt enable password 15GmA*4 user admin
Options
You can use these options with the configsync command:
◆ auto detect
Enables or disables the automatic detection of a difference in the
configurations of two systems in a redundant system configuration. The
default value is disable.
◆ custom peer addr
Specifies the IP address of the other BIG-IP system in a redundant
system configuration. This is the IP address of the system to which you
want to synchronize the configuration. The default value is the value of
the statemirror peer addr field.
◆ encrypt
Enables or disables the encryption of the configuration synchronization
action. When enabled, the system automatically requests a password
when a user attempts to synchronize the configurations of two BIG-IP
systems in a redundant system configuration. The default value is
disable.
◆ partition
Displays the partition within which the configsync object resides.
◆ passphrase
When the encrypt parameter is enabled, specifies the passphrase that you
must enter during a configuration synchronization of two systems in a
redundant system configuration to decrypt any encrypted data. The
system prompts you to enter this passphrase twice. Once to create the
UCS file on one unit of a redundant system configuration, and a second
time to unpack and install that UCS file on the peer unit.
◆ password
Specifies the password that is required to perform the configuration
synchronization of two BIG-IP systems. By default, this value is the
password for the admin user account.
◆ peer update interval
When auto detect is enabled, specifies how often the system monitors
the configuration of the two units in a redundant system configuration.
2 - 42
◆ time diff
Specifies the maximum number of seconds of difference there can be in
the time settings of the units in a redundant system configuration before a
configuration synchronization occurs. The default time difference is 600
seconds.
◆ user
Specifies the name of the user account that has the necessary permissions
to run the configsync command. You must specify an existing local user
account. The default value is admin. It is important to note that if you
change this option, F5 recommends that you also change the password
option.
See also
bigpipe(1), config(1)

Chapter 2
conn
Sets idle timeout for, displays, and deletes active connections on the BIG-IP
system.
Syntax
Use this command to set the idle timeout for, display, or delete active
connections on the BIG-IP system.
Create/Modify
conn (<conn key> | all) [{] <conn arg list> [}]
<conn key> ::=
[client (<ip addr> | <member>)] [server (<ip addr> | <member>)] \
[(any | local | mirror)] [protocol <protocol>] [age <number>]
<conn arg> ::=
age <number>
client (<ip addr> | <member>)
idle timeout (<number> | immediate | indefinite)
protocol <protocol>
server (<ip addr> | <member>)
(any | local | mirror)
Display
conn [<conn key> | all] [show [all]]
conn (<conn key> | all) stats reset
Delete
conn (<conn key> | all) delete
Description
The conn command displays the current connections on the BIG-IP system,
sets the idle timeout for a connection, or deletes the connection.
You can specify the <protocol> value using either a number or a name
(http or 80).
If you do not specify a port or service, the system deletes all connections
with the client-side source that match just the IP address. If you do not
specify an IP address, the system deletes all connections, including mirrored
connections.
2 - 44
Examples
Shows basic connection information for all connections:
conn all show
Shows verbose connection information for all connections:

conn all show all
Shows idle timeout connection information for all connections:

conn all idle timeout show
Options
You can use this option with the conn command:
◆ <protocol>
Specifies a port or service.
See also
bigpipe(1)

Chapter 2
crldp server
Creates a Certificate Revocation List Distribution Point (CRDLP) server
object for implementing a CRLDP authentication module.
Syntax
Use this command to configure a CRLDP server object.
Create/Modify
Important
BIG-IP® Systems.
crldp server <crldp server key> {}

crldp server (<crldp server key> | all) [{] <crldp server arg list> [}]
<crldp server key> ::=
<name>
<crldp server arg> ::=
base dn (<string> | none)
name <name>
reverse dn (enable | disable)
server (<string> | none)
Display
crldp server [<crldp server key> | all] [show [all]]
crldp server [<crldp server key> | all] list [all]
crldp server (<crldp server key> | all) base dn [show]
crldp server (<crldp server key> | all) name [show]
crldp server (<crldp server key> | all) partition [show]
crldp server (<crldp server key> | all) reverse dn [show]
crldp server (<crldp server key> | all) server [show]
crldp server (<crldp server key> | all) service [show]
Delete
crldp server (<crldp server key> | all) delete
2 - 46
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command), creating a CRLDP
profile (using the profile auth command), and assigning the profile to the
virtual server.
Examples
Creates a CRLDP server named my_crldp_server:
crldp server my_auth_crldp {}
Deletes the CRLDP server named my_crldp_server:

crldp server my_crldp_server delete
Options
You can use these options with the crldp server command:
◆ base dn
Specifies the LDAP base directory name for certificates that specify the
CRL distribution point in directory name (dirName) format. Used when
the value of the X509v3 attribute crlDistributionPoints is of type
dirName. In this case, the BIG-IP system attempts to match the value of
the crlDistributionPoints attribute to the base dn value. An example of
a base dn value is cn=lxxx,dc=f5,dc=com.
◆ partition
Displays the partition within which the crldp server object resides.
◆ reverse dn
Specifies in which order the system is to attempt to match the Base DN
value to the value of the X509v3 attribute crlDistributionPoints. When
enabled, the system matches the base DN from left to right, or from the
beginning of the DN string, to accommodate dirName strings in
certificates such as C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The
◆ server
Specifies an IP address for the CRLDP server. This setting is required.
◆ service
Specifies the port for CRLDP authentication traffic. The default service
is 389.
See also
auth crldp(1), profile auth(1), bigpipe(1)

Chapter 2
daemon
Tunes the high availability functionality that is built into daemons.
Syntax
Use this command to modify or display daemons.
Modify
daemon <daemon key> {}
daemon (<daemon key> | all) [{] <daemon arg list> [}]
<daemon key> ::=
<name>
<daemon arg> ::=
heartbeat monitor (enable | disable)
heartbeat monitor (reboot | restart | failover | go active | no action | \
restart all | failover restart tm | failover abort tm | go offline | \
go offline restart | go offline abort tm | go offline downlinks | \
go offline downlinks restart)
heartbeat monitor redundant (reboot | restart | failover | go active | \
no action | restart all | failover restart tm | failover abort tm | \
go offline | go offline restart | go offline abort tm | go offline downlinks | \
heartbeat monitor stand alone (reboot | restart | failover | go active | \
name <name>
proc not run action (reboot | restart | failover | go active | no action | \
running (enable | disable)
running timeout <number>
Display
daemon [<daemon key> | all] [show [all]]
daemon [<daemon key> | all] list [all]
daemon (<daemon key> | all) heartbeat monitor [show]
daemon (<daemon key> | all) heartbeat monitor redundant [show]
daemon (<daemon key> | all) heartbeat monitor stand alone [show]
daemon (<daemon key> | all) name [show]
daemon (<daemon key> | all) proc not run action [show]
daemon (<daemon key> | all) running [show]
daemon (<daemon key> | all) running timeout [show]
2 - 48
Delete
daemon (<daemon key> | all) delete
Description
This command provides the ability to fine-tune the daemons that provide
high availability functionality.
Examples
Enables the system to fail over and reboot due to lack of a detected heartbeat
from the sod daemon:
daemon sod heartbeat monitor enable
Options
You can use these options with the daemon command:
◆ heartbeat monitor
Enables or disables the heartbeat on the specified daemon, or performs an
action. Typically, if a daemon does not periodically connect with its
heartbeat location, it is restarted automatically. This command enables
you to disable automatic restart. The daemons that supply a heartbeat are:
tmm, mcpd, bigd, sod, and bcm56xxd. The default value is enable.
Specify the action the daemon should take if no heartbeat is detected.
Possible values are reboot, restart, failover, failover restart, go active
no action, restart all, failover restart tm, go offline, go offline restart,
go offline abort tm, go offline downlinks, go offline downlinks
restart, and failover abort tm. The default value is restart.
◆ heartbeat monitor redundant
Specify the action the daemon should take if no heartbeat is detected on
the redundant heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, failover
restart tm, go offline, go offline restart, go offline abort tm, go offline
downlinks, go offline downlinks restart, and failover abort tm. The
default value is restart.
◆ heartbeat monitor stand alone
Specify the action the daemon should take if no heartbeat is detected on a
standalone heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, failover
restart tm, go offline, go offline restart, go offline abort tm, go offline
downlinks, go offline downlinks restart, and failover abort tm. The
default value is restart.

Chapter 2
◆ proc not run action

Specify the action the daemon should take if a configured traffic or
system management action is not run. Possible values are reboot,
restart, failover, failover restart, go active no action, restart all,
failover restart tm, go offline, go offline restart, go offline abort tm,
go offline downlinks, go offline downlinks restart, and failover abort
tm. The default value is failover.
◆ running
Enables or disables actions configured for the traffic management and
system management daemons. You can use this feature to disable the
action a daemon takes during failover. For example, when you want to
stop a daemon and you do not want the unit to failover, you can issue the
running disable command for the daemon. The default value is disable.
◆ running timeout
Specify the length of time you want disabled actions to remain disabled.
See also
ha table(1), bigpipe(1)
2 - 50
daemon mcpd
Sets internal settings for the mcpd daemon.
Syntax
Use this command to set the system log levels for the mcpd daemon.
Create/Modify
Important
BIG-IP® Systems.
daemon mcpd [{] <daemon mcpd arg list> [}]

<daemon mcpd arg> ::=
audit (enable | disable | verbose | all)
loglevel (panic | emergency | alert | critical | error | warning | notice | \
informational | debug)
Display
daemon mcpd [show [all]]
daemon mcpd list [all]
daemon mcpd audit [show]
daemon mcpd loglevel [show]
Description
You use this command to enable auditing and to set the system log levels for
the mcpd daemon.
Examples
The following command sets the log level of the mcpd daemon to critical.
This means that the system logs critical, alert, emergency and panic
messages from the daemon.
daemon mcpd loglevel critical

Chapter 2
Options
You can use these options with the daemon mcpd command:
◆ audit
Enables or disables auditing for the mcpd daemon, and specifies verbose
or all as the auditing level. The default value is disable.
◆ loglevel
Specifies the lowest level of mcp daemon messages to include in the
system log. The default value is notice.
◆ partition
Displays the partition within which the mcpd daemon resides.
See also
bigpipe(1), daemon(1), daemon tmm(1)
2 - 52
daemon tmm
Sets internal settings for the tmm daemon.
Syntax
Use this command to set the system log levels for the tmm daemon.
Create/Modify
Important
BIG-IP® Systems.
daemon tmm [{] <daemon tmm arg list> [}]

<daemon tmm arg> ::=
arp loglevel (error | warning | notice | informational | debug)
http compression loglevel (error | warning | notice | informational | debug)
http loglevel (error | warning | notice | informational | debug)
ip loglevel (warning | notice | informational | debug)
layer4 loglevel (notice | informational | debug)
net loglevel (critical | error | warning | notice | informational | debug)
os loglevel (emergency | alert | critical | error | warning | notice | \
pva loglevel (debug | informational | notice)
rules loglevel (error | warning | notice | informational | debug)
ssl loglevel (emergency | alert | critical | error | warning | notice | \
Display
daemon tmm [show [all]]
daemon tmm list [all]
daemon tmm arp loglevel [show]
daemon tmm http compression loglevel [show]
daemon tmm http loglevel [show]
daemon tmm ip loglevel [show]
daemon tmm layer4 loglevel [show]
daemon tmm net loglevel [show]

Chapter 2
daemon tmm os loglevel [show]

daemon tmm pva loglevel [show]
daemon tmm rules loglevel [show]
daemon tmm ssl loglevel [show]
Description
You use this command to set the system log levels for the tmm daemon.
Examples
The following command sets the ARP message log level for the tmm
daemon to error. This means that the system logs only ARP error messages
from the daemon.
daemon tmm arp loglevel error
Options
You can use these options with the daemon tmm command:
◆ arp loglevel
Specifies the lowest level of ARP messages from the tmm daemon to
include in the system log. The default value is warning.
◆ http loglevel
Specifies the lowest level of HTTP messages from the tmm daemon to
include in the system log. The default value is error.
◆ http compression loglevel
Specifies the lowest level of HTTP compression messages from the tmm
daemon to include in the system log. The default value is error.
◆ ip loglevel
Specifies the lowest level of IP address messages from the tmm daemon
to include in the system log. The default value is warning.
◆ layer4 loglevel
Specifies the lowest level of Layer 4 messages from the tmm daemon to
include in the system log. The default value is notice.
◆ net loglevel
Specifies the lowest level of network messages from the tmm daemon to
◆ os loglevel
Specifies the lowest level of operating system messages from the tmm
daemon to include in the system log. The default value is notice.
◆ partition
Displays the partition within which the tmm daemon resides.
◆ pva loglevel
Specifies the lowest level of PVA messages from the tmm daemon to
include in the system log. The default value is informational.
2 - 54
◆ rules loglevel
Specifies the lowest level of iRule messages from the tmm daemon to
◆ ssl loglevel
Specifies the lowest level of SSL messages from the tmm daemon to
See also
bigpipe(1), daemon(1), daemon mcpd(1)

Chapter 2
db
Displays or modifies bigdb database entries.
Syntax
Use this command to modify or display configuration database entries.
Modify
db (<db key> | all) [{] <db arg list> [}]
<db key> ::=
<name>
<db arg> ::=
name <name>
<string>
Display
db [<db key> | all] [show [all]]
db [<db key> | all] list [all]
db (<db key> | all) reset
db (<db key> | all) name [show]
db (<db key> | all) value [show]
Description
The db command enables you to modify and retrieve the data that is stored
in the bigdb configuration database.
Important
After you change a bigdb database variable using the db command, you
must run the save all command. If you do not, the next time that you run the
load command, the value of the bigdb database variable may be reset to the
value in the stored configuration.
Examples
Resets each database entry and setting to its default:
db all reset
Sets the database entry, SYN Check™ Activation Threshold, back to the
default value:
db Connection.SynCookies.Threshold 16384
2 - 56
Options
Use these options with the db command:
◆ name
The name of the database entry that you want to modify or display.
◆ value
The value that you want to assign to the database entry that you are
modifying. When you are modifying a configuration database entry, this
value is required.
See also
bigpipe(1)

Chapter 2
dns
Configures the Domain Name Service (DNS) for the BIG-IP system. Also,
displays and resets statistics for the DNS profile.
Syntax
Use this command to configure DNS for the system.
Create/Modify
Important
BIG-IP® Systems.
dns [{] <dns arg list> [}]

<dns arg> ::=
include (<string> | none)
nameservers (<ip addr list> | none) [add | delete]
search (<string list> | none) [add | delete]
Display
dns [show [all]]
dns list [all]
dns include [show]
dns nameservers [show]
dns search [show]
Description
You can use this command to manage configurations by server grouping, in
this case, DNS servers.
Examples
The following commands display the global statistics for the DNS profile:
dns
dns show
Adds DNS name servers with the IP addresses, 192.168.10.20 and

192.168.10.22, to the BIG-IP system:
dns nameservers 192.168.10.20 192.168.10.22 add
2 - 58
The following command syntax adds the host names, siterequest.com,

store.siterequest.com, and london.siterequest.com, to the DNS search
configuration for the BIG-IP system. When DNS searches for the host,
siterequest, which is not a fully qualified domain name, it uses the IP
address of the first match, in this case, siterequest.com.
dns search siterequest.com store.siterequest.com \
london.siterequest.com
Options
Use these options with the dns command:
◆ include
Warning: Do not use this parameter without assistance from the F5
Technical Support team. The system does not validate the commands
issued using the include parameter. If you use this parameter
incorrectly, you put the functionality of the system at risk.
◆ nameservers
Adds a group of DNS name servers to or deletes a group of DNS name
servers from the BIG-IP system.
◆ partition
Displays the partition within which the dns object resides.
◆ search
Adds a list of domain names in a specific order. DNS uses that order
when searching for host names that are not fully qualified. You can also
use this option to delete domain names in the list.
See also
bigpipe(1), profile dns(1)

Chapter 2
exit
Exits the bigpipe shell.
Syntax
Use this command to exit the bigpipe shell.
Usage
exit
Description
You can use this command at the bigpipe shell prompt to exit the shell and
return to the BIG-IP system prompt.
Examples
When you are finished running commands at the bigpipe shell prompt, type
exit to exit the shell and return to the system prompt:
exit
See also
bigpipe(1)
2 - 60
export
Creates a single configuration file (SCF) that you can use to configure
another BIG-IP system using the import command.
Important
The export command is independent of and distinct from the save all
command. For more information on the save all command, see save, on
page 2-285.
Syntax
Use this command to create a single configuration file (SCF).
Create/Modify
export [oneline] [<file name> | -]
Description
You use the export command to save the running configuration in a flat,
text file with the extension .scf.
Examples
Creates the SCF, myconfiguration.scf, which contains the running
configuration of the system:
export myconfiguration
Note
The system appends the specified file name with the extension .scf.
Creates the SCF, default.scf, which contains the running configuration of

the system:
export /shared/default
WARNING
You cannot use the export command to create an SCF file named default,
unless you explicitly include a path name to the file, as shown in the
example above.

Chapter 2
Options
Use these options with the export command:
◆ oneline
Specifies that each command in the file is written on one line without
line feeds, and that there is one line feed after each command. This
parameter can create very long lines of text. Note that if you do not use
this parameter, each command is written with line feeds between the
attributes and values for readability.
◆ <file name>
Specifies the name of the SCF you are creating. The system appends this
name with the extension .scf.
See also
bigpipe(1), import(1)
2 - 62
f5adduser
Adds local user accounts to the BIG-IP system.
Syntax
Use this command at the BIG-IP system prompt to add one or more local
users.
Create
f5adduser [-r <role name>|<role number>] [-n] [-s] -p <partition name> <username> ...
Description
You can use this command at the BIG-IP system prompt to add one or more
local users.
Examples
Adds a user account with the user role of Manager and access to all
partitions for Jim Smith:
f5adduser -r manager jsmith
Options
You can use these options with the f5adduser command at the BIG-IP
system prompt:
◆ -r
Specifies the user role you are assigning to the user. The default user role
is guest. The available user roles are:
• administrator
• resource admin
• user manager
• manager
• app editor
• operator
• guest
• policy editor
• none (no access)
◆ -n
Indicates no password for the user account. If you indicate no password,
the user cannot log on until an Administrator creates a password for the
account. If you do not use this option, the system prompts you to enter a
password, and then to confirm that password.

Chapter 2
◆ -s
If you are creating a user account with the user role of administrator,
the user is given access to the system prompt. If you are creating a user
account with a user role other than administrator, the user is given
access to the bigpipe shell.
◆ -p
Specify a partition name. If you do not specify a partition, the user
account is valid in all partitions.
See also
user(1)
2 - 64
failover
Configures and controls failover for a redundant system configuration.
Syntax
Use this command to control the failover of a system and configure the
failover feature for the system.
Create/Modify
Important
BIG-IP® Systems.
Use this syntax to control failover of a system:

failover (failback | offline | online | slave | standby)
Use this syntax to configure the failover feature for a system:

failover [{] <failover arg list> [}]
<failover arg> ::=
active-active mode (enable | disable)
force active (enable | disable)
force standby (enable | disable)
multicast peer (<multicast peer list> | none) [add | delete]
network failover (enable | disable)
peer mgmt addr (<ip addr> | none)
redundant (enable | disable)
standby link down time <float>
unicast peer (<unicast peer list> | none) [add | delete]
unit <number>
<multicast peer> ::= (<multicast peer key> | all) [{] <multicast peer arg list> [}]
<multicast peer key> ::=
<name>
<multicast peer arg> ::=
addr (<ip addr> | none)
interface (eth0 | mgmt)
name <name>
port <number>
<unicast peer> ::= (<unicast peer key> | all) [{] <unicast peer arg list> [}]

Chapter 2
<unicast peer key> ::=

<name>
<unicast peer arg> ::=
dest addr (<ip addr> | none)
name <name>
port <number>
source addr (<ip addr> | none)
Display
failover [show [all]]
failover list [all]
failover active-active mode [show]
failover force active [show]
failover force standby [show]
failover multicast peer [<multicast peer key> | all] [show [all]]
failover multicast peer [<multicast peer key> | all] list [all]
failover multicast peer (<multicast peer key> | all) addr [show]
failover multicast peer (<multicast peer key> | all) interface [show]
failover multicast peer (<multicast peer key> | all) name [show]
failover multicast peer (<multicast peer key> | all) port [show]
failover network failover [show]
failover peer mgmt addr [show]
failover redundant [show]
failover standby link down time [show]
failover unicast peer [<unicast peer key> | all] [show [all]]
failover unicast peer [<unicast peer key> | all] list [all]
failover unicast peer (<unicast peer key> | all) dest addr [show]
failover unicast peer (<unicast peer key> | all) name [show]
failover unicast peer (<unicast peer key> | all) port [show]
failover unicast peer (<unicast peer key> | all) source addr [show]
failover unit [show]
Delete
failover multicast cluster peer (<multicast cluster peer list> | none) delete
failover unicast cluster peer (<unicast cluster peer list> | none) delete
Description
Failover is a process that occurs when one unit in a redundant system
configuration becomes unavailable, thereby requiring the peer unit to
assume the processing of traffic originally targeted for the unavailable unit.
To facilitate coordination of the failover process, each unit has a unit ID (1
or 2).
2 - 66
You can use the failover command to switch the active unit to be the
standby unit in a redundant configuration. Be careful about using the
failover command to control the unit. It is provided only for special
situations. The unit automatically switches between active and standby
modes, without operator intervention.
Examples
Causes the active unit to go into the standby state, forcing the other unit in
the redundant system configuration to become active:
failover standby
Restores an active-active configuration after a failure:

failover failback
Options
Use these options to control failover of the system:
◆ failback
Initiates failback for an active-active system. Failback re-establishes
normal BIG-IP system processing when a previously-unavailable BIG-IP
system becomes available again.
◆ offline
Changes the status of a unit to Forced Offline.
◆ online
Changes the status of a unit from Forced Offline to either Active or
Standby, depending upon the status of the other unit in a redundant
◆ standby
Specifies that the active unit fails over to a standby state, causing the
standby unit to become active.
Use these options to configure failover for the system:

◆ active-active mode
Enables or disables active mode for a unit in a redundant system
configuration. The default value is disable.
◆ force active
When enabled, makes the unit prefer to be the active unit. The default
value is disable.
◆ force standby
When enabled, makes the unit prefer to be the standby unit. The default
value is disable.

Chapter 2
◆ multicast peer
Adds a multicast peer or deletes a multicast peer from the specified unit
for failover purposes. When you add a multicast peer you include the
following options:
• addr
• interface
• name
• port
◆ network failover
Specifies, when enabled, that this unit utilizes the network to determine
the status of the peer unit. You can use network failover in addition to, or
instead of, hard-wire failover. The default value is disable.
◆ partition
Displays the partition within which the failover object resides.
◆ peer mgmt addr
Specifies the floating management IP address of the peer unit.
◆ redundant
Enables or disables redundancy for a unit in a redundant system
◆ standby link down time
Specifies the amount of time, within the valid range of 0 - 10 seconds,
that the interfaces are down before the unit fails over to standby. Use this
setting to prompt peer switches to reset and relearn their Address
Resolution Protocol (ARP) tables after a failover. The default value is 0
(zero) seconds, which disables this option.
When using network failover, do not enable this feature unless you
configure the custom addr and custom peer addr settings to use the
management port.
◆ unicast peer
Adds a unicast peer or deletes a unicast peer from the specified unit for
failover purposes. When you add a unicast peer you include the
following options:
• dest addr
• name
• port
• source addr
◆ unit
Specifies a number for a unit in a BIG-IP redundant system
configuration. The default value is 1.
See also
bigpipe(1), statemirror(1)
2 - 68
fasthttp
Displays and resets global statistics for the Fast HTTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast HTTP profile.
Modify
fasthttp stats reset
Display
fasthttp [show [all]]
Description
You can use this command to display and reset global statistics for the Fast
HTTP profile.
Examples
The following commands display the global statistics for the Fast HTTP
profile:
fasthttp
fasthttp show
Resets all statistics for the Fast HTTP profile on the system:
fasthttp stats reset
See also
profile fasthttp (1)

Chapter 2
fastL4
Displays and resets statistics for the Fast Layer 4 profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast Layer 4 profile.
Modify
fastl4 stats reset
Display
fastl4 [show [all]]
Description
Display detailed Fast Layer 4 profile statistics. These statistics include
connectivity statistics, errors generated, and SYN cookies used.
Examples
The following commands display statistics for the Fast Layer 4 profile:
fastl4
fastl4 show
Resets all statistics for the Fast Layer 4 profile on the system:
fastl4 stats reset
See also
profile fastl4 (1)
2 - 70
fipscardsync
Synchronizes the FIPS hardware security modules (HSMs) of a redundant
Syntax
Use this command at the BIG-IP system prompt to synchronize the FIPS
HSMs of a redundant system configuration.
Modify
fipscardsync peer
Description
Synchronizes the FIPS hardware security modules (HSMs) of a redundant
system configuration. Note that synchronizing the HSMs provides the
ability to exchange keys between the units of a redundant system
configuration.
Examples
Run this command at the console of the active unit to synchronize the FIPS
HSMs of a redundant system configuration:
fipscardsync peer
See also
fipsutil(1)

Chapter 2
fipsutil
Configures and maintains a FIPS security domain on a BIG-IP redundant
Syntax
Use this command at the console to configure and maintain a FIPS security
domain for a BIG-IP redundant system configuration.
Modify
fipsutil [flags] <action>
[flags] ::=
-d
-f
-v
<action> ::=
clean
crash
dump
fwcheck
fwupdate
genpbekey
init
labelcheck
monitor
login
logout
postfwupdate
reset
scupdate
test
Description
You can use this command to initialize the FIPS hardware security module
(HSM), and to create a security officer (SO) password and a security domain
name on the active unit of a BIG-IP redundant system configuration. After
you do this on the active unit, use the same security domain name and SO
password to initialize and configure the other unit of the redundant system
configuration.
2 - 72
Examples
Initializes the HSM, prompts you to create an SO password, and then
prompts you to create a security domain name:
fipsutil -f init
Options
You can use these options with the fipsutil command:
◆ flags
The flags include:
• -d
Indicates to use the default SO Password. You are not prompted to
create a password.
• -f
Re-initializes the Nitrox FIPS board (NFB) or installs older firmware.
• -v
Displays verbose information about the FIPS security domain.
◆ actions
The actions include:
• clean
Do not use this parameter without assistance from the F5 Technical
Support team.
• crash
Support team.
• dump
Support team.
• fwcheck
Checks for available NFB firmware updates.
• fwupdate
Updates NFB firmware, if necessary.
• genpbekey
This option is not used.
• init
Initializes and logs you in to the NFB, and sets the security domain
name.
• labelcheck
Checks to see if the FIPS card is set to the default.
• login
Support team.
• logout
Support team.

Chapter 2
• monitor
Support team.
• postfwupdate
Support team.
• reset
Support team.
• scupdate
Support team.
• test
Support team.
See also
fipscardsync(1)
2 - 74
ftp
Displays and resets global statistics for the FTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset the statistics for the FTP profile.
Modify
ftp stats reset
Display
ftp [show [all]]
Description
You can use the ftp command to display and reset global statistics for the
FTP profile.
Examples
The following commands display the global statistics for the FTP profile:
ftp
ftp show
Resets all statistics for the FTP profile on the system:

ftp stats reset
See also
profile ftp (1)

Chapter 2
global
Displays and resets global statistics for the BIG-IP system.
Syntax
Use this command to display or reset global statistics for the system.
Display
global [show [all]]
Delete
global stats reset
Description
Display and reset global system statistics. These statistics include client
side, server side, PVA connections, TMM cycles, denials, CPU usage,
memory, packets, authorization, and OneConnect™ information.
Examples
Displays all global statistics:
global stats show
Resets all global statistics:

global stats reset
See also
bigpipe(1)
2 - 76
ha group
Configures the high availability (HA) scoring mechanism for a unit in a
Syntax
Use this command to configure high availability.
Create/Modify
ha group <ha group key> {}
ha group (<ha group key> | all) [{] <ha group arg list> [}]
<ha group key> ::=
<name>
<ha group arg> ::=
active bonus <number>
clusters (<ha group cluster list> | none) [add | delete]
(enable | disable)
name <name>
pools (<ha group pool list> | none) [add | delete]
trunks (<ha group trunk list> | none) [add | delete]
<ha group cluster> ::= (<ha group cluster key> | all) [{] <ha group cluster arg list>
[}]
<ha group cluster key> ::=
<cluster key>
<ha group cluster arg> ::=
attribute (percent up members)
cluster <cluster key>
scoring <ha group score params>
<ha group score params> ::= [{] <ha group score params arg list> [}]
<ha group score params arg> ::=
threshold <number>
weight <number>
<ha group pool> ::= (<ha group pool key> | all) [{] <ha group pool arg list> [}]
<ha group pool key> ::=
<pool key>
<ha group pool arg> ::=
pool <pool key>
threshold <number>
weight <number>
<ha group trunk> ::= (<ha group trunk key> | all) [{] <ha group trunk arg list> [}]

Chapter 2
<ha group trunk key> ::=

<trunk key>
<ha group trunk arg> ::=
trunk <trunk key>
threshold <number>
weight <number>
Display
ha group [<ha group key> | all] [show [all]]
ha group [<ha group key> | all] list [all]
ha group (<ha group key> | all) active bonus [show]
ha group (<ha group key> | all) clusters [<ha group cluster key> | all] [show [all]]
ha group (<ha group key> | all) clusters [<ha group cluster key> | all] list [all]
ha group (<ha group key> | all) clusters (<ha group cluster key> | all) attribute [show]
ha group (<ha group key> | all) clusters (<ha group cluster key> | all) cluster [show]
ha group (<ha group key> | all) clusters (<ha group cluster key> | all) group [show]
ha group (<ha group key> | all) clusters (<ha group cluster key> | all) scoring [show]
ha group (<ha group key> | all) enable [show]
ha group (<ha group key> | all) name [show]
ha group (<ha group key> | all) pools [<ha group pool key> | all] [show [all]]
ha group (<ha group key> | all) pools [<ha group pool key> | all] list [all]
ha group (<ha group key> | all) pools (<ha group pool key> | all) attribute [show]
ha group (<ha group key> | all) pools (<ha group pool key> | all) group [show]
ha group (<ha group key> | all) pools (<ha group pool key> | all) pool [show]
ha group (<ha group key> | all) pools (<ha group pool key> | all) scoring [show]
ha group (<ha group key> | all) total score [show]
ha group (<ha group key> | all) trunks [<ha group trunk key> | all] [show [all]]
ha group (<ha group key> | all) trunks [<ha group trunk key> | all] list [all]
ha group (<ha group key> | all) trunks (<ha group trunk key> | all) attribute [show]
ha group (<ha group key> | all) trunks (<ha group trunk key> | all) group [show]
ha group (<ha group key> | all) trunks (<ha group trunk key> | all) scoring [show]
ha group (<ha group key> | all) trunks (<ha group trunk key> | all) trunk [show]
Delete
ha group (<ha group key> | all) delete
2 - 78
Description
Configures a high availability (HA) group that determines the HA scoring
mechanism for a unit in a redundant system configuration. This mechanism
compares the relative health of the two units and the system with the highest
score becomes the active unit.
Examples
Creates a HA group named group1:
b ha group group1
Options
You can use these options with the ha group command:
◆ active bonus
Specifies the value to gets added to the score of whichever member of
the redundant system configuration is active. The system calculates an
HA score based on the number of available members for each object, the
weight that you define, and any specified threshold.
◆ clusters
Specifies the cluster members that make up the HA group.
◆ group
Specifies the pool to use as the gateway fail-safe pool. Typically, the
members of this pool are the routers for each of the units in the redundant
system.
◆ pools
Specifies the pool members that make up the HA group.
◆ threshold
Specifies the minimum number of object members that must be
available. If the threshold falls below this value, the system triggers
failover.
◆ trunks
Specifies the trunks that make up the HA group.
See also
daemon(1), bigpipe(1)

Chapter 2
ha table
Displays the settings for high availability on a system.
Syntax
Use this command to display high availability settings.
Display
<ha table key> ::=
[peer] [failures]
ha table [<ha table key> | all] [show [all]]
ha table (<ha table key> | all) failures [show]
ha table (<ha table key> | all) peer [show]
Description
Displays high availability settings for the system. These settings include
daemon settings and failover settings.
Examples
Displays all peer settings:
ha table peer
Displays all daemon and failover settings:

ha table show
Columns
The HA table consists of several columns including Feature, Key, Action,
En, Act, Proc, Time, and Data.
◆ Feature
Displays the high availability feature.
◆ Key
Displays the specific instance of the feature, for example which daemon's
heartbeat is represented.
◆ Action
Displays the action that should be taken when the Act (take action)
column is yes.
◆ En
Indicates whether the feature is enabled.
2 - 80
◆ Act
Indicates that you should take action. For example, if the VLAN fail-safe
functionality determined that the VLAN had failed, it would set this
setting to yes which would cause the daemon to reboot the BIG-IP
system.
◆ Proc
Indicates the process that is exclusively responsible for creating and
writing to this row in the HA table.
◆ Time
The meaning of this column varies depending on the feature associated
with it. Typically, this value is a timeout value. For example, the sod
daemon heartbeat time is set to 20 (seconds). That means that if sod does
not increment its heartbeat in 20 seconds, the BIG-IP system reboots.
◆ Data
The meaning of this column also varies depending on the feature. For
daemon heartbeats, for example, this value shows the daemon
incrementing the value of its heartbeat.
Options
You can use these options with the ha table command:
◆ failures
Displays information about system failures only.
◆ peer
Displays the IP address for the system to use as an alternate for mirroring
connections.
See also
daemon(1), bigpipe(1)

Chapter 2
hardware
Displays information about the system hardware.
Syntax
Use this command to display the baud rate of the system hardware.
Display
hardware [{] <hardware arg list> [}]
<hardware arg> ::=
baud rate <number>
hardware [show [all]]
Description
You can use the hardware command to display the baud rate of the system
hardware.
Examples
The following three commands display the baud rate of the system
hardware:
hardware
hardware show
hardware baud rate
See also
bigpipe(1)
2 - 82
help
Displays online help for bigpipe command syntax.
Syntax
Use this command to display the man page for a bigpipe command.
Display
<command> help
Description
You can use this command to access the man page for the specified
command.
Examples
Displays the man page for the specified command:
vlan help
See also
bigpipe(1)

Chapter 2
http
Displays or resets HTTP statistics on the BIG-IP system.
Syntax
Use this command to display or reset HTTP statistics.
Modify
http stats reset
Display
http [show [all]]
Description
Display and reset HTTP statistics. The statistics you can view are standard
HTTP statistics, including requests, responses, Set-Cookie header insertions,
and OneConnect idle connections.
You can also view compression statistics (in bytes), such as the following:
total, image, HTML, JS, XML, SGML, plain text, video, audio, and octet.
Tip
In the Compression Statistics, total bytes section of the http command
output, saved indicates the ratio between the amount of content before
compression and the amount of content after compression. null indicates
content that is wrapped in compression headers, but is not compressed. The
system wraps content in compression headers, but does not compress it
when one of two situations occurs. Either the system exceeds the amount of
compression (in megabytes) for which it is licensed, or the CPU saver is
active. For more information about the CPU saver setting, see profile http,
on page 2-206.
Examples
Displays all HTTP statistics including compression statistics:
http show all
Resets all HTTP statistics to zero:

http stats reset
See also
profile http(1), bigpipe(1)
2 - 84
httpd
Configures the HTTP daemon for the BIG-IP system.
Syntax
Use this command to configure the HTTP daemon for the system.
Create/Modify
Important
BIG-IP® Systems.
httpd [{] <httpd arg list> [}]

<httpd arg> ::=
allow (<string list> | none) [add | delete]
authname (<string> | none)
authpamidletimeout <number>
fastcgitimeout <number>
hostnamelookups (On | Off | Double)
loglevel (debug | info | notice | warn | error | \
crit | alert | emerg)
ssl include (<string> | none)
sslcertchainfile (<string> | none)
sslcertfile (<string> | none)
sslcertkeyfile (<string> | none)
sslciphersuite (<string> | none)
Display
httpd [show [all]]
httpd list [all]
httpd allow [show]
httpd authname [show]
httpd authpamidletimeout [show]
httpd fastcgitimeout [show]
httpd hostnamelookups [show]
httpd include [show]
httpd loglevel [show]

Chapter 2
httpd ssl include [show]

httpd sslcertchainfile [show]
httpd sslcertfile [show]
httpd sslcertkeyfile [show]
httpd sslciphersuite [show]
Description
You configure the HTTP daemon for the system using the httpd command.
Important
F5 recommends that users of the Configuration utility exit the utility before
changes are made to the system using the httpd command. This is because
making changes to the system using the httpd command causes a restart of
the HTTP daemon. Likewise, restarting the HTTP daemon creates the
necessity for a restart of the Configuration utility.
Examples
When you change the SSL key, you must also change the SSL certificate.
You change the certificate/key pair using following command:
httpd { sslcertfile <string> sslcertkeyfile <string> }
Sets the pluggable authentication module (PAM) cache timeout to half a day
(in seconds):
httpd authpamcachetimeout 43200
Creates the SSL certificate file, mycert.crt, for the system:

sslcertfile /etc/httpd/conf/ssl.crt/mycert.crt
Replaces the existing list of hosts that can connect to the HTTP daemon
with the hosts in the range, 172.27.0.0/255.255.0.0:
httpd allow 172.27.0.0/255.255.0.0
Options
You can use these options with the httpd command.
◆ allow
Adds or deletes IP addresses, partial IP addresses, and IP address ranges,
host names, partial host names, domain names, partial domain names,
and network and netmask pairs for the HTTP clients from which the
HTTP daemon accepts request. The default value is all.
Warning: Using the value none resets the HTTP daemon to allow all
HTTP clients access to the system. F5 recommends that you do not use
the value none with the httpd command.
◆ authname
Specifies the name for the authentication realm. The default value is
BIG-IP.
2 - 86
◆ authpamidletimeout
Specifies, in seconds, the timeout for PAM. The default value is 1200
seconds.
◆ fastcgitimeout
Specifies, in seconds, the timeout for FastCGI.
◆ hostnamelookups
The default value is Off.
◆ include
◆ loglevel
Specifies the minimum httpd message level to include in the system log.
The default value is warn.
◆ partition
Displays the partition within which the HTTP daemon resides.
◆ sslcertchainfile
Specifies the name of the file that contains the SSL certificate chain. The
default value is none.
◆ sslcertfile
Specifies the name of the file that contains the SSL certificate. The
default value is /etc/httpd/conf/ssl.crt/server.crt.
Note that the path to the file must start with /etc/httpd/conf/ssl.crt/ or
/config/httpd/conf/ssl.crt/ unless the path is a relative path. If the path is
a relative path, then it must start with conf/ssl.crt/.
◆ sslcertkeyfile
Specifies the name of the file that contains the SSL certificate key. The
default value is /etc/httpd/conf/ssl.key/server.key.
Note that the path to the file must start with /etc/httpd/conf/ssl.key/ or
/config/httpd/conf/ssl.key/ unless the path is a relative path. If the path
is a relative path, then it must start with conf/ssl.key/.
When you change the key file, you must also change the certificate file.
In other words, the following command does not work to change the key:
httpd sslcertkeyfile <string>. Instead, you must use the following
command:
{ httpd sslcertfile <string> sslcerkeyfile <string> }
◆ sslciphersuite
Specifies the ciphers that the system uses.
◆ ssl include

Chapter 2
See also
bigpipe(1), ntp(1), dns(1), sshd(1), snmpd(1)
2 - 88
icmp
Displays and resets ICMP statistics.
Syntax
Use this command to display or reset ICMP statistics.
Modify
icmp stats reset
Display
icmp [show [all]]]
Description
Display and reset ICMP statistics. The statistics you can view are standard
ICMP statics, including ICMPv4 packets and errors, and ICMPv6 packets
and errors.
Examples
Displays all ICMP statics including compression statistics:
icmp show all
Resets all ICMP statistics to zero:

icmp stats reset
See also
monitor(1), bigpipe(1)

Chapter 2
import
Saves a backup of the running configuration in the /var/local/scf/ directory,
and then replaces the running configuration with the configuration contained
in the single configuration file (SCF) that you are importing.
Syntax
Use this command to replace the running configuration of the system with
the values contained in the SCF that you are importing. If you want to write
the new running configuration to the stored configuration files, after you run
the import command, you must run the save all command.
If you want to modify the running configuration of the BIG-IP system,
rather than replace it, you must use the merge command. For more
information, see the man page for the merge command.
Create/Modify
import [<file> | default | -]
Description
You import an SCF that was exported from another BIG-IP system after you
edit the file to work on the system to which you are importing it.
Examples
Loads the SCF, myconfiguration.scf, on the system:
import myconfiguration.scf
Resets the running configuration to the factory defaults; however, this does
not reset the management IP address or the management default route:
import default
Options
You can use these options with the import command.
◆ - <contents of SCF>
Use this option to replace the running configuration of the system using
the data in an SCF. First copy the contents of an SCF. Then type
import - and press the Enter key. The system responds with a Reading...
message. When the system finishes responding, on the command line,
paste the contents of the SCF that you copied, and then type Ctrl-D.
After the command sequence runs, the system has replaced the running
configuration. If you want to save the running configuration to the stored
configuration files, run the save all command.
Warning: F5 recommends that you do not use this option to import an
SCF. Instead, you should use the <file> option.
2 - 90
◆ <file>
Specifies the name of the SCF that you want to import, with the format
file_name.scf (for example, newconfiguration.scf).
◆ default
Resets the running configuration of the system to the factory defaults.
However, note that this option does not change the management port
networking information.
See also
bigpipe(1), export(1)

Chapter 2
interface
Configures the parameters of interfaces.
Syntax
Use this command to modify or display interface settings.
Modify
interface <interface key> {}
interface (<interface key> | all) [{] <interface arg list> [}]
<interface key> ::=
<if name>
<interface arg> ::=
auto edge (enable | disable)
edge port (false | true)
(enable | disable)
link type (p2p | shared | auto)
media (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \
10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full)
media fixed (auto | 10baseT half | 10baseT full | 100baseTX half | \
100baseTX full | 1000baseT half | 1000baseT full | 1000baseSX full | \
1000baseLX full | 10GbaseT full | 10GbaseSR full | 10GbaseLR full | \
10GbaseER full)
media sfp (auto | 10baseT half | 10baseT full | 100baseTX half | \
100baseTX full | 1000baseT half | 1000baseT full | 1000baseSX full | \
1000baseLX full | 10GbaseT full | 10GbaseSR full | 10GbaseLR full | \
10GbaseER full)
name <if name>
pause (none | tx rx | rx tx | tx | rx)
prefer (fixed | sfp)
stp (enable | disable)
stp reset
interface (<interface key> | all) stats reset
Display
interface [<interface key> | all] [show [all]]
interface [<interface key> | all] list [all]
interface (<interface key> | all) auto edge [show]
interface (<interface key> | all) edge port [show]
interface (<interface key> | all) enabled [show]
interface (<interface key> | all) errors [show]
interface (<interface key> | all) link type [show]
interface (<interface key> | all) mac addr [show]
interface (<interface key> | all) media [show]
2 - 92
interface (<interface key> | all) media duplex [show]

interface (<interface key> | all) media fixed [show]
interface (<interface key> | all) media options [show]
interface (<interface key> | all) media options sfp [show]
interface (<interface key> | all) media sfp [show]
interface (<interface key> | all) media speed [show]
interface (<interface key> | all) name [show]
interface (<interface key> | all) pause [show]
interface (<interface key> | all) pending [show]
interface (<interface key> | all) prefer [show]
interface (<interface key> | all) stats [show]
interface (<interface key> | all) stp [show]
interface (<interface key> | all) trunk [show]
interface (<interface key> | all) vendor [show]
Description
This command displays and sets media options, duplex mode, and status for
an interface. In addition, this command provides the ability to set
per-interface spanning tree parameters such as link type, edge port status,
automatic edge port detection, and also whether the interface participates in
the spanning tree configuration.
Examples
Enables the interface named 1.1:
interface 1.1 enable
Disables the interface named 1.1:

interface 1.1 disable
Disables STP on the interface named 1.3:

interface 1.3 stp disable
Enables auto edge detection for STP on the interface named 1.3:
interface 1.3 auto edge enable
Sets the edge port attribute for STP on the interface named 1.3:
interface 1.3 edge port true
Options
You can use these options with the interface command:
◆ auto edge
When automatic edge port detection is enabled on an interface, the
system monitors the interface for incoming STP, RSTP, or MSTP
packets. If no such packets are received for a sufficient period of time
(about three seconds), the interface is automatically given edge port

Chapter 2
status. When automatic edge port detection is disabled on an interface,

the system never gives the interface edge port status automatically. By
default, automatic edge port detection is enabled on all interfaces. Any
STP setting set on a per-interface basis applies to all spanning tree
instances. The default value is enable.
◆ edge port
Possible values are true and false. The default value is true.
◆ enable | disable
Enables or disables the specified interface.
◆ errors
Displays the error statistics for an interface.
◆ <interface key>
Specifies an interface key.
◆ <if name>
Specifies an interface name, for example 3.1, where 3 is the physical slot
number holding the network interface hardware and 1 is the physical port
number of that interface on that hardware. Another example is mgmt, the
name given to the management interface.
◆ link type
The spanning tree system includes important optimizations that can be
used only on point-to-point links. That is, on links which connect just
two bridges. If these optimizations are used on shared links, incorrect or
unstable behavior may result. By default, the implementation assumes
that full-duplex links are point-to-point and that half-duplex links are
shared. Possible values are p2p, shared, and auto. The default value is
auto.
◆ mac addr
Displays the media access control (MAC) address for the interface.
◆ media
Specifies a media type for the specified interface. The options are: auto,
10baseT half, 10baseT full, 100baseTX half, 100baseTX full,
1000baseT half, 1000baseT full, 1000baseSX full, 1000baseLX full,
10GbaseT full, 10GbaseSR full, 10GbaseLR full, and 10GbaseER
full. Note that you use this option only with a non-combo port.
◆ media duplex
Displays the duplex type for the interface. This information comes from
the interface driver.
◆ media fixed
full. Note that you use this option only with a combo port to specify the
media type for the fixed interface.
◆ media options
Displays all media types that are available for the specified interface.
2 - 94
◆ media options sfp

Displays all media types that are available for the specified SFP
interface.
◆ media sfp
full. Note that you use this option only with a combo port to specify the
media type for the SFP interface.
◆ pause
Possible values are rx, rx tx, tx, tx rx, and none. The default value is tx
rx.
◆ prefer
Indicates which side of a combo port the interface uses. The options are
fixed and SFP. The default value is fixed.
If you use the prefer option, use the media option to specify a media
type for the interface. Note that for an SFP-only interface, the prefer
option is ignored and you must use either the media or media sfp option
to set the media type for the interface.
◆ stp
Enables or disables STP. If you disable STP, no STP, RSTP, or MSTP
packets are transmitted or received on the interface or trunk, and
spanning tree has no control over forwarding or learning on the port or
the trunk. The default value is enable.
◆ stp reset
Resets STP.
◆ trunk
Displays, if the interface is a member, the name of the trunk with which
the interface is associated.
See also
mirror(1), stp(1), vlan(1), vlangroup(1), bigpipe(1)

Chapter 2
ip
Manages IP statistics on the BIG-IP system.
Syntax
Use this command to display or delete IP statistics on the BIG-IP system.
Display
ip [show [all]]
Delete
ip stats reset
Description
Display and reset IP statistics. The statistics you can view are standard IP
statistics, including IPv4 and IPv6 packets, fragments, fragments
reassembled, and errors.
Examples
Displays all IP statistics for the system:
ip show all
Resets all IP statistics to zero:

ip stats reset
See also
bigpipe(1)
2 - 96
ip addr
Displays all IP addresses currently attached to a configuration object in the
system.
Syntax
Use this command to display IP addresses in use on the system or to display
information about a specific IP address in use on the system.
Display
ip addr [<ip addr key> | all] [show [all]]
ip addr (<ip addr key> | all) arp [show]
ip addr (<ip addr key> | all) attribute [show]
ip addr (<ip addr key> | all) interface [show]
ip addr (<ip addr key> | all) ip [show]
ip addr (<ip addr key> | all) object [show]
<ip addr key> ::=
<ip addr>
Description
You can use this command to view the IP addresses that are attached to a
configuration object on the system.
Examples
Displays information about all IP addresses in use on the system:
bigpipe ip addr
Displays information about how the IP address of 10.2.3.11 is used on the

system:
bigpipe ip addr 10.2.3.11 show
Displays how the IP addresses are used in the configuration for all IP
addresses:
bigpipe ip addr all object show
Options
You can use these options with the ip addr command:
◆ arp
Specifies that you want to display only the ARP status of the IP
addresses.
◆ attribute
Specifies that you want to display only the attribute information about
the IP addresses.

Chapter 2
◆ interface
Specifies that you want to display only the interface information about
the IP addresses.
◆ ip
Specifies that you want to display only the IP address information about
the IP addresses.
◆ object
Specifies that you want to display only the types of objects for the IP
addresses.
See also
arp(1), mgmt(1), mgmt_route(1), ndp(1), node(1), pool(1), route(1),
self(1), virtual(1), virtual_address(1), bigpipe(1)
2 - 98
list
Displays all objects the user has permission to view. Depending on the
user’s Read partition, all objects that are not in partitions and all objects in
partition Common may also display.
Syntax
Use this command to display objects based on your Read partition setting.
Display
[base] list [all]
Description
When the default Read partition is All, the list command displays all objects
the user has permission to view. When you specify a Read partition, this
command displays all objects the user has permission to view in the current
partition, all objects that are not in partitions, and all objects in partition
Common.
Options
You can use these options with the list command:
◆ base
Lists the output of the single configuration file (SCF), including the
configuration of the BIG-IP system network components: MGMT port
address, MGMT route, internal and external VLANs, VLAN groups,
self-IP addresses, and self-allow values.
◆ all
Displays the complete system configuration.
See also
bigpipe(1)

Chapter 2
load
Replaces the running configuration with the configuration in the stored
configuration files.
Syntax
Use this command to replace the running configuration with the
configuration in the stored configuration files.
Usage
[base] load [<file> | - ]
verify load
Description
You can also use the load command to replace the running configuration
with the configuration stored in a specified file.
If you want to modify the running configuration of the BIG-IP system,
rather than replace it, you must use the merge command. For more
information, see the man page for the merge command.
Examples
The following command replaces the running configuration with the
configuration in the stored configuration files. The configuration loads after
you type Ctrl-D.
load -
<Ctrl-D>
The following command replaces the bigip.conf file with the

myconfigurationfile.conf file:
load myconfigurationfile.conf
The base load command replaces the running configuration using the
contents of the following files in the order shown:
• /defaults/config_base.conf
• /config/bigip_base.conf
• /config/bigip_sys.conf
2 - 100
The load command replaces the entire running configuration using the
contents of the following files in the order shown:
• /defaults/config_base.conf
This file contains the commands, and their attributes and values, that
configure the basic system information for all of the components of the
BIG-IP system. When you run the base load or load commands, the
system resets portions of the running configuration to the values
contained in this file. When you run the base save or save all commands,
the system writes portions of the running configuration into this file.
configure the BIG-IP network components. When you run the base load
or load commands, the system resets portions of the running
configuration to the values contained in this file. When you run the base
save or save all commands, the system writes portions of the running
configuration into this file.
configure the BIG-IP network components, as well as the configuration
commands that are synchronized on both units of a redundant system
configuration when you run the configuration synchronization
commands. When you run the base load or load commands, the system
resets portions of the running configuration to the values contained in
this file. When you run the base save or save all commands, the system
writes portions of the running configuration into this file.
• /usr/bin/monitors/builtins/base_monitors.conf
This file contains the default monitors that are delivered with the system.
These monitors are the parents of all the new monitors that you add to the
system.
• /config/profile_base.conf
This file contains the default profiles that are delivered with the system.
These profiles are the parents of all the new profiles that you add to the
system.
• /config/daemon.conf
This file contains the high-availability configuration data for all of the
daemons that are delivered with the system.
• /config/bigip.conf
This file contains the configuration commands, and their attributes and
values, that you add to the system when you configure it to meet your
network and system management and local traffic management needs. It
also contains the configuration commands, and their attributes and
values, that are synchronized on both units of a redundant system
configuration when you run the configuration synchronization
commands. When you run the load command, the system resets portions
of the running configuration to the values contained in this file. When
you run the save all command, the system writes portions of the running
configuration into this file.

Chapter 2
• /config/bigip_local.conf
This file contains the configuration commands, and their attributes and
values, that you add to the system when you configure it to meet your
network and system management and local traffic management needs. It
also contains the configuration commands that are not synchronized on
both units of a redundant system configuration when you run the
configuration synchronization commands. These commands include the
non-floating virtual addresses and the virtual addresses of the servers
used by the BIG-IP® Global Traffic Manager. When you run the load
command, the system resets portions of the running configuration to the
values contained in this file. When you run the save all command, the
system writes portions of the running configuration into this file.
Options
You can use these options with the load command:
◆ <file>
Specifies a file name that replaces the /config/bigip.conf file.
◆ -
Specifies that the BIG-IP system loads configuration commands from the
standard input device after loading the configuration of the BIG-IP
network components. Using this option replaces all of the values in the
/config/bigip.conf file.
Use this option to replace only the values in the /config/bigip.conf file.
First copy the contents of an SCF. Then type load - and press the Enter
key. The system responds with a Reading... message. When the system
finishes responding, on the command line, paste the contents of the SCF
that you copied, and then type Ctrl-D. After the command sequence
runs, the system has replaced the running configuration. To save the new
values in the bigip.conf file, run the save all command.
Warning: This is not the preferred way to load an SCF. F5 recommends
that you use the import command. For more information, see import, on
page 2-90.
◆ base
Replaces the configuration of the BIG-IP system network components
with the values contained in the /config/bigip_base.conf and
/config/bigip_sys.conf files.
◆ log
Causes error messages to be written to /var/log/ltm, in addition to the
terminal.
◆ verify
Validates the specified configuration file.
See also
bigpipe(1), save(1)
2 - 102
logrotate
Configures log rotation for the BIG-IP system.
Syntax
Use this command to configure log rotation for the system.
Create/Modify
Important
F5 recommends that you create a monitor in the same partition in which the
object that it monitors resides. For more information, see the Configuring
Administrative Partitions and Managing User Accounts chapters in the
TMOS™ Management Guide for BIG-IP® Systems.
logrotate [{] <logrotate arg list> [}]

<logrotate arg> ::=
common backlogs <number>
common include (<string> | none)
mysql include (<string> | none)
syslog include (<string> | none)
tomcat include (<string> | none)
wa include (<string> | none)
Display
logrotate [show [all]]
logrotate list [all]
logrotate common backlogs [show]
logrotate common include [show]
logrotate include [show]
logrotate mysql include [show]
logrotate syslog include [show]
logrotate tomcat include [show]
logrotate wa include [show]
Description
You can configure the system to rotate the log files after a specified length
of time. This helps you to clear the hard drive of unneeded log files.

Chapter 2
Examples
Specifies that the system saves seven copies of the common log files:
logrotate common backlogs 7
Options
You can use these options with the logrotate command:
◆ common backlogs
Specifies the number of logs that you want the system to save. Select a
number from the valid range of 1 - 100.
◆ common include
◆ include
◆ partition
Displays the partition within which the logrotate object resides.
◆ syslog include
◆ tomcat include
◆ wa include
See also
bigpipe(1), ntp(1), dns(1), httpd(1), snmpd(1)
2 - 104
ltm
Configures the general properties for the BIG-IP local traffic management
system.
Syntax
Use this command to configure the general properties of the system.
Create/Modify
Important
ltm [{] <ltm arg list> [}]

<ltm arg> ::=
accept ip options (enable | disable)
accept ip source route (enable | disable)
adaptive reaper hiwater <number>
adaptive reaper lowater <number>
allow ip source route (enable | disable)
auto last hop (enable | disable)
continue matching (enable | disable)
fastest max idle time <number>
l2 cache timeout <number>
maint (enable | disable)
max icmp rate <number>
max reject rate <number>
min path mtu <number>
path mtu discovery (enable | disable)
preserve client port (enable | disable)
reject unmatched (enable | disable)
share single mac (first member | global)
snat packet forward (enable | disable)
syncookies threshold <number>
vlan keyed conn (enable | disable)

Chapter 2
Display
ltm [show [all]]
ltm list [all]
ltm accept ip options [show]
ltm accept ip source route [show]
ltm adaptive reaper hiwater [show]
ltm adaptive reaper lowater [show]
ltm allow ip source route [show]
ltm auto last hop [show]
ltm continue matching [show]
ltm fastest max idle time [show]
ltm l2 cache timeout [show]
ltm maint [show]
ltm max icmp rate [show]
ltm max reject rate [show]
ltm min path mtu [show]
ltm path mtu discovery [show]
ltm preserve client port [show]
ltm reject unmatched [show]
ltm share single mac [show]
ltm snat packet forward [show]
ltm syncookies threshold [show]
ltm vlan keyed conn [show]
Description
You can use this command to set up the local traffic management system.
Examples
Specifies that the maximum rate per second at which the BIG-IP system
issues reject packets (TCP RST or ICMP port unreach) is 1000 seconds:
ltm max reject rate 1000
Options
You can use these options with the ltm command:
◆ accept ip options
Specifies whether the system accepts IPv4 packets with IP options. The
◆ accept ip source route
Specifies whether the system accepts IPv4 packets with IP source route
options that are destined for Traffic Management Microkernel (TMM).
The default value is disable. To enable this option, you must also enable
the accept ip options setting.
2 - 106
◆ adaptive reaper hiwater

Specifies, in a percentage, the memory usage at which the system stops
establishing new connections. Once the system meets the reaper
high-water mark, the system does not establish new connections until the
memory usage drops below the reaper low-water mark. The default value
is 95. To disable the adaptive reaper, set the high-water mark to 100.
Note that the adaptive reaper settings help mitigate the effects of a
denial-of-service attack.
◆ adaptive reaper lowater
Specifies, in percent, the memory usage at which the system silently
purges stale connections, without sending reset packets (RST) to the
client. If the memory usage remains above the low-water mark after the
purge, then the system starts purging established connections closest to
their service timeout. The default value is 85. To disable the adaptive
reaper, set the low-water mark to 100.
◆ allow ip source route
Specifies whether the system allows IPv4 packets with IP source route
options enabled to be routed through Traffic Management Microkernel
(TMM). The default value is disable. To enable this option, you must
also enable the accept ip options setting.
◆ auto last hop
Specifies that the system automatically maps the last hop for pools. The
default value is enable.
◆ continue matching
Specifies whether the system matches against a less-specific virtual
server when the more-specific one is disabled. When continue matching
is disabled, the system drops connections that request a disabled virtual
server. In this case, the system rejects or drops packets depending on the
setting of the reject unmatched option.
◆ fastest max idle time
Specifies the number of seconds a node can be left idle by the fastest load
balancing mode. The system sends fewer connections to a node that is
responding slowly, and periodically recalculates the response time of the
slow node. The default value is 0 (zero), which indicates disabled.
◆ l2 cache timeout
Specifies, in seconds, the amount of time that records remain in the Layer
2 forwarding table, when the MAC address of the record is no longer
detected on the network. The default value is 300 seconds.
◆ maint
Specifies, when enabled, that the unit is in maintenance mode. In
maintenance mode, the system stops accepting new connections and
slowly finishes off existing connections.
◆ max icmp rate
Specifies the maximum rate per second at which the system issues
Internet Control Message Protocol (ICMP) errors. The default value is
100 errors per second. The range is from 1 to 1000 errors per second.
This option is useful for preventing ICMP-message storms.

Chapter 2
◆ max reject rate

Specifies the maximum rate per second that the system issues reject
packets (TCP RST or ICMP port unreach). The default value is 250
seconds.
◆ max path mtu
Specifies the minimum packet size that can traverse the path without
suffering fragmentation, also known as path Maximum Transmission
Unit (MTU). The default value is 296. The range is from 68 to 1500.
◆ partition
Displays the partition within which the ltm object resides.
◆ path mtu discovery
Specifies, when enabled, that the system discovers the maximum
transmission unit (MTU) that it can send over a path, without
fragmenting TCP packets. The default value is enable.
◆ preserve client port
Specifies that the system preserves the client port of the connection.
◆ reject unmatched
Specifies, when enabled, that the system returns a TCP RESET or
ICMP_UNREACH packet if no virtual servers on the system match the
destination address of the incoming packet. When this setting is disabled,
the system silently drops the unmatched packet. The default value is
enable.
◆ share single mac
Specifies the MAC address that the system assigns to a VLAN. The
default value is first member, which indicates that a VLAN uses the
MAC address of its first unused member. The global value indicates that
all of the VLANs on the system use the same MAC address.
◆ snat packet forward
Enables or disables SNAT packet forwarding. The default value is
disable.
◆ syncookies threshold
Specifies the number of new or untrusted TCP connections that can be
established before the system activates the SYN Cookies authentication
method for subsequent TCP connections. The default value is 16384.
◆ vlan keyed conn
Enables or disables VLAN-keyed connections. You use VLAN-keyed
connections when traffic for the same connection must pass through the
system several times, on multiple pairs of VLANs (or in different VLAN
groups). The default value is enable.
See also
bigpipe(1)
2 - 108
mac addr
Displays every MAC address currently attached to a configuration object in
a BIG-IP system.
Syntax
Use this command to display the MAC addresses currently attached to a
configuration object in the system.
Create/Modify
<mac addr key> ::=
<mac addr>
Display
mac addr [<mac addr key> | all] [show [all]]
mac addr (<mac addr key> | all) attribute [show]
mac addr (<mac addr key> | all) mac [show]
mac addr (<mac addr key> | all) object [show]
Description
You can use this command to view the MAC addresses that are attached to a
configuration object on the system.
Examples
Displays all MAC addresses:
mac addr all
Options
You can use these options with the mac addr command:
◆ attribute
Lists the attributes for specified objects.
◆ mac
Lists the MAC addresses for specified objects.
◆ object
Lists the objects for specified objects.
See also
bigpipe(1)

Chapter 2
mcp
Displays the Master Control Program (MCP) state.
Syntax
Use this command to display the state of the MCP.
Display
mcp [show [all]]
Delete
mcp stats reset
Note
This command is not currently implemented.
Description
Displays the state of the MCP, whether running or inactive.
Examples
Displays the state of the MCP:
mcp show all
See also
bigpipe(1)
2 - 110
memory
Displays memory usage statistics.
Syntax
Use this command to display memory statistics.
Display
memory [show [all]]
memory stats [show]
Description
Displays detailed memory usage statistics, including:
• Total memory available
• Total memory used
• How the memory is currently allocated to objects
• The size of the objects
• The maximum memory that can be allocated to a specified object
Examples
Displays all memory usage information:
memory show all
See also
bigpipe(1)

Chapter 2
merge
Loads the specified configuration file. This modifies the running
configuration.
Syntax
Use this command to load the specified configuration file or data to modify
the running configuration.
Usage
merge (<file> | -)
Description
The merge command loads the specified configuration file or data. This
modifies the running configuration. After you run the merge command, if
you want to save the modified running configuration in the stored
It is important to note that if you want to replace the running configuration
of the BIG-IP system, rather than modify it, you use the load command. For
more information, see the man page for the load command.
Options
You can use these options with the merge command:
◆ <file>
Specifies the file that you want to load to modify the running
configuration.
◆ -
Specifies that you want to load configuration commands from the
standard input device after loading the configuration of the BIG-IP
network components.
Use this option to modify the running configuration of the system using
the data in an SCF. First copy the contents of an SCF. Then type merge -
and press the Enter key. The system responds with a Reading...
message. When the system finishes responding, paste the contents of the
SCF that you copied on the command line, and then type Ctrl-D. After
the command sequence runs, the system has modified the running
configuration. If you want to save the running configuration to the stored
Warning: F5 recommends that you do not use this option. Instead, you
should use the <file> option.
2 - 112
See also
bigpipe(1), save(1)

Chapter 2
mgmt
Specifies network settings for the management interface (MGMT).
Syntax
Use this command to create or delete settings for the management interface.
Create/Modify
mgmt <mgmt key> {}
mgmt (<mgmt key> | all) [{] <mgmt arg list> [}]
<mgmt key> ::=
(<ip addr> | none)
<mgmt arg> ::=
netmask (<ip mask> | none)
Display
mgmt [<mgmt key> | all] [show [all]]
mgmt [<mgmt key> | all] list [all]
mgmt (<mgmt key> | all) addr [show]
mgmt (<mgmt key> | all) netmask [show]
Delete
mgmt (<mgmt key> | all) delete
Description
Specifies network settings for the management interface. The management
interface is available on all switch platforms and is designed for
management purposes. You can access the browser-based Configuration
utility and command line configuration utility through the management port.
You cannot use the management interface in traffic management VLANs.
You can only configure one IP address on the management interface.
After you make any changes using the mgmt command, issue the following
command to save the changes to the bigip_base.conf file:
base save
2 - 114
Examples
Creates the IP address 10.10.10.1 on the management interface:
mgmt 10.10.10.1
Creates the IP address 10.10.10.1 with a netmask of 255.255.255.0 on the

management interface:
mgmt 10.10.10.1 netmask 255.255.255.0
Options
You can use these options with the mgmt command:
◆ addr
Specifies the IP address in one of four formats:
• host name, for example: www.f5.com
• node screen name, for example: node1
◆ netmask <ip mask>
Specifies the netmask for the management interface IP address.
See also
route(1), bigpipe(1), mgmt route(1)

Chapter 2
mgmt route
Specifies route settings for the management interface (MGMT).
Syntax
Use this command to create, display, or delete route settings for the
management interface.
Create/Modify
mgmt route <mgmt route key> {}
mgmt route (<mgmt route key> | all) [{] <mgmt route arg list> [}]
<mgmt route key> ::=
<network ip>
<mgmt route arg> ::=
dest <network ip>
gateway (<ip addr> | none)
mtu <number>
(mgmt | reject)
Display
mgmt route [<mgmt route key> | all] [show [all]]
mgmt route [<mgmt route key> | all] list [all]
mgmt route (<mgmt route key> | all) dest [show]
mgmt route (<mgmt route key> | all) gateway [show]
mgmt route (<mgmt route key> | all) mtu [show]
mgmt route (<mgmt route key> | all) type [show]
Delete
mgmt route (<mgmt route key> | all) delete
Description
Specifies route settings for the management interface. You must configure a
route on the management interface if you want to access the management
network on the system by connecting from another network. The
management interface is available on all switch platforms. It is designed for
management purposes. All upgrades should be installed through the
management port. You can access the browser-based Configuration utility
and command line configuration utility through the management interface.
You cannot include the management interface in traffic management
VLANs.
2 - 116
Examples
Sets the management interface default gateway IP address to 10.10.10.254:
mgmt route default gateway 10.10.10.254
Either one of the following command sequences sets the management

interface to subnet 10.10.10.0/24, and the gateway to 172.24.74.62:
mgmt route 10.10.10.0 netmask 255.255.255.0 gateway 172.24.74.62
mgmt route 10.10.10.0/24 gateway 172.24.74.62
Options
You can use these options with the mgmt route command:
◆ gateway
Specifies that the system forwards packets to the destination through the
gateway with the specified IP address.
◆ mgmt
Specifies that the system forwards packets to the destination through the
management interface.
◆ mtu
Specifies the maximum transmission unit (MTU) for the management
interface. The value of the MTU is the largest size that the BIG-IP
system allows for an IP datagram passing through the management
interface.
◆ network ip
Specifies the network IP address, in one of four formats:
• Host name, for example: www.siterequest.com
• Node screen name, for example: node1
◆ reject
Specifies that the system drops packets that are sent to this destination.
See also
mgmt(1), bigpipe(1), route(1)

Chapter 2
mirror
Configures interface (port) mirroring.
Syntax
Use this command to configure interface mirroring.
Create/Modify
mirror <mirror key> {}
mirror (<mirror key> | all) [{] <mirror arg list> [}]
<mirror key> ::=
<if name>
<mirror arg> ::=
interfaces (<interface key list> | none) [add | delete]
name <if name>
Display
mirror [<mirror key> | all] [show [all]]
mirror [<mirror key> | all] list [all]
mirror (<mirror key> | all) interfaces [show]
mirror (<mirror key> | all) name [show]
Delete
mirror (<mirror key> | all) delete
Description
Use the mirror command to create, display, modify, or delete port
mirroring on given interfaces. You can mirror traffic from many ports to one
port. The mirror-to port is dedicated to mirroring and cannot be a VLAN or
a trunk member.
Examples
Creates a port mirror, 1.1, that includes interfaces 1.2, 1.3, 1.4. Traffic from
the interfaces 1.2, 1.3, and 1.4 is mirrored to the interface 1.1:
mirror 1.1 interfaces 1.2 1.3 1.4
Adds interfaces 1.2, 1.3, 1.4 to the existing port mirror 1.1:
mirror 1.1 interface 1.2 1.3 1.4 add
2 - 118
Options
You can use these options with the mirror command:
◆ add
Adds interfaces to an existing port mirror.
Important: If you do not use add, the list of interfaces you specify
replaces the existing interfaces on the port mirror.
◆ all
Provides the ability to apply a command to all existing port mirrors.
◆ delete
Deletes interfaces from an existing port mirror. The list of interfaces you
specify is deleted from the port mirror.
◆ <interface key>
Specifies an interface name, for example 3.1.
◆ <key>
Provides the ability to apply a command to a list of existing port mirrors.
See also
interface(1), bigpipe(1)

Chapter 2
monitor
Creates, modifies, and deletes monitor instances or templates.
Syntax
Use this command to configure monitor instances or monitors.
Create/Modify
Important
monitor <monitor key> {}

monitor (<monitor key> | all) [{] <monitor arg list> [}]
<monitor key> ::=
<name>
<monitor arg> ::=
<name> (<quoted string> | none)
accounting node (<quoted string> | none)
accounting port (<quoted string> | none)
acct application id (<quoted string> | none)
agent (<quoted string> | none)
agent type (<quoted string> | none)
aggregate dynamic ratios (<quoted string> | none)
args (<quoted string> | none)
auth application id (<quoted string> | none)
base (<quoted string> | none)
call id (<quoted string> | none)
cert (<quoted string> | none)
chasereferrals (<quoted string> | none)
cipherlist (<quoted string> | none)
cmd (<quoted string> | none)
community (<quoted string> | none)
compatibility (<quoted string> | none)
concurrency limit (<quoted string> | none)
count (<quoted string> | none)
cpu coefficient (<quoted string> | none)
2 - 120
cpu threshold (<quoted string> | none)

database (<quoted string> | none)
debug (<quoted string> | none)
defaults from (<monitor key> | none)
dest (<ip addr> | <member>)
disk coefficient (<quoted string> | none)
disk threshold (<quoted string> | none)
domain (<quoted string> | none)
(enable | disable)
failure interval (<quoted string> | none)
failures (<quoted string> | none)
fault (<quoted string> | none)
filename (<quoted string> | none)
filter (<quoted string> | none)
filter neg (<quoted string> | none)
is read only
folder (<quoted string> | none)
framed addr (<quoted string> | none)
get (<quoted string> | none)
gwm addr (<quoted string> | none)
gwm interval (<quoted string> | none)
gwm protocol (<quoted string> | none)
gwm service (<quoted string> | none)
headers (<quoted string> | none)
host ip address (<quoted string> | none)
ignore down response (enable | disable)
instance <monitor instance list>
interval <number>
key (<quoted string> | none)
mandatoryattrs (<quoted string> | none)
manual resume
max load average (<quoted string> | none)
mem coefficient (<quoted string> | none)
mem threshold (<quoted string> | none)
method (<quoted string> | none)
metrics (<quoted string> | none)
mode (<quoted string> | none)
name <name>
namespace (<quoted string> | none)
nasip (<quoted string> | none)
newsgroup (<quoted string> | none)
origin host (<quoted string> | none)
origin realm (<quoted string> | none)
param name (<quoted string> | none)

Chapter 2
param type (<quoted string> | none)

param value (<quoted string> | none)
password (<quoted string> | none)
pool name (<quoted string> | none)
post (<quoted string> | none)
product name (<quoted string> | none)
program (<quoted string> | none)
protocol (<quoted string> | none)
recv (<quoted string> | none)
recvcolumn (<quoted string> | none)
recvdrain (<quoted string> | none)
recvrow (<quoted string> | none)
request (<quoted string> | none)
response time (<quoted string> | none)
retry time (<quoted string> | none)
return type (<quoted string> | none)
return value (<quoted string> | none)
reverse
run (<quoted string> | none)
secret (<quoted string> | none)
security (<quoted string> | none)
send (<quoted string> | none)
sendpackets (<quoted string> | none)
server (<quoted string> | none)
server id (<quoted string> | none)
server ip (<quoted string> | none)
service (<quoted string> | none)
session id (<quoted string> | none)
snmp port (<quoted string> | none)
snmp version (<quoted string> | none)
time until up (<number> | immediate | indefinite)
timeout (<number> | immediate | indefinite)
timeoutpackets (<quoted string> | none)
transparent
up interval <number>
urlpath (<quoted string> | none)
username (<quoted string> | none)
vendor id (<quoted string> | none)
vendor specific acct application id (<quoted string> | none)
vendor specific auth application id (<quoted string> | none)
vendor specific vendor id (<quoted string> | none)
version (<quoted string> | none)
<monitor instance> ::= (<monitor instance key> | all) \
[{] <monitor instance arg list> [}]
2 - 122
<monitor instance key> ::=

(<ip addr> | <member>)
<monitor instance arg> ::=
addr (<ip addr> | <member>)
(enable | disable)
WARNING
Do not disable default monitors.
Note
If you disable a monitor instance and then run the load command, the
monitor instance is automatically enabled.
Display
monitor [<monitor key> | all] [show [all]]
monitor [<monitor key> | all] list [all]
monitor (<monitor key> | all) <name> [show]
monitor (<monitor key> | all) accounting node [show]
monitor (<monitor key> | all) accounting port [show]
monitor (<monitor key> | all) acct application id [show]
monitor (<monitor key> | all) agent [show]
monitor (<monitor key> | all) agent type [show]
monitor (<monitor key> | all) aggregate dynamic ratios [show]
monitor (<monitor key> | all) args [show]
monitor (<monitor key> | all) auth application id [show]
monitor (<monitor key> | all) base [show]
monitor (<monitor key> | all) call id [show]
monitor (<monitor key> | all) cert [show]
monitor (<monitor key> | all) chasereferrals [show]
monitor (<monitor key> | all) cipherlist [show]
monitor (<monitor key> | all) cmd [show]
monitor (<monitor key> | all) community [show]
monitor (<monitor key> | all) compatibility [show]
monitor (<monitor key> | all) concurrency limit [show]
monitor (<monitor key> | all) count [show]
monitor (<monitor key> | all) cpu coefficient [show]
monitor (<monitor key> | all) cpu threshold [show]
monitor (<monitor key> | all) database [show]
monitor (<monitor key> | all) debug [show]
monitor (<monitor key> | all) defaults from [show]
monitor (<monitor key> | all) dest [show]
monitor (<monitor key> | all) disk coefficient [show]
monitor (<monitor key> | all) disk threshold [show]

Chapter 2
monitor (<monitor key> | all) domain [show]

monitor (<monitor key> | all) enabled [show]
monitor (<monitor key> | all) failure interval [show]
monitor (<monitor key> | all) failures [show]
monitor (<monitor key> | all) fault [show]
monitor (<monitor key> | all) filename [show]
monitor (<monitor key> | all) filter [show]
monitor (<monitor key> | all) filter neg [show]
monitor (<monitor key> | all) flags [show]
monitor (<monitor key> | all) folder [show]
monitor (<monitor key> | all) framed addr [show]
monitor (<monitor key> | all) get [show]
monitor (<monitor key> | all) gwm addr [show]
monitor (<monitor key> | all) gwm interval [show]
monitor (<monitor key> | all) gwm protocol [show]
monitor (<monitor key> | all) gwm service [show]
monitor (<monitor key> | all) headers [show]
monitor (<monitor key> | all) host ip address [show]
monitor (<monitor key> | all) ignore down response [show]
monitor (<monitor key> | all) instance [<monitor instance key> | all] [show [all]]
monitor (<monitor key> | all) instance [<monitor instance key> | all] list [all]
monitor (<monitor key> | all) instance (<monitor instance key> | all) addr [show]
monitor (<monitor key> | all) instance (<monitor instance key> | all) enabled [show]
monitor (<monitor key> | all) instance (<monitor instance key> | all) mon name [show]
monitor (<monitor key> | all) interval [show]
monitor (<monitor key> | all) key [show]
monitor (<monitor key> | all) mandatoryattrs [show]
monitor (<monitor key> | all) manual resume [show]
monitor (<monitor key> | all) max load average [show]
monitor (<monitor key> | all) mem coefficient [show]
monitor (<monitor key> | all) mem threshold [show]
monitor (<monitor key> | all) method [show]
monitor (<monitor key> | all) metrics [show]
monitor (<monitor key> | all) mode [show]
monitor (<monitor key> | all) name [show]
monitor (<monitor key> | all) namespace [show]
monitor (<monitor key> | all) nasip [show]
monitor (<monitor key> | all) newsgroup [show]
monitor (<monitor key> | all) origin host [show]
monitor (<monitor key> | all) origin realm [show]
monitor (<monitor key> | all) param name [show]
monitor (<monitor key> | all) param type [show]
monitor (<monitor key> | all) param value [show]
monitor (<monitor key> | all) partition [show]
2 - 124
monitor (<monitor key> | all) password [show]

monitor (<monitor key> | all) pool name [show]
monitor (<monitor key> | all) post [show]
monitor (<monitor key> | all) product name [show]
monitor (<monitor key> | all) program [show]
monitor (<monitor key> | all) protocol [show]
monitor (<monitor key> | all) recv [show]
monitor (<monitor key> | all) recvcolumn [show]
monitor (<monitor key> | all) recvdrain [show]
monitor (<monitor key> | all) recvrow [show]
monitor (<monitor key> | all) request [show]
monitor (<monitor key> | all) response time [show]
monitor (<monitor key> | all) retry time [show]
monitor (<monitor key> | all) return type [show]
monitor (<monitor key> | all) return value [show]
monitor (<monitor key> | all) reverse [show]
monitor (<monitor key> | all) run [show]
monitor (<monitor key> | all) secret [show]
monitor (<monitor key> | all) security [show]
monitor (<monitor key> | all) send [show]
monitor (<monitor key> | all) sendpackets [show]
monitor (<monitor key> | all) server [show]
monitor (<monitor key> | all) server id [show]
monitor (<monitor key> | all) server ip [show]
monitor (<monitor key> | all) service [show]
monitor (<monitor key> | all) session id [show]
monitor (<monitor key> | all) snmp port [show]
monitor (<monitor key> | all) snmp version [show]
monitor (<monitor key> | all) time until up [show]
monitor (<monitor key> | all) timeout [show]
monitor (<monitor key> | all) timeoutpackets [show]
monitor (<monitor key> | all) transparent [show]
monitor (<monitor key> | all) up interval [show]
monitor (<monitor key> | all) urlpath [show]
monitor (<monitor key> | all) username [show]
monitor (<monitor key> | all) vendor id [show]
monitor (<monitor key> | all) vendor specific acct application id [show]
monitor (<monitor key> | all) vendor specific auth application id [show]
monitor (<monitor key> | all) vendor specific vendor id [show]
monitor (<monitor key> | all) version [show]
Delete
monitor (<monitor key> | all) delete

Chapter 2
Description
Monitors verify connections on pool members and nodes. A monitor can be
either a health monitor or a performance monitor, designed to check the
status of a pool, pool member, or node on an ongoing basis, at a set interval.
If a pool member or node being checked does not respond within a specified
timeout period, or the status of a pool member, or node indicates that
performance is degraded, the system can redirect the traffic to another pool
member or node. Some monitors are included as part of the system, while
other monitors are user-created. Monitors that the system provides are
known as pre-configured monitors. User-created monitors are known as
custom monitors.
The task of implementing a monitor varies depending on whether you are
using a pre-configured monitor or creating a custom monitor. If you want to
implement a pre-configured monitor, you need only associate the monitor
with a pool, pool member, or node. If you want to implement a custom
monitor, you must first create the custom monitor, and then associate it with
a pool, pool member, or node.
Note
To view the man page for the monitor command, enter man monitor at the
BIG-IP system prompt.
Pre-configured monitors
The following monitors are pre-configured monitors:
• gateway icmp
• http
• https
• https_443
• icmp
• inband
• real_server
• snmp dca
• tcp
• tcp_echo
• tcp_half_open
• udp
2 - 126
Examples
This procedure describes how to create a custom HTTP monitor.
To create a custom HTTP monitor

1. Access the bigpipe shell.
2. View the variables for the default monitors, by typing the following
command:
monitor list all |more
3. Find a default monitor on which you want to base the new monitor
and make a note of the settings that you want to change.
For example, if you want to define a new monitor that is based on
the default HTTP monitor, view the default HTTP monitor.
The default HTTP monitor appears as follows:
monitor http {
defaults from
interval 5
timeout 16
dest *:*
password
recv
send GET /
username
}
From the configuration statement of the default HTTP monitor, the

following settings are available:
defaults from none
interval 5
timeout 16
dest *.*
password
recv
send GET /
username
Important: The values for the password, recv, send, and username
settings are contained in quotation marks. If you want to change
these values, you must place the new values in quotation marks.
4. Define the new monitor, using the following command syntax:
monitor <name> '{ defaults from <monitor> <setting>
<value>... }'>
a) Replace name with the name you want to use for the new
monitor.
b) Replace monitor with the name of the default monitor on which
you want to base the new monitor.

Chapter 2
c) Replace setting and value with the name and value of each
setting you want to change.
For example, if you want to create a monitor named
myhttpmonitor that has an interval of 30, a timeout of 91, and a
send string of GET /test.html, you would type the following
command:
monitor myhttpmonitor '{ defaults from http interval 30
timeout 91 send GET /test.html }'
If you decide to change the timeout for the monitor to 121, you
would type the following command:
monitor myhttpmonitor '{ interval 121 }'
5. Save the new monitor, by typing the following command:

save
For more information about configuring monitors, see the Configuration

Guide for BIG-IP® Local Traffic Management.
Options
You can use these options with the monitor command:
◆ accounting node
Specifies the RADIUS server that provides authentication for the WAP
target. Note that if you configure the accounting-port option, but you do
not configure the this option, the system assumes that the RADIUS
server and the WAP server are the same system.
◆ accounting port
Specifies the port that the monitor uses for RADIUS accounting. The
default value is none. A value of 0 (zero) disables RADIUS accounting.
◆ acct application id
Specifies the Accounting identifier for a specific application, as specified
in RFC 3588. The default value is none.
◆ agent
Specifies an agent for use with Real Server, SNMP Base, and WMI
monitors only.
◆ agent type
Specifies the SNMP DCA agent type. This is the type of agent running
on the server that you are monitoring with an SNMP DCA monitor.
◆ aggregate dynamic ratios
Specifies the monitors response to a query. By default, the BIG-IP
monitor uses the gtm_score value as the vs_score for a Local Traffic
Manager virtual server.
◆ args
Specifies any required command line arguments used by external
monitors.
2 - 128
◆ auth application id
Specifies the Authentication and Authorization identifier for a specific
application, as specified in RFC 3588. The default value is none.
◆ base
Specifies a base name, used by LDAP.
◆ call id
Specifies the 11-digit phone number for the RADIUS server. The default
value is none.
◆ cert
Provides the ability to supply a certificate file to be presented to the
server by an HTTPS monitor. If you do not provide the full path to the
certificate file, the system adds the path /config/ssl/ssl.crt. The cert must
be surrounded by quotation marks, for example: cert "client.crt" or cert
"/config/ssl/ssl.crt/client.crt". The default value is null, that is, no
certificate is supplied.
◆ chasereferrals
Specifies whether, upon receipt of an LDAP referral entry, the target
follows (or chases) that referral. The default value is none.
◆ check until up
Specifies how the active monitor performs health checks. The default
value is disable.
◆ cipherlist
Changes the cipher list that the HTTPS monitor uses, from the default.
The default cipherlist used is: DEFAULT:+SHA:+3DES:+kEDH. The
default cipher list is located in the file base_monitors.conf.
◆ cmd
Specifies a command associated with metrics and metric values. Applies
to Real Server and WMI monitors.
◆ community
Specifies an SNMP community name. Applies to SNMP DCA monitors
only. The default value is Public.
◆ compatibility
Sets the SSL options to ALL for an HTTPS monitor. You can enable or
disable this option.
◆ concurrency limit
Specifies the maximum percentage of licensed connections currently in
use under which the monitor marks the FirePass system up. As an
example, a value of 95 percent means that the monitor marks the
FirePass system up until 95 percent of licensed connections are in use.
When the number of in-use licensed connections exceeds 95 percent, the
monitor marks the FirePass system down. The default value is 95.
◆ count
Specifies the number of instances for which the system keeps a
connection open. By default, when you assign instances of this monitor

Chapter 2
to a resource, the system keeps the connection to the database open. With
this option you can assign multiple instances to the database while
reducing the overhead that multiple open connections can cause.
◆ cpu coefficient
Specifies an SNMP DCA CPU Coefficient. This is a CPU value used for
calculating a ratio weight.
◆ cpu threshold
Specifies an SNMP DCA CPU threshold. This is the highest disk
threshold value allowed, used in calculating a ratio weight.
◆ database
Specifies a database name, used by SQL. This is the name of the data
source on the node being pinged, for example: sales or hr.
◆ debug
Specifies whether the monitor provides debug mode.
If the value is yes, the monitor redirects its stderr output to the file
/var/log/<service> <ip addr>.<port>.log, and additional debug
information is directed to stderr.
◆ defaults from
Specifies the monitor that you want to use as the parent monitor. Your
new monitor inherits all settings and values from the parent monitor
specified. The new monitor will have the default settings of the monitor
you specify, but you can change any of the settings. This option is
required.
◆ dest
Specifies a destination IP address. You can also set this to a node name.
◆ disk coefficient
Specifies an SNMP DCA Disk coefficient. This is a disk value used for
calculating a ratio weight.
◆ disk threshold
Specifies an SNMP DCA Disk threshold. This is the highest disk
◆ domain
Specifies a domain name, for SMTP monitors only.
◆ failure interval
Specifies an interval, in seconds. If the number of failures specified in the
failures option occurs within this interval, the system marks the pool
member as being unavailable.
◆ failures
Specifies the number of times within a given time period that the system
tries to connect to a pool member before marking that server as being
unavailable. The default value is 30.
Specifying a value of 0 (zero) disables this option. A failure can be either
a failure to connect or a failure of the pool member to respond within the
time specified in the response time option.
2 - 130
◆ fault
For a SOAP monitor, fault is a Boolean operator specifying whether to
check for a SOAP fault. Valid values are (0, 1). When the fault parameter
is specified as a value of 1, the monitor expects the successful execution
it is monitoring to include a returned fault. This is useful to test for
situations when a fault is expected. This tests only for the existence of a
SOAP fault. Any other server error codes signal a failure of the monitor.
◆ filter
Specifies a filter name, used by LDAP.
◆ filter neg
Specifies the SIP status codes that the target can return to be considered
down. By default the system always accepts status codes according to
filter. After checking that, the status code is checked against this key. If a
code is also in filter, the node is marked up.
◆ folder
Specifies a folder name, used by IMAP.
◆ framed addr
Specifies the RADIUS framed IP address. The default value is none.
◆ get
Gets a specified string.
◆ gwm addr
Specifies the IP address of the Group Workload Manager. The default
value is none.
◆ gwm interval
Specifies the frequency at which the system issues the monitor check.
The default value is auto.
◆ gwm protocol
Specifies the protocol that the monitor uses to communicate with the
target. The default value is tcp.
◆ gwm service
Specifies the port through which the SASP monitor communicates with
the Group Workload Manager. The default port is 3000.
◆ headers
Specifies the set of SIP headers in the SIP message that is sent to the
target. Separate each header with a new line. The default value is none.
◆ host ip address
Specifies the IP address of the diameter server. If no value is specified,
the system uses the BIG-IP system's IP address on the VLAN that the
system uses to generate traffic to the server.
◆ interval
Monitor’s interval time in seconds. The default value is 0.
◆ key
Specifies the RSA private key to be used for client authentication. The
key must be surrounded by quotation marks, for example: key
"client.key".

Chapter 2
Note that if you specify a key, you must also specify a value for the cert
option. For more information, see the cert option on the previous page.
◆ mandatoryattrs
Specifies whether the target must include attributes in its response to be
considered up. The default value is no.
◆ manual resume
Specifies whether the system automatically changes the status of a
resource to Enabled at the next successful monitor check. If you set this
option to Yes, you must manually re-enable the resource before the
system can use it for load balancing connections.
◆ max load average
Specifies the number that the monitor uses to mark the FirePass system
up or down. The system compares value of this option against a
one-minute average of the FirePass system load. When the FirePass
system-load average falls within the specified value, the monitor marks
the FirePass system up. When the average exceeds the setting, the
monitor marks the system down.
◆ mem coefficient
Specifies an SNMP DCA Memory coefficient. This is a memory value
used for calculating a ratio weight.
◆ mem threshold
Specifies an SNMP DCA Memory threshold. This is the highest disk
◆ method
Specifies a method specification such as GET or POST. Applies to Real
Server, SOAP, and WMI monitors only.
◆ metrics
Specifies metrics that you want to monitor, such as CPU percentage or
memory usage. Applies to Real Server and WMI monitors only.
◆ mode
Sets the mode of the monitor. For example, an acceptable setting for this
value is passive for an FTP monitor, or udp or tcp for a SIP monitor.
◆ name
Specifies the monitor name.
◆ namespace
Specifies the namespace associated with the given web service for a
SOAP monitor.
◆ nasip
Specifies the network access server’s IP address for a RADIUS monitor.
◆ newsgroup
Specifies a newsgroup name, for NNTP monitors only.
◆ origin host
Specifies the identifier of the originating server in the form
siteserver.f5.com. If no value is specified, the system uses the one from
the VLAN that the BIG-IP system uses to generate traffic to the server.
2 - 132
◆ origin realm
Specifies the realm containing the diameter server. The default value is
f5.com.
◆ param name
If the method has a parameter, specifies the name of that parameter for
the SOAP monitor.
◆ param type
Specifies the basic type associated with the given parameter name in a
SOAP monitor. Valid values are long, int, string, and bool.
◆ param value
Specifies the value of the given parameter for the SOAP monitor.
◆ partition
Displays the partition within which the monitor resides.
◆ password
Specifies the password for the specified user name.
◆ pool name
Specifies the pool name.
◆ post
Specifies a WMI and Real Server post setting.
◆ product name
Specifies a name for the diameter health monitor.
◆ protocol
Specifies the protocol to use for a SOAP monitor. Valid values are http
or https.
◆ recv
This is an optional parameter, containing the value expected back for a
particular row and column of the table retrieved by the send parameter,
for example: Smith. The expected data must be of a database type that
converts directly to a Java String (for example, VARCHAR). If no value
is specified for this parameter, the returned data is not checked for any
specific value and, as long as no discernible errors occurred (for
example, data was received), the service is considered to be up.
◆ recvcolumn
This option is meaningful only if the recv option is specified. It contains
the column in the returned table in which the recv value is expected.
◆ recvrow
This option is meaningful only if the recv option is specified. It contains
the row in the returned table in which the recv value is expected.
◆ request
Specifies the SIP request line in the SIP message that is sent to the target.
The default value is none.

Chapter 2
◆ response time
Specifies an amount of time, in seconds. If the pool member does not
respond with data after the specified amount of time has passed, the
number of failures in this interval increments by 1. Specifying a value of
0 (zero) disables this option.
◆ retry time
Specifies the amount of time in seconds after the pool member has been
marked unavailable before the system retries to connect to the pool
member. Specifying a value of 0 (zero) disables this option.
◆ return type
If a return type is to be tested, specifies the basic type of the return
parameter. Valid values are:
• bool (Boolean)
• char
• double
• float
• int (integer)
• long
• short
• string
◆ return value
For the SOAP monitor. If a return name is specified, this is the value to
use for comparison to yield a successful service check.
◆ reverse
Checks a monitor recv string reverse mode.
◆ run
Runs a path name.
◆ secret
Specifies a secret or shared secret, used by RADIUS.
◆ security
Valid values are:
• ssl
This value requests that LDAP over SSL be used.
• tls
This value requests that TLS be used.
• none
This value (or a null value or any value that does not equal one of the
above) invokes no special security. The monitor runs as the previous
LDAP pinger was run.
◆ send
You can use this parameter with TCP, HTTP, and HTTPS ECVs, as well
as the SQL monitor. Since this may have special characters, it may
require that it be enclosed with single quotation marks. If this value is
2 - 134
null, then a valid connection suffices to determine that the service is up.
In this case, the recv, recvrow, and recvcolumn options are not needed,
and will be ignored even if not null.
◆ sendpackets
Specifies the number of packets to send when using the UDP monitor.
◆ server
Specifies the host name or IP address of the RADIUS server. This option
is required.
◆ server id
Specifies the RADIUS NAS-ID for this system when configuring a
RADIUS server. The default value is none.
◆ service
Specifies the name of the service that the user is requesting
authentication to use. Identifying the service enables the TACACS+
server to behave differently for different types of authentication requests.
This option is required.
◆ session id
Specifies the RADIUS session identification number when configuring a
RADIUS server. The default value is none.
◆ snmp port
Specifies the port associated with the SNMP server. The default value is
161.
◆ snmp version
Specifies the SNMP version.
◆ time until up
Displays the number of seconds to wait after a resource first responds
correctly to the monitor before setting the resource to up. During the
interval, all responses from the resource must be correct. When the
interval expires, the resource is marked up. The default value is 0,
meaning that the resource is marked up immediately upon receipt of the
first correct response.
◆ timeout
Monitor’s timeout in seconds. You can also set the timeout to immediate
or indefinite. The default value is 0.
◆ timeoutpackets
Specifies the timeout in seconds for receiving UDP packets.
◆ transparent
Specifies a monitor for transparent devices. In this mode, the node with
which the monitor is associated is pinged through to the destination node.
◆ up interval
Displays the interval for the system to use to perform the health check
when a resource is up. When no value is specified, the system uses the
value specified in interval to check the health of the resource.
◆ urlpath
Supplies a URL path for a SOAP monitor.

Chapter 2
◆ username
Specifies a user name for services with password security. For LDAP
monitors only, this is a distinguished name, that is, LDAP-format user
name.
◆ vendor id
Specifies the vendor identification number assigned to your diameter
server by the Internet Assigned Numbers Authority (IANA). The default
is 3375, the IANA ID for F5 Networks. This enables you to specify
vendor specific vendor id, vendor specific auth application id, and
vendor specific acct application id as a grouped value.
◆ vendor specific acct application id
Specifies the vendor-specific grouped values for the diameter
◆ vendor specific auth application id
Specifies the Authentication and Authorization identifier for a specific
◆ vendor specific vendor id
Specifies the Accounting identifier for a specific application, as specified
in RFC 3588. The default value is none.
See also
node(1), pool(1), bigpipe(1)
2 - 136
nat
Configures network address translation (NAT).
Syntax
Use this command to configure a NAT.
Create/Modify
nat <nat key> {}
nat (<nat key> | all) [{] <nat arg list> [}]
<nat key> ::=
(<ip addr> | none)
[(<ip addr> | none)] [to (<ip addr> | none)]
[(<ip addr> | none)] [map (<ip addr> | none)]
<nat arg> ::=
arp (enable | disable)
(enable | disable)
map (<ip addr> | none)
to (<ip addr> | none)
unit <number>
vlans (<vlan key list> | none) (enable | disable)
nat (<nat key> | all) stats reset
Display
nat [<nat key> | all] [show [all]]
nat [<nat key> | all] list [all]
nat (<nat key> | all) arp [show]
nat (<nat key> | all) enabled [show]
nat (<nat key> | all) map [show]
nat (<nat key> | all) partition [show]
nat (<nat key> | all) stats [show]
nat (<nat key> | all) to [show]
nat (<nat key> | all) unit [show]
nat (<nat key> | all) vlans [show]
Delete
nat (<nat key> | all) delete

Chapter 2
Description
A network address translation (NAT) defines a bi-directional mapping
between an originating IP address (orig addr) and a translated IP address
(trans addr).
A primary reason for defining a NAT is to allow one of the servers in the
server array behind the traffic management system to initiate
communication with a computer in front of, or external to the system.
Examples
The node behind the system with the IP address 10.0.140.100 has a presence
in front of the BIG-IP system as IP address 11.0.0.100:
nat 10.0.140.100 to 11.0.0.100
Permanently deletes the NAT from the system configuration:

nat 10.0.140.100 delete
Additional Restrictions
The nat command has the following additional restrictions:
• A virtual server cannot use the IP address defined in the <trans addr>
parameter.
• A NAT cannot use a BIG-IP system's IP address.
• A NAT cannot use an originating or translated IP address defined for and
used by a SNAT or another NAT.
• You must delete a NAT before you can redefine it.
Options
You can use these options with the nat command:
◆ arp
Enables or disables Address Resolution Protocol (ARP).
◆ <ip addr> to <ip addr> or <ip addr> map <ip addr>
Specifies the IP address that is translated or mapped, and the IP address
to which it is translated or mapped. One of these settings is required
when creating a NAT.
◆ orig addr
Specifies the IP address from which traffic is being initiated.
◆ partition
Specifies the partition within which the object resides.
◆ trans addr
Specifies the IP address that <orig addr> is translated to by the traffic
management system.
2 - 138
◆ unit
Specifies a unit ID, currently 1 or 2 for the redundant system
configuration. The default unit ID is set to 1.
◆ vlans
Specifies the name of an existing VLAN on which access to the NAT is
enabled or disabled. A NAT is accessible on all VLANs by default.
See also
snat(1), snat translation(1), bigpipe(1)

Chapter 2
ndp
Manages IPv6 neighbor discovery.
Syntax
Use this command to create, display, and delete IPv6 neighbor discovery.
Create/Modify
ndp <ndp key> {}
ndp (<ndp key> | all) [{] <ndp arg list> [}]
<ndp key> ::=
<ip addr>
(dynamic | static)
<ndp arg> ::=
<ip addr>
(<mac addr> | none)
(dynamic | static)
Display
ndp [<ndp key> | all] [show [all]]
ndp [<ndp key> | all] list [all]
ndp (<ndp key> | all) ip addr [show]
ndp (<ndp key> | all) mac addr [show]
ndp (<ndp key> | all) type [show]
Delete
ndp (<ndp key> | all) delete
Description
The ndp command provides the ability to display and modify the
IPv6-to-Ethernet address translation tables used by the IPv6 neighbor
discovery protocol.
Examples
Maps the IPv6 address fec0:f515::c001 to the MAC address
00:0B:DB:3F:F6:57:
ndp fec0:f515::c001 00:0B:DB:3F:F6:57
Shows all static and dynamic IPv6 address-to-MAC address mapping:

ndp all show
2 - 140
Options
You can use these options with the ndp command:
◆ all
Displays all static and dynamic IPv6 address-to-MAC address mapping.
◆ dynamic
Displays dynamic IPv6 address-to-MAC address mapping.
◆ ip addr
Specifies the IPv6 address to be mapped to the MAC address. For
example: fec0:f515::c001.
◆ mac addr
Specifies a 6-byte Ethernet address in hexadecimal colon notation that is
not case-sensitive. For example: 00:0b:09:88:00:9a. This option is
required.
◆ static
Displays static IPv6 address-to-MAC address mapping.
See also
arp(1), bigpipe(1)

Chapter 2
node
Creates, modifies, or displays node addresses and services.
Syntax
Use this command to create, modify, or display node addresses and services.
Create/Modify
Important
BIG-IP® Systems.
node <node key> {}

node (<node key> | all) [{] <node arg list> [}]
<node key> ::=
<ip addr>
<node arg> ::=
addr <ip addr>
dynamic ratio <number>
limit <number>
monitor (default | <monitor key> |
<monitor key> and <monitor key> [and <monitor key> ...] |
min <number> of <monitor key list>)
(up | down)
ratio <number>
screen (<name> | none)
session (enable | disable)
node (<node key> | all) stats reset
Display
node [<node key> | all] [show [all]]
node [<node key> | all] list [all]
node (<node key> | all) addr [show]
node (<node key> | all) dynamic ratio [show]
node (<node key> | all) limit [show]
node (<node key> | all) monitor [show]
node (<node key> | all) monitor state [show]
node (<node key> | all) partition [show]
2 - 142
node (<node key> | all) ratio [show]

node (<node key> | all) screen [show]
node (<node key> | all) session [show]
node (<node key> | all) stats [show]
Delete
node (<node key> | all) delete
Description
Displays information about nodes, and sets attributes of nodes and node IP
addresses.
Examples
Displays information for all nodes in the system configuration:
node all show
Lists all nodes:

node all list
Removes all monitor associations from all nodes:

node all monitor none
Removes the default node monitor from all nodes. This command does not
remove monitors that have been explicitly assigned to nodes:
node * monitor none
Removes all monitor associations from the node 10.10.10.15:

node 10.10.10.15 monitor none
Options
You can use these options with the node command:
◆ dynamic ratio
Sets the dynamic ratio number for the node. Used for dynamic ratio load
balancing. The ratio weights are based on continuous monitoring of the
servers and are therefore continually changing. Dynamic Ratio load
balancing may currently be implemented on RealNetworks RealServer
platforms, on Windows platforms equipped with Windows Management
Instrumentation (WMI), or on a server equipped with either the UC
Davis SNMP agent or Windows 2000 Server SNMP agent.
◆ limit
Specifies the maximum number of connections allowed for the node or
node address.
◆ monitor
Specifies the name of the monitor that you want to associate with the
node.

Chapter 2
◆ partition
Displays the partition in which the node resides.
◆ ratio
Specifies the fixed ratio value used for a node during ratio load
balancing.
◆ screen <name> | none
Specifies the given name of the node, if any.
◆ session
Displays the current connections for the specified node.
◆ up | down
Marks the node up or down.
See also
pool(1), monitor(1), bigpipe(1)
2 - 144
ntp
Configures the Network Time Protocol (NTP) daemon for the BIG-IP
system.
Syntax
Use this command to configure the NTP servers for the system.
Create/Modify
Important
BIG-IP® Systems.
ntp [{] <ntp arg list> [}]

<ntp arg> ::=
servers (<ip addr list> | none) [add | delete]
timezone (<string> | none)
Display
ntp [show [all]]
ntp list [all]
ntp include [show]
ntp servers [show]
ntp timezone [show]
Description
You can use this command to configure the NTP servers for the system.
Examples
Adds the NTP server with the IP address, 192.168.1.245, to the system:
ntp servers 192.168.1.245 add
Replaces the existing list of NTP servers with a single host, time.f5net.com:
ntp servers time.f5net.com
Sets the system time to Pacific Standard Time:

ntp timezone “America/Los Angeles”

Chapter 2
Options
You can use these options with the ntp command:
◆ include
◆ partition
Displays the partition within which the ntp object resides.
◆ servers
Adds NTP servers to or deletes NTP servers from the BIG-IP system.
◆ timezone
Specifies the time zone that you want to use for the system time.
See also
bigpipe(1), dns(1), httpd(1), snmpd(1), sshd(1)
2 - 146
ocsp responder
Configures Online Certificate System Protocol (OCSP) responder objects.
Syntax
Use this command to configure an OCSP responder object.
Create/Modify
Important
BIG-IP® Systems.
ocsp responder <ocsp responder key> {}

ocsp responder (<ocsp responder key> | all) [{] <ocsp responder arg list> [}]
<ocsp responder key> ::=
<name>
<ocsp responder arg> ::=
ca file (<file name> | none)
ca path (<string> | none)
certid digest (sha1 | md5)
certs (enable | disable)
chain (enable | disable)
check certs (enable | disable)
explicit (enable | disable)
ignore aia (enable | disable)
intern (enable | disable)
name <name>
sig verify (enable | disable)
sign digest (sha1 | md5)
sign key (<file name> | none)
sign key pass phrase (<string> | none)
sign other (<file name> | none)
signer (<file name> | none)
status age <number>
trust other (enable | disable)
url (<string> | none)
va file (<file name> | none)
validity period <number>

Chapter 2
verify (enable | disable)

verify cert (enable | disable)
verify other (<string> | none)
Display
ocsp responder [<ocsp responder key> | all] [show [all]]
ocsp responder [<ocsp responder key> | all] list [all]
ocsp responder (<ocsp responder key> | all) ca file [show]
ocsp responder (<ocsp responder key> | all) ca path [show]
ocsp responder (<ocsp responder key> | all) certid digest [show]
ocsp responder (<ocsp responder key> | all) certs [show]
ocsp responder (<ocsp responder key> | all) chain [show]
ocsp responder (<ocsp responder key> | all) check certs [show]
ocsp responder (<ocsp responder key> | all) explicit [show]
ocsp responder (<ocsp responder key> | all) ignore aia [show]
ocsp responder (<ocsp responder key> | all) intern [show]
ocsp responder (<ocsp responder key> | all) name [show]
ocsp responder (<ocsp responder key> | all) partition [show]
ocsp responder (<ocsp responder key> | all) sig verify [show]
ocsp responder (<ocsp responder key> | all) sign digest [show]
ocsp responder (<ocsp responder key> | all) sign key [show]
ocsp responder (<ocsp responder key> | all) sign key pass phrase [show]
ocsp responder (<ocsp responder key> | all) sign other [show]
ocsp responder (<ocsp responder key> | all) signer [show]
ocsp responder (<ocsp responder key> | all) status age [show]
ocsp responder (<ocsp responder key> | all) trust other [show]
ocsp responder (<ocsp responder key> | all) url [show]
ocsp responder (<ocsp responder key> | all) va file [show]
ocsp responder (<ocsp responder key> | all) validity period [show]
ocsp responder (<ocsp responder key> | all) verify [show]
ocsp responder (<ocsp responder key> | all) verify cert [show]
ocsp responder (<ocsp responder key> | all) verify other [show]
Delete
ocsp responder (<ocsp responder key> | all) delete
Description
To implement the SSL OCSP authentication module, you must create the
following objects: one or more OCSP responder objects, an SSL OCSP
configuration object, and an SSL OCSP profile.
Options
You can use these options with the ocsp responder command:
2 - 148
◆ ca file
Specifies the name of the file containing trusted CA certificates used to
verify the signature on the OCSP response.
◆ ca path
Specifies the name of the path containing trusted CA certificates used to
verify the signature on the OCSP response.
◆ certid digest
Specifies a specific algorithm identifier, either sha1 or md5. sha1 is
newer and provides more security with a 160 bit hash length. md5 is
older and has only a 128 bit hash length. The default value is sha1.
The cert ID is part of the OCSP protocol. The OCSP client (in this case,
the BIG-IP system) calculates the cert ID using a hash of the Issuer and
serial number for the certificate that it is trying to verify.
◆ certs
Enables or disables the addition of certificates to an OCSP request. The
◆ chain
Constructs a chain from certificates in the OCSP response. The default
value is enable.
◆ check certs
Makes additional checks to see if the signer's certificate is authorized to
provide the necessary status information. Used for testing purposes only.
The default value is enable.
◆ explicit
Specifies that the BIG-IP local traffic management system explicitly
trusts that the OCSP response signer's certificate is authorized for OCSP
response signing. If the signer's certificate does not contain the OCSP
signing extension, specification of this setting causes a response to be
untrusted. The default value is enable.
◆ ignore aia
Causes the system to ignore the URL contained in the certificate's AIA
fields, and to always use the URL specified by the responder instead. The
◆ intern
Causes the system to ignore certificates contained in an OCSP response
when searching for the signer's certificate. To use this setting, the signer's
certificate must be specified with either the Verify Other or VA File
setting. The default value is enable.
◆ partition
Displays the partition within which the ocsp responder object resides.

Chapter 2
◆ sig verify
Checks the signature on the OCSP response. Used for testing purposes
only. The default value is enable.
◆ sign key
Specifies the key that the system uses to sign an OCSP request.
◆ sign key pass phrase
Specifies the passphrase that the system uses to encrypt the sign key.
◆ sign other
Adds a list of additional certificates to an OCSP request.
◆ sign digest
Specifies the algorithm for signing the request, using the signing
certificate and key. This parameter has no meaning if request signing is
not in effect (that is, both the request signing certificate and request
signing key parameters are empty). This parameter is required only when
request signing is in effect. The default value is sha1.
◆ signer
Specifies a certificate used to sign an OCSP request. If the certificate is
specified but the key is not specified, then the private key is read from
the same file as the certificate. If neither the certificate nor the key is
specified, then the request is not signed. If the certificate is not specified
and the key is specified, then the configuration is considered to be
invalid.
◆ status age
The default value is 0.
◆ trust other
Instructs the BIG-IP local traffic management system to trust the
certificates specified with the Verify Other setting. The default value is
disable.
◆ url
Specifies the URL used to contact the OCSP service on the responder.
When using the ocsp responder command, you must specify a URL.
◆ va file
Specifies the name of the file containing explicitly-trusted responder
certificates. This parameter is needed in the event that the responder is
not covered by the certificates already loaded into the responder's CA
store.
◆ validity period
Specifies the number of seconds used to specify an acceptable error
range. This setting is used when the OCSP responder clock and a client
clock are not synchronized, which could cause a certificate status check
to fail. This value must be a positive number. The default value is 300
seconds.
◆ verify
Enables or disables verification of an OCSP response signature or the
nonce values. Used for debugging purposes only. The default value is
enable.
2 - 150
◆ verify cert
◆ verify other
Specifies the name of the file used to search for an OCSP response
signing certificate when the certificate has been omitted from the
response.
See also
auth ssl ocsp(1), profile auth(1), bigpipe(1)

Chapter 2
oneconnect
Displays or resets OneConnect™ statistics for the BIG-IP system.
Syntax
Use this command to display or reset OneConnect statistics for the BIG-IP
system.
Display
oneconnect [show [all]]
Modify
oneconnect stats reset
Description
The OneConnect feature optimizes the use of network connections by
keeping server-side connections open and pooling them for reuse. You can
use the oneconnect command to display or reset OneConnect statistics for
the BIG-IP system.
See also
profile(1), profile oneconnect(1), bigpipe(1)
2 - 152
packet filter
Configures packet filter rules and trusted allow lists.
Syntax
Use this command to configure packet filtering.
Create/Modify
Use this syntax to create or modify packet filter rules:
packet filter <packet filter key> {}
packet filter (<packet filter key> | all) [{] <packet filter arg list> [}]
<packet filter key> ::=
<name>
<packet filter arg> ::=
action (none | accept | discard | reject | continue)
filter { <rule> }
log (enable | disable)
name <name>
order <number>
rate class (<rate class key> | none)
vlan (<vlan key> | none)
packet filter (<packet filter key> | all) stats reset
Use this syntax to modify the packet filter’s allow trusted lists:
packet filter {}
packet filter [{] <packet filter arg list> [}]
<packet filter arg> ::=
allow trusted <packet filter allow trusted>
<packet filter allow trusted> ::= [{] <packet filter allow trusted arg list> [}]
<packet filter allow trusted arg> ::=
addresses (<ip addr list> | none) [add | delete]
macs (<mac addr list> | none) [add | delete]
vlans (<vlan key list> | none) [add | delete]
packet filter <packet filter key> {}
Display
packet filter [show [all]]
packet filter list [all]
packet filter allow trusted [show]

Chapter 2
Use this syntax to display allow trusted lists:

packet filter allow trusted vlans [show]
packet filter allow trusted macs [show]
packet filter allow trusted addresses [show]
Use this syntax to display packet filter rules:

packet filter (<packet filter key> | all) delete
packet filter [<packet filter key> | all] [show [all]]
packet filter [<packet filter key> | all] list [all]
packet filter (<packet filter key> | all) action [show]
packet filter (<packet filter key> | all) filter [show]
packet filter (<packet filter key> | all) log [show]
packet filter (<packet filter key> | all) name [show]
packet filter (<packet filter key> | all) order [show]
packet filter (<packet filter key> | all) rate class [show]
packet filter (<packet filter key> | all) stats [show]
packet filter (<packet filter key> | all) vlan [show]
Delete
packet filter (<packet filter key> | all) delete
Description
Provides the ability to create a layer of security for the traffic management
system using packet filter rules or trusted allow lists.
The BIG-IP system packet filters are based on the Berkeley Software Design
Packet Filter (BPF) architecture. Packet filter rules are composed of four
mandatory attributes and three optional attributes. The mandatory attributes
are name, order, action, and filter. The optional attributes are vlan, log,
and rate class. The filter attribute you choose defines the BPF script to
match for the rule.
Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs
that you want to allow to bypass the packet filter.
Important
You must enable the packet filter flag using the Configuration utility, for any
packet filter configuration to work. By default, the packet filter flag is
disabled.
2 - 154
Trusted allow list example

Create a trusted allow list that allows anything listed to bypass the packet
filter.
packet filter allow trusted {
vlan internal1 internal2
mac 00:02:3F:3E:2F:FE
}
In this example, you have an administrative laptop that you want to have
unrestricted access to the traffic management system. This is a laptop, and
therefore it might have a different IP address from time to time. One way to
solve the problem is to add a trusted MAC address. A trusted MAC address
is a MAC address that passes MAC address-based authentication.
This trusted allow list example shows the laptop MAC address as
00:02:3F:3E:2F:FE. Now the laptop can access the traffic management
system regardless of what address it boots with or to which VLAN it is
connected, as long as it is on the same physical segment as the traffic
management system.
Also in this example, the traffic management system is configured with a
basic firewall for the internal network. This example shows a way to filter
incoming traffic and allow outgoing traffic to be unrestricted. To do this,
you add trusted VLANs that represent all traffic that originated on the
internal network.
Note
Another way to do this is to allow trusted IP addresses instead, for example:

192.168.26.0/24.
Packet filter rules examples

You can create a set of rules that specify what incoming traffic to accept and
how to accept it. See the examples following.
Example 1: Block spoofed addresses

This example prevents private IP addresses from being accepted on a public
VLAN. This is a way of ensuring that no one can spoof private IP addresses
through the external VLAN of the system. In this example, the system logs
when this happens.
packet filter spoof_blocker {
order 5
action discard
vlan external
log enable
filter {( src net 172.19.255.0/24 )}
}

Chapter 2
Example 2: Allow restricted management access

You can allow restricted SSH and HTTPS access to the traffic management
system for management purposes, and keep a log of that access. However,
note that this is not the same management access you can get through the
management port/interface (MGMT); that interface is not affected by any
packet filter configuration and if that is the only way you want to allow
access to your system, this configuration is not necessary.
In the first rule, shown below, SSH is allowed access from a single
fixed-address administrative workstation, and each access is logged. In the
second rule, browser-based Configuration utility access is allowed from two
fixed-address administrative workstations, however, access is not logged.
packet filter management_ssh {
order 10
action accept
log enable
filter {( proto TCP ) and ( src host 172.19.254.10 ) and ( dst port 22 )}
}
packet filter management_gui {

order 15
action accept
filter {( proto TCP ) and ( src host 172.19.254.2 or src host 172.19.254.10 ) and \
( dst port 443)}
}
Example 3: Allow access to all virtual servers

In this final example, you can verify that all of the virtual servers in your
configuration are reachable from the public network. This is critical if you
have decided to use a default-deny policy. A default-deny policy restricts
Internet access to everything that is not explicitly permitted. This example
also shows how to rate shape all traffic to the virtual server IP address with a
default rate class (that can be overridden by individual virtual servers or
iRules™ later).
Note
This example has a single virtual server IP, and it does not matter what
interface the traffic is destined for. If you want to be more specific, you
could specify each service port, as well (for example, HTTP, FTP, Telnet,
and so on).
packet filter virtuals {

order 20
action accept
vlan external
rate class root
filter {( dst host 172.19.254.80 )}
}
2 - 156
Options
You can use these options with the packet filter command to create packet
filter rules:
◆ action
Specifies the action that the packet filter rule should take. The values for
action are: accept, discard, reject, continue, and none. There is no
default; you must specify a value when you create a packet filter rule.
◆ filter
Specifies the BPF expression to match. The filter is mandatory, however
you can leave it empty. If empty, the packet filter rule matches all
packets.
◆ log
Enables or disables packet filter logging. If you omit this value, no
logging is performed.
◆ order
Specifies a sort order. The values for the sort order are all integers
between 0 and 999, inclusive. No two rules may have the same sort
order.
There is a single, global list of rules. Each rule in the list has a relative
integer sort-order. The rule with the lowest sort-order value is always
evaluated first, the rule with the highest sort-order value is always
evaluated last, and all other rules are evaluated in-between in order based
on ascent of their sort-order value.
For example, if there are five rules, numbered 500, 100, 300, 200, 201;
the rule evaluation order is 100, 200, 201, 300, 500.
Each packet to be filtered is compared against the list of rules in
sequence, starting with the first. Evaluation of the rule list stops on the
first match that has an action of accept, discard, or reject. A match on a
rule with an action of none does not stop further evaluation of the rule
list; the statistics count is updated and a log is generated if the rule
indicates it, but otherwise rule processing continues with the next rule in
the list.
Rules should be sequenced for effect and efficiency by the user;
generally this means:
• More specific rules should be evaluated first, and thus have the lowest
sort orders.
• One expression with multiple criteria is likely to evaluate more
efficiently than multiple expressions each with a single criterion.
This is a required setting.
◆ rate class
Specifies the name of a rate class. The value for the rate class association
is the name of any existing rate class. If omitted, no rate filter is applied.

Chapter 2
◆ vlan
Specifies the VLAN to which the packet filter rule should apply. The
value for this option is any VLAN name currently in existence. If you
omit this value, the rule applies to all VLANs.
You can use these options with the packet filter command to create trusted
allow lists:
◆ addresses
Specifies a list of source IP addresses. Any traffic matching a source IP
in the list is automatically allowed. This simplifies configuration of the
packet filter to allow trusted internal traffic to be passed from VLAN to
VLAN without a filter rule, including out to the Internet. Processing of
traffic by this option occurs before rule list evaluation, making it
impossible to override this option and mask out (block) certain types of
traffic with a packet filter rule. This option is empty by default.
◆ macs
Specifies a list of MAC addresses. The system allows any traffic
matching a MAC address in the source address list. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
◆ vlans
Specifies a list of ingress VLANs. Any traffic matching received on a
VLAN in the ingress VLAN list is automatically allowed. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
See also
rate class(1), virtual(1), vlan(1), vlangroup(1), bigpipe(1)
2 - 158
partition
Configures administrative partitions that implement access control for the
BIG-IP system users.
Syntax
Use this command to configure administrative partitions that implement
access control for the BIG-IP system users. To use this command, you must
have the Administrator user role assigned to your user account.
Create/Modify
partition <partition key> {}
partition (<partition key> | all) [{] <partition arg list> [}]
<partition key> ::=
<name>
<partition arg> ::=
default rd id <number>
description (<string> | none)
name <name>
Display
partition [<partition key> | all] [show [all]]
partition [<partition key> | all] list [all]
partition (<partition key> | all) default rd id [show]
partition (<partition key> | all) description [show]
partition (<partition key> | all) name [show]
Delete
partition (<partition key> | all) delete
Description
An administrative partition is a logical container that you create, containing
a defined set of BIG-IP system objects, such as virtual servers, pools, and
profiles. When a specific set of objects resides in a partition, you can then
give certain users the authority to view and manage the objects in that
partition only, rather than to all objects on the BIG-IP system. This gives a
finer degree of administrative control.

Chapter 2
Options
You can use this option with the partition command:
◆ default rd id
Specifies which route domain in the partition should be the default route
domain.
◆ description
Specifies a description of the partition, for example: This partition
contains local traffic management objects for managing HTTP
traffic.
See also
user(1), bigpipe(1)
2 - 160
password policy
Specifies the parameters of the valid passwords for the BIG-IP system.
Syntax
Use this command to create a password policy for the BIG-IP system to
enforce your company's security requirements.
Create/Modify
Important
BIG-IP® Systems.
password policy [{] <password policy arg list> [}]

<password policy arg> ::=
max days <number>
min days <number>
min length <number>
remember <number>
required lowercase <number>
required numeric <number>
required special <number>
required uppercase <number>
strict (enable | disable)
warn age <number>
Display
password policy [show [all]]
password policy list [all]
password policy max days [show]
password policy min days [show]
password policy min length [show]
password policy remember [show]
password policy required lowercase [show]
password policy required numeric [show]
password policy required special [show]

Chapter 2
password policy required uppercase [show]

password policy strict [show]
password policy warn age [show]
Description
This command provides the ability to define the parameters of valid
passwords on the BIG-IP system.
Examples
Creates a password policy that specifies that passwords are valid for a
maximum of 90 days, and a minimum of 30 days. Also specifies that to be
valid, a password must contain at least six characters, but not more than 10
characters, including two lowercase alpha characters, two uppercase alpha
characters, and one number. Also states that the system automatically warns
users five days before their passwords expire:
password policy max days 90 min days 30 min length 6 max length 10 required lowercase 2 \
required uppercase 2 required special 1 required numeric 1 warn age 5
Options
You can use these options with the password policy command.
◆ max days
Specifies the maximum number of days a password is valid. The default
value is 99999.
◆ min days
Specifies the minimum number of days a password is valid. The default
value is 0 (zero).
◆ min length
Specifies the minimum number of characters in a valid password. The
default value is 6.
◆ partition
Displays the partition within which the password policy resides.
◆ remember
Specifies whether the user has configured the BIG-IP system to
remember a password on a specific computer. The default value is 0
(zero).
◆ required lowercase
Specifies the number of lowercase alpha characters that must be present
in a password for the password to be valid. The default value is 0 (zero).
◆ required numeric
Specifies the number of numeric characters that must be present in a
password for the password to be valid. The default value is 0 (zero).
◆ required special
Specifies the number of special characters that must be present in a
password for the password to be valid. The default value is 0 (zero).
2 - 162
◆ required uppercase
Specifies the number of uppercase alpha characters that must be present
in a password for the password to be valid. The default value is 0 (zero).
◆ strict
Enables or disables the password policy on the BIG-IP system. The
◆ warn age
Specifies the number of days before a password expires. Based on this
value, the BIG-IP system automatically warns users when their password
is about to expire. The default value is 7.
See also
bigpipe(1), user(1), remote_users(1), remoterole(1)

Chapter 2
persist
Configures persistence for the system and manages the persistence table
entries on the system.
Syntax
Use this command to configure persistence for the system and to manage the
persistence table entries on the system. For information on configuring
session persistence for a virtual server, see profile persist, on page 2-223.
Modify
Important
BIG-IP® Systems.
Use this syntax to configure persistence on the system:

persist [{] <persist arg list> [}]
<persist arg> ::=
dest addr limit (timeout | maxcount)
dest addr max <number>
proxy group (<string> | none)
Use this syntax to manage the persistence table entries:

persist <persist key> {}
persist <persist key> [{] <persist arg list> [}]
<persist key> ::=
[pool <pool key>] [virtual <virtual key>] \
[node (<ip addr> | <member>)] [mode (none | \
source addr | dest addr | cookie | msrdp | ssl | \
sip | universal | hash)] [key (<string> | none)] \
[client (<ip addr> | none)]
Display
persist [show [all]]
persist list [all]
persist dest addr limit [show]
persist dest addr max [show]
persist proxy group [show]
2 - 164
Delete
persist (<persist key> | all) delete
Description
You can use the persist command to configure persistence for the BIG-IP
system. You can also use the persist command to manage the records in the
persistence table of the system. If you specify a parameter for persist key,
you must specify a mode and no other parameter than mode.
Examples
Displays all persistence records with a mode of source addr:
persist mode source addr
Displays all persistence records persisting to node 11.12.13.10:80:

persist node 11.12.13.10:80 show
Options
You can use these options to configure persistence for the BIG-IP system:
◆ dest addr limit
Specifies that the persistence session is limited by either the number of
seconds before the persistence entry times out, or by a maximum number
of requests to the destination address.
◆ dest addr max
Specifies the maximum number of entries that can be in the persistence
table at any one time when using the destination address affinity mode
and when the option dest addr limit is set to maxcount. The default value
is 2048 entries.
◆ partition
Displays the partition within which the persist object resides.
◆ proxy group
Specifies a group of servers that are configured to process all of the
requests from a single source address during a persistence session.
You can use these options to manage the persistence table entries:
◆ mode
Specifies the type of persistence you are setting up for the system. The
following options are available:
• client
When you specify source addr for the mode option, use this option to
specify the IP address on which the session persists.
• cookie
Cookie persistence uses an HTTP cookie stored on a client's computer
to allow the client to connect to the same server previously visited at a
web site.

Chapter 2
• dest addr
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols, and directs session
requests to the same server based solely on the destination IP address
of a packet.
• hash
Hash persistence is based on an existing iRule.
• key
Specifies a string for the system to use to persist a client session.
• msrdp
MSRDP persistence provides an efficient way of load balancing
traffic and maintaining persistent sessions between Windows clients
and servers that are running the Microsoft Terminal Services service.
The recommended scenario for enabling the MSRDP persistence
feature is to create a load balancing pool that consists of members
running Windows Server 2003, Enterprise Edition, or later, where all
members belong to a Windows cluster and participate in a Windows
session directory.
• sip
Session Initiation Protocol (SIP) persistence is a type of persistence
available for server pools. You can configure SIP persistence for
proxy servers that receive SIP messages sent through UDP. The
BIG-IP system currently supports persistence for SIP messages sent
through UDP, TCP, or SCTP.
• source addr
Also known as simple persistence, source address affinity persistence
supports TCP and UDP protocols, and directs session requests to the
same server based solely on the source IP address of a packet. When
you specify source addr as the mode of persistence, you must specify
an IP address using the client option.
• ssl
SSL persistence is a type of persistence that tracks non-terminated
SSL sessions, using the SSL session ID. Even when the client's IP
address changes, the system still recognizes the connection as being
persistent based on the session ID. Note that the term, non-terminated
SSL sessions, refers to sessions in which the system does not perform
the tasks of SSL certificate authentication and
encryption/re-encryption.
• universal
Universal persistence allows you to write an expression that defines
what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules™, defines some sequence of
bytes to use as a session identifier.
◆ node
Indicates the node with which the client session remains persistent.
2 - 166
◆ pool
Indicates the pool member with which the client session remains
persistent.
◆ virtual
Indicates the virtual server with which the client session remains
persistent.
See also
profile persist(1), virtual(1), bigpipe(1)

Chapter 2
platform
Displays information about the BIG-IP system platform.
Syntax
Use this command to display information about the system platform,
including name and number, the license level of the installed hardware SSL
compression cards, the amount of installed memory, the type and speed of
the CPU, the PVA type (if present), and a list of licensed and enabled
modules, such as the BIG-IP® Global Traffic Manager.
Display
platform [show [all]]
platform base mac [show]
platform bios rev [show]
platform chassis 400 level bom num [show]
platform chassis slot id [show]
platform enable cmp ffp [show]
platform has pva [show]
platform host [show]
platform lacp capable [show]
platform mac offset free [show]
platform mac offset last [show]
platform marketing name [show]
platform max cluster size [show]
platform max static l2 [show]
platform max trunks [show]
platform max vlans [show]
platform mstp capable [show]
platform name [show]
platform netreboot capable [show]
platform num static l2 [show]
platform num trunks [show]
platform phy memory [show]
platform phy memory bytes [show]
platform portmirror capable [show]
platform pva version [show]
platform securekey capable [show]
platform stp capable [show]
platform system type [show]
platform trnk id mode [show]
platform valid baud rates [show]
platform wildcat serial num [show]
2 - 168
Description
Display platform statistics such as CPU fan speed and temperature, chassis
temperature, and power supply status.
Examples
This command:
platform show all
Displays the following information:

PLATFORM INFORMATION -
Type
Chassis serial number and part number
Switch board serial number and part number
Host board serial number and part number
Annunciator board serial number and part number
BIOS Rev
base MAC
CPU temp and fan speed
CHASSIS TEMPERATURE
CHASSIS FAN status
POWER SUPPLY status
This command:
platform base mac [show]
Displays the following information:

PLATFORM - base mac: 00:01:D7:2C:9F:40
See also
bigpipe(1)

Chapter 2
pool
Configures load balancing pools on the BIG-IP system.
Syntax
Use this command to configure a load balancing pool.
Create/Modify
Important
BIG-IP® Systems.
pool <pool key> {}

pool (<pool key> | all) [{] <pool arg list> [}]
<pool key> ::=
<name>
<pool arg> ::=
action on svcdown (none | reset | drop | reselect)
ip tos to client (<number> | mimic | pass)
ip tos to server (<number> | mimic | pass)
lb method (round robin | rr | member ratio | member least conn | member observed |
member predictive | ratio | node ratio | least conn | fastest | observed | \
predictive | dynamic ratio | fastest app resp | least sessions | \
member dynamic ratio | l3 addr)
link qos to client (<number> | mimic | pass)
link qos to server (<number> | mimic | pass)
members (<pool member list> | none) [add | delete]
min active members <number>
min up members <number>
min up members (enable | disable)
min up members (reboot | restart | failover | go active | no action | restart all | \
failover restart tm | failover abort tm | go offline | go offline restart | \
go offline abort tm | go offline downlinks | go offline downlinks restart)
monitor all (none | <monitor key> |
min <number> of <monitor key list>
name <name>
nat (enable | disable)
reselect tries <number>
slow ramp time <number>
2 - 170
snat (enable | disable)

unit <number>
<pool member> ::= (<pool member key> | all) [{] <pool member arg list> [}]
<pool member key> ::=
<member>
<pool member arg> ::=
addr <member>
limit <number>
(up | down)
priority <number>
ratio <number>
weight <number>
pool (<pool key> | all) stats reset
Display
pool [<pool key> | all] [show [all]]
pool [<pool key> | all] list [all]
pool (<pool key> | all) action on svcdown [show]
pool (<pool key> | all) ip tos to client [show]
pool (<pool key> | all) ip tos to server [show]
pool (<pool key> | all) lb method [show]
pool (<pool key> | all) link qos to client [show]
pool (<pool key> | all) link qos to server [show]
pool (<pool key> | all) members (<pool member key> | all) stats reset
pool (<pool key> | all) members [<pool member key> | all] [show [all]]
pool (<pool key> | all) members [<pool member key> | all] list [all]
pool (<pool key> | all) members (<pool member key> | all) addr [show]
pool (<pool key> | all) members (<pool member key> | all) dynamic ratio [show]
pool (<pool key> | all) members (<pool member key> | all) limit [show]
pool (<pool key> | all) members (<pool member key> | all) monitor [show]
pool (<pool key> | all) members (<pool member key> | all) monitor state [show]
pool (<pool key> | all) members (<pool member key> | all) pool name [show]
pool (<pool key> | all) members (<pool member key> | all) priority [show]
pool (<pool key> | all) members (<pool member key> | all) ratio [show]
pool (<pool key> | all) members (<pool member key> | all) session [show]
pool (<pool key> | all) members (<pool member key> | all) stats [show]
pool (<pool key> | all) members (<pool member key> | all) weight [show]
pool (<pool key> | all) min active members [show]
pool (<pool key> | all) min up members [show]

Chapter 2
pool (<pool key> | all) monitor all [show]

pool (<pool key> | all) name [show]
pool (<pool key> | all) nat [show]
pool (<pool key> | all) partition [show]
pool (<pool key> | all) reselect tries [show]
pool (<pool key> | all) slow ramp time [show]
pool (<pool key> | all) snat [show]
pool (<pool key> | all) stats [show]
pool (<pool key> | all) unit [show]
Delete
pool (<pool key> | all) delete
Description
The pool command creates, deletes, modifies, and displays the pool
definitions on the traffic management system. Pools group the member
servers together to use a common load balancing algorithm.
Examples
Creates a pool with two members 10.2.3.11, and 10.2.3.12, where both
members use the round robin load balancing method, and the default HTTP
monitor checks for member availability:
pool mypool {
monitor all http
member 10.2.3.11:http
}
Deletes the pool mypool: (Note that all references to a pool must be
removed before a pool may be deleted.)
pool mypool delete
Displays statistics for all pools:

pool show
Displays settings of pool mypool:

pool mypool show
2 - 172
Options
You can use these options with the pool command:
◆ <pool key>
Specifies a list of pool names separated by a space. A pool name is a
string from 1 to 31 characters, for example: new_pools.
◆ action on svcdown
Specifies the action to take if the service specified in the pool is marked
down. Possible values are none, reset, drop, or reselect. You can
specify no action with none, you can reset the system with reset, you can
drop connections using drop, or you can reselect a node for the next
packet that comes in on a Layer 4 connection if the existing connection’s
service is marked down by specifying reselect. The default value is
none.
◆ <ip:service>
Specifies an IP address and service being assigned to a pool as a member.
For example: 10.2.3.12:http.
◆ ip tos to client and ip tos to server
Specifies the Type of Service (ToS) level to use when sending packets to
a client or server. The default value is 65535.
◆ lb method
Specifies the load balancing mode that the system is to use for the
specified pool.
• dynamic ratio
Specifies a range of numbers that you want the system to use in
conjunction with the ratio load balancing method. The default ratio
number is 1.
• fastest
Indicates that the system passes a new connection based on the fastest
response of all currently active nodes in a pool. This method may be
particularly useful in environments where nodes are distributed across
different logical networks.
• fastest app resp
application response of all currently active nodes in a pool.
• l3 addr
Indicates that the system passes connections sequentially to each
member configured using its IP address. The IP address is a Layer 3
address.
• least conn
Indicates that the system passes a new connection to the node that has
the least number of current connections.
• least sessions
the least number of current sessions. Least Sessions methods work
best in environments where the servers or other equipment you are
load balancing have similar capabilities. This is a dynamic load

Chapter 2
balancing method, distributing connections based on various aspects

of real-time server performance analysis, such as the current number
of sessions
• member dynamic ratio
Indicates that the system passes a new connection to the member
based on continuous monitoring of the servers, which are continually
changing. This is a dynamic load balancing method, distributing
connections based on various aspects of real-time server performance
analysis, such as the current number of connections per node or the
fastest node response time.
• member least conn
Indicates that the system passes a new connection to the member that
has the least number of current connections.
• member observed
member based on observed status of the member.
• member predictive
member based on a predictive algorithm.
• member ratio
Specifies a ratio number that you want the system to use in
number is 1.
• node ratio
number is 1.
• observed
Indicates that the system passes connections sequentially to each node
based on observed status of the member.
• predictive
based on a predictive algorithm.
• rr
member. Round Robin is the default load balancing method.
◆ link qos to client and link qos to server
Specifies the Quality of Service (QoS) level to use when sending packets
to a client or server. The default value is 0.
◆ min active members
Specifies the minimum number of members that must remain available
for traffic to be confined to a priority group when using priority-based
activation. The default value is 0.
◆ min up members
Enables or disables this feature. The default value is disable.
2 - 174
You can also specify the minimum number of members that must remain
up for traffic to be confined to a priority group when using priority-based
activation. If the number specified is exceeded, the action specified
happens. The default value is 0.
You can also specify for the system to failover if the min up members
number is exceeded.
◆ monitor all
Creates a monitor rule for the pool. You can specify a monitor rule that
marks the pool down if the specified number of monitors are not
successful.
◆ nat
Enables or disables NAT connections for the pool.
◆ partition
Displays the partition within which the pool resides.
◆ priority
Specifies a priority that you want to assign to a pool member, to ensure
that traffic is directed to that member before being directed to a member
of a lower priority.
◆ slow ramp time
Provides the ability to cause a pool member that has just been enabled, or
marked up, to receive proportionally less traffic than other members in
the pool. The proportion of traffic the member accepts is determined by
how long the member has been up in comparison to the slow ramp time
set for the pool. For example, if a pool using round robin has a slow ramp
time of 60 seconds, and the pool member has been up for only 30
seconds, it receives approximately half the amount of new traffic as other
pool members that have been up for more than 60 seconds. At 45
seconds, it receives approximately three quarters of the new traffic. Slow
ramp time is particularly useful for least connections load balancing
mode. The default value is 0.
◆ snat
Enables or disables SNAT connections for the pool.
◆ unit
Specifies the unit number used by this pool in an active-active redundant
See also
monitor(1), node(1), virtual(1), bigpipe(1)

Chapter 2
profile
Displays profile settings, resets statistics, or deletes a profile.
Syntax
Use this command to display profile settings, reset statistics, or delete a
profile.
Modify
profile (<profile key> | all) [{] <profile arg list> [}]
<profile key> ::=
<name>
<profile arg> ::=
name <name>
profile (<profile key> | all) stats reset
Display
profile [<profile key> | all] [show [all]]
profile [<profile key> | all] list [all]
profile (<profile key> | all) name [show]
Delete
profile (<profile key> | all) delete
Description
You can use this command to display or delete existing profiles. You can
also reset statistics for an existing profile or display the configuration for a
profile.
Examples
Displays all profiles on the system (includes all system profiles):
profile all show
See also
profile auth(1), profile clientssl(1), profile fastl4(1), profile fastthttp(1),
profile ftp(1), profile http(1), profile oneconnect(1), profile persist(1),
profile serverssl(1), profile statistics(1), profile stream(1), profile tcp(1),
profile udp(1), bigpipe(1)
2 - 176
profile auth
Configures a type of authentication profile.
Syntax
Use this command to configure a type of authentication profile.
Create/Modify
Important
BIG-IP® Systems.
profile auth <profile auth key> {}

profile auth (<profile auth key> | all) [{] <profile auth arg list> [}]
<profile auth key> ::=
<name>
<profile auth arg> ::=
config (<name> | none)
cookie key (<string> | none)
cookie name <name>
credential source http basic auth
defaults from (<profile auth key> | none)
mode (disable | enable)
name <name>
rule (<rule key> | none)
type (ldap | radius | ssl cc ldap | ssl ocsp | tacacs | generic | ssl crldp | \
krbdelegate)
profile auth (<profile auth key> | all) stats reset
Display
profile auth [<profile auth key> | all] [show [all]]
profile auth [<profile auth key> | all] list [all]
profile auth (<profile auth key> | all) config [show]
profile auth (<profile auth key> | all) cookie key [show]
profile auth (<profile auth key> | all) cookie name [show]
profile auth (<profile auth key> | all) credential source [show]
profile auth (<profile auth key> | all) defaults from [show]

Chapter 2
profile auth (<profile auth key> | all) idle timeout [show]

profile auth (<profile auth key> | all) mode [show]
profile auth (<profile auth key> | all) name [show]
profile auth (<profile auth key> | all) partition [show]
profile auth (<profile auth key> | all) rule [show]
profile auth (<profile auth key> | all) stats [show]
profile auth (<profile auth key> | all) type [show]
Delete
profile auth (<profile auth key> | all) delete
Description
configure an authentication profile. An authentication profile is an object
that specifies the type of authentication module you want to implement, a
parent profile, and the configuration object. For example, you can use the
profile auth command to create a TACACS+ profile (see example
following). You can either use the default profile that the BIG-IP local
traffic management system provides for each type of authentication module
or create a custom profile. The types of authentication profiles you can
create with the profile auth command are: LDAP, SSL CC LDAP,
RADIUS, TACACS+, SSL OCSP, and CRLDP.
Examples
Creates a profile named mytacacs_profile for TACACS+ authentication:
profile auth mytacacs_profile {
config mytacacs_profile config credential source http basic auth defaults from tacacs \
mode enable type tacacs rule myrule1 idle timeout 60
}
Example of auth module implementation

For example, to configure the LDAP authentication module, create the
following objects.
1. Create an LDAP configuration object using the auth ldap
command.
2. Create an LDAP profile, in which you specify the authentication
module type as LDAP, specify a parent profile (either the default
ldap profile or another custom profile that you created), and
reference the LDAP configuration object. Use the profile auth
command.
3. Configure the virtual server to reference the custom LDAP profile,
using the virtual command.
2 - 178
Options
You can use these options with the profile auth command:
◆ config
Specifies the type of authentication profile that you are creating. You can
specify an LDAP, RADIUS, TACACS+, SSL client certificate, SSL
OCSP, or CRLDP configuration object. This setting is required.
◆ cookie key/name
The cookie name is only used for the kerberos delegation module. It is a
unique session cookie assigned to each user. Each virtual server should
use a different cookie name. The unique cookie is encrypted in a key.
Each site should use a different key.
◆ credential source
Specifies the credential source as http basic auth or default. For LDAP,
RADIUS, and TACACS+, specify http basic auth for the credential
source. For SSL client certificate or SSL OCSP specify default.
◆ defaults from
Specifies the name of the default authentication profile from which you
want your custom profile to inherit settings. This setting is required.
◆ idle timeout
Sets the idle timeout for the auth profile. The options are a number,
immediate, indefinite, or default. The default value is 300 seconds.
◆ mode
Specifies the profile mode. The options are enable, disable, or default.
◆ partition
Displays the partition in which the authentication profile resides.
◆ rule
Specifies the name of the default rule or custom rule that corresponds to
the authentication method you want to use.
◆ type
Specifies the type of authentication profile that you want use. The
following types are available:
• generic
Unlike the other authentication profile types, when you use the
command line interface to create a generic authentication profile, you
must manually create or edit a pluggable authentication module
(PAM) configuration file. The name of this configuration file for a
given authentication profile is /etc/pam.d/tmm_{name}, where
{name} is the name of the profile instance. The bigpipe utility
displays an informational message that specifies the file to create or
edit when you manipulate a generic authentication profile. F5
recommends that only users with PAM expertise use this advanced
feature.

Chapter 2
• ldap
An LDAP authentication module is a mechanism for authenticating or
authorizing client connections passing through a traffic management
system. This module is useful when your authentication or
authorization data is stored on a remote LDAP server or a Microsoft
Windows Active Directory server, and you want the client credentials
to be based on basic HTTP authentication (that is, user name and
password). You configure an LDAP authentication module by
creating an LDAP configuration object, and creating an LDAP
profile.
• radius
By creating a RADIUS profile and one or more RADIUS server
objects, you can implement the RADIUS authentication module as the
mechanism for authenticating client connections passing through the
BIG-IP local traffic management system. You use this module when
your authentication data is stored on a remote RADIUS server. In this
case, client credentials are based on basic HTTP authentication (that
is, user name and password). To implement the RADIUS
authentication module, you must create the following objects: one or
more high-level RADIUS server objects, a RADIUS configuration
object, and a RADIUS profile. After you create these objects, you
must assign the RADIUS profile to a virtual server.
• ssl cc ldap
Using an SSL client certificate LDAP configuration object and
profile, you can implement the SSL client certificate LDAP
authentication module as the mechanism for authorizing client
connections passing through a traffic management system. In this
case, client credentials are based on SSL certificate credentials instead
of user name and password. LDAP client authorization is based not
only on SSL certificates, but also on user groups and roles that you
define.
• ssl crldp
A Certificate Revocation List Distribution Point (CRLDP)
authentication module is a mechanism for handling certificate
revocations on a network, for client connections passing through the
BIG-IP system. To implement the CRLDP authentication module,
you must create the following objects: One or more high-level
CRLDP server objects, a CRLDP configuration object, and a CRLDP
profile. After you create these objects, you must assign the RADIUS
profile to a virtual server.
• ssl ocsp
Online Certificate Status Protocol (OCSP) is an industry-standard
protocol that offers an alternative to a certificate revocation list (CRL)
when using public-key technology. A CRL is a list of revoked client
certificates, which a server system can check during the process of
verifying a client certificate. The BIG-IP local traffic management
system supports both CRLs and the OCSP protocol. To implement the
SSL OCSP authentication module, you must create the following
objects: one or more high-level SSL OCSP responder objects, an SSL
2 - 180
OCSP configuration object, and an SSL OCSP profile. After you

create these objects, you must assign the SSL OCSP profile to a
virtual server.
• tacacs
Using a TACACS+ profile, you can implement the TACACS+
authentication module as the mechanism for authenticating client
connections passing through a traffic management system. You use
this module when your authentication data is stored on a remote
TACACS+ server. In this case, client credentials are based on basic
HTTP authentication (that is, user name and password). You
configure a TACACS+ authentication module by creating a
TACACS+ configuration object, and then creating a TACACS+
profile.
See also
auth crldp(1), auth ldap(1), auth radius(1), auth ssl cc ldap(1), auth ssl
ocsp(1), auth tacacs(1), bigpipe(1)

Chapter 2
profile clientssl
Configures a Client SSL profile.
Syntax
Use this command to configure a Client SSL profile.
Create/Modify
Important
BIG-IP® Systems.
profile clientssl <profile clientssl key> {}

profile clientssl (<profile clientssl key> | all) [{] <profile clientssl arg list> [}]
<profile clientssl key> ::=
<name>
<profile clientssl arg> ::=
alert timeout (<number> | immediate | indefinite)
authenticate (always | once)
authenticate depth <number>
cache size <number>
cert (<file name> | none)
chain (<file name> | none)
ciphers (<string> | none)
client cert ca (<file name> | none)
crl file (<file name> | none)
defaults from (<profile clientssl key> | none)
dtls cookie (enable | disable)
handshake timeout (<number> | immediate | indefinite)
key (<file name> | none)
modssl methods (enable | disable)
name <name>
nonssl (enable | disable)
2 - 182
options [all bugfixes] [cipher server preference] [dont insert empty fragments] \
[ephemeral rsa] [microsoft big sslv3 buffer] [msie sslv2 rsa padding] \
[netscape ca dn bug] [netscape challenge bug] [netscape demo cipher change bug] \
[netscape reuse cipher change bug] [no session resumption on renegotiation] \
[no sslv2] [no sslv3] [no tlsv1] [passive close] [pkcs1 check 1] [pkcs1 check 2] \
[single dh use] [ssleay 080 client dh bug] [sslref2 reuse cert type bug] \
[tls block padding bug] [tls d5 bug] [tls rollback bug] [microsoft sess id bug] | \
none
passphrase (<string> | none)
peer cert mode (ignore | require | request | auto)
renegotiate max record delay (<number> | immediate | indefinite)
renegotiate period (<number> | immediate | indefinite)
renegotiate size (<number>[MB|mb] | indefinite)
strict resume (enable | disable)
unclean shutdown (enable | disable)
profile clientssl (<profile clientssl key> | all) stats reset
Display
profile clientssl [<profile clientssl key> | all] [show [all]]
profile clientssl [<profile clientssl key> | all] list [all]
profile clientssl (<profile clientssl key> | all) alert timeout [show]
profile clientssl (<profile clientssl key> | all) authenticate [show]
profile clientssl (<profile clientssl key> | all) authenticate depth [show]
profile clientssl (<profile clientssl key> | all) ca file [show]
profile clientssl (<profile clientssl key> | all) cache size [show]
profile clientssl (<profile clientssl key> | all) cache timeout [show]
profile clientssl (<profile clientssl key> | all) cert [show]
profile clientssl (<profile clientssl key> | all) chain [show]
profile clientssl (<profile clientssl key> | all) ciphers [show]
profile clientssl (<profile clientssl key> | all) client cert ca [show]
profile clientssl (<profile clientssl key> | all) crl file [show]
profile clientssl (<profile clientssl key> | all) defaults from [show]
profile clientssl (<profile clientssl key> | all) dtls cookie [show]
profile clientssl (<profile clientssl key> | all) handshake timeout [show]
profile clientssl (<profile clientssl key> | all) key [show]
profile clientssl (<profile clientssl key> | all) mode [show]
profile clientssl (<profile clientssl key> | all) modssl methods [show]
profile clientssl (<profile clientssl key> | all) name [show]
profile clientssl (<profile clientssl key> | all) nonssl [show]
profile clientssl (<profile clientssl key> | all) options [show]
profile clientssl (<profile clientssl key> | all) partition [show]
profile clientssl (<profile clientssl key> | all) passphrase [show]
profile clientssl (<profile clientssl key> | all) peer cert mode [show]
profile clientssl (<profile clientssl key> | all) renegotiate max record delay [show]
profile clientssl (<profile clientssl key> | all) renegotiate period [show]
profile clientssl (<profile clientssl key> | all) renegotiate size [show]

Chapter 2
profile clientssl (<profile clientssl key> | all) stats [show]

profile clientssl (<profile clientssl key> | all) strict resume [show]
profile clientssl (<profile clientssl key> | all) unclean shutdown [show]
Delete
profile clientssl (<profile clientssl key> | all) delete
Description
This command provides the ability to create a custom Client SSL profile.
Client-side profiles allow the traffic management system to handle
authentication and encryption tasks for any SSL connection coming into a
traffic management system from a client system. You implement this type of
profile by using the default profile, or creating a custom profile based on the
default clientssl profile and modifying its settings. All default profiles are
stored in the file /config/profile_base.conf.
Examples
Creates a Client SSL profile named myclientsslprofile using the system
defaults:
profile clientssl myclientsslprofile { mode enable }
Arguments
Several command arguments are available for use with this command:
◆ ca file
Specifies the certificate authority (CA) file name. To use the default CA
file name, specify default. Configures certificate verification by
specifying a list of client or server CAs that the traffic management
system trusts.
◆ cert
Specifies the name of the certificate installed on the traffic management
system for the purpose of terminating or initiating an SSL connection.
You can specify the default certificate name, which is default.crt.
◆ chain
Specifies or builds a certificate chain file that a client can use to
authenticate the profile. To use the default chain name, specify default.
◆ ciphers
Specifies a cipher name. To use the default ciphers, specify default.
◆ client cert ca
Specifies the client cert certificate authority name. To use the client cert
certificate authority name, specify default.
◆ crl file
Specifies the certificate revocation list file name. To use the default
certificate revocation file name, specify default.
2 - 184
◆ defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
◆ dtls cookie
Specifies if Datagram Transport Level Security support is enabled or
disabled for SSL traffic.
◆ key
Specifies the name of a key file that you generated and installed on the
system. When selecting this option, type a key file name or use the
default key name default.key. The default key name is default.key.
◆ mode
Specifies the profile mode, which enables or disables SSL processing.
The options are enable, disable, or default. The default value is enable.
Options
◆ alert timeout
Specifies the alert timeout in seconds. You can also specify immediate,
indefinite, or default.
◆ authenticate
Specifies frequency of authentication. Options are once, always, or
default.
◆ authenticate depth
Specifies the authenticate depth. This is the client certificate chain
maximum traversal depth.
◆ cache size
Specifies the SSL session cache size. For client-side profiles only, you
can configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
◆ cache timeout
Specifies the SSL session cache timeout value. This specifies the number
of usable lifetime seconds of negotiated SSL session IDs. The default
timeout value for the SSL session cache is 300 seconds. Acceptable
values are integers greater than or equal to 5. You can also set this value
to indefinite.
◆ handshake timeout
Specifies the handshake timeout in seconds. You can also specify
indefinite or default.
◆ modssl methods
Enables or disables ModSSL methods. This setting enables or disables
ModSSL method emulation. This setting should be enabled when
OpenSSL methods are inadequate. For example, you can enable this
when you want to use SSL compression over TLSv1.

Chapter 2
◆ nonssl
Specifies enable to allow non-SSL connections to pass through the
traffic management system as clear text.
◆ partition
Displays the partition within which the clientssl profile resides.
◆ passphrase
Specifies the key passphrase if required.
◆ peer cert mode
Specifies the peer certificate mode. Options are request, require,
ignore, auto, or default.
◆ renegotiate period
Specifies the Renegotiate Period setting to renegotiate an SSL session
based on the number of seconds that you specify.
◆ renegotiate size
Specifies the Renegotiate Size setting forces the traffic management
system to renegotiate an SSL session based on the size, in megabytes, of
application data that is transmitted over the secure channel.
◆ renegotiate max record delay
Forces the traffic management system to renegotiate an SSL session
based on the maximum number of SSL records that can be received
while waiting for the client to initiate the renegotiation. If the maximum
number of SSL records is received, the traffic management system closes
the connection. This setting applies to client-side profiles only.
◆ strict resume
Specifies enable to prevent an SSL session from being resumed after an
unclean shutdown. The default option is disable, which causes the SSL
profile to allow uncleanly shut down SSL sessions to be resumed.
Conversely, when the enable option is set, the SSL profile refuses to
resume SSL sessions after an unclean shutdown.
◆ unclean shutdown
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. If you want to
force the SSL profile to perform a clean shutdown of all SSL
connections, you can disable the default setting.
The following choices, including some industry-related workarounds, are

available under options:
◆ [all bugfixes]
This option enables all of the industry-related defect workarounds. It is
usually safe to use the all bugfixes option to enable the defect
workaround options when you want compatibility with broken
implementations. Note that if you edit the configuration in the
browser-based Configuration utility, the syntax for this option is
expanded into each individual option.
2 - 186
◆ [cipher server preference]

When choosing a cipher, use this option to set all the server's preferences
instead of the client’s preferences. When this option is not set, the SSL
server always follows the client's preferences. When this option is set, the
SSLv3/TLSv1 server chooses by using its own preferences. Due to the
different protocol, for SSLv2 the server sends its list of preferences to the
client and the client always chooses.
◆ [dont insert empty fragments]
This option disables a countermeasure against a SSL 3.0/TLS 1.0
protocol vulnerability affecting CBC ciphers. These ciphers cannot be
handled by certain broken SSL implementations. This option has no
effect for connections using other ciphers.
◆ [ephemeral rsa]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is done only when an
RSA key can be used only for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that ephemeral RSA keys are always used. This option breaks
compatibility with the SSL/TLS specifications, and may lead to
interoperability problems with clients. Therefore, F5 does not
recommend it. You should use ciphers with EDH (Ephemeral
Diffie-Hellman) key exchange instead. This option is ignored for
server-side SSL.
◆ [microsoft big sslv3 buffer]
This option enables a workaround for communicating with older
Microsoft applications that use non-standard SSL record sizes.
◆ [microsoft sess id bug]
This option handles a Microsoft session ID problem.
◆ [msie sslv2 rsa padding]
Microsoft applications that use non-standard RSA key padding. This
option is ignored for server-side SSL.
◆ [netscape ca dn bug]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape Navigator® browser connection, demands
a client cert, has a non-self-signed CA that does not have its CA in
Netscape Navigator, and the browser has a certificate, the system
becomes unavailable. This option works for Netscape Navigator versions
3 and later.
◆ [netscape challenge bug]
This option handles the Netscape® challenge problem.
◆ [netscape demo cipher change bug]
This option deliberately manipulates the SSL server session resumption
behavior to mimic that of certain Netscape servers (see the Netscape
reuse cipher change bug workaround description). F5 does not
recommend this option for normal use. The system ignores this option
for server-side SSL.

Chapter 2
◆ [netscape reuse cipher change bug]

This option handles a defect within Netscape Enterprise Server version
2.01 that only appears when you are connecting through SSLv2/v3 then
reconnecting through SSLv3. In this case, the cipher list changes.
First, a connection is established with the RC4-MD5 cipher list. If it is
then resumed, the connection switches to using the DES-CBC3-SHA
cipher list. However, according to RFC 2246 (section 7.4.1.3, cipher
suite), the cipher list should remain RC4-MD5.
As a workaround, you can attempt to connect with a cipher list of
DES-CBC-SHA:RC4-MD5 and so on. Each new connection uses the
RC4-MD5 cipher list, but any re-connection attempts to use the
DES-CBC-SHA cipher list. Thus Netscape, when reconnecting, always
uses the first cipher in the cipher list.
◆ [no sslv2]
Do not use the SSLv2 protocol.
◆ [no sslv3]
◆ [no tlsv1]
Do not use the TLSv1 protocol.
◆ [no session resumption on renegotiation]
When performing renegotiation as an SSL server, this option always
starts a new session (that is, session resumption requests are only
accepted in the initial handshake). This option is ignored for server-side
SSL.
◆ [passive close]
Indicates how to handle industry-related workarounds.
• none
Choose this option if you want to disable all workarounds. F5 does
not recommend this option.
• default
Specifies the value, all bugfixes, which enables a set of
industry-related miscellaneous workarounds related to SSL
processing.
◆ [pkcs1 check 1]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. F5 does not recommend this option for normal use.
The system ignores this option for client-side SSL.
◆ [pkcs1 check 2]
◆ [single dh use]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
2 - 188
when the DH parameters were not generated using strong primes, for
example, when using DSA-parameters. If strong primes were used, it is
not strictly necessary to generate a new DH key during each handshake,
but it is recommended. Enable the Single DH use option, whenever
temporary/ephemeral DH parameters are used.
◆ [ssleay 080 client dh bugssleay 080 client dh bug]
SSLeay-based applications that specify an incorrect Diffie-Hellman
public value length. This option is ignored for server-side SSL.
◆ [sslref2 reuse cert type bug]
This option handles the SSL reuse certificate type problem.
◆ [tls d5 bug]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
◆ [tls block padding bug]
TLSv1-enabled applications that use incorrect block padding.
◆ [tls rollback bug]
This option disables version rollback attack detection. During the client
key exchange, the client must send the same information about
acceptable SSL/TLS protocol levels as it sends during the first hello.
Some clients violate this rule by adapting to the server's answer. For
example, the client sends an SSLv2 hello and accepts up to SSLv3.1
(TLSv1), but the server only understands up to SSLv3. In this case, the
client must still use the same SSLv3.1 (TLSv1) announcement. Some
clients step down to SSLv3 with respect to the server's answer and
violate the version rollback protection. This option is ignored for
server-side SSL.
See also
profile(1), profile serverssl(1), bigpipe(1)

Chapter 2
profile dns
Configures a domain name service (DNS) profile.
Syntax
Use this command to configure a DNS profile.
Create/Modify
Important
BIG-IP® Systems.
profile dns <profile dns key> {}

profile dns (<profile dns key> | all) [{] <profile dns arg list> [}]
<profile dns key> ::=
<name>
<profile dns arg> ::=
defaults from (<profile dns key> | none)
gtm (enable | disable)
name <name>
profile dns (<profile dns key> | all) stats reset
Display
profile dns [<profile dns key> | all] [show [all]]
profile dns [<profile dns key> | all] list [all]
profile dns (<profile dns key> | all) defaults from [show]
profile dns (<profile dns key> | all) gtm [show]
profile dns (<profile dns key> | all) name [show]
profile dns (<profile dns key> | all) partition [show]
profile dns (<profile dns key> | all) stats [show]
Delete
profile dns (<profile dns key> | all) delete
2 - 190
Description
This command provides the ability to define the behavior of DNS traffic.
Examples
Creates a DNS profile named mydnsprofile that inherits its settings from
the system default DNS profile:
profile dns mydnsprofile {}
Options
You can use these options with the profile dns command:
◆ defaults from
◆ gtm
Indicates whether to allow the BIG-IP global traffic management system
to handle DNS resolution for DNS queries and responses that contain
wide IP names. The options are enable, disable, and default (that is,
accept the default from the parent profile). The default value is enable.
◆ name
Specifies the name of the profile.
◆ partition
Displays the partition within which the profile resides.
See also
dns(1), profile(1), virtual(1), bigpipe(1)

Chapter 2
profile diameter
Configures a profile to manage diameter network traffic.
Syntax
Use this command to configure a diameter profile.
Create/Modify
Important
BIG-IP® Systems.
profile diameter <profile diameter key> {}

profile diameter (<profile diameter key> | all) [{] <profile diameter arg list> [}]
<profile diameter key> ::=
<name>
<profile diameter arg> ::=
defaults from (<profile diameter key> | none)
dest realm (<string> | none)
name <name>
overwrite dest host (enable | disable)
parent avp (<string> | none)
persist avp (<string> | none)
Display
profile diameter [<profile diameter key> | all] [show [all]]
profile diameter [<profile diameter key> | all] list [all]
profile diameter (<profile diameter key> | all) defaults from [show]
profile diameter (<profile diameter key> | all) dest realm [show]
profile diameter (<profile diameter key> | all) name [show]
profile diameter (<profile diameter key> | all) overwrite dest host [show]
profile diameter (<profile diameter key> | all) parent avp [show]
profile diameter (<profile diameter key> | all) partition [show]
profile diameter (<profile diameter key> | all) persist avp [show]
Delete
profile diameter (<profile diameter key> | all) delete
2 - 192
Description
You can use this command to configure a profile to manage diameter
network traffic.
Examples
Creates a profile diameter profile named my_diameter_profile:
profile diameter my_diameter_profile
Options
You can use these options with the profile dns command:
◆ defaults from
profile inherits all settings and values from the parent profile.
◆ dest realm
Specifies the realm to which messages are routed. A value of none
indicates that the destination-realm option is disabled. The default value
is none.
◆ overwrite dest host
When you enable this option, the system replaces the value of the
destination host field in the diameter header with the BIG-IP pool
member address. When you disable this option, the system does not
modify the destination host field. The default value is enable.
◆ parent avp
Specifies the name of the diameter attribute that the system uses to
indicate if the persist-avp option is embedded in a grouped avp. A value
of none indicates that the value of the persist-avp option is not
embedded in a grouped avp. The default value is none.
You can specify an ASCII string or a numeric ID in the range 1 to
4294295967. Acceptable strings can be found in RFC 3588 section 4.5.
◆ partition
◆ persist avp
Specifies the name of the diameter attribute that the system persists on. A
value of none indicates that persistence is disabled. The default value is
none.
You can specify an ASCII string or a numeric ID in the range 1 to
4294295967. Acceptable strings can be found in RFC 3588 section 4.5.
See also
dns(1), profile(1), virtual(1), bigpipe(1)

Chapter 2
profile fasthttp
Configures a Fast HTTP profile.
Syntax
Use this command to configure a Fast HTTP profile.
Create/Modify
Important
BIG-IP® Systems.
profile fasthttp <profile fasthttp key> {}

profile fasthttp (<profile fasthttp key> | all) [{] <profile fasthttp arg list> [}]
<profile fasthttp key> ::=
<name>
<profile fasthttp arg> ::=
client close timeout (<number> | immediate | indefinite)
conn pool idle timeout override ([<number>d] [<hh>:<mm>:<ss>] | disable |
indefinite)
conn pool max reuse <number>
conn pool max size <number>
conn pool min size <number>
conn pool replenish (enable | disable)
conn pool step <number>
defaults from (<profile fasthttp key> | none)
force http10 response (enable | disable)
header insert (<string> | none)
http11 close workarounds (enable | disable)
insert xforwarded for (disable | enable)
layer7 (enable | disable)
max header size <number>
max requests <number>
mss override <number>
name <name>
reset on timeout (enable | disable)
server close timeout (<number> | immediate | indefinite)
unclean shutdown (disable | enable | fast)
2 - 194
profile fasthttp (<profile fasthttp key> | all) stats reset
Display
profile fasthttp [<profile fasthttp key> | all] [show [all]]
profile fasthttp [<profile fasthttp key> | all] list [all]
profile fasthttp (<profile fasthttp key> | all) client close timeout [show]
profile fasthttp (<profile fasthttp key> | all) conn pool idle timeout override [show]
profile fasthttp (<profile fasthttp key> | all) conn pool max reuse [show]
profile fasthttp (<profile fasthttp key> | all) conn pool max size [show]
profile fasthttp (<profile fasthttp key> | all) conn pool min size [show]
profile fasthttp (<profile fasthttp key> | all) conn pool replenish [show]
profile fasthttp (<profile fasthttp key> | all) conn pool step [show]
profile fasthttp (<profile fasthttp key> | all) defaults from [show]
profile fasthttp (<profile fasthttp key> | all) force http10 response [show]
profile fasthttp (<profile fasthttp key> | all) header insert [show]
profile fasthttp (<profile fasthttp key> | all) http11 close workarounds [show]
profile fasthttp (<profile fasthttp key> | all) idle timeout [show]
profile fasthttp (<profile fasthttp key> | all) insert xforwarded for [show]
profile fasthttp (<profile fasthttp key> | all) layer7 [show]
profile fasthttp (<profile fasthttp key> | all) max header size [show]
profile fasthttp (<profile fasthttp key> | all) max requests [show]
profile fasthttp (<profile fasthttp key> | all) mss override [show]
profile fasthttp (<profile fasthttp key> | all) name [show]
profile fasthttp (<profile fasthttp key> | all) partition [show]
profile fasthttp (<profile fasthttp key> | all) reset on timeout [show]
profile fasthttp (<profile fasthttp key> | all) server close timeout [show]
profile fasthttp (<profile fasthttp key> | all) stats [show]
profile fasthttp (<profile fasthttp key> | all) unclean shutdown [show]
Delete
profile fasthttp (<profile fasthttp key> | all) delete
Description
The Fast HTTP profile provides the ability to accelerate certain HTTP
connections such as banner ads.
Examples
Creates a Fast HTTP profile named myfasthttpprofile that inherits its
settings from the system default fasthttp profile:
profile fasthttp myfasthttpprofile {}

Chapter 2
Options
You can use these options with the profile fasthttp command:
◆ client close timeout
Specifies the number of seconds after which the system closes a client
connection, when the system either receives a client FIN packet or sends
a FIN packet. This setting overrides the idle timeout setting. The default
value is 5.
◆ conn pool idle timeout override
Specifies the number of seconds after which a server-side connection in a
OneConnect™ pool is eligible for deletion, when the connection has no
traffic. This setting overrides the idle timeout that you specify. The
default value is 0 seconds, which disables the override setting.
◆ conn pool max reuse
Specifies the maximum number of times that the system can reuse a
current connection. The default value is 0.
◆ conn pool max size
Specifies the maximum number of connections to a load balancing pool.
A setting of 0 specifies that a pool can accept an unlimited number of
connections. The default value is 2048.
◆ conn pool min size
Specifies the minimum number of connections to a load balancing pool.
A setting of 0 specifies that there is no minimum. The default value is 10.
◆ conn pool replenish
The default value is enable. When this setting is enabled, the system
replenishes the number of connections to a load balancing pool to the
number of connections that existed when the server closed the
connection to the pool. When disabled, the system replenishes the
connection that was closed by the server, only when there are fewer
connections to the pool than the number of connections set in the conn
pool min size connections option. See the conn pool min size option
above.
◆ conn pool step
Specifies the increment in which the system makes additional
connections available, when all available connections are in use. The
default value is 4.
◆ defaults from
◆ force http10 response
Specifies whether to rewrite the HTTP version in the status line of the
server to HTTP 1.0 to discourage the client from pipelining or chunking
data. The default value is disable.
2 - 196
◆ header insert
Specifies a string that the system inserts as a header in an HTTP request.
If the header exists already, the system does not replace it.
◆ http11 close workarounds
Enables or disables HTTP 1.1 close workarounds. The default value is
disable.
◆ idle timeout
Specifies the number of seconds after which a connection is eligible for
deletion, when the connection has no traffic. The default value is 300
seconds.
◆ insert xforwarded for
Specifies whether the system inserts the XForwarded For header in an
HTTP request with the client IP address, to use with connection pooling.
• enable
Specifies that the system inserts the XForwarded For header with the
client IP address.
• disable
Specifies that the system does not insert the XForwarded For header.
◆ layer7
When enabled, the system parses HTTP data in the stream. Disable this
setting if you want to use the performance HTTP profile to shield against
denial-of-service attacks against non-HTTP protocols. The default value
is enable.
◆ max header size
Specifies the maximum amount of HTTP header data that the system
buffers before making a load balancing decision. The default value is
32768.
◆ max requests
Specifies the maximum number of requests that the system can receive
on a client-side connection, before the system closes the connection. A
setting of 0 specifies that requests are not limited. The default value is 0.
◆ mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default value is 0, which corresponds to an MSS of
1460. You can specify any integer between 536 and 1460.
◆ partition
◆ reset on timeout
When enabled, the system sends a TCP RESET packet when a
connection times out, and deletes the connection. The default value is
enable.
◆ server close timeout
Specifies the number of seconds after which the system closes a client
connection, when the system either receives a client FIN packet or sends
a FIN packet. This setting overrides the idle timeout setting. The default
value is 5.

Chapter 2
Specifies how the system handles closing a connection. The default value
is enable, which allows unclean shutdown of a client connection. Use
disable to prevent unclean shutdown of a client connection. Fast
specifies that the system sends a RESET packet to close the connection
only if the client attempts to send further data after the response has
completed. Default specifies to use the setting from the parent profile.
See also
profile(1), virtual(1), bigpipe(1)
2 - 198
profile fastl4
Configures a Fast Layer 4 profile.
Syntax
Use this command to configure a Fast Layer 4 profile.
Create/Modify
Important
BIG-IP® Systems.
profile fastL4 <profile fastL4 key> {}

profile fastL4 (<profile fastL4 key> | all) [{] <profile fastL4 arg list> [}]
<profile fastL4 key> ::=
<name>
<profile fastL4 arg> ::=
defaults from (<profile fastL4 key> | none)
hardware syncookie (enable | disable)
loose close (enable | disable)
loose initiation (enable | disable)
mss override <number>
name <name>
pva acceleration (full | assist | none)
reassemble fragments (enable | disable)
rtt from client (enable | disable)
rtt from server (enable | disable)
software syncookie (enable | disable)
tcp close timeout (<number> | immediate | indefinite)
tcp generate isn (enable | disable)
tcp handshake timeout (<number> | immediate | indefinite)
tcp strip sack (enable | disable)

Chapter 2
tcp timestamp (preserve | strip | rewrite)

tcp wscale (preserve | strip)
profile fastL4 (<profile fastL4 key> | all) stats reset
Display
profile fastL4 [<profile fastL4 key> | all] [show [all]]
profile fastL4 [<profile fastL4 key> | all] list [all]
profile fastL4 (<profile fastL4 key> | all) defaults from [show]
profile fastL4 (<profile fastL4 key> | all) hardware syncookie [show]
profile fastL4 (<profile fastL4 key> | all) idle timeout [show]
profile fastL4 (<profile fastL4 key> | all) ip tos to client [show]
profile fastL4 (<profile fastL4 key> | all) ip tos to server [show]
profile fastL4 (<profile fastL4 key> | all) link qos to client [show]
profile fastL4 (<profile fastL4 key> | all) link qos to server [show]
profile fastL4 (<profile fastL4 key> | all) loose close [show]
profile fastL4 (<profile fastL4 key> | all) loose initiation [show]
profile fastL4 (<profile fastL4 key> | all) mss override [show]
profile fastL4 (<profile fastL4 key> | all) name [show]
profile fastL4 (<profile fastL4 key> | all) partition [show]
profile fastL4 (<profile fastL4 key> | all) pva acceleration [show]
profile fastL4 (<profile fastL4 key> | all) reassemble fragments [show]
profile fastL4 (<profile fastL4 key> | all) reset on timeout [show]
profile fastL4 (<profile fastL4 key> | all) rtt from client [show]
profile fastL4 (<profile fastL4 key> | all) rtt from server [show]
profile fastL4 (<profile fastL4 key> | all) software syncookie [show]
profile fastL4 (<profile fastL4 key> | all) stats [show]
profile fastL4 (<profile fastL4 key> | all) tcp close timeout [show]
profile fastL4 (<profile fastL4 key> | all) tcp generate isn [show]
profile fastL4 (<profile fastL4 key> | all) tcp handshake timeout [show]
profile fastL4 (<profile fastL4 key> | all) tcp strip sack [show]
profile fastL4 (<profile fastL4 key> | all) tcp timestamp [show]
profile fastL4 (<profile fastL4 key> | all) tcp wscale [show]
Delete
profile fastL4 (<profile fastL4 key> | all) delete
2 - 200
Description
The fastl4 profile is the default profile used by the system when you create a
basic configuration for non-UDP traffic. Any changes you make to an active
fastL4 profile (one that is in use by a virtual server) take affect after the idle
timeout value has passed. That means new connections are affected by the
profile change immediately. However, old connections need to be aged out
by the idle timeout value or closed for the new values to take effect.
Examples
Creates a custom Fast Layer 4 profile named myfastl4profile that inherits
its settings from the system default fastl4 profile:
profile fastl4 myfastl4profile {}
Options
You can use these options with the profile fastL4 command:
◆ defaults from
◆ hardware syncookie
Enables or disables hardware SYN cookie support when PVA10 is
present on the system. The default value is disable.
◆ idle timeout
Specifies an idle timeout in seconds. You can also specify immediate,
indefinite, or default. This setting specifies the number of seconds that a
connection is idle before the connection is eligible for deletion. When
you specify an idle timeout for the Fast L4 profile, the value needs to be
greater than the bigdb database variable Pva.Scrub time in msec for it to
work properly. The default value is 300 seconds.
◆ ip tos to client
Specifies an IP ToS number for the client side. This setting specifies the
Type of Service level that the traffic management system assigns to UDP
packets when sending them to clients. The default value is 65535, which
indicates, do not modify UDP packets.
◆ ip tos to server
Specifies an IP ToS number for the server side. This setting specifies the
Type of Service level that the traffic management system assigns to UDP
packets when sending them to servers. The default value is 65535, which
indicates, do not modify UDP packets.
◆ link qos to client
Specifies a Link QoS (VLAN priority) number for the client side. This
setting specifies the Quality of Service level that the system assigns to
UDP packets when sending them to clients. The default value is 65535,
which indicates, do not modify UDP packets.

Chapter 2
◆ link qos to server

Specifies a Link QoS (VLAN priority) number for the server side. This
setting specifies the Quality of Service level that the system assigns to
UDP packets when sending them to servers. The default value is 65535,
which indicates, do not modify UDP packets.
◆ loose close
Specifies that the system closes a loosely-initiated connection when the
system receives the first FIN packet from either the client or the server.
◆ loose initiation
Specifies that the system initializes a connection when it receives any
TCP packet, rather than requiring a SYN packet for connection initiation.
◆ mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default value is disable, which corresponds to an MSS
of 1460. Disable specifies that the system does not use an MSS override.
To choose a different value than the default, specify any integer between
536 and 1460 bytes. Note that this is also the MSS advertised to a client
when a client first connects.
◆ partition
Displays the partition within which the Fast L4 profile resides.
◆ pva acceleration
Specifies the Packet Velocity® ASIC acceleration mode. The options are
none, assist, full, or default.
◆ reassemble fragments
Specifies whether to reassemble fragments. The options are enable,
disable, or default. The default value is enable.
Specifies whether you want to reset connections on timeout. The options
are enable, disable, or default. The default value is enable.
◆ rtt from client
Enables or disables the TCP timestamp options to measure the round trip
time to the client. The default value is disable.
◆ rtt from server
Enables or disables the TCP timestamp options to measure the round trip
time to the server. The default value is disable.
◆ software syncookie
Enables or disables software SYN cookie support when PVA10 is not
present on the system. The default value is disable.
◆ tcp close timeout
Specifies an TCP close timeout in seconds. You can also specify
2 - 202
◆ tcp timestamp
Specifies how you want to handle the TCP timestamp. The options are
preserve, strip, rewrite, or default. Preserve is the default setting for
this option.
◆ tcp generate isn
Specifies whether you want to generate TCP sequence numbers on all
SYNs that conform with RFC1948, and allow timestamp recycling. This
option is disabled by default.
◆ tcp handshake timeout
Specifies a TCP handshake timeout in seconds. You can also specify
◆ tcp strip sack
Specifies whether you want to block the TCP SackOK option from
passing to server on an initiating SYN. This option is disabled by default.
◆ tcp wscale
Specifies how you want to handle the TCP window scale. The options
are preserve, strip, rewrite, or default. The default setting for this
option is preserve TCP window scale.
See also

Chapter 2
profile ftp
Configures an FTP profile.
Syntax
Use this command to configure an FTP profile.
Create/Modify
Important
BIG-IP® Systems.
profile ftp <profile ftp key> {}

profile ftp (<profile ftp key> | all) [{] <profile ftp arg list> [}]
<profile ftp key> ::=
<name>
<profile ftp arg> ::=
data port (<service> | none)
defaults from (<profile ftp key> | none)
name <name>
security (enable | disable)
translate extended (enable | disable)
profile ftp (<profile ftp key> | all) stats reset
Display
profile ftp [<profile ftp key> | all] [show [all]]
profile ftp [<profile ftp key> | all] list [all]
profile ftp (<profile ftp key> | all) data port [show]
profile ftp (<profile ftp key> | all) defaults from [show]
profile ftp (<profile ftp key> | all) name [show]
profile ftp (<profile ftp key> | all) partition [show]
profile ftp (<profile ftp key> | all) security [show]
profile ftp (<profile ftp key> | all) stats [show]
profile ftp (<profile ftp key> | all) translate extended [show]
Delete
profile ftp (<profile ftp key> | all) delete
2 - 204
Description
Manages a profile for FTP traffic.
Examples
Creates a custom FTP profile named myftpprofile that inherits its settings
from the system default FTP profile:
profile ftp myftpprofile { }
Options
You can use these options with the profile ftp command:
◆ data port
Specifies a service for the data channel port used for this FTP profile.
The default port is 20.
◆ defaults from
◆ partition
◆ security
Enables secure FTP traffic for the BIG-IP® Application Security
Manager. You can set the security option only if the system is licensed
for the BIG-IP® Application Security Manager.
◆ translate extended
This setting is enabled by default, and thus, automatically translates
RFC2428 extended requests EPSV and EPRT to PASV and PORT when
communicating with IPv4 servers.
See also

Chapter 2
profile http
Configures an HTTP profile.
Syntax
Use this command to configure an HTTP profile.
Create/Modify
Important
BIG-IP® Systems.
profile http <profile http key> {}

profile http (<profile http key> | all) [{] <profile http arg list> [}]
<profile http key> ::=
<name>
<profile http arg> ::=
adaptive parsing (enable | disable)
basic auth realm (<string> | none)
compress (disable | enable | selective)
compress browser workarounds (enable | disable)
compress buffer size <number>
compress content type exclude (<string list> | none) [add | delete]
compress content type include (<string list> | none) [add | delete]
compress cpu saver (enable | disable)
compress cpu saver high <number>
compress cpu saver low <number>
compress gzip level <number>
compress gzip memory level <number>[K|k]
compress gzip window size <number>[K|k]
compress http 1.0 (enable | disable)
compress keep accept encoding (enable | disable)
compress min size <number>
compress prefer (deflate | gzip)
compress uri exclude (<regex list> | none) [add | delete]
compress uri include (<regex list> | none) [add | delete]
compress vary header (enable | disable)
cookie secret (<string> | none)
2 - 206
defaults from (<profile http key> | none)

encrypt cookies (<string list> | none) [add | delete]
fallback (<string> | none)
fallback status (<string list> | none) [add | delete]
header erase (<string> | none)
header insert (<string> | none)
insert xforwarded for (disable | enable)
lws separator [cr] [lf] [sp] | none
lws width <number>
max requests <number>
name <name>
oneconnect transformations (enable | disable)
pipelining (disable | enable)
ramcache (disable | enable)
ramcache aging rate <number>
ramcache entry (<ramcache info key list> | none) [delete]
ramcache ignore client cache control (none | max age | all)
ramcache insert age header (disable | enable)
ramcache max age <number>
ramcache max entries <number>
ramcache max object size <number>
ramcache min object size <number>
ramcache size <number>[MB|mb]
ramcache uri exclude (<regex list> | none) [add | delete]
ramcache uri include (<regex list> | none) [add | delete]
ramcache uri pinned (<regex list> | none) [add | delete]
redirect rewrite (none | all | matching | nodes)
response (preserve chunk | selective chunk | unchunk | rechunk)
response headers allowed (<string list> | none) [add | delete]
<ramcache info key> ::=
[exact] [max response <number>] [uri (<string> | none)] [host (<string> | none)]
profile http (<profile http key> | all) stats reset
Display
profile http [<profile http key> | all] [show [all]]
profile http [<profile http key> | all] list [all]
profile http (<profile http key> | all) adaptive parsing [show]
profile http (<profile http key> | all) basic auth realm [show]
profile http (<profile http key> | all) compress [show]
profile http (<profile http key> | all) compress browser workarounds [show]
profile http (<profile http key> | all) compress buffer size [show]
profile http (<profile http key> | all) compress content type exclude [show]

Chapter 2
profile http (<profile http key> | all) compress content type include [show]
profile http (<profile http key> | all) compress cpu saver [show]
profile http (<profile http key> | all) compress cpu saver high [show]
profile http (<profile http key> | all) compress cpu saver low [show]
profile http (<profile http key> | all) compress gzip level [show]
profile http (<profile http key> | all) compress gzip memory level [show]
profile http (<profile http key> | all) compress gzip window size [show]
profile http (<profile http key> | all) compress http 1.0 [show]
profile http (<profile http key> | all) compress keep accept encoding [show]
profile http (<profile http key> | all) compress min size [show]
profile http (<profile http key> | all) compress prefer [show]
profile http (<profile http key> | all) compress uri exclude [show]
profile http (<profile http key> | all) compress uri include [show]
profile http (<profile http key> | all) compress vary header [show]
profile http (<profile http key> | all) cookie secret [show]
profile http (<profile http key> | all) defaults from [show]
profile http (<profile http key> | all) encrypt cookies [show]
profile http (<profile http key> | all) fallback [show]
profile http (<profile http key> | all) fallback status [show]
profile http (<profile http key> | all) header erase [show]
profile http (<profile http key> | all) header insert [show]
profile http (<profile http key> | all) insert xforwarded for [show]
profile http (<profile http key> | all) lws separator [show]
profile http (<profile http key> | all) lws width [show]
profile http (<profile http key> | all) max header size [show]
profile http (<profile http key> | all) max requests [show]
profile http (<profile http key> | all) name [show]
profile http (<profile http key> | all) oneconnect transformations [show]
profile http (<profile http key> | all) partition [show]
profile http (<profile http key> | all) pipelining [show]
profile http (<profile http key> | all) ramcache [show]
profile http (<profile http key> | all) ramcache aging rate [show]
profile http (<profile http key> | all) ramcache entry [<ramcache info key> | all] \
[show [all]]
profile http (<profile http key> | all) ramcache ignore client cache control [show]
profile http (<profile http key> | all) ramcache insert age header [show]
profile http (<profile http key> | all) ramcache max age [show]
profile http (<profile http key> | all) ramcache max entries [show]
profile http (<profile http key> | all) ramcache max object size [show]
profile http (<profile http key> | all) ramcache min object size [show]
profile http (<profile http key> | all) ramcache size [show]
profile http (<profile http key> | all) ramcache uri exclude [show]
profile http (<profile http key> | all) ramcache uri include [show]
profile http (<profile http key> | all) ramcache uri pinned [show]
profile http (<profile http key> | all) redirect rewrite [show]
2 - 208
profile http (<profile http key> | all) response [show]

profile http (<profile http key> | all) response headers allowed [show]
profile http (<profile http key> | all) security [show]
profile http (<profile http key> | all) stats [show]
Delete
profile http (<profile http key> | all) ramcache entry \
(<ramcache info key list> | none) delete
profile http (<profile http key> | all) delete
Description
Use the default HTTP profile to create a custom HTTP profile. This default
profile includes default values for any of the properties and settings related
to managing HTTP traffic. When you create a custom HTTP profile, you
can use the default settings, or you can change their values to suit your
needs. This profile contains the configuration settings for compression and
RAM Cache.
The BIG-IP system installation includes these HTTP-type profiles:
• http
• http-lan-optimized-caching
• http-wan-optimized-compression
• http-wan-optimized-compression-caching
You can modify the settings of these profiles or create new HTTP-type
profiles using any of these existing profiles as parent profiles.
Examples
Creates a custom HTTP profile named myhttpprofile that inherits its
settings from the system default http profile:
profile http myhttpprofile { }
Replaces the header in the profile named myhttpprofile with the default
header:
profile http myhttpprofile header insert default
Displays RAM cache entries for the profile named my_rc_profile:

profile http my_rc_profile ramcache entry show

Chapter 2
Displays all RAM cache entries for the graphic /static/graphic.jpg:

profile http myprofile ramcache entry max response 100 uri
/static/graphic.jpg
Note
In the example above, you must place the parameters in the order shown, for
example, place the max response parameter before the uri parameter and
the uri parameter before object.
Displays all RAM cache entries for all HTTP profiles:

profile http all ramcache entry show
Note
When using the example above, the system displays the RAM cache entries
in order based on how often an object is requested. The entries for the most
frequently requested objects display first.
Options
You can use these options with the profile http command:
◆ adaptive parsing
Enables or disables adaptive parsing.
◆ basic auth realm
Specifies a quoted string for the basic authentication realm. You can also
specify none or default. The value of the Basic Auth Realm setting is a
string that you provide. The system sends this string to a client whenever
authorization fails.
◆ compress
Specifies the compression mode. The options are enable, disable,
selective, and default. Note that the data compression feature
compresses HTTP server responses, and not client requests.
◆ compress browser workarounds
Enables or disables browser workarounds. The default value is disable.
Enabling this attribute causes turns of compression on server responses
when any of the following conditions are detected:
• If the client browser is Netscape Navigator version 4.0.x, compression
is turned off. Note that Netscape advertises that the browser can
handle compression, but it does not handle compression gracefully. In
this case, F5 disables compression entirely for that class of browser.
• If the client browser is Netscape Navigator version 4.x (4.1 and
beyond) and the server response Content-Type is neither text/html
or text/plain, compression is turned off. This class of Netscape
browsers can handle plain text and HTML just fine, but there are
known issues with other types of content.
2 - 210
• If the client browser is Microsoft Internet Explorer (any version), the

server response Content-Type is either text/css or
application/x-javascript, and the clients connection is over SSL,
compression is turned off. The Microsoft article ID for this problem is
825057.
• If the client browser is Microsoft Internet Explorer (any version), the
server response Content-Type is either text/css or
application/x-javascript, and the server set the header
Cache-Control to no-cache, compression is turned off. The
Microsoft article ID for this problem is 327286.
◆ compress buffer size
Specifies the maximum number of uncompressed bytes that the system
buffers before determining whether or not to compress the response.
Useful when the headers of a server response do not specify the length of
the response content. The default value is 4096.
◆ compress content type exclude
Excludes a specified list of content types from compression of HTTP
Content-Type responses. Use a string list to specify a list of content
types you want to compress.
◆ compress content type include
Specifies a list of content types for compression of HTTP Content-Type
responses. Use a string list to specify a list of content types you want to
compress.
◆ compress cpu saver
Specifies the CPU saver setting. When the CPU saver is enabled, the
system monitors the percent of CPU usage and adjusts compression rates
automatically when the CPU usage reaches the percentage defined in the
cpu saver low or the cpu saver high options. The default value is
enable.
◆ compress cpu saver high
Specifies the percent of CPU usage at which the system starts
automatically decreasing the amount of content being compressed, as
well as the amount of compression which the system is applying. The
default value is 90 percent.
◆ compress cpu saver low
Specifies the percent CPU usage at which the system resumes content
compression at the user-defined rates. The default value is 75 percent.
◆ compress gzip level
Specifies a value that determines the amount of memory that the system
uses when compressing a server response. The default value is 8.
◆ compress gzip memory level
Specifies a value that determines the amount of memory that the system
uses when compressing a server response. The default value is 8.
◆ compress gzip window size
Specifies the number of bits in the window size that the system uses
when compressing a server response. The default value is 16 bits.

Chapter 2
◆ compress http 1.0

Enables or disables compression of HTTP/1.0 server responses.
◆ compress min size
Specifies the minimum length in bytes of a server response that is
acceptable for compressing that response. The length in bytes applies to
content length only, not headers. The default value is 1024.
◆ compress prefer
Specifies the type of compression that is preferred by the system. The
options are deflate, gzip, or default.
◆ compress uri exclude
Disables compression on a specified list of HTTP Request-URI
responses. Use a regular expression to specify a list of URIs you do not
want to compress.
◆ compress uri include
Enables compression on a specified list of HTTP Request-URI
responses. Use a regular expression to specify a list of URIs you want to
compress.
◆ compress vary header
Enables or disables the insertion of a Vary header into cacheable server
responses. The default value is enable.
◆ cookie secret
Specifies a passphrase for the cookie encryption.
◆ defaults from
◆ encrypt cookies
Encrypts specified cookies that the BIG-IP system sends to a client
system.
◆ fallback
Specifies an HTTP fallback host. HTTP redirection allows you to
redirect HTTP traffic to another protocol identifier, host name, port
number, or URI path. For example, if all members of the targeted pool
are unavailable (that is, the members are disabled, marked as down, or
have exceeded their connection limit), the system can redirect the HTTP
request to the fallback host, with the HTTP reply Status Code 302
Found. For details about how to configure this string, refer to the
Configuration Guide for BIG-IP® Local Traffic Management.
◆ fallback status
Specifies one or more three-digit status codes that can be returned by an
HTTP server.
◆ header erase
Specifies the header string that you want to erase from an HTTP request.
You can also specify none or default.
2 - 212
◆ header insert
Specifies the header string that you want to insert into an HTTP request.
You can also specify none or default. An optional setting in an HTTP
profile is HTTP header insertion. The HTTP header being inserted can
include a client IP address. Including a client IP address in an HTTP
header is useful when a connection goes through a secure network
address translation (SNAT) and you need to preserve the original client
IP address. The format of the header insertion that you specify must be a
quoted string. When you assign the configured HTTP profile to a virtual
server, the system then inserts the header specified by the profile into any
HTTP request that the system sends to a pool or pool member.
◆ insert xforwarded for
When using connection pooling, which allows clients to make use of
other client requests' server-side connections, you can insert the
X-Forwarded-For header and specify a client IP address.
◆ keep accept encoding
Enables or disables keep accept encoding. When enabled, causes the
target server, rather than the BIG-IP local traffic management system, to
perform the data compression.
◆ lws separator
Specifies the linear white space separator that the system should use
between HTTP headers when a header exceeds the maximum width
specified by the lws width setting. The options are cr, lf, or sp.
◆ lws width
Specifies the maximum number of columns allowed for a header that is
inserted into an HTTP request. See also the lws separator option above.
◆ max header size
Specifies the maximum header size.
◆ oneconnect transformations
Enables the system to perform HTTP header transformations for the
purpose of keeping server-side connections open. This feature requires
configuration of a OneConnect™ profile.
◆ partition
◆ pipelining
Enables HTTP/1.1 pipelining. This allows clients to make requests even
when prior requests have not received a response. In order for this to
succeed, however, destination servers must include support for
pipelining.
◆ ramcache
Enables or disables the RAM Cache feature. The default value is disable.
Note that you cannot insert a cookie on an HTTP RESPONSE when the
RAM Cache is enabled and the document is cacheable.

Chapter 2
◆ ramcache aging rate

Specifies how quickly the system ages a cache entry. The aging rate
ranges from 0 (slowest aging) to 10 (fastest aging). The default value is
9.
◆ ramcache entry
Specifies the following information about a ramcache entry:
• exact max response
Specifies the maximum number of RAM cache entries to display.
• URI
Specifies the URI from which the entry was cached.
• host
Specifies the host from which the entry was cached.
◆ ramcache ignore client cache control
Specifies if you want to ignore cache disabling headers sent by clients.
You can set this to none, max age, or all.
◆ ramcache insert age header
When enabled, inserts Age and Date headers in the response.
◆ ramcache max age
Specifies how long the system considers the cached content to be valid.
◆ ramcache max entries
Specifies the maximum number of entries that can be in the RAM cache.
The default value is 0, which means that the system does not limit the
maximum entries.
◆ ramcache max object size
Specifies the largest object that the system considers eligible for caching.
The default value is 50000 bytes.
◆ ramcache min object size
Specifies the smallest object that the system considers eligible for
caching. The default value is 500 bytes.
◆ ramcache size
Specifies the maximum size for the RAM cache. When the cache reaches
the maximum size, the system starts removing the oldest entries. The
default value is 100 megabytes.
◆ ramcache uri exclude
Configures a list of URIs to exclude in the RAM Cache. A value of none
specifies that URI pinning is not activated. The default value is none.
◆ ramcache uri include
Configures a list of URIs to include in the RAM Cache. A value of none
specifies that URI pinning is not activated. The default value is none.
◆ ramcache uri pinned
Specifies whether the system retains or excludes certain URIs in the
RAM cache. The pinning process forces the system either to cache URIs
that typically are ineligible for caching or to not cache URIs that
typically are eligible for caching.
2 - 214
◆ redirect rewrite
Specifies which of the application HTTP redirects the system rewrites to
HTTPS. Use this feature when the application is generating HTTP
redirects that send the client to HTTP (a non-secure channel) when you
want the client to continue accessing the application using HTTPS (a
secure channel). This is a common occurrence when using client-side
SSL processing on a BIG-IP system.
• all
Specifies that you want to rewrite to HTTPS all application redirects.
• matching
Specifies that you want to rewrite to HTTPS only application redirects
that match the original URI exactly.
• nodes
If the URI contains a node IP address, instead of a host name,
specifies that the system rewrites the node IP address to the virtual
server IP address.
• none
Specifies that the system does not rewrite to HTTPS any application
HTTP redirects. This is the default value.
• default
Specifies that you want to use the default value for this parameter,
which is none.
◆ response
Specifies how to handle chunked and unchunked requests and responses.
• unchunk
If the request or response is chunked, this option unchunks the request
or response, processes the HTTP content, and then passes the request
or response on as unchunked. The Keep-Alive value for the
Connection header is not supported, and therefore the system sets the
value of the header to Close.
If the request or response is unchunked, the BIG-IP local traffic
management system processes the HTTP content and passes the
request or response on untouched.
• rechunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request or response is unchunked, the system adds transfer
encoding and chunking headers on egress.
• preserve chunk
Specifies that the system processes the HTTP content, and sends the
response to the client unchanged.

Chapter 2
• selective chunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request is unchunked, the system processes the HTTP content
and then passes the request or response on untouched.
• default
Indicates to use the value in the default http profile.
◆ response headers allowed
Specifies headers that the BIG-IP system allows in an HTTP response.
See also
profile(1), virtual(1), profile fasthttp(1), bigpipe(1)
2 - 216
profile httpclass
Configures an HTTP Class type of profile.
Syntax
Use this command to create an HTTP class profile, redirect HTTP traffic to
HTTPS using the same virtual server, and redirect HTTP traffic without
changing the URL in the browser.
Create/Modify
Important
BIG-IP® Systems.
profile httpclass <profile httpclass key> {}

profile httpclass (<profile httpclass key> | all) [{] <profile httpclass arg list> [}]
<profile httpclass key> ::=
<name>
<profile httpclass arg> ::=
asm (enable | disable)
cookies (<regex/glob list> | none) [add | delete]
defaults from (<profile httpclass key> | none)
headers (<regex/glob list> | none) [add | delete]
hosts (<regex/glob list> | none) [add | delete]
name <name>
paths (<regex/glob list> | none) [add | delete]
pool (<pool key> | none)
redirect (<string> | none)
url rewrite (<string> | none)
wa (enable | disable)
<regex/glob> ::= [glob | regex] <string>
Note
regex and glob act as sticky switches within a single list.
profile httpclass (<profile httpclass key> | all) stats reset

Chapter 2
Display
profile httpclass [<profile httpclass key> | all] [show [all]]
profile httpclass [<profile httpclass key> | all] list [all]
profile httpclass (<profile httpclass key> | all) asm [show]
profile httpclass (<profile httpclass key> | all) cookies [show]
profile httpclass (<profile httpclass key> | all) defaults from [show]
profile httpclass (<profile httpclass key> | all) headers [show]
profile httpclass (<profile httpclass key> | all) hosts [show]
profile httpclass (<profile httpclass key> | all) name [show]
profile httpclass (<profile httpclass key> | all) partition [show]
profile httpclass (<profile httpclass key> | all) paths [show]
profile httpclass (<profile httpclass key> | all) pool [show]
profile httpclass (<profile httpclass key> | all) redirect [show]
profile httpclass (<profile httpclass key> | all) stats [show]
profile httpclass (<profile httpclass key> | all) url rewrite [show]
profile httpclass (<profile httpclass key> | all) wa [show]
Delete
profile httpclass (<profile httpclass key> | all) delete
Description
You can use this command to create an HTTP class profile, redirect HTTP
traffic to HTTPS using the same virtual server, and redirect HTTP traffic
without changing the URL in the browser.
Examples
Creates an HTTP class profile named myhttpclassprofile that inherits its
settings from the system default HTTP Class profile:
profile httpclass myhttpclassprofile { }
Options
You can use these options with the profile httpclass command:
◆ asm
Enables application security management. You can set the asm option
only if the system is licensed for the BIG-IP® Application Security
Manager. The options are enable, disable, and default.
◆ cookies
Specifies how the system routes all incoming HTTP traffic for the web
application, based on cookie headers.
◆ defaults from
2 - 218
◆ headers
Specifies how the system routes incoming HTTP traffic for the web
application, based on HTTP headers and values.
◆ hosts
Specifies how the system routes incoming HTTP traffic, based on host
information.
◆ partition
◆ paths
Specifies how the system routes all incoming HTTP traffic for the web
application, based on URI paths.
◆ pool
Specifies a local traffic pool to which the system sends the HTTP traffic.
The options are <pool key>, none, and default.
◆ redirect
Specifies a URL to which the system redirects the traffic. The options are
none, <string>, and default.
◆ url rewrite
Specifies the TCL expression that the system uses to rewrite the request
URI that is forwarded to the server without sending an HTTP redirect to
the client. The options are none, <string>, and default.
◆ wa
Specifies web acceleration. You can set the wa option only if the system
is licensed for the BIG-IP WebAccelerator Module. The options are
enable, disable, and default.
See also
profile(1), profile http(1)

Chapter 2
profile oneconnect
Configures a OneConnect™ profile.
Syntax
Use this command to configure a OneConnect profile.
Create/Modify
Important
BIG-IP® Systems.
profile oneconnect <profile oneconnect key> {}

profile oneconnect (<profile oneconnect key> | all) [{] <profile oneconnect arg list> [}]
<profile oneconnect key> ::=
<name>
<profile oneconnect arg> ::=
defaults from (<profile oneconnect key> | none)
idle timeout override ([<number>d] [<hh>:<mm>:<ss>] | disable | indefinite)
max age <number>
max reuse <number>
max size <number>
name <name>
source mask (<ip mask> | none)
profile oneconnect (<profile oneconnect key> | all) stats reset
Display
profile oneconnect [<profile oneconnect key> | all] [show [all]]
profile oneconnect [<profile oneconnect key> | all] list [all]
profile oneconnect (<profile oneconnect key> | all) defaults from [show]
profile oneconnect (<profile oneconnect key> | all) idle timeout override [show]
profile oneconnect (<profile oneconnect key> | all) max age [show]
profile oneconnect (<profile oneconnect key> | all) max reuse [show]
profile oneconnect (<profile oneconnect key> | all) max size [show]
profile oneconnect (<profile oneconnect key> | all) name [show]
2 - 220
profile oneconnect (<profile oneconnect key> | all) partition [show]

profile oneconnect (<profile oneconnect key> | all) source mask [show]
profile oneconnect (<profile oneconnect key> | all) stats [show]
Delete
profile oneconnect (<profile oneconnect key> | all) delete
Description
Create a OneConnect profile that optimizes connections by improving client
performance and increasing server capacity.
Examples
Creates a OneConnect profile named myOCprofile that inherits its settings
from the system default OneConnect profile:
profile oneconnect myOCprofile { }
Options
You can use these options with the profile oneconnect command:
◆ defaults from
◆ idle timeout override
Specifies the number of seconds that a connection is idle before the
connection flow is eligible for deletion. Possible values are disable,
indefinite, or a numeric value that you specify. The default value is
disable.
◆ max size
Specifies the maximum number of connections that the system holds in
the connection reuse pool. If the pool is already full, then the server-side
connection closes after the response is completed. The default value is
10000.
◆ max age
Specifies the maximum age in number of seconds allowed for a
connection in the connection reuse pool. For any connection with an age
higher than this value, the system removes that connection from the reuse
pool. The default maximum age is 86400.
◆ max reuse
Specifies the maximum number of times that a server-side connection
can be reused. The default value is 1000.
◆ partition

Chapter 2
◆ source mask
Specifies a source IP mask. The system applies the value of this setting to
the source address to determine its eligibility for reuse. A mask of 0
causes the system to share reused connections across all clients. A host
mask, that is, all 1 values in binary, causes the system to share only those
reused connections originating from the same client IP address. The
default mask is 0.0.0.0.
See also
profile(1), bigpipe(1)
2 - 222
profile persist
Configures a persistence profile.
Syntax
Use this command to configure a persistence profile.
Create/Modify
Important
BIG-IP® Systems.
profile persist <profile persist key> {}

profile persist (<profile persist key> | all) [{] <profile persist arg list> [}]
<profile persist key> ::=
<name>
<profile persist arg> ::=
across pools (enable | disable)
across services (enable | disable)
across virtuals (enable | disable)
cookie expiration (<number> | immediate | indefinite)
cookie hash length <number>
cookie hash offset <number>
cookie mode (none | insert | rewrite | passive | hash)
cookie name (<string> | none)
defaults from (<profile persist key> | none)
hash alg (default | carp)
hash end (<string> | none)
hash length <number>
hash more (enable | disable)
hash offset <number>
hash start (<string> | none)
hash window <number>
map proxies (enable | disable)
mask (<ip mask> | none)
mirror (enable | disable)
mode (none | source addr | dest addr | cookie | msrdp | ssl | sip | universal | hash)
msrdp session directory (enable | disable)

Chapter 2
name <name>
override connection limit (enable | disable)
rule (<rule key> | none)
sip info (<string> | none)
Display
profile persist [<profile persist key> | all] [show [all]]
profile persist [<profile persist key> | all] list [all]
profile persist (<profile persist key> | all) across pools [show]
profile persist (<profile persist key> | all) across services [show]
profile persist (<profile persist key> | all) across virtuals [show]
profile persist (<profile persist key> | all) cookie expiration [show]
profile persist (<profile persist key> | all) cookie hash length [show]
profile persist (<profile persist key> | all) cookie hash offset [show]
profile persist (<profile persist key> | all) cookie mode [show]
profile persist (<profile persist key> | all) cookie name [show]
profile persist (<profile persist key> | all) defaults from [show]
profile persist (<profile persist key> | all) hash alg [show]
profile persist (<profile persist key> | all) hash end [show]
profile persist (<profile persist key> | all) hash length [show]
profile persist (<profile persist key> | all) hash more [show]
profile persist (<profile persist key> | all) hash offset [show]
profile persist (<profile persist key> | all) hash start [show]
profile persist (<profile persist key> | all) hash window [show]
profile persist (<profile persist key> | all) map proxies [show]
profile persist (<profile persist key> | all) mask [show]
profile persist (<profile persist key> | all) mirror [show]
profile persist (<profile persist key> | all) mode [show]
profile persist (<profile persist key> | all) msrdp session directory [show]
profile persist (<profile persist key> | all) name [show]
profile persist (<profile persist key> | all) override connection limit [show]
profile persist (<profile persist key> | all) partition [show]
profile persist (<profile persist key> | all) rule [show]
profile persist (<profile persist key> | all) sip info [show]
profile persist (<profile persist key> | all) timeout [show]
Delete
profile persist (<profile persist key> | all) delete
2 - 224
Description
A persistence profile is a pre-configured object that automatically enables
persistence when you assign the profile to a virtual server. Using a
persistence profile avoids having to write an iRule to implement a type of
persistence.
Each type of persistence that the traffic management system offers includes
a corresponding default persistence profile. These persistence profiles each
contain settings and setting values that define the behavior of the system for
that type of persistence. You can either use the default profile or create a
custom profile based on the default.
Examples
Creates a custom persistence profile named mypersistprofile that inherits
its settings from the default Cookie persistence profile:
profile persist mypersistprofile { defaults from cookie }
Creates a SIP persistence profile named mysippersistenceprofile that

persists on Call-ID:
profile persist mysippersistenceprofile sip info Call-ID
Options
You can use these options with the profile persist command:
◆ across pools
Enables or disables persistence across pools. When enabled, specifies
that the BIG-IP system can use any pool that contains this persistence
entry. Persistence across all pools causes the traffic management system
to maintain persistence for all connections requested by the same client,
regardless of which pool hosts each individual connection initiated by the
client. The default value is disable.
◆ across services
Enables or disables persistence across services. When enabled, this
setting specifies that all persistent connections from a client IP address
that go to the same virtual IP address also go to the same node. The
◆ across virtuals
Enables or disables persistence across virtual servers. When enabled,
specifies that all persistent connections from a client IP address that go to
the same virtual IP address also go to the same node. Persistence across
all virtual servers causes the traffic management system to maintain
persistence for all connections requested by the same client, regardless of
which virtual server hosts each individual connection initiated by the
client. The default value is disable.
◆ cookie expiration
Specifies the cookie expiration date in the format <number>
<hh>:<mm>:<ss>. The default value is 0 seconds.

Chapter 2
◆ cookie hash length

Specifies the cookie hash length. The length is the number of bytes to use
when calculating the hash value. The default value is 0 bytes.
◆ cookie hash offset
Specifies the cookie hash offset. The offset is the number of bytes in the
cookie to skip before calculating the hash value. The default value is 0
bytes.
◆ cookie mode
Specifies the cookie mode for cookie persistence. The default value is
insert. Options are: none, insert, rewrite, passive, hash, and default.
• insert
If you specify HTTP cookie insert method within the profile, the
information about the server to which the client connects is inserted in
the header of the HTTP response from the server as a cookie. The
cookie is named BIGipServer <pool name>, and it includes the
address and port of the server handling the connection. The expiration
date for the cookie is set, based on the timeout configured on the
traffic management system. HTTP cookie insert method is the
default value for the cookie mode setting.
• rewrite
Specifies cookie rewrite mode. HTTP cookie rewrite mode requires
you to set up the cookie created by the server. For HTTP cookie
rewrite mode to succeed, there needs to be a blank cookie coming
from the web server for the system to rewrite. For web servers that are
Apache server variants, you can add the cookie to every web page
header by adding the following entry to the httpd.conf file of the web
server:
Header add Set-Cookie \
BIGipCookie=0000000000000000000000000...
(Note that the cookie must contain a total of 120 zeros.)
• passive
If you specify HTTP cookie passive mode, the system does not insert
or search for blank Set-Cookie headers in the response from the
server. This method does not try to set up the cookie. With this
method, the server provides the cookie, formatted with the correct
server information and timeout.
• hash
If you specify cookie hash mode, the hash mode consistently maps a
cookie value to a specific node. When the client returns to the site, the
system uses the cookie information to return the client to a given
node. With this mode, the web server must generate the cookie. The
system does not create the cookie automatically, as it does with insert
mode.
• default
Indicates that you want to use the settings from the parent profile.
2 - 226
◆ cookie name
Specifies the cookie name. Type the name of an HTTP cookie being sent
by the Web site. This could be something like Apache or
SSLSESSIONID. The name depends on the type of web server your site
is running. This attribute is used by cookie hash mode.
◆ defaults from
◆ map proxies
Enables or disables the map proxies attribute. The default setting for the
map proxies for the persistence variable is enable. The AOL® proxy
addresses are hard-coded. This enables you to use client IP address
persistence with a simple persist mask, but forces all AOL clients to
persist to the same server. All AOL clients persist to the node that was
picked for the first AOL client connection received. The default value is
disable.
◆ mask
Specifies an IP mask. This is the mask used by simple persistence for
connections.
◆ mirror
Enables or disables mirroring of persistence date. The default value is
disable.
◆ mode
Specifies the persistence mode. The default value is none. This setting is
required. The options are: none, source addr, dest addr, cookie, ssl,
msrdp, universal, hash, sip, or default.
• source addr
Also known as simple persistence, source address affinity persistence
supports TCP and UDP protocols, and directs session requests to the
same server based solely on the source IP address of a packet.
• dest addr
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols, and directs session
requests to the same server based solely on the destination IP address
of a packet.
• cookie
Cookie persistence uses an HTTP cookie stored on a client computer
to allow the client to reconnect to the same server previously visited at
a web site.
• ssl
SSL persistence is a type of persistence that tracks non-terminated
SSL sessions, using the SSL session ID. Even when the client's IP
address changes, the BIG-IP local traffic management system still
recognizes the connection as being persistent based on the session ID.
Note that the term non-terminated SSL sessions refers to sessions in
which the traffic management system does not perform the tasks of
SSL certificate authentication and encryption/re-encryption.

Chapter 2
• msrdp
Microsoft Remote Desktop persistence tracks sessions between
clients and servers running Microsoft Remote Desktop Protocol
(MSRDP).
• universal
Universal persistence allows you to write an expression that defines
what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules, defines some sequence of
bytes to use as a session identifier.
• hash
Hash persistence allows you to create a persistence hash based on an
existing iRule.
• sip
SIP persistence load balances all of the SIP communications in a SIP
session to the same SIP server based on SIP header field information.
• default
Specify default if you want to use the default system profile settings
for persistence mode.
◆ msrdp session directory
Enables or disables the MSRDP session directory option for MSRDP
persistence. Enable this option to implement Windows Terminal Server
persistence for those Windows servers on which the Session Directory
service is not available. The default value is enable.
◆ partition
◆ rule
Specifies a rule name if you are using a rule for universal persistence.
◆ sip info
Specifies the SIP header field on which you want SIP sessions to persist.
The default value is Call-ID. Your options include, but are not limited to
the following header fields:
• Call-ID
Specifies that the SIP sessions persist on the ID of the call. The
Call-ID is a globally unique identifier of a call.
• SIP-ETag
Specifies that the SIP sessions persist on the SIP-ETag.
• To
Specifies to persist on the destination of the SIP session.
• From
Specifies that the SIP sessions persist on the origin of the SIP session.
• Subject
Specifies that the SIP sessions persist on the subject of the SIP
session.
Before you can use the sip info option of the profile persist command,
you must create a SIP profile (using the profile sip command). Then, you
must assign both profiles to the same virtual server.
2 - 228
◆ timeout
Specifies the timeout. Possible values are default, immediate,
indefinite, or a numeric value that you specify. This is the simple
persistence timeout. The default value is 180 seconds.
The timeout value that you specify allows the BIG-IP system to free up
resources associated with old persistence entries, without having to test
each inbound packet for one of the different types of final messages. A
default timeout value exists, which is 180 seconds. If you change the
timeout value, F5 recommends that the value be no lower than the
default.
See also
profile(1), virtual(1), rule(1), bigpipe(1)

Chapter 2
profile rtsp
Configures a Real Time Streaming Protocol (RTSP) profile.
Syntax
Use this command to configure an RTSP profile.
Create/Modify
Important
BIG-IP® Systems.
profile rtsp <profile rtsp key> {}

profile rtsp (<profile rtsp key> | all) [{] <profile rtsp arg list> [}]
<profile rtsp key> ::=
<name>
<profile rtsp arg> ::=
check source (enable | disable)
defaults from (<profile rtsp key> | none)
max queued data <number>
multicast redirect (enable | disable)
name <name>
proxy (none | external | internal)
proxy header (<string> | none)
real http persistence (enable | disable)
rtcp service (<service> | none)
rtp service (<service> | none)
session reconnect (enable | disable)
unicast redirect (enable | disable)
profile rtsp (<profile rtsp key> | all) stats reset
Display
profile rtsp [<profile rtsp key> | all] [show [all]]
profile rtsp [<profile rtsp key> | all] list [all]
profile rtsp (<profile rtsp key> | all) check source [show]
profile rtsp (<profile rtsp key> | all) defaults from [show]
2 - 230
profile rtsp (<profile rtsp key> | all) idle timeout [show]

profile rtsp (<profile rtsp key> | all) max header size [show]
profile rtsp (<profile rtsp key> | all) max queued data [show]
profile rtsp (<profile rtsp key> | all) multicast redirect [show]
profile rtsp (<profile rtsp key> | all) name [show]
profile rtsp (<profile rtsp key> | all) partition [show]
profile rtsp (<profile rtsp key> | all) proxy [show]
profile rtsp (<profile rtsp key> | all) proxy header [show]
profile rtsp (<profile rtsp key> | all) real http persistence [show]
profile rtsp (<profile rtsp key> | all) rtcp service [show]
profile rtsp (<profile rtsp key> | all) rtp service [show]
profile rtsp (<profile rtsp key> | all) session reconnect [show]
profile rtsp (<profile rtsp key> | all) stats [show]
profile rtsp (<profile rtsp key> | all) unicast redirect [show]
Delete
profile rtsp (<profile rtsp key> | all) delete
Description
Manages a profile for RTSP traffic.
Examples
Creates a custom RTSP profile named myrtspprofile that inherits its
settings from the system default RTSP profile:
profile rtsp myrtspprofile { }
Options
You can use these options with the profile rtsp command:
◆ defaults from
profile inherits all of the settings and values from the specified parent
profile.
◆ idle timeout
connection is eligible for deletion. You can also specify immediate,
indefinite or default. The default value is 300 seconds.
◆ max header size
Specifies the maximum size of an RTSP request or response header that
the RTSP filter allows before dropping the connection. The default value
is 4096 bytes.
◆ max queued data
Specifies the maximum amount of data that the RTSP filter buffers
before dropping the connection. The default value is 32768 bytes.

Chapter 2
◆ multicast redirect
Specifies whether to enable or disable multicast redirect. When enabled,
the client can select the destination to which to stream data. The default
value is disable.
◆ partition
◆ proxy
Specifies whether the RTSP filter is associated with an RTSP proxy
configuration. The default value is none.
◆ proxy header
When a proxy is set, specifies the name of the header in the RTSP proxy
configuration that is passed from the client-side virtual server to the
server-side virtual server. Note that the name of the header must begin
with X-.
◆ real http persistence
Specifies whether to enable or disable real HTTP persistence. When
enabled, the RTSP filter automatically persists Real Networks RTSP
over HTTP using the RTSP port. The default value is enable. If you
disable this parameter, you can override the default behavior with an
iRule.
◆ rtcp service
The Real Time Control Protocol (RTCP) allows monitoring of the
real-time data delivery. This parameter specifies the number of the port
to use for the RTCP service.
◆ rtp service
The Real Time Protocol (RTP) provides data transport functions suitable
for applications transmitting real-time data. This parameter specifies the
number of the port to use for the RTP service.
◆ session reconnect
Specifies whether to enable or disable session reconnect. When enabled,
the RTSP filter persists the control connection, which is being resumed,
to the correct server. The default value is disable.
◆ unicast redirect
Specifies whether to enable or disable unicast redirect. When enabled,
the client can select the destination to which to stream data. The default
value is disable.
See also
2 - 232
profile sctp
Configures a Stream Control Transmission Protocol (SCTP) profile.
Syntax
Use this command to configure an SCTP profile.
Create/Modify
Important
BIG-IP® Systems.
profile sctp <profile sctp key> {}

profile sctp (<profile sctp key> | all) [{] <profile sctp arg list> [}]
<profile sctp key> ::=
<name>
<profile sctp arg> ::=
cookie expiration (<number> | immediate | indefinite)
defaults from (<profile sctp key> | none)
heartbeat <number>
in streams <number>
init max retries <number>
ip tos (<number> | mimic | pass)
link qos (<number> | mimic | pass)
name <name>
out streams <number>
proxy buffer high <number>
proxy buffer low <number>
recv chunks <number>
recv ordered (enable | disable)
recv window <number>
send buffer <number>
send max retries <number>
send partial (enable | disable)

Chapter 2
tcp shutdown (enable | disable)

trans chunks <number>
profile sctp (<profile sctp key> | all) stats reset
Display
profile sctp [<profile sctp key> | all] [show [all]]
profile sctp [<profile sctp key> | all] list [all]
profile sctp (<profile sctp key> | all) cookie expiration [show]
profile sctp (<profile sctp key> | all) defaults from [show]
profile sctp (<profile sctp key> | all) heartbeat [show]
profile sctp (<profile sctp key> | all) idle timeout [show]
profile sctp (<profile sctp key> | all) in streams [show]
profile sctp (<profile sctp key> | all) init max retries [show]
profile sctp (<profile sctp key> | all) ip tos [show]
profile sctp (<profile sctp key> | all) link qos [show]
profile sctp (<profile sctp key> | all) name [show]
profile sctp (<profile sctp key> | all) out streams [show]
profile sctp (<profile sctp key> | all) partition [show]
profile sctp (<profile sctp key> | all) proxy buffer high [show]
profile sctp (<profile sctp key> | all) proxy buffer low [show]
profile sctp (<profile sctp key> | all) recv chunks [show]
profile sctp (<profile sctp key> | all) recv ordered [show]
profile sctp (<profile sctp key> | all) recv window [show]
profile sctp (<profile sctp key> | all) reset on timeout [show]
profile sctp (<profile sctp key> | all) secret [show]
profile sctp (<profile sctp key> | all) send buffer [show]
profile sctp (<profile sctp key> | all) send max retries [show]
profile sctp (<profile sctp key> | all) send partial [show]
profile sctp (<profile sctp key> | all) stats [show]
profile sctp (<profile sctp key> | all) tcp shutdown [show]
profile sctp (<profile sctp key> | all) trans chunks [show]
Delete
profile sctp (<profile sctp key> | all) delete
Description
Manages a profile for SCTP traffic.
Examples
Creates a custom SCTP profile named mysctpprofile that inherits its
settings from the system default SCTP profile:
profile sctp mysctpprofile { }
2 - 234
Options
You can use these options with the profile sctp command:
◆ cookie expiration
Specifies how many seconds the cookie is valid. The default value is 60
seconds.
◆ defaults from
◆ heartbeat
Specifies the number of seconds to wait before sending a heartbeat
chunk. The default value is 30 seconds.
◆ idle timeout
Specifies the number of seconds without traffic before a connection is
eligible for deletion. The default value is 300 seconds.
◆ in streams
Specifies the number of inbound streams. The default value is 2.
◆ init max retries
Specifies the maximum number of retries to establish a connection. The
default value is 4.
◆ ip tos
Specifies the type of IP service set in packets sent to peer. The default
value is 0.
◆ link qos
Specifies the link quality of service set in sent packets. The default value
is 0.
◆ out streams
Specifies the number of outbound streams. The default value is 2.
◆ partition
◆ proxy buffer high
Specifies the proxy buffer level after which the system closes the receive
window. The default value is 16384.
◆ proxy buffer low
Specifies the proxy buffer level after which the system opens the receive
window. The default value is 4096.
◆ recv chunks
Specifies the size (in chunks) of the rx_chunk buffer. The default value
is 256.
◆ recv ordered
When enabled, the system delivers messages to the application layer in
order. The default value is enable.

Chapter 2
◆ recv window
Specifies the size (in bytes) of the receive window. Prorate this value to
the Receive Chunks value. The default value is 65536.
When enabled, the system resets a connection when the connection times
out. The default value is enable.
◆ secret
Specifies the internal secret string that the system uses for HTTP
Message Authenticated Code (HMAC) cookies.
◆ send buffer
Specifies the size in bytes of the buffer. The default value is 65536.
◆ send max retries
Specifies the maximum number of times the system tries again to send
data. The default value is 8.
◆ send partial
When enabled, the system accepts partial application data. The default
value is enable.
◆ tcp shutdown
When enabled, the system emulates the closing of a TCP connection. The
◆ trans chunks
Specifies the size (in chunks) of the tx_chunk buffer. The default value
is 256.
See also
profile(1), bigpipe(1), profile rtsp(1), profile sip(1)
2 - 236
profile serverssl
Configures a Server SSL profile.
Syntax
Use this command to configure a Server SSL profile.
Create/Modify
Important
BIG-IP® Systems.
profile serverssl <profile serverssl key> {}

profile serverssl (<profile serverssl key> | all) [{] <profile serverssl arg list> [}]
<profile serverssl key> ::=
<name>
<profile serverssl arg> ::=
alert timeout (<number> | immediate | indefinite)
authenticate (always | once)
authenticate name (<string> | none)
cache size <number>
cert (<file name> | none)
chain (<file name> | none)
ciphers (<string> | none)
defaults from (<profile serverssl key> | none)
handshake timeout (<number> | immediate | indefinite)
key (<file name> | none)
modssl methods (enable | disable)
name <name>
options [all bugfixes] [cipher server preference] [dont insert empty fragments] \
[ephemeral rsa] [microsoft big sslv3 buffer] [msie sslv2 rsa padding] \
[netscape ca dn bug] [netscape challenge bug] [netscape demo cipher change bug] \
[netscape reuse cipher change bug] [no session resumption on renegotiation] \
[no sslv2] [no sslv3] [no tlsv1] [passive close] [pkcs1 check 1] [pkcs1 check 2] \

Chapter 2
[single dh use] [ssleay 080 client dh bug] [sslref2 reuse cert type bug] \
[tls block padding bug] [tls d5 bug] [tls rollback bug] \
[microsoft sess id bug] | none
passphrase (<string> | none)
peer cert mode (ignore | require)
renegotiate period (<number> | immediate | indefinite)
renegotiate size (<number>[MB|mb] | indefinite)
strict resume (enable | disable)
unclean shutdown (enable | disable)
profile serverssl (<profile serverssl key> | all) stats reset
Display
profile serverssl [<profile serverssl key> | all] [show [all]]
profile serverssl [<profile serverssl key> | all] list [all]
profile serverssl (<profile serverssl key> | all) alert timeout [show]
profile serverssl (<profile serverssl key> | all) authenticate [show]
profile serverssl (<profile serverssl key> | all) authenticate depth [show]
profile serverssl (<profile serverssl key> | all) authenticate name [show]
profile serverssl (<profile serverssl key> | all) ca file [show]
profile serverssl (<profile serverssl key> | all) cache size [show]
profile serverssl (<profile serverssl key> | all) cache timeout [show]
profile serverssl (<profile serverssl key> | all) cert [show]
profile serverssl (<profile serverssl key> | all) chain [show]
profile serverssl (<profile serverssl key> | all) ciphers [show]
profile serverssl (<profile serverssl key> | all) crl file [show]
profile serverssl (<profile serverssl key> | all) defaults from [show]
profile serverssl (<profile serverssl key> | all) handshake timeout [show]
profile serverssl (<profile serverssl key> | all) key [show]
profile serverssl (<profile serverssl key> | all) mode [show]
profile serverssl (<profile serverssl key> | all) modssl methods [show]
profile serverssl (<profile serverssl key> | all) name [show]
profile serverssl (<profile serverssl key> | all) options [show]
profile serverssl (<profile serverssl key> | all) partition [show]
profile serverssl (<profile serverssl key> | all) passphrase [show]
profile serverssl (<profile serverssl key> | all) peer cert mode [show]
profile serverssl (<profile serverssl key> | all) renegotiate period [show]
profile serverssl (<profile serverssl key> | all) renegotiate size [show]
profile serverssl (<profile serverssl key> | all) stats [show]
profile serverssl (<profile serverssl key> | all) strict resume [show]
profile serverssl (<profile serverssl key> | all) unclean shutdown [show]
Delete
profile serverssl (<profile serverssl key> | all) delete
2 - 238
Description
Server-side profiles allow the traffic management system to handle
encryption tasks for any SSL connection being sent from a local traffic
management system to a target server. A server-side SSL profile is able to
act as a client by presenting certificate credentials to a server when
authentication of the local traffic management system is required. You
implement this type of profile by using the default profile, or creating a
custom profile based on the Server SSL profile template and modifying its
settings.
Examples
Creates a custom Server SSL profile named myserversslprofile that inherits
its settings from the system default serverssl profile:
profile serverssl myserversslprofile { }
Arguments
Several arguments are available for use with this command.
◆ ca file
Specifies the certificate authority (CA) file name or indicates the system
uses the certificate authority file name from the parent profile.
Configures certificate verification by specifying a list of client or server
CAs that the traffic management system trusts.
◆ cert
Specifies the certificate file name or indicates the system uses the
certificate file name from the parent profile. Specifies the name of the
certificate installed on the traffic management system for the purpose of
terminating or initiating an SSL connection. The default value is
default.crt.
◆ chain
Specifies the chain name or indicates the system uses the chain name
from the parent profile. Specifies or builds a certificate chain file that a
client can use to authenticate the profile.
◆ ciphers
Specifies a cipher name or indicates the system uses the default ciphers
from the parent profile.
◆ crl file
Specifies the certificate revocation list file name or indicates the system
uses the certificate revocation file name from the parent profile.
◆ defaults from

Chapter 2
◆ keynea
Specifies the key file name or indicates the system uses the key file name
from the parent profile. Specifies the name of the key installed on the
traffic management system for the purpose of terminating or initiating an
SSL connection. The default key file name is default.key.
◆ mode
Specifies the profile mode. The options are enable, disable, or default.
Enables or disables SSL processing. The default value is enable.
Options
These options are available, including some industry-related workarounds:
◆ alert timeout
Specifies the alert timeout in seconds. You can also specify immediate,
indefinite, or default. The default value is 60 seconds.
◆ authenticate
Specifies frequency of authentication. Options are once, always, or
default.
Specifies the client certificate chain maximum traversal depth.
◆ authenticate name
Specifies a Common Name (CN) that is embedded in a server certificate.
The system authenticates a server based on the specified CN.
◆ cache size
Specifies the SSL session cache size. For client-side profiles only, you
can configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
◆ cache timeout
Specifies the SSL session cache timeout value, which is the usable
lifetime seconds of negotiated SSL session IDs. The default value is 300
seconds. Acceptable values are integers greater than or equal to 5. You
can also set this value to immediate or indefinite.
◆ handshake timeout
Specifies the handshake timeout in seconds. You can also specify
immediate, indefinite, or default.
◆ modssl methods
Enables or disables ModSSL method emulation. Use enable when
OpenSSL methods are inadequate. For example, you can enable ModSSL
method emulation when you want to use SSL compression over TLSv1.
◆ partition
◆ passphrase
Specifies the key passphrase, if required.
2 - 240
◆ peer cert mode

Specifies the peer certificate mode. Options are require, ignore, and
default.
◆ renegotiate period
Specifies the number of seconds from the initial connect time after which
the system renegotiates an SSL session. The default value is indefinite
meaning that you do not want the system to renegotiate SSL sessions.
Each time the session renegotiation is successful, a new connection is
started. Therefore, the system attempts to renegotiate the session again,
in the specified amount of time following the successful session
renegotiation. For example, setting the Renegotiate Period to 3600
seconds triggers session renegotiation at least once an hour.
◆ renegotiate size
Specifies a throughput size, in bytes, of SSL renegotiation. This setting
forces the traffic management system to renegotiate an SSL session
based on the size, in megabytes, of application data that is transmitted
over the secure channel. The default value is indefinite specifying that
you do not want a throughput size.
◆ strict resume
You can enable or disable the resumption of SSL sessions after an
unclean shutdown. The default value is disable, which indicates that the
SSL profile refuses to resume SSL sessions after an unclean shutdown.
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. If you want to
force the SSL profile to perform a clean shutdown of all SSL
connections, you can disable the default setting.
The following choices, including some industry-related workarounds, are

available under options:
◆ [all bugfixes]
This option enables the following defects: microsoft sess id bug, netscape
challenge bug, netscape reuse cipher change bug, sslref2 reuse cert type
bug, microsoft big sslv3 buffer, msie sslv2 rsa padding, ssleay 080 client
dh bug, tls d5 bug, tls block padding bug, and dont insert empty
fragments
It is usually safe to use the all bugfixes option to enable the defect
workaround options when compatibility with broken implementations is
needed. Note that if you edit the configuration in the browser-based
Configuration utility, the syntax for this option expands into each
individual option.
◆ [cipher server preference]
When choosing a cipher, use this option to set all the server's preferences
instead of the client’s preferences. When this option is not set, the SSL
server always follows the client's preferences. When this option is set, the

Chapter 2
SSLv3/TLSv1 server chooses by using its own preferences. Due to the

different protocol, for SSLv2 the server sends its list of preferences to the
client and the client always chooses.
◆ [dont insert empty fragments]
This option disables a countermeasure against a SSL 3.0/TLS 1.0
protocol vulnerability affecting CBC ciphers. These ciphers cannot be
handled by certain broken SSL implementations. This option has no
effect for connections using other ciphers.
◆ [ephemeral rsa]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is only done when an
RSA key can be used only for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that you want to use ephemeral RSA keys always. This option
breaks compatibility with the SSL/TLS specifications and may lead to
interoperability problems with clients. Therefore, F5 does not
recommend this option. You should use ciphers with EDH (ephemeral
Diffie-Hellman) key exchange instead. This option is ignored for
server-side SSL.
◆ [microsoft big sslv3 buffer]
Microsoft applications that use non-standard SSL record sizes.
◆ [microsoft sess id bug]
This option handles a Microsoft session ID problem.
◆ [msie sslv2 rsa padding]
Microsoft applications that use non-standard RSA key padding. This
option is ignored for server-side SSL.
◆ [netscape ca dn bug]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape Navigator browser connection, demands a
client cert, has a non-self-signed CA that does not have its CA in
Netscape, and the browser has a certificate, the system crashes or hangs.
◆ [netscape challenge bug]
This option handles the Netscape challenge problem.
◆ [netscape demo cipher change bug]
This option deliberately manipulates the SSL server session resumption
behavior to mimic that of certain Netscape servers (see the Netscape
reuse cipher change bug workaround description). F5 does not
recommend this option for normal use. It is ignored for server-side SSL.
◆ [netscape reuse cipher change bug]
This option handles a defect within Netscape Enterprise Server version
2.01 that only appears when connecting through SSLv2/v3 then
reconnecting through SSLv3. In this case, the cipher list changes.
2 - 242
First, a connection is established with the RC4-MD5 cipher list. If it is

then resumed, the connection switches to using the DES-CBC3-SHA
cipher list. However, according to RFC 2246 (section 7.4.1.3, cipher
suite), the cipher list should remain RC4-MD5.
As a workaround, you can attempt to connect with a cipher list of
DES-CBC-SHA:RC4-MD5, and so on. Each new connection uses the
RC4-MD5 cipher list, but any re-connection attempts to use the
DES-CBC-SHA cipher list. Thus Netscape, when reconnecting, always
uses the first cipher in the cipher list.
◆ [no session resumption on renegotiation]
When performing renegotiation as an SSL server, this option always
starts a new session (that is, session resumption requests are only
accepted in the initial handshake). The system ignores this option for
server-side SSL.
◆ [no sslv2]
◆ [no sslv3]
◆ [no tlsv1]
Do not use the TLSv1 protocol.
◆ [passive close]
Specifies how to handle passive closes.
• none
Choose this option if you want to disable all workarounds. F5 does
not recommend this option.
• default
Specifies the value, all bugfixes, which enables a set of
industry-related miscellaneous workarounds related to SSL
processing.
◆ [pkcs1 check 1]
◆ [pkcs1 check 2]
◆ [single dh use]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
when the DH parameters were not generated using strong primes (for
example. when using DSA-parameters). If strong primes were used, it is

Chapter 2
not strictly necessary to generate a new DH key during each handshake,

but it is recommended. You should enable the single dh use option
whenever temporary or ephemeral DH parameters are used.
◆ [ssleay 080 client dh bug]
SSLeay-based applications that specify an incorrect Diffie-Hellman
public value length. This option is ignored for server-side SSL.
◆ [sslref2 reuse cert type bug]
This option handles the SSL reuse certificate type problem.
◆ [tls block padding bug]
TLSv1-enabled applications that use incorrect block padding.
◆ [tls d5 bug]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
◆ [tls rollback bug]
This option disables version rollback attack detection. During the client
key exchange, the client must send the same information about
acceptable SSL/TLS protocol levels as it sends during the first hello.
Some clients violate this rule by adapting to the server's answer. For
example, the client sends an SSLv2 hello and accepts up to SSLv3.1
(TLSv1), but the server only processes up to SSLv3. In this case, the
client must still use the same SSLv3.1 (TLSv1) announcement. Some
clients step down to SSLv3 with respect to the server's answer and
violate the version rollback protection. The system ignores this option for
server-side SSL.
See also
profile(1), profile clientssl(1), bigpipe(1)
2 - 244
profile sip
Configures a Session Initiation Protocol (SIP) profile.
Syntax
Use this command to configure a SIP profile.
Create/Modify
Important
BIG-IP® Systems.
profile sip <profile sip key> {}

profile sip (<profile sip key> | all) [{] <profile sip arg list>
[}]
<profile sip key> ::=
<name>
<profile sip arg> ::=
defaults from (<profile sip key> | none)
dialog aware (enable | disable)
insert record route (enable | disable)
insert via (enable | disable)
max size <number>
name <name>
secure via (enable | disable)
sip community (<string> | none)
terminate bye (enable | disable)
via userdata (<string> | none)
profile sip (<profile sip key> | all) stats reset
Display
profile sip [<profile sip key> | all] [show [all]]
profile sip [<profile sip key> | all] list [all]
profile sip (<profile sip key> | all) defaults from [show]
profile sip (<profile sip key> | all) dialog aware [show]
profile sip (<profile sip key> | all) insert record route [show]
profile sip (<profile sip key> | all) insert via [show]

Chapter 2
profile sip (<profile sip key> | all) max size [show]

profile sip (<profile sip key> | all) name [show]
profile sip (<profile sip key> | all) partition [show]
profile sip (<profile sip key> | all) secure via [show]
profile sip (<profile sip key> | all) security [show]
profile sip (<profile sip key> | all) sip community [show]
profile sip (<profile sip key> | all) stats [show]
profile sip (<profile sip key> | all) terminate bye [show]
profile sip (<profile sip key> | all) via userdata [show]
Description
This command provides the ability to create a SIP profile.
Examples
Creates a SIP profile named mysipprofile using the system defaults:
profile sip mysipprofile { }
Creates a SIP profile named mysipprofile that leaves a connection open

following the completion of a BYE transaction:
profile sip mysipprofile { terminate bye disable }
Options
You can use these options with the profile sip command:
◆ defaults from
profile inherits all of the settings and values from the specified parent
profile. The default value is sip.
◆ dialog aware
Enables or disables the ability for the system to be aware of unauthorized
use of the SIP dialog. The default value is disable.
◆ insert record route
Enables or disables the insertion of a Record-Route header, which
indicates the next hop for the following SIP request messages. The
◆ insert via
Enables or disables the insertion of a Via header, which indicates where
the message originated. The response message uses this routing
information. The default value is disable.
◆ max size
Specifies the maximum SIP message size that the BIG-IP system accepts.
The default value is 64000 bytes.
◆ partition
2 - 246
◆ secure via
Enables or disables the insertion of a Secure Via header, which indicates
where the message originated. When you are using SSL/TLS (over TCP)
to create a secure channel with the server node, use this setting to
configure the BIG-IP system to insert a Secure Via header into SIP
requests. The default value is disable.
◆ security
Enables or disables security for the SIP profile. The default value is
disable.
◆ sip community
Specifies the community to which you want to assign the virtual server
that you associate with this profile. The default value is none.
◆ terminate bye
Enables or disables the termination of a connection when a BYE
transaction finishes. Use this parameter with UDP connections only, not
with TCP connections. The default value is enable.
◆ via userdata
Enables or disables the insertion of a Via header specified by a system
administrator. The default value is none.
See also
bigpipe(1), profile(1), profile persist(1)

Chapter 2
profile stats
Configures a Statistics profile.
Syntax
Use this command to configure a Statistics profile.
Create/Modify
Important
BIG-IP® Systems.
profile stats <profile stats key> {}

profile stats (<profile stats key> | all) \
[{] <profile stats arg list> [}]
<profile stats key> ::=
<name>
<profile stats arg> ::=
defaults from (<profile stats key> | none)
field<i> (<name> | none | default) (i=1-32)
profile stats (<profile stats key> | all) stats reset
Display
profile stats [<profile stats key> | all] [show [all]]
profile stats [<profile stats key> | all] list [all]
profile stats (<profile stats key> | all) defaults from [show]
profile stats (<profile stats key> | all) field<i> [show]
Delete
profile stats (<profile stats key> | all) delete
Description
Use the stats profile to create a custom Statistics profile.
2 - 248
Examples
Lists all available custom statistics fields:
profile stats all list
Options
You can use these options with the profile stats command:
◆ defaults from
profile inherits all settings and values from the specified parent profile.
◆ field
Specifies the field identifier. This is a number from 1 to 32.
◆ partition
See also
profile(1), bigpipe(1)

Chapter 2
profile stream
Configures a Stream profile.
Syntax
Use this command to configure a Stream profile.
Create/Modify
Important
BIG-IP® Systems.
profile stream <profile stream key> {}

profile stream (<profile stream key> | all) [{] <profile stream arg list> [}]
<profile stream key> ::=
<name>
<profile stream arg> ::=
defaults from (<profile stream key> | none)
name <name>
source (<string> | none)
target (<string> | none)
profile stream (<profile stream key> | all) stats reset
Display
profile stream [<profile stream key> | all] [show [all]]
profile stream [<profile stream key> | all] list [all]
profile stream (<profile stream key> | all) defaults from [show]
profile stream (<profile stream key> | all) name [show]
profile stream (<profile stream key> | all) partition [show]
profile stream (<profile stream key> | all) source [show]
profile stream (<profile stream key> | all) stats [show]
profile stream (<profile stream key> | all) target [show]
Delete
profile stream (<profile stream key> | all) delete
2 - 250
Description
You can use the Stream profile to search and replace strings within a data
stream, such as a TCP connection.
Examples
Creates a custom Stream profile named mystreamprofile that inherits its
settings from the system default stream profile:
profile stream mystreamprofile { }
Options
You can use these options with the profile stream command:
◆ defaults from
◆ partition
◆ target
Specifies the string you want to rewrite. You can also specify default if
you want to use the default system profile value.
◆ source
Specifies the string that is used to rewrite the target string. You can also
specify default if you want to use the default stream profile value.
See also

Chapter 2
profile tcp
Configures a TCP profile.
Syntax
Use this command to configure a TCP profile.
Create/Modify
Important
BIG-IP® Systems.
profile tcp <profile tcp key> {}

profile tcp (<profile tcp key> | all) [{] <profile tcp arg list> [}]
<profile tcp key> ::=
<name>
<profile tcp arg> ::=
abc (enable | disable)
ack on push (enable | disable)
bandwidth delay (enable | disable)
close wait (<number> | immediate | indefinite)
cmetrics cache (enable | disable)
congestion control (reno | newreno | scalable | highspeed | none)
defaults from (<profile tcp key> | none)
deferred accept (enable | disable)
delayed acks (enable | disable)
dsack (enable | disable)
ecn (enable | disable)
fin wait (<number> | immediate | indefinite)
keep alive interval <number>
limited transmit (enable | disable)
max retrans <number>
max retrans syn <number>
md5 sign (enable | disable)
md5 sign passphrase (<string> | none)
2 - 252
nagle (enable | disable)

name <name>
pkt loss ignore burst <number>
pkt loss ignore rate <number>
proxy buffer high <number>
proxy buffer low <number>
proxy mss (enable | disable)
proxy options (enable | disable)
recv window <number>
rfc1323 (enable | disable)
selective acks (enable | disable)
send buffer <number>
slow start (enable | disable)
time wait (<number> | immediate | indefinite)
time wait recycle (enable | disable)
verified accept (enable | disable)
profile tcp (<profile tcp key> | all) stats reset
Display
profile tcp [<profile tcp key> | all] [show [all]]
profile tcp [<profile tcp key> | all] list [all]
profile tcp (<profile tcp key> | all) abc [show]
profile tcp (<profile tcp key> | all) ack on push [show]
profile tcp (<profile tcp key> | all) bandwidth delay [show]
profile tcp (<profile tcp key> | all) close wait [show]
profile tcp (<profile tcp key> | all) cmetrics cache [show]
profile tcp (<profile tcp key> | all) congestion control [show]
profile tcp (<profile tcp key> | all) defaults from [show]
profile tcp (<profile tcp key> | all) deferred accept [show]
profile tcp (<profile tcp key> | all) delayed acks [show]
profile tcp (<profile tcp key> | all) dsack [show]
profile tcp (<profile tcp key> | all) ecn [show]
profile tcp (<profile tcp key> | all) fin wait [show]
profile tcp (<profile tcp key> | all) idle timeout [show]
profile tcp (<profile tcp key> | all) ip tos [show]
profile tcp (<profile tcp key> | all) keep alive interval [show]
profile tcp (<profile tcp key> | all) limited transmit [show]
profile tcp (<profile tcp key> | all) link qos [show]
profile tcp (<profile tcp key> | all) max retrans [show]
profile tcp (<profile tcp key> | all) max retrans syn [show]
profile tcp (<profile tcp key> | all) md5 sign [show]
profile tcp (<profile tcp key> | all) md5 sign passphrase [show]
profile tcp (<profile tcp key> | all) nagle [show]

Chapter 2
profile tcp (<profile tcp key> | all) name [show]

profile tcp (<profile tcp key> | all) partition [show]
profile tcp (<profile tcp key> | all) pkt loss ignore burst [show]
profile tcp (<profile tcp key> | all) pkt loss ignore rate [show]
profile tcp (<profile tcp key> | all) proxy buffer high [show]
profile tcp (<profile tcp key> | all) proxy buffer low [show]
profile tcp (<profile tcp key> | all) proxy mss [show]
profile tcp (<profile tcp key> | all) proxy options [show]
profile tcp (<profile tcp key> | all) recv window [show]
profile tcp (<profile tcp key> | all) reset on timeout [show]
profile tcp (<profile tcp key> | all) rfc1323 [show]
profile tcp (<profile tcp key> | all) selective acks [show]
profile tcp (<profile tcp key> | all) send buffer [show]
profile tcp (<profile tcp key> | all) slow start [show]
profile tcp (<profile tcp key> | all) stats [show]
profile tcp (<profile tcp key> | all) time wait [show]
profile tcp (<profile tcp key> | all) time wait recycle [show]
profile tcp (<profile tcp key> | all) verified accept [show]
Delete
profile tcp (<profile tcp key> | all) delete
Description
The TCP profile is a configuration tool for managing TCP network traffic.
Many of the TCP profile settings are standard SYSCTL types of settings,
while others are unique to the traffic management system. For most of the
TCP profile settings, the default values usually meet your needs. The
specific settings that you might want to change are: Reset on Timeout, Idle
Timeout, IP ToS, and Link QoS.
The BIG-IP system installation includes these TCP-type profiles: tcp,
tcp-lan-optimized, and tcp-wan-optimized. You can modify the settings of
these profiles or create new TCP-type profiles using any of these existing
profiles as parent profiles.
Examples
Creates a custom TCP profile named mystcpprofile that inherits its settings
from the system default tcp profile:
profile tcp mytcpprofile { }
2 - 254
Options
You can use these options with the profile tcp command:
◆ abc
When enabled, increases the congestion window by basing the increase
amount on the number of previously unacknowledged bytes that each
ACK covers. The default value is enable.
◆ ack on push
When enabled, significantly improves performance to Windows and
MacOS peers who are writing out on a very small send buffer. The
◆ bandwidth delay
When enabled, the system attempts to calculate the optimal bandwidth to
use to contact the client, based on throughput and round-trip time,
without exceeding the available bandwidth. The default value is enable.
◆ close wait
Specifies the number of seconds that a connection remains in a
LAST-ACK state before quitting. A value of 0 represents a term of
forever (or until the matrix of the FIN state). The default value is 5
seconds. You can also specify immediate, indefinite, or default.
◆ cmetrics cache
When enabled, specifies that the system uses a cache for storing
congestion metrics. The default value is enable.
◆ congestion control
Specifies the algorithm to use to share network resources among
competing users to reduce congestion. The default value is New Reno.
The options are:
• High Speed
Specifies that the system uses a more aggressive, loss-based
algorithm.
• New Reno
Specifies that the system uses a modification to the Reno algorithm
that responds to partial acknowledgements when SACKs are
unavailable.
• None
Specifies that the system does not use a network-congestion-control
mechanism, even when congestion occurs.
• Reno
Specifies that the system uses an implementation of the TCP Fast
Recovery algorithm, which is based on the implementation in the
BSD Reno release.
• Scalable
Specifies that the system uses a TCP algorithm modification that adds
a scalable, delay-based and loss-based component into the Reno
algorithm.

Chapter 2
◆ defaults from
◆ deferred accept
When enabled, the system defers allocation of the connection chain
context until the client response is received. This setting is useful for
dealing with 3-way handshake DOS attacks. The default value is disable.
◆ delayed acks
When enabled, the traffic management system allows coalescing of
multiple ACK responses. The default value is enable.
◆ dsack
When enabled, specifies the use of the Selective ACKs (SACK) option to
acknowledge duplicate segments. The default value is disable.
◆ ecn
When enabled, the system uses the TCP flags CWR and ECE to notify
its peer of congestion and congestion counter-measures. The default
value is disable.
◆ fin wait
Specifies the number of seconds that a connection is in the FIN-WAIT or
closing state before quitting. The default value is 5 seconds. A value of 0
represents a term of forever (or until the matrix of the FIN state). You
can also specify immediate, indefinite, or default.
◆ idle timeout
connection is eligible for deletion. You can also specify indefinite or
default. The default value is 300 seconds.
◆ ip tos
Specifies the Type of Service level that the traffic management system
assigns to TCP packets when sending them to clients.
◆ keep alive interval
Specifies the keep alive probe interval, in seconds. The default value is
1800 seconds.
◆ limited transmit
When enabled, the system uses limited transmit recovery revisions for
fast retransmits (as specified in RFC 3042) to reduce the recovery time
for connections on a lossy network. The default value is enable.
◆ link qos
Specifies the Quality of Service level that the system assigns to TCP
packets when sending them to clients.
◆ max retrans
Specifies the maximum number of retransmissions of data segments that
the system allows.
◆ max retrans syn
Specifies the maximum number of retransmissions of SYN segments that
the system allows.
2 - 256
◆ md5 sign
Specifies, when enabled, that the system uses RFC2385 TCP-MD5
signatures to protect TCP traffic against intermediate tampering. The
◆ md5 sign passphrase
Specifies, when enabled, a plaintext passphrase which may be between 1
and 80 characters in length, and is used in a shared-secret scheme to
implement the spoof-prevention parts of RFC2385.
◆ nagle
Specifies, when enabled, that the system applies Nagle's algorithm to
reduce the number of short segments on the network. The default value is
enable. Note that for interactive protocols such as Telnet, rlogin, or SSH,
F5 recommends disabling this setting on high-latency networks, to
improve application responsiveness.
◆ partition
◆ pkt loss ignore rate
Specifies packet loss rate to ignore. Measured in packets per million. The
default value is 0.
◆ pkt loss ignore burst
Ignore burst controls sensitivity to burst lost. The default value is 0.
◆ proxy buffer high
Specifies the highest level at which the receive window is closed. The
default value is 16384.
◆ proxy buffer low
Specifies the lowest level at which the receive window is closed. The
◆ proxy mss
When enabled, the system advertises the same mss to the server as was
negotiated with the client. The default value is enable.
◆ proxy options
When enabled, the system advertises an option, such as a time-stamp to
the server only if it was negotiated with the client. The default value is
enable.
◆ recv window
Specifies the size of the receive window, in bytes. The default value is
4096 bytes.
Specifies whether to reset connections on timeout.
◆ rfc1323
When enabled, the system uses the timestamp and window-scaling
extensions for TCP (as specified in RFC 1323) to enhance high-speed
network performance. The default value is enable.

Chapter 2
◆ selective acks
When enabled, the system negotiates RFC2018-compliant Selective
Acknowledgements with peers. The default value is enable.
◆ send buffer
Specifies the size of the buffer, in bytes. The default value is 8192 bytes.
◆ slow start
When enabled, the system uses larger initial window sizes (as specified
in RFC 3390) to help reduce round trip times. The default value is
enable.
◆ time wait
Specifies the number of seconds that a connection is in the TIME-WAIT
state before closing. You can also specify immediate, indefinite, or
default. The default value is 2 seconds.
◆ time wait recycle
Specifies whether the system recycles the connection when a SYN
packet is received in a TIME-WAIT state. The default value is enable.
◆ verified accept
Specifies, when enabled, that a SYN-ACK acknowledgement code is
sent only if the server port is open. The default value is disable.
See also
2 - 258
profile udp
Configures a UDP profile.
Syntax
Use this command to configure a UDP profile.
Create/Modify
Important
BIG-IP® Systems.
profile udp <profile udp key> {}

profile udp (<profile udp key> | all) [{] <profile udp arg list> [}]
<profile udp key> ::=
<name>
<profile udp arg> ::=
allow no payload (enable | disable)
datagram lb (enable | disable)
defaults from (<profile udp key> | none)
name <name>
no cksum (enable | disable)
profile udp (<profile udp key> | all) stats reset
Display
profile udp [<profile udp key> | all] [show [all]]
profile udp [<profile udp key> | all] list [all]
profile udp (<profile udp key> | all) allow no payload [show]
profile udp (<profile udp key> | all) datagram lb [show]
profile udp (<profile udp key> | all) defaults from [show]
profile udp (<profile udp key> | all) idle timeout [show]
profile udp (<profile udp key> | all) ip tos [show]
profile udp (<profile udp key> | all) link qos [show]
profile udp (<profile udp key> | all) name [show]
profile udp (<profile udp key> | all) no cksum [show]

Chapter 2
profile udp (<profile udp key> | all) partition [show]

profile udp (<profile udp key> | all) stats [show]
Delete
profile udp (<profile udp key> | all) delete
Description
The UDP profile is a configuration tool for managing UDP network traffic.
Examples
Creates a custom UDP profile named myudpprofile that inherits its settings
from the system default udp profile:
profile udp myudpprofile { }
Options
You can use these options with the profile udp command:
◆ allow no payload
Provides the ability to allow the passage of datagrams that contain header
information, but no essential data. The default value is disable.
◆ datagram lb
Provides the ability to load balance UDP datagram by datagram. The
◆ defaults from
◆ idle timeout
◆ ip tos
assigns to UDP packets when sending them to clients.
◆ link qos
Specifies the Quality of Service level that the system assigns to UDP
◆ no cksum
When enabled,
◆ partition
See also
2 - 260
provision
Configures provisioning on the BIG-IP system.
Syntax
Use this command to configure provisioning on the system.
Create/Modify
provision <provision key> {}
provision (<provision key> | all) [{] <provision arg list> [}]
<provision key> ::=
<name>
<provision arg> ::=
cpu ratio <number>
disk ratio <number>
level (none | minimum | nominal | dedicated | custom)
memory ratio <number>
name <name>
Display
provision [<provision key> | all] [show [all]]
provision [<provision key> | all] list [all]
provision (<provision key> | all) cpu [show]
provision (<provision key> | all) cpu ratio [show]
provision (<provision key> | all) disk [show]
provision (<provision key> | all) disk ratio [show]
provision (<provision key> | all) host [show]
provision (<provision key> | all) level [show]
provision (<provision key> | all) memory [show]
provision (<provision key> | all) memory ratio [show]
provision (<provision key> | all) name [show]
Delete
provision (<provision key> | all) delete
Description
Modifies the allocation of resources to the licensed modules on the system.

Chapter 2
Examples
Provisions the minimum amount of resources for the BIG-IP Application
Security Manager:
provision asm level minimum
Displays the current provisioning of the system:

provision list
Options
You can use these options with the provision command.
◆ cpu
Displays the percentage of CPU available to a module.
◆ cpu ratio
Use this option only when the level option is set to custom. F5 Networks
recommends that you do not modify this option.
◆ disk
Displays the amount of disk space available to a module.
◆ disk ratio
◆ host
Displays the amount of allocated host memory space available to a
module.
◆ level
Specifies the level of resources that you want to provision for a module.
The options are:
• custom
F5 Networks does not recommend that you specify this level.
• dedicated
Specifies that all resources are dedicated to the module you are
provisioning. For all other modules, the level option must be set to
none.
• minimal
Specifies that you want to provision the minimal amount of resources
for the module you are provisioning.
• nominal
Specifies that you want to share all of the available resources equally
among all of the modules that are licensed on the unit.
• none
Specifies that you do not want to provision any resources for this
module.
◆ memory
Displays the amount of memory available to a module.
2 - 262
◆ memory ratio
◆ name
Displays the name of the module you are provisioning.
See also
bigpipe(1), list(1)

Chapter 2
pva
Displays or resets Packet Velocity® ASIC statistics for the BIG-IP system.
Syntax
Use this command to display or reset Packet Velocity ASIC statistics.
Modify
pva (<pva key> | all) stats reset
Display
<pva key> ::=
(<number>.<number> | none)
pva [<pva key> | all] [show [all]]
Description
Displays or resets Packet Velocity ASIC statistics for the BIG-IP system.
Examples
Resets all the PVA statistics for the system:
pva all stats reset
Displays all the PVA statistics for the system:

pva all show all
Note
The BIG-IP system has one PVA accelerator; however, when you run this
command, the system displays a PVA statistics entry for each Traffic
Management Microkernel (TMM).
See also
bigpipe(1)
2 - 264
radius server
Configures a RADIUS server object for RADIUS authentication.
Syntax
Use this command to configure a RADIUS server.
Create/Modify
Important
BIG-IP® Systems.
radius server <radius server key> {}

radius server (<radius server key> | all) [{] <radius server arg list> [}]
<radius server key> ::=
<name>
<radius server arg> ::=
name <name>
Display
radius server [<radius server key> | all] [show [all]]
radius server [<radius server key> | all] list [all]
radius server (<radius server key> | all) name [show]
radius server (<radius server key> | all) partition [show]
radius server (<radius server key> | all) secret [show]
radius server (<radius server key> | all) server [show]
radius server (<radius server key> | all) service [show]
radius server (<radius server key> | all) timeout [show]
Delete
radius server (<radius server key> | all) delete

Chapter 2
Description
Creates, modifies, or deletes the RADIUS server. Note that you must also
create an auth radius profile to use a RADIUS server.
Examples
Lists the configuration for all RADIUS server objects on the system:
radius server all list
Creates a RADIUS server object named myserver2 with the secret of

mysecret, an IP address of 12.12.10.4 on port 80, and a timeout of 65
seconds:
radius server myserver2 secret \mysecret\ server \12.12.10.4\
service 80 timeout 65>
Options
You can use these options with the radius server command:
◆ partition
Displays the partition in which the RADIUS server resides.
◆ secret
Sets the secret key used to encrypt and decrypt packets sent or received
from the server. This setting is required.
◆ server
Specifies the host name or IP address of the RADIUS server. This setting
is required.
◆ service
Specifies the port for RADIUS authentication traffic. The default value is
port 1812.
◆ timeout
Specifies the timeout value in seconds. The default value is 3 seconds.
You can also specify immediate or indefinite.
See also
auth_radius(1), bigpipe(1)
2 - 266
rate class
Configures rate classes.
Syntax
Use this command to configure a rate class.
Create/Modify
rate class <rate class key> {}
rate class (<rate class key> | all) [{] <rate class arg list> [}]
<rate class key> ::=
<name>
<rate class arg> ::=
burst <number>
ceiling <number>[bps]
direction (any | to client | to server | vlan egress)
drop policy (<drop policy key> | none)
name <name>
parent (<rate class key> | none)
percent ceil <number>
percent rate <number>
rate <number>[bps]
shaping policy (<shaping policy key> | none)
type (<shaping queue key> | none)
rate class (<rate class key> | all) stats reset
Display
rate class [<rate class key> | all] [show [all]]
rate class [<rate class key> | all] list [all]
rate class [<rate class key> | all] burst [show]
rate class [<rate class key> | all] ceiling [show]
rate class [<rate class key> | all] direction [show]
rate class [<rate class key> | all] drop policy [show]
rate class [<rate class key> | all] name [show]
rate class [<rate class key> | all] parent [show]
rate class [<rate class key> | all] percent ceil [show]
rate class [<rate class key> | all] percent rate [show]
rate class [<rate class key> | all] rate [show]
rate class [<rate class key> | all] shaping policy [show]
rate class [<rate class key> | all] stats [show]
rate class [<rate class key> | all] type [show]

Chapter 2
Delete
rate class (<rate class key> | all) delete
Description
A rate class is a rate-shaping policy that you assign to a type of traffic, such
as Layer 3 traffic that specifies a certain source, destination, or service.
More specifically, a rate class defines the number of bits per second that the
system allows per connection and the number of packets in a queue. You
configure rate shaping by creating a rate class and then assigning the rate
class to a packet filter, a virtual server, or from within an iRule.
Examples
Creates the rate class myRTclass with a rate of 500 Mbps:
rate class myRTclass { rate 500M }
Deletes the rate class myRTclass:

rate class myRTclass delete
Options
You can use these options with the rate class command:
◆ burst
Specifies the maximum number of bytes that traffic is allowed to burst
beyond the specified rate. You can configure the rate in kilobits per
second (Kbps), megabits per second (Mbps), or gigabits per second
(Gbps).
◆ ceiling
Specifies how far beyond the base rate traffic is allowed to flow when
bursting. This number sets an absolute limit. No traffic can exceed this
rate. You can configure the rate in bits per second (bps), kilobits per
(Gbps).
◆ direction
Specifies the direction of traffic to which the rate class is applied.
Possible values are any, to client, or to server.
◆ drop policy
Specifies the drop policy for this rate class, which tells the system when
and how to drop packets, if required, when the traffic handling queue is
full. The available pre-configured policies are red (randomly drops
packets), fred (drops packets according to the type of traffic in the flow),
and tail (drops the end of the traffic stream). The default value is tail.
You can create a customized drop policy using the drop policy
command. If you specify a custom shaping policy, the drop policy
specified in the shaping policy takes precedence and changes this value
to conform with it.
2 - 268
◆ name
Specifies the name of this rate class.
◆ parent
Associates this class with another class. The class you are configuring
can borrow any unused bandwidth from the parent class' ceiling, thereby
supplementing the rate of the child class. Note that borrowing bandwidth
affects the rate, ceiling, and queuing method. The default value is none.
◆ percent ceil
Specifies the percentage of the ceiling specified for the associated parent
class that is available for this rate class. The default value is 0 (zero),
which indicates that the rate class uses the value of the ceiling option.
◆ percent rate
Specifies the percentage of the maximum throughput rate specified for
the associated parent class that is available for this rate class. The default
value is 0 (zero), which indicates that the system uses the value of the
rate option.
◆ rate
Specifies the maximum throughput rate allowed for traffic handled by
the rate class. Packets that exceed the specified number are dropped. This
setting is required. You can configure the rate in bits per second (bps),
kilobits per second (Kbps), megabits per second (Mbps), or gigabits per
second (Gbps).
◆ shaping policy
Specifies the name of a shaping policy that includes customized values
for drop policy and queuing method. The system automatically changes
the values for percent ceil, drop policy, burst, type, and percent rate
options of this class to match the values in the specified shaping policy.
◆ type
Specifies the queuing method. The pre-configured options are sfq and
pfifo.
• sfq
Stochastic Fair Queuing is a queuing method that further queues
traffic under a set of sub-queues, choosing the specific sub-queue
based on a hash of the flow address information. This results in traffic
from the same flow always being queued in the same list. SFQ then
dequeues packets from the sub-queues in a round-robin fashion. The
overall effect is that fairness of dequeuing is achieved, because
packets from one flow cannot occupy the queues at the exclusion of
those of another flow. If the rate class has a parent class, the default
queuing method is that of the parent class. If the rate class has no
parent class, the default value is sfq. You can create a custom queuing
method using the shaping queue command.
• pfifo
The Priority FIFO queuing method queues all traffic under a set of
five sub-queues based on the Type of Service (ToS) field of the
traffic. Four of the sub-queues correspond to the four possible ToS
values (Minimum delay, Maximum throughput, Maximum
reliability, and Minimum cost). The fifth sub-queue represents

Chapter 2
traffic with no ToS value. The Priority FIFO method processes these
five sub-queues in a way that preserves the meaning of the ToS field
as much as possible. For example, a packet with the ToS field set to
Minimum cost might yield dequeuing to a packet with the ToS field
set to Minimum delay.
See also
packet filter(1), rule(1), virtual(1), bigpipe(1)
2 - 270
remote users
Configures the default user role, partition access, and console access for all
remotely-authenticated user accounts that have not been added as local user
accounts on the BIG-IP system.
Note
To assign a different access to a specific remote user, you must create a

local user account for that user. For more information, see user, on page
2-355.
Syntax
Use this command to configure the default parameters for all of the remote
user accounts on the BIG-IP system as a group.
Create/Modify
Important
BIG-IP® Systems.
remote users [{] <remote users arg list> [}]

<remote users arg> ::=
default partition (<partition key> | all)
default role (administrator | resource admin | \
user manager | manager | app editor | operator | \
guest | policy editor | none)
remote console access (enable | disable)
Display
remote users [show [all]]
remote users list [all]
remote users default partition [show]
remote users default role [show]
remote users remote console access [show]
Description
You can use this command to configure the default parameters for all of the
remote user accounts on the BIG-IP system as a group.

Chapter 2
Examples
For all remote users, sets the default partition access to partition Common,
the default user role to none, and the default remote console access to
disable:
remoteusers default partition Common default role none remote console access disable
Options
You can use these options with the remote users command.
◆ default partition
Specifies the default partition for all remote user accounts. The default
partition is Common.
◆ default role
Specifies the default user role for all remote user accounts. The default
value is none. The available user roles are:
• administrator
• resource admin
• user manager
• app editor
• operator
• guest
• policy editor
◆ partition
Displays the partition within which the remote users object resides.
◆ remote console access
Enables or disables the default console access for all remote user
accounts. The default value is disable.
See also
bigpipe(1), user(1), remoterole(1)
2 - 272
remoterole
Creates a file (/config/bigip/auth/remoterole) that an LDAP, Active
Directory, RADIUS, or TACACS+ server reads to determine the specific
access rights to grant to groups of remotely-authenticated users.
Syntax
Use this command to grant access to a specific group of
remotely-authenticated users.
Create
Important
BIG-IP® Systems.
remoterole [{] <remoterole arg list> [}]

<remoterole arg> ::=
role info (<role info list> | none) [add | delete]
<role info> ::= (<role info key> | all) [{] <role info arg list> [}]
<role info key> ::=
<name>
<role info arg> ::=
attribute (<string> | none)
console (<string> | none)
deny (enable | disable)
line order <number>
name <name>
role (<string> | none)
user partition (<string> | none)
Display
remoterole [show [all]]
remoterole list [all]
remoterole role info [<role info key> | all] [show [all]]
remoterole role info [<role info key> | all] list [all]
remoterole role info (<role info key> | all) attribute [show]
remoterole role info (<role info key> | all) console [show]

Chapter 2
remoterole role info (<role info key> | all) deny [show]

remoterole role info (<role info key> | all) line order [show]
remoterole role info (<role info key> | all) name [show]
remoterole role info (<role info key> | all) role [show]
remoterole role info (<role info key> | all) user partition [show]
Description
You can use this command to grant access to a specific group of
remotely-authenticated users without having to create a local user account
on the BIG-IP system for each user in the group.
Examples
Configures a remote role named mygroupofusers, for LDAP
authentication, by creating the 1000th line of the
/config/bigip/auth/remoterole file and granting the Manager role in
partition_A to the remote users assigned this role:
remoterole role info mygroupofusers { line order 1000 role manager user partition \
partition_A attribute
"memberOF=cn=BigIPOperatorGroup,cn=users,dc=mydept,dc=mycompany,dc=com" }
Configures a remote role, named mygroupof users, for RADIUS or
TACACS+ authentication, by creating the 3000th line of the
/config/bigip/auth/remoterole file and granting the Manager role in
partition_A to the remote users assigned this role:
bigpipe remoterole role info mygroupofusers { attribute "operator_group=operator" console
enable line order 2000 role operator user partition partition_A }
Options
You can use these options with the remoterole command.
◆ attribute
Specifies an attribute-value pair supplied by the authentication server that
will be used to match against the entries in
/config/bigip/auth/remoterole. The pair chosen will typically identify
users with access rights in common. This value is required.
◆ console
Enables or disables console access for the specified group of
remotely-authenticated users. The default value is disable.
◆ deny
Enables or disables remote access for the specified group of
remotely-authenticated users. The default value is disable.
◆ line order
Specifies the order of the lines in the file,
/config/bigip/auth/remoterole. The LDAP and Active Directory servers
read this file line by line. The order of the information is important;
2 - 274
therefore, F5 recommends that you set the first line at 1000. This allows
you, in the future, to insert lines before the first line. This value is
required.
◆ partition
Displays the partition within which the remoterole object resides.

Chapter 2
◆ role
Specifies the user role that you want to grant to the specified group of
remotely-authenticated users. The default value is none. The available
user roles are:
• administrator
• resource admin
• user manager
• app editor
• operator
• guest
• policy editor
◆ user partition
Specifies the partition to which you are assigning access to the specified
group of remotely-authenticated users. The default value is Common.
See also
bigpipe(1), user(1), remote_users(1)
2 - 276
route
Configures routes for traffic management.
Syntax
Use this command to create, display, or delete a traffic route.
Create
route <route key> {}
route (<route key> | all) [{] <route arg list> [}]
<route key> ::=
<network ip>
(auto | connected | dynamic | static)
<route arg> ::=
dest <network ip>
gateway (<ip addr> | none)
mtu <number>
(auto | connected | dynamic | static)
(reject)
vlan (<vlan key> | none)
Display
route [<route key> | all] [show [all]]
route [<route key> | all] list [all]
route (<route key> | all) dest [show]
route (<route key> | all) gateway [show]
route (<route key> | all) mtu [show]
route (<route key> | all) pool [show]
route (<route key> | all) source [show]
route (<route key> | all) type [show]
route (<route key> | all) vlan [show]
Delete
route (<route key> | all) delete
Description
Configure static routes for the system, including default routes. When
configuring a static route, you can specify a gateway (that is, the next- or
last-hop router) to be an IP address, a VLAN name, or the name of a pool of
routers.

Chapter 2
Examples
Sets the route 12.12.3.0/24 on the VLAN named internal:
route 12.12.3.0/24 vlan internal
Options
You can use these options with the route command.
Note
The options gateway, vlan, pool, and reject are mutually exclusive. You can
use only one of these options at a time, and at least one of these options is
required when using the route command.
◆ default
Sets the default routing type to IPv4 (inet) or IPv6 (inet6).
◆ gateway
Specifies a gateway address for the system.
◆ ip addr
Creates an IP address/netmask route. You can also specify the route
using CIDR notation, such as 12.12.3.0/24.
◆ mtu
Sets a specific maximum transition unit (MTU).
◆ pool
Specifies a gateway pool. A gateway pool allows multiple, load-balanced
gateways to be used for a given route.
◆ reject
Rejects packets coming from the specified route.
◆ vlan
Specifies the VLAN name for the route.
See also
mgmt(1), bigpipe(1), mgmt route(1), pool(1), vlan(1), vlangroup(1)
2 - 278
route domain
Configures route domains for traffic management.
Syntax
Use this command to configure the route domain for the system.
Create/Modify
route domain <route domain key> {}
route domain (<route domain key> | all) [{] <route domain arg list> [}]
<route domain key> ::=
<number>
<route domain arg> ::=
id <number>
parent id <number>
strict (enable | disable)
Display
route domain [<route domain key> | all] [show [all]]
route domain [<route domain key> | all] list [all]
route domain (<route domain key> | all) description [show]
route domain (<route domain key> | all) id [show]
route domain (<route domain key> | all) parent id [show]
route domain (<route domain key> | all) partition [show]
route domain (<route domain key> | all) strict [show]
route domain (<route domain key> | all) vlans [show]
Delete
route domain (<route domain key> | all) delete
Description
You can use route domains to assign the same IP address to more than one
device on a network, as long as each instance of the IP address resides in a
separate routing domain.

Chapter 2
Examples
Creates a route domain with an ID of 1:
route domain 1
Displays all of the properties of all route domains:

route domain list all
Options
You can use these options with the route domain command.
◆ description
Specifies identifying text for the route domain.
◆ id
Specifies a unique numeric identifier for the route domain.
◆ parent id
Specifies the route domain the system searches when it cannot find a
route in the configured domain. The default value is none. If you specify
a Parent ID during route table lookup, if the system cannot find a route in
the current route domain, the system searches routes in the parent route
domain. If no route is found in the parent route domain, the system
searches the parent route domain's parent, and so on, until the system
finds either a match or a Parent ID with a value of none.
For example, if rd_1 has a Parent ID of 0 (in this example, route domain
0 has a Parent ID of none), and you include vlan_a in rd_1, when
requests arrive for vlan_a, the system looks in rd_1 for a route for the
specified destination. If no route is found, the system searches route
domain 0. If it still cannot find a route, the request for vlan_a fails. If you
use the same example and set the parent ID to none, under the same
conditions, the system looks in rd_1. If it cannot find a matching route,
the system refrains from searching any other route domain, and the
request for vlan_a fails.
◆ strict
Specifies whether you want the system to enforce cross-routing
restrictions. When enabled, routes cannot cross route domain boundaries
(so they are strictly isolated to the current route domain). The default is
enabled. When disabled, a route can cross route domains.
For example, you can add a route to the routing table where the
destination is 10.0.0.0%20 (route domain 20) and the gateway is
172.27.84.29%32 (route domain 32).
◆ vlans
Specifies VLANs, by name, for the system to use in the route domain.
See also
bigpipe(1), vlan(1), vlangroup(1)
2 - 280
rtsp
Displays or resets Real Time Streaming Protocol (RTSP) statistics for the
BIG-IP system.
Syntax
Use this command to display or reset RTSP statistics for the system.
Display
rtsp [show [all]]
Modify
rtsp stats reset
Description
Displays or resets RTSP statistics for the system.
Examples
Displays all RTSP statistics for the system:
rtsp show all
See also
bigpipe(1), profile rtsp (1)

Chapter 2
rule
Creates, modifies, deletes, and displays iRules™ for traffic management
Syntax
Use this command to configure an iRule.
Create/Modify
Important
BIG-IP® Systems.
rule <rule key> {}

rule (<rule key> | all) { <rule arg list> }
<rule key> ::=
<name>
<rule arg> ::=
<iRule>
name <name>
rule (<rule key> | all) stats reset
Display
rule [<rule key> | all] [show [all]]
rule [<rule key> | all] list [all]
rule (<rule key> | all) definition [show]
rule (<rule key> | all) name [show]
rule (<rule key> | all) partition [show]
Delete
rule (<rule key> | all) delete
2 - 282
Description
iRules can direct traffic not only to specific pools, but also to individual pool
members, including port numbers and URI paths, either to implement
persistence or to meet specific load balancing requirements. The syntax that
you use to write iRules is based on the Tools Command Language (Tcl)
programming standard. Thus, you can use many of the standard Tcl
commands, plus a robust set of extensions that the BIG-IP local traffic
management system provides to help you further increase load balancing
efficiency.
For information about standard Tcl syntax, see
http://tmml.sourceforge.net/doc/tcl/index.html. For a list of Tcl
commands that have been disabled within the traffic management system
and therefore cannot be used in the traffic management system, see the
Configuration Guide for BIG-IP® Local Traffic Management. This guide
is available at https://support.f5.com.
Examples
In this example, the iRule my_Rule includes the event declaration
CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr.
In this case, the IP address that the iRule command returns is that of the
client, because the default context of the event declaration
CLIENT_ACCEPTED is clientside:
rule my_Rule '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] == 10.1.1.80] \
{ pool myPool }}}'
This example shows the iRule my_Rule2, which includes the event
declaration SERVER_CONNECTED, as well as the iRule command
IP::remote_addr. In this case, the IP address that the iRule command
returns is that of the server, because the default context of the event
declaration SERVER_CONNECTED is serverside:
rule my_Rule2 '{ when SERVER_CONNECTED { if { [IP::remote_addr] == 10.1.1.80 } \
{ pool my_pool2 }}}'
In this example, the iRule my_Rule3 includes the event declaration

CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr.
In this case, the IP address 10.1.1.80 is directed to the pool named
blackhole, while traffic originating from other addresses is directed to the
pool normalService. Instead of one IP address, you could also specify a
class that contains IP addresses that you want to send to the blackhole pool:
rule my_Rule3 '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] == 10.1.1.80] \
{ pool blackhole } else { pool normalService }}}'

Chapter 2
Options
You can use this option with the rule command:
◆ partition
Displays the partition in which the rule resides.
See also
persist(1), pool(1), profile(1), rate class(1), snat(1), bigpipe(1)
2 - 284
save
Writes the running configuration into the stored configuration files.
Syntax
Use this command to write the running configuration into the stored
configuration files.
Modify
save
save all
[base] save
Description
You can use this command to save the running configuration of the BIG-IP
system.
Options
You can use these options with the save command.
Important
When you want to save to the stored configuration files the changes that you
make to the system, F5 recommends that you use the save all command.
◆ base save
Saves only the portions of the running configuration that reside in these
stored configuration files:
◆ save
Saves only the portions of the running configuration that reside in these
stored configuration files:
◆ save all
Saves the entire running configuration into these stored configuration
files:

Chapter 2
See also
bigpipe(1), load(1)
2 - 286
sctp
Displays or resets Stream Control Transmission Protocol (SCTP) statistics
for the BIG-IP system.
Syntax
Use this command to display or reset SCTP statistics for the system.
Display
sctp [show [all]]
Modify
sctp stats reset
Description
Displays or resets SCTP statistics for the system.
Examples
Displays all SCTP statistics for the system:
sctp show all
See also
bigpipe(1), profile sctp (1)

Chapter 2
self
Configures a self IP address for a VLAN.
Syntax
Use this command to create, modify, display, and delete a self IP address.
Create/Modify
self <self key> {}
self (<self key> | all) [{] <self arg list> [}]
<self key> ::=
<ip addr>
<self arg> ::=
addr <ip addr>
allow (<protocol/service list> | none) [add | delete]
floating (enable | disable)
netmask (<ip mask> | none)
unit <number>
vlan <vlan key>
<protocol/service> ::= proto <protocol list> | \
(tcp | udp) (<service list> | none | all)
Display
self [<self key> | all] [show [all]]
self [<self key> | all] list [all]
self (<self key> | all) addr [show]
self (<self key> | all) allow [show]
self (<self key> | all) floating [show]
self (<self key> | all) netmask [show]
self (<self key> | all) unit [show]
self (<self key> | all) vlan [show]
Delete
self (<self key> | all) delete
Description
A self IP address is an IP address that is assigned to the system. Self IP
addresses are part of the configuration of the BIG-IP network components.
You must define at least one self IP address for each VLAN.
2 - 288
Examples
Adds the self IP address 10.10.10.24 to the VLAN named internal:
self 10.10.10.24 vlan internal
Enables a floating IP address on the external VLAN. The floating attribute

makes this virtual address available to whichever unit of a redundant system
configuration is active at a given time. In other words, when the standby unit
becomes the active unit, it uses this virtual address. Only one of the units in
a redundant system configuration can use the floating IP address at any
given time.
self 10.1.1.1 vlan external netmask 255.255.0.0 floating enable
Options
You can use these options with the self command.
◆ addr
Specifies the self IP address for a VLAN.
◆ allow
Specifies the type of protocol/service that the VLAN handles.
◆ floating
Enables or disables a floating self IP address for the VLAN. A floating
self IP address is an additional self IP address for a VLAN that serves as
a shared address by both units of a BIG-IP redundant system
configuration.
◆ netmask
Specifies a netmask for the self IP address for the VLAN.
◆ unit
Specifies the unit number in a redundant system configuration.
◆ vlan
Specifies the VLAN for which you are setting a self IP address. This
setting is required.
See also
vlan(1), vlangroup(1), bigpipe(1)

Chapter 2
self allow
Configures the default allow list for all self IP addresses on the BIG-IP
system.
Syntax
Use this command to delete, modify, or display the default allow list for all
self IP addresses on the BIG-IP system. The default allow list displays
which service and protocol ports allow connections from outside the system.
Connections made to a service or protocol port that is not on the list are
refused.
Modify
self allow {}
self allow [{] <self allow arg list> [}]
<self allow arg> ::=
default (<protocol/service list> | none) [add | delete]
Display
self allow [show [all]]
self allow list [all]
self allow default [show]
Delete
self allow delete
Description
You can use this command to modify, display, or delete the default allow
list for all self IP addresses on the BIG-IP system.
Examples
Sets the default allow list for all self IP addresses on the system to the
system default:
self allow default tcp 22 53 161 443 4353 udp 53 161 520 1026 4353 proto 89
Sets the default allow list for all self IP addresses on the system to TCP:
self allow default tcp 55
Displays the default allow list for all self IP addresses on the system:
self allow default
2 - 290
Options
You can use these options with the self allow command:
◆ default
Specifies that you want to set the default allow list to one of the
following:
• all
Specifies all protocols and services allow connections from outside
the system. Use this option to open the system to complete access.
• none
Specifies that no protocols or services allow connections from outside
the system.
• protocol/service list
Specifies a list of protocols/services that allow connections from
outside the system.
◆ delete
Deletes the default self allow list.
See also
vlan(1), vlangroup(1), bigpipe(1)

Chapter 2
shell
Displays information about and customizes the bigpipe shell.
Syntax
Use this command to customize the bigpipe shell and display information
about the shell.
Modify
shell [{] <shell arg list> [}]
<shell arg> ::=
history <number>
partition <partition key>
prompt <string>
read partition (<partition key> | all)
write partition <partition key>
Display
shell [show [all]]
shell list [all]
shell history [show]
shell partition [show]
shell prompt [show]
shell read partition [show]
shell write partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Once the bigpipe utility is started in its shell mode, you can use the shell
command to configure the shell.
Examples
Customizes the bigpipe shell prompt to display as F5>:
shell prompt F5>
Displays all of attribute settings, including those that have been modified
and those that are set to the default values:
shell list all
2 - 292
Specifies that you want to save up to 100 commands in the bigpipe shell
history:
shell history 100
Displays the maximum number of commands that the bigpipe shell saves in
the shell history file, $HOME/.bphistory-<user>.
shell history show
have Write access to the partition named Application1:
shell write partition Application1
have Read and Write access to the partition named Application2:
shell partition Application2
Options
You can use these options with the shell command:
◆ history
Specifies the maximum number of commands that the bigpipe shell
saves in the shell history file, $HOME/.bphistory-<user>. The default
value is 50. A value of 0 (zero) specifies that the bigpipe shell does not
save any commands in history.
◆ partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is available only to users with access to
all partitions.
◆ prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
◆ read partition
Changes the partition to which you have Read access to the partition you
◆ write partition
Changes the partition to which you have Write access to the partition you
See also
partition(1), bigpipe(1)

Chapter 2
snat
Configures secure network address translation (SNAT).
Syntax
Use this command to configure a SNAT.
Create/Modify
snat <snat key> {}
snat (<snat key> | all) [{] <snat arg list> [}]
<snat key> ::=
<name>
<snat arg> ::=
name <name>
origins (<network ip list> | none) [add | delete]
snatpool (<snatpool key> | none)
srcport (preserve | preserve strict | change)
translation (<snat translation key> | none)
(none | automap)
snat (<snat key> | all) stats reset
Display
snat [<snat key> | all] [show [all]]
snat [<snat key> | all] list [all]
snat (<snat key> | all) mirror [show]
snat (<snat key> | all) name [show]
snat (<snat key> | all) origins [show]
snat (<snat key> | all) snatpool [show]
snat (<snat key> | all) srcport [show]
snat (<snat key> | all) stats [show]
snat (<snat key> | all) translation [show]
snat (<snat key> | all) type [show]
snat (<snat key> | all) vlans [show]
Delete
snat (<snat key> | all) delete
2 - 294
Description
The snat command creates, deletes, sets properties on, and displays
information about SNATs. A SNAT defines the relationship between an
externally visible IP address, SNAT IP, or translated address, and a group of
internal IP addresses, or originating addresses, of individual servers at your
site.
Examples
Creates the SNAT mysnat that translates the address of connections that
originate from the address 10.1.1.3 to the translation address 11.1.1.3:
snat mysnat { origin 10.1.1.3 translation 11.1.1.3 }
Options
You can use these options with the snat command:
◆ automap
Turns on SNAT automapping. This setting can be used only when
snatpool and translation are not used.
◆ mirror
Enables or disables mirroring of SNAT connections.
◆ origin
Specifies an originating IP address. Note that originating addresses are
behind the unit. This setting is required.
◆ snatpool
Specifies the name of a SNAT pool. This setting can be used only when
automap and translation are not used.
◆ translation
Specifies a translated IP address. Note that translated addresses are
outside the traffic management system. This setting can be used only
when automap and snatpool are not used.
◆ type
Displays the type of SNAT. The types are automap, snatpool, and
translation.
◆ vlans
Specifies the name of the VLAN to which you want to assign the SNAT.
The default value is vlans all enable.
See also
nat(1), snat translation(1), snatpool(1), virtual(1), bigpipe(1)

Chapter 2
snat translation
Configures an explicit SNAT translation address.
Syntax
Use this command to configure an explicit SNAT translation address.
Create/Modify
snat translation <snat translation key> {}
snat translation (<snat translation key> | all) [{] <snat translation arg list> [}]
<snat translation key> ::=
(<ip addr> | none)
<snat translation arg> ::=
(enable | disable)
ip timeout (<number> | immediate | indefinite)
limit <number>
tcp timeout (<number> | immediate | indefinite)
udp timeout (<number> | immediate | indefinite)
unit <number>
snat translation (<snat translation key> | all) stats reset
Display
snat translation [<snat translation key> | all] [show [all]]
snat translation [<snat translation key> | all] list [all]
snat translation (<snat translation key> | all) addr [show]
snat translation (<snat translation key> | all) arp [show]
snat translation (<snat translation key> | all) enabled [show]
snat translation (<snat translation key> | all) ip timeout [show]
snat translation (<snat translation key> | all) limit [show]
snat translation (<snat translation key> | all) stats [show]
snat translation (<snat translation key> | all) tcp timeout [show]
snat translation (<snat translation key> | all) udp timeout [show]
snat translation (<snat translation key> | all) unit [show]
Delete
snat translation (<snat translation key> | all) delete
2 - 296
Description
Explicitly defines the properties of a SNAT translation address.
Examples
Disables Address Resolution Protocol (ARP) on all SNAT translation
addresses:
snat translation all arp disable
Options
You can use these options with the snat translation command:
◆ arp
Indicates whether or not the system responds to ARP requests or sends
gratuitous ARPs. The default value is enable.
◆ ip timeout
Specifies the number of seconds that IP connections initiated using a
SNAT address are allowed to remain idle before being automatically
disconnected. Possible values are immediate, indefinite, or a number
that you specify.
◆ limit
Specifies the number of connections a translation address must reach
before it no longer initiates a connection. The default value of 0 indicates
that the setting is disabled.
◆ tcp timeout
Specifies the number of seconds that TCP connections initiated using a
that you specify. The default value is indefinite.
◆ udp timeout
Specifies the number of seconds that UDP connections initiated using a
that you specify. The default value is indefinite.
◆ unit
Specifies the unit number in a redundant system configuration.
See also
nat(1), snat(1), snatpool(1), virtual(1), bigpipe(1)

Chapter 2
snatpool
Configures a SNAT pool.
Syntax
Use this command to configure a SNAT pool.
Create/Modify
snatpool <snatpool key> {}
snatpool (<snatpool key> | all) [{] <snatpool arg list> [}]
<snatpool key> ::=
<name>
<snatpool arg> ::=
members (<snat translation key list> | none) [add | delete]
name <name>
snatpool (<snatpool key> | all) stats reset
Display
snatpool [<snatpool key> | all] [show [all]]
snatpool [<snatpool key> | all] list [all]
snatpool (<snatpool key> | all) members (<snat translation key> | all) stats reset
snatpool (<snatpool key> | all) members [<snat translation key> | all] [show [all]]
snatpool (<snatpool key> | all) members (<snat translation key> | all) \
snatpool name [show]
snatpool (<snatpool key> | all) members (<snat translation key> | all) stats [show]
snatpool (<snatpool key> | all) members (<snat translation key> | all) trans addr [show]
snatpool (<snatpool key> | all) name [show]
snatpool (<snatpool key> | all) stats [show]
Delete
snatpool (<snatpool key> | all) delete
Description
A SNAT pool is a pool of translation addresses that you can map to one or
more original IP addresses. Translation addresses in a SNAT pool are not
self-IP addresses. You can simply create a SNAT pool and then assign it as
a resource directly to a virtual server. This eliminates the need for you to
explicitly define original IP addresses to which to map translation addresses.
2 - 298
Examples
Creates the SNAT pool mysnatpool1 that contains the translation addresses
(members) 11.12.11.24 and 11.12.11.25:
snatpool mysnatpool1 { members 11.12.11.24 11.12.11.25 }
Deletes the SNAT pool named mysnatpool1:

snatpool mysnatpool1 delete
Options
You can use this option with the snatpool command:
◆ members
Specifies the addition of a translation address to, or the deletion of a
translation address from, a SNAT pool.
See also
nat(1), snat(1), snat translation(1), bigpipe(1)

Chapter 2
snmpd
Configures the simple network management protocol (SNMP) daemon for
the BIG-IP system.
Syntax
Use this command to configure the snmpd daemon for the system.
Create/Modify
Important
BIG-IP® Systems.
snmpd [{] <snmpd arg list> [}]

<snmpd arg> ::=
agent address (<string list> | none) [add | delete]
agenttrap (enable | disable)
authtrapenable (enable | disable)
bigip traps (enable | disable)
community (<community list> | none) [add | delete]
disk (<disk list> | none) [add | delete]
l2forward vlan (<string> | none)
load max1 <number>
load max15 <number>
load max5 <number>
proc (<proc list> | none) [add | delete]
syscontact (<string> | none)
syslocation (<string> | none)
sysservices <number>
trap2sink (<trap2sink list> | none) [add | delete]
trapcommunity (<string> | none)
trapsess (<trapsess list> | none) [add | delete]
trapsink (<trapsink list> | none) [add | delete]
trapsource (<ip addr> | none)
usmuser (<usmuser list> | none) [add | delete]
2 - 300
<community> ::= (<community key> | all) [{] <community arg list> [}]
<community key> ::=
<name>
<community arg> ::=
access (ro | rw)
community name (<string> | none)
ipv6 (enable | disable)
name <name>
oid (<string> | none)
source (<string> | none)
<disk> ::= (<disk key> | all) [{] <disk arg list> [}]
<disk key> ::=
<name>
<disk arg> ::=
minspace <number>
minspace type (size | percent)
name <name>
path (<string> | none)
<proc> ::= (<proc key> | all) [{] <proc arg list> [}]
<proc key> ::=
<name>
<proc arg> ::=
max (<string> | none)
min <number>
name <name>
process (<string> | none)
<trap2sink> ::= (<trap2sink key> | all) [{] <trap2sink arg list> [}]
<trap2sink key> ::=
<name>
<trap2sink arg> ::=
community (<string> | none)
host (<ip addr> | <host name> | none)
name <name>
port <number>
<trapsess> ::= (<trapsess key> | all) [{] <trapsess arg list> [}]
<trapsess key> ::=
<name>
<trapsess arg> ::=
auth password (crypt (<string> | none) | <string> | none)
auth protocol (MD5 | SHA | NONE)
engine id (<string> | none)
name <name>

Chapter 2
port <number>
privacy password (crypt (<string> | none) | <string> | none)
privacy protocol (DES | NONE)
security level (noAuthNoPriv | authNoPriv | authPriv)
security name (<string> | none)
version (1 | 2c | 3)
<trapsink> ::= (<trapsink key> | all) [{] <trapsink arg list> [}]
<trapsink key> ::=
<name>
<trapsink arg> ::=
name <name>
port <number>
<usmuser> ::= (<usmuser key> | all) [{] <usmuser arg list> [}]
<usmuser key> ::=
<name>
<usmuser arg> ::=
access (ro | rw)
auth password (crypt (<string> | none) | <string> | none)
auth protocol (MD5 | SHA | NONE)
name <name>
oid (<string> | none)
privacy password (crypt (<string> | none) | <string> | none)
privacy protocol (DES | NONE)
security level (noAuthNoPriv | authNoPriv | authPriv)
username (<string> | none)
Display
snmpd [show [all]]
snmpd list [all]
snmpd agent address [show]
snmpd agenttrap [show]
snmpd allow [show]
snmpd authtrapenable [show]
snmpd bigip traps [show]
snmpd community [<community key> | all] [show [all]]
snmpd community [<community key> | all] list [all]
snmpd community (<community key> | all) access [show]
snmpd community (<community key> | all) community name [show]
snmpd community (<community key> | all) ipv6 [show]
snmpd community (<community key> | all) name [show]
2 - 302
snmpd community (<community key> | all) oid [show]

snmpd community (<community key> | all) source [show]
snmpd disk [<disk key> | all] [show [all]]
snmpd disk [<disk key> | all] list [all]
snmpd disk (<disk key> | all) minspace [show]
snmpd disk (<disk key> | all) minspace type [show]
snmpd disk (<disk key> | all) name [show]
snmpd disk (<disk key> | all) path [show]
snmpd include [show]
snmpd l2forward vlan [show]
snmpd load max1 [show]
snmpd proc [<proc key> | all] [show [all]]
snmpd proc [<proc key> | all] list [all]
snmpd proc (<proc key> | all) max [show]
snmpd proc (<proc key> | all) min [show]
snmpd proc (<proc key> | all) name [show]
snmpd proc (<proc key> | all) process [show]
snmpd syscontact [show]
snmpd syslocation [show]
snmpd sysservices [show]
snmpd trap2sink [<trap2sink key> | all] [show [all]]
snmpd trap2sink [<trap2sink key> | all] list [all]
snmpd trap2sink (<trap2sink key> | all) community [show]
snmpd trap2sink (<trap2sink key> | all) host [show]
snmpd trap2sink (<trap2sink key> | all) name [show]
snmpd trap2sink (<trap2sink key> | all) port [show]
snmpd trapcommunity [show]
snmpd trapsess [<trapsess key> | all] [show [all]]
snmpd trapsess [<trapsess key> | all] list [all]
snmpd trapsess (<trapsess key> | all) auth password [show]
snmpd trapsess (<trapsess key> | all) auth protocol [show]
snmpd trapsess (<trapsess key> | all) community [show]
snmpd trapsess (<trapsess key> | all) engine id [show]
snmpd trapsess (<trapsess key> | all) host [show]
snmpd trapsess (<trapsess key> | all) name [show]
snmpd trapsess (<trapsess key> | all) port [show]
snmpd trapsess (<trapsess key> | all) privacy password [show]
snmpd trapsess (<trapsess key> | all) privacy protocol [show]
snmpd trapsess (<trapsess key> | all) security level [show]
snmpd trapsess (<trapsess key> | all) security name [show]

Chapter 2
snmpd trapsess (<trapsess key> | all) version [show]

snmpd trapsink [<trapsink key> | all] [show [all]]
snmpd trapsink [<trapsink key> | all] list [all]
snmpd trapsink (<trapsink key> | all) community [show]
snmpd trapsink (<trapsink key> | all) host [show]
snmpd trapsink (<trapsink key> | all) name [show]
snmpd trapsink (<trapsink key> | all) port [show]
snmpd trapsource [show]
snmpd usmuser [<usmuser key> | all] [show [all]]
snmpd usmuser [<usmuser key> | all] list [all]
snmpd usmuser (<usmuser key> | all) access [show]
snmpd usmuser (<usmuser key> | all) auth password [show]
snmpd usmuser (<usmuser key> | all) auth protocol [show]
snmpd usmuser (<usmuser key> | all) name [show]
snmpd usmuser (<usmuser key> | all) oid [show]
snmpd usmuser (<usmuser key> | all) privacy password [show]
snmpd usmuser (<usmuser key> | all) privacy protocol [show]
snmpd usmuser (<usmuser key> | all) security level [show]
snmpd usmuser (<usmuser key> | all) username [show]
Description
You can use this command to configure the snmpd daemon for the system.
Important
changes are made to the system using the command snmpd. This is because
making changes to the system using the command snmpd causes a restart of
the snmpd daemon. Likewise, restarting the snmpd daemon creates the
necessity for a restart of the Configuration utility.
Examples
Specifies that the person who administers the snmpd daemon for the system
can be reached using the email address, admin@company.com:
snmpd syscontact admin@company.com
Specifies that the physical location of the system is the central office:
snmpd syslocation "central office"
Disables agent traps:

snmpd agenttrap disable
Adds a range of SNMP clients to the /etc/hosts.allow file:

snmpd allow 10.10.0.0/255.255.240.0
2 - 304
Adds the SNMP version 2c trapsess, ts1, to the system. The IP address of
ts1 is 192.168.1.245 and the community that has access to ts1 is public:
snmpd trapsses ts1 { host 192.168.1.245 community public }
Adds the SNMP version 2 trapsink, number1, to the system. The host of
number1 is 10.20.5.11, the port is 162, and the community that has access
to number1 is public.
snmpd trap2sink number1 { community public host 10.20.5.11 port 162 }
Adds an SNMP version 3 trapsess, ts2, to the system:

snmpd trapsess ts2 { host 192.168.1.246 community public auth protocol MD5 \
auth password myAuthPassword engine id 80001030204 security level authNoPriv \
security name mySecurityName version 3 }
Creates a community specification, named community1, for the BIG-IP

system. community1 includes a community, named mycommunity, that
provides read-only access to the host at 192.168.1.126. This host cannot be
an IPv6 address. The oid for this community is 5:
snmpd community community1 { community name mycommunity access ro source 192.168.1.246\
oid 5 ipv6 disable }
Replaces the default community specification for the BIG-IP system. Using
this command, the default community includes a community, named public,
that provides read-only access to the default host. The oid for this
community is 1:
snmpd community default { community name public source default oid 1 access ro }
Deletes the default community for the BIG-IP system:

snmpd community default delete
Disables monitoring of the snmpd load average on the BIG-IP system:

snmpd load max1 0 load max5 0 load max15 0
Options
You can use the following commands with the snmpd command:
◆ agent address
Indicates that the SNMP agent listens on the specified address. F5
recommends that you do not change this setting without fully
understanding the impact of the change.
◆ agenttrap
Specifies, when enabled, that snmpd sends traps, for example: start/stop
traps. The default value is enable.
◆ allow
Adds or deletes IP addresses for the SNMP clients from which the
snmpd daemon accepts requests. An SNMP client is a system that runs
the SNMP manager software for the purpose of remotely managing the
BIG-IP system. The default value is 127.

Chapter 2
◆ authtrapenable
Specifies, when enabled, the snmpd daemon generates authentication
failure traps. The default value is disable.
◆ bigip traps
Specifies, when enabled, that the BIG-IP system sends device warning
traps to the trap destinations. The default value is enable.
◆ community
Adds or deletes a community. Note that you must include a community
key, and you must enclose the attributes in braces. The options are
additive, and include:
• access
Specifies the community access level to the MIB. The options are ro
(Read-Only community), and rw (Read-Write community). The
default value is ro.
• community name
Specifies the name of the community that you are adding or deleting.
This setting is required. The default value is public.
• ipv6
Enables or disables IPv6 addresses for the community that you are
adding or deleting. The default value is disable.
• oid
Specifies that you want to restrict access for the community to every
object below the specified object identifier (OID) for the record.
• source
Specifies the source addresses with the specified community name
that can access the management information base (MIB). The default
value is default, which means allow any source address to access the
MIB.
◆ disk
Checks the disks mounted at the specified path for available disk space.
The options are:
• minspace type
Specifies a minimum disk space measurement type of either size (in
kBs) or percent. Please note that the minspace setting is based on the
this setting.
• minspace
Specifies the minimum disk space threshold in either kBs or
percentage based on the minspace type setting. If the available disk
space is less than this amount, the associated entry in the
1.3.6.1.4.1.2021.9.1.100 MIB table is set to (1) and a descriptive error
message is returned to queries of 1.3.6.1.4.1.2021.9.1.101.
• path
Specifies the path to the disk that the system checks for disk space.
2 - 306
◆ include
◆ l2forward vlan
Specifies the VLANs for which you want the snmpd daemon to expose
Layer 2 forwarding information. Layer 2 forwarding is the means by
which frames are exchanged directly between hosts, with no IP routing
required.
• none
This is the default value; it means this parameter is not set.
Important: The default value is not the same as setting the l2forward
vlan parameter to the string "none," which indicates that you do not
want the snmpd daemon to expose Layer 2 forwarding for any VLAN.
• <vlan key>
Specifies the names of the VLANs for which the snmpd daemon
exposes Layer 2 forwarding information. The snmpd daemon
overwrites the value of the sysL2ForwardAttrVlan object identifier
(OID) with the specified VLAN names. Once you set this parameter,
users cannot change the value of the sysL2FowardAttrVlan OID
using the SNMP set method.
• all
Specifies that the snmpd daemon exposes Layer 2 forwarding
information for all VLANs.
Warning: When you set this parameter to all, the system can create a
very large table of statistics, and potentially affect system
performance.
◆ load max1
Specifies the maximum 1-minute load average of the machine. If the load
exceeds this threshold, the associated entry in the
Note: When you specify a 0 (zero) for all of the load max1, load max5,
and load max15 options, the system does not monitor the load average.
◆ load max15
Specifies the maximum 15-minute load average of the machine. If the
load exceeds this threshold, the associated entry in the

Chapter 2
◆ load max5
Specifies the maximum 5-minute load average of the machine. If the load
exceeds this threshold, the associated entry in the
◆ partition
Displays the partition within which the snmpd daemon resides.
◆ proc
Specifies a check of the machine to determine if the specified process is
running. An error flag (1) and a description message are passed to the
1.3.6.1.4.1.2021.2.1.100 and 1.3.6.1.4.1.2021.2.1.101 MIB columns
(respectively) if the specified program is not found in the process table as
reported by /bin/ps -e.
F5 recommends that you do not modify or delete system processes;
however, you can add, modify, or delete user-defined processes.
• max
Specifies the maximum number of instances of the process that can
run. If min and max settings are not specified, the max setting is 1 by
default. The maximum is infinity.
• min
Specifies the minimum number of instances of the process that can
run. If max setting is specified, but min setting is not specified, the
min setting is 1 by default.
• process
Specifies the name of the process for which you are checking. The
maximum length for a process name is 16 characters.
◆ syscontact
Specifies the name of the person who administers the snmpd daemon for
this system.
◆ syslocation
Describes this system's physical location.
◆ sysservices
Specifies the value of the system.sysServices.0 object.
◆ trap2sink
Adds or deletes an SNMP version 2 trap destination. Note that you must
include a trap2sink key, and you must enclose the attributes in braces.
• community
Specifies the community name for the trap destination that you are
adding or deleting.
• host
Specifies the IP address or the FQDN for the trap2sink host that you
are adding or deleting. Note that you must configure the DNS Server
on the BIG-IP system. You can use the dns command to do this.
2 - 308
• port
Specifies the port for the trap destination that you are adding or
deleting. The default value is 162.
◆ trapcommunity
Specifies the common community name for the trap destination.
◆ trapsess
Adds or deletes an SNMP trap destination.
Note: You must include a trapsess key, and you must enclose the
attributes in braces.
• auth password
Specifies the authentication password only for an SNMP version 3
trap. Note that if you enter an authentication password, the auth
protocol option cannot equal NONE.
• auth protocol
Specifies the authentication method only for an SNMP version 3 trap.
The default value is NONE. You must use capital letters for the
following authentication methods:
• MD5
Specifies that the system uses the MD5 algorithm to authenticate
the user. This option is valid only for SNMP version 3.
• SHA
Specifies that the system uses the secure hash algorithm (SHA) to
authenticate the user. This option is valid only for SNMP version
3.
• NONE
Specifies that user does not require authentication. Note that if
you use this option, you do not use the auth password option.
This option is not valid for SNMP version 3.
• engine id
Specifies the authoritative security engine ID for SNMP version 3.
• host
Specifies the IP address or the FQDN for the trapsess host that you
on the BIG-IP system. You can use the dns command to do this. This
• port
Specifies the port for the trapsess destination. The default value is
162.
• privacy password
Specifies the privacy pass phrase to use for encrypted SNMP version
3 messages. Note that if you enter a privacy password, the privacy
protocol option cannot equal NONE. Use this setting to set only
SNMP version 3 traps.

Chapter 2
• privacy protocol
Specifies the encryption protocol to use to deliver authentication
information for this trapsess. The default value is NONE. Use this
setting to set only SNMP version 3 traps. You must use the specified
case for the following options exactly:
• DES
Specifies that the system encrypts the user information using
DES (Data Encryption Standard). This option is valid only for
SNMP version 3.
• NONE
Specifies that the system does not encrypt the user information.
Note that if you use this option, you do not use the privacy
password option.
• security level
Specifies the security level for the trapsess. The default value is
noAuthNoPriv. Use this setting to set only SNMP version 3 traps.
You must use the specified case for the following options exactly:
• noAuthNoPriv
Specifies that if the system cannot authenticate the user, the
system does not grant the user access to the system. This setting
is required if the SNMP version is other than version 3.
• authNoPriv
Specifies that the SNMP trap destination uses the auth protocol
setting, but not the privacy protocol setting. Note that if you use
this option, auth protocol cannot be NONE, and auth password
must be set. This option is valid only for SNMP version 3.
• authPriv
Specifies that the SNMP trap destination uses both the
authentication protocol setting and the privacy protocol
setting. Note that if you use this option, auth protocol cannot be
set to NONE, and privacy protocol cannot be set to NONE. This
option is valid only for SNMP version 3.
• security name
Specifies the security name the system uses to authenticate SNMP
version 3 messages.
• version
Specifies the SNMP version to which the trap destination applies. The
default value is 2c.
◆ trapsink
Adds or deletes an SNMP version 1 trap destination.
• community
Specifies the community name for the trap destination.
• host
Specifies the IP address or the FQDN for the trapsink host that you
on the BIG-IP system. You can use the dns command to do this.
2 - 310
• port
Specifies the port for the trapsink destination.
◆ trapsource
Specifies the source of the SNMP trap. The default value is none.
◆ usmuser
Adds or deletes a user for which you are setting an SNMP access level
for SNMP version 3. Note that you must include a usmuser key, and you
must enclose the attributes in braces. The options are additive and
include:
• access
Specifies the user access level to the MIB. The default value is ro
(Read Only).
• authpassword
Specifies the user’s authentication password. Note that if you enter an
authentication password, the auth type option cannot equal NONE.
• auth protocol
Specifies the authentication method for this user. This setting is
required. You must use capital letters for the following authentication
methods:
• MD5
Specifies that the system uses the MD5 algorithm to authenticate
the user.
• SHA
Specifies that the system uses the secure hash algorithm (SHA) to
authenticate the user.
• NONE
Specifies that user does not require authentication.
• oid
Specifies an object identifier (OID) for the record.
• privacy password
Specifies the password for the user. Note that if you enter a privacy
password, the privacy protocol option cannot equal NONE.
• privacy protocol
Specifies the encryption protocol to use to deliver authentication
information for this user. Note that if you enter a privacy protocol, the
auth type option cannot equal NONE. This setting is required. You
must use capital letters for the following authentication methods:
• DES
Specifies that the system encrypts the user information using
DES. This option is valid only for SNMP version 3.
• NONE
Specifies that the system does not encrypt the user information.
Note that if you use this option, you do not use the privacy
password option.

Chapter 2
• security level
Specifies the security level for the user. The default value is
noAuthNoPriv. Use this setting to set only SNMP version 3 traps.
You must use the specified case for the following options exactly:
• noAuthNoPriv
Specifies that if the user cannot be authenticated, the system does
not grant access to the system. This setting is required if the
SNMP version is other than version 3.
• authNoPriv
Specifies that the SNMP trap destination uses the auth protocol
setting, but not the privacy protocol setting. Note that if you use
this option, auth protocol cannot be NONE, and auth password
must be set. This option is valid only for SNMP version 3.
• authPriv
Specifies that the SNMP trap destination uses the authentication
protocol setting and the privacy protocol setting. Note that if
you use this option, auth protocol cannot be set to NONE, and
privacy protocol cannot be set to NONE. This option is valid
only for SNMP version 3.
• username
Specifies the name of the user who is using SNMP version 3 to access
the MIB. This setting is required.
See also
bigpipe(1), httpd(1), ntp(1), dns(1), sshd(1)
2 - 312
software
Downloads and installs software onto a BIG-IP system.
Syntax
Use this command to download software, and then install it onto a BIG-IP
system.
Create/Modify
software [{] <software arg list> [}]
<software arg> ::=
desired (<software desired list> | none) [add | delete]
hotfixes (<software hotfix key list> | none) [add | delete]
images (<software image key list> | none) [add | delete]
status <software status key list>
volumes <software volume key list>
<software desired> ::= (<software desired key> | all) \
[{] <software desired arg list> [}]
<software desired key> ::=
<name>
<software desired arg> ::=
active (enable | disable)
build (<string> | none)
product (<string> | none)
retry (enable | disable)
retry count <number>
version (<string> | none)
volume <name>
<software hotfix key> ::=
(<string> | none)
<software image key> ::=
(<string> | none)
<software status key> ::=
<name>
<software volume key> ::=
<name>
Display
software [show [all]]
software list [all]
software desired [<software desired key> | all] [show [all]]
software desired [<software desired key> | all] list [all]
software desired (<software desired key> | all) active [show]

Chapter 2
software desired (<software desired key> | all) build [show]

software desired (<software desired key> | all) product [show]
software desired (<software desired key> | all) retry [show]
software desired (<software desired key> | all) retry count [show]
software desired (<software desired key> | all) version [show]
software desired (<software desired key> | all) volume [show]
software hotfixes [<software hotfix key> | all] [show [all]]
software hotfixes (<software hotfix key> | all) build [show]
software hotfixes (<software hotfix key> | all) chksum [show]
software hotfixes (<software hotfix key> | all) filename [show]
software hotfixes (<software hotfix key> | all) hotfix id [show]
software hotfixes (<software hotfix key> | all) hotfix title [show]
software hotfixes (<software hotfix key> | all) product [show]
software hotfixes (<software hotfix key> | all) verified [show]
software hotfixes (<software hotfix key> | all) version [show]
software images [<software image key> | all] [show [all]]
software images (<software image key> | all) build [show]
software images (<software image key> | all) build date [show]
software images (<software image key> | all) chksum [show]
software images (<software image key> | all) file size [show]
software images (<software image key> | all) filename [show]
software images (<software image key> | all) last modified [show]
software images (<software image key> | all) product [show]
software images (<software image key> | all) verified [show]
software images (<software image key> | all) version [show]
software status [<software status key> | all] [show [all]]
software status (<software status key> | all) active [show]
software status (<software status key> | all) basebuild [show]
software status (<software status key> | all) build [show]
software status (<software status key> | all) edition [show]
software status (<software status key> | all) product [show]
software status (<software status key> | all) status [show]
software status (<software status key> | all) version [show]
software status (<software status key> | all) volume [show]
software volumes [<software volume key> | all] [show [all]]
software volumes (<software volume key> | all) active [show]
software volumes (<software volume key> | all) media [show]
software volumes (<software volume key> | all) name [show]
software volumes (<software volume key> | all) size [show]
2 - 314
Delete
software delete
software desired(<software desired list> delete
software hotfixes <software hotfix key list> delete
software images <software image key list> delete
software status <software status key list> delete
software volumes <software volume key list> delete
Description
You can use the software command to:
• Download and install software images and hotfixes onto the system
• Delete software that you have downloaded
Examples
Copies the software image file Hotfix-BIGIP-10.0.0-5514.0-HF2.iso from
/root to /shared/images:
bigpipe software hotfix \
/root/Hotfix-BIGIP-10.0.0-5514.0-HF2.iso add
Deletes the software installation from the HD1.3 partition.

bigpipe software desired HD1.3 product none version none \
build none
You can install the software using the following series of commands as an
example.
Copies the software image file BIGIP-10.0.0.5401.0.iso from /root to
/shared/images:
bigpipe software image /root/BIGIP-10.0.0.5401.0.iso add
When you are currently running on volume HD1.1, installs BIG-IP version
9.6.0, build 565, on install volume HD1.2:
bigpipe software desired HD1.2 product BIG-IP version 9.6.0 \
build 565.0
Displays the progress of the software installation:

watch bigpipe software status show
When you are currently running on volume HD1.1, switchboot reboots the
system to volume HD1.2:
bigpipe software desired HD1.2 active enable

Chapter 2
You can use the following commands to display information about the
BIG-IP system.
Displays the software images table:
bigpipe software images show
Displays the status of the software for each volume:

bigpipe software status show
You can use the following commands to add or delete an image location.
Adds the HD1.3 image location.
bigpipe software desired HD1.3 add
Deletes the HD1.3 image location.

bigpipe software desired HD1.3 delete
Options
You can use these options with the software command:
◆ active
Displays whether the volume is running. Note that you cannot delete the
active volume.
◆ build
Displays the F5 Networks build number related to the installed software
image.
◆ build date
Displays the date associated with the software image file.
◆ chksum
Displays the MD5 checksum for the software image.
◆ desired
Installs the specified version of the software or hotfix at the specified
location.
◆ file size
Displays the size of the software image file.
◆ filename
Displays the name of the software image file.
◆ hotfix id
Displays the ID number related to the hotfix.
◆ hotfix title
Displays the name of the hotfix.
◆ hotfixes
Initiates installation of the specified software hotfix on the specified
volume.
2 - 316
◆ images
Copies the specified files to a location from which the system can install
the software.
◆ last modified
Displays the date on which the software image was last changed.
◆ media
Displays the type of media on which the volume exists.
◆ name
Specifies the name of the volume.
◆ product
Displays the F5 Networks product related to the installed software.
◆ retry
Enables the retry option, which automatically retries installing in case of
installation failure.
◆ size
Displays the size of the volume.
◆ status
Displays the status of currently installing or installed software.
◆ version
Displays the F5 Networks product version number related to the installed
software image.
◆ volume
Displays the volumes on the system.
• active (enable | disable)
• media
• name
• size
Note: The volume option is not applicable to partitioned systems.
See also

Chapter 2
sshd
Configures the Secure Shell (SSH) daemon for the BIG-IP system.
Syntax
Use this command to configure the sshd daemon on the system.
Create/Modify
Important
BIG-IP® Systems.
Note
You must enter the values for the loglevel argument using the exact case
shown below. In other words, to assign a log level of ERROR, you use the
syntax: sshd loglevel ERROR.
sshd [{] <sshd arg list> [}]

<sshd arg> ::=
banner (enable | disable)
banner text (<string> | none)
inactivity timeout <number>
login (enable | disable)
loglevel (QUIET | FATAL | ERROR | INFO | VERBOSE | \
DEBUG | DEBUG1 | DEBUG2 | DEBUG3)
Display
sshd [show [all]]
sshd list [all]
sshd allow [show]
sshd banner [show]
sshd banner text [show]
sshd inactivity timeout [show]
sshd include [show]
sshd login [show]
sshd loglevel [show]
2 - 318
Description
Use the sshd command to configure a secure channel between the BIG-IP
system and other devices.
Important
changes are made to the system using the sshd command. This is because
making changes to the system using the sshd command causes a restart of
the sshd daemon. Likewise, restarting the sshd daemon creates the necessity
for a restart of the Configuration utility.
Examples
Creates an initial range of IP addresses (192.168.0.0 with a netmask of
255.255.0.0) that are allowed to log on to the system:
sshd allow 192.168.0.0/255.255.0.0
Adds the IP address, 192.168.1.245, to the existing list of IP addresses that

are allowed to log on to the system:
sshd allow 192.168.1.245 add
Enables SSH logon to the system:

sshd login enable
Sets an inactivity timeout of 60 minutes for SSH logons to the system:

sshd inactivity timeout 3600
Sets the sshd message log level to ERROR:

sshd loglevel ERROR
Note
In the following examples, the banner text can be composed of multiple

lines, but you must type (double) quotation marks around the text, and type
apostrophes (single quotation marks) outside the (double) quotation marks.
Enables the display of an SSH banner upon logon and sets the contents of
that banner to: NOTICE: Improper use of this computer is prohibited.
sshd banner enable banner text ‘"NOTICE: Improper use of this
computer may result in prosecution!"’
Creates a three-line banner that displays when a user attempts to log on to a

system using SSH.
sshd banner enable banner text
‘”Attention:
This system is private.
Illegal use is punishable by law.
“’

Chapter 2
Options
You can use these options with the sshd command:
◆ allow
Adds a server to or removes a server from the /etc/hosts.allow file. Use
this option to either add servers that are allowed to access the BIG-IP
system or delete these servers from the system.
Warning: Using the value none resets the sshd daemon to allow all
servers access to the system. F5 recommends that you do not use the
value none with the sshd command.
◆ banner
Enables or disables the display of the banner text field when a user logs
in to the system using SSH. The default value is disable.
◆ banner text
When banner is enabled, specifies the text to include in the banner that
displays when a user attempts to log on to the system.
◆ inactivity timeout
Specifies the number of seconds before inactivity causes an SSH session
to log off. The default value is 0 (zero) seconds, which indicates that
inactivity timeout is disabled.
◆ include
◆ login
Enables or disables SSH logons to the system. The default value is
enable.
◆ loglevel
Specifies the minimum sshd message level to include in the system log.
You must enter the following values in capital letters:
• DEBUG - DEBUG3
Indicates that the minimum sshd message level that the system logs is
the specified debugging level.
• ERROR
error.
• FATAL
fatal.
• INFO
informational.
2 - 320
• QUIET
Indicates that the system does not log sshd messages.
• VERBOSE
Indicates that the system logs all sshd messages.
◆ partition
Displays the partition within which the sshd daemon resides.
See also

Chapter 2
ssl
Displays or resets Secure Sockets Layer (SSL) statistics for the BIG-IP
system.
Syntax
Use this command to display or reset SSL statistics for the system.
Modify
ssl stats reset
Display
ssl [show [all]]
Description
Displays or resets SSL statistics for the system.
Examples
Displays all SSL statistics for the system:
ssl show all
See also
bigpipe(1)
2 - 322
statemirror
Configures connection mirroring for a BIG-IP unit that is part of a
Syntax
Use this command to enable and configure connection mirroring for the
system.
Create/Modify
Important
BIG-IP® Systems.
statemirror [{] <statemirror arg list> [}]

<statemirror arg> ::=
peer addr (<ip addr> | none)
secondary addr (<ip addr> | none)
secondary peer addr (<ip addr> | none)
state (enable | disable)
Display
statemirror [show [all]]
statemirror list [all]
statemirror addr [show]
statemirror peer addr [show]
statemirror secondary addr [show]
statemirror secondary peer addr [show]
statemirror state [show]
Description
You use this command to configure connection mirroring on a system that is
part of a redundant system configuration in a high availability system.
Connection mirroring is the process of duplicating connections from the
active system to the standby system. Enabling this setting ensures a higher
level of connection reliability, but it may also have an impact on system
performance.

Chapter 2
Examples
Enables and configures connection mirroring for a high availability system
in which one BIG-IP system has an IP address of 192.168.10.10 and its peer
has an IP address of 192.168.10.20:
statemirror state enable addr 192.168.10.10 peer addr 192.168.10.20
Re-enables connection mirroring for a system for which connection

mirroring was disabled:
statemirror state enable
Options
You can use these options with the statemirror command:
◆ addr
Specifies the primary self-IP address on this unit to which the peer unit
mirrors its connections. This is a required setting.
◆ partition
Displays the partition within which the statemirror object resides.
◆ peer addr
Specifies the primary self-IP address on the peer unit to which this unit
mirrors its connections. This is a required setting.
◆ secondary addr
Specifies another self-IP address on this unit to which the peer unit
mirrors its connections when the primary address is unavailable.
◆ secondary peer addr
Specifies another self-IP address on the peer unit to which this unit
mirrors its connections when the primary peer address is unavailable.
◆ state
Enables or disables connection mirroring. The default value is enable.
See also
bigpipe(1), failover(1)
2 - 324
stop
Discontinues command continuation.
Syntax
Use this command to discontinue command continuation.
Usage
stop
Description
If you type any command using an unbalanced opening brace, the bigpipe
shell stores the command entered up to that point. The shell stores any
subsequent commands in a similar way until you type a command that
closes all open braces, or you type the stop command.
Examples
Suppose you type the auth radius command, with an opening brace, but no
closing brace:
bp> auth radius rad-1 {
The shell does nothing. At this point, you can continue to type more options
for the auth radius command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace (}), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
The shell presents an empty prompt:

bp>

Chapter 2
stp
Configures spanning tree protocols on the system.
Syntax
Use this command to modify or display an RSTP, MSTP, or STP
configuration.
Modify
stp [{] <stp arg list> [}]
<stp arg> ::=
config name (<string> | none)
config revision <number>
forward delay <number>
hello <number>
max age <number>
max hops <number>
mode (disable | stp | rstp | mstp | passthru)
transmit hold <number>
Display
stp [show [all]]
stp list [all]
stp config name [show]
stp config revision [show]
stp forward delay [show]
stp hello [show]
stp max age [show]
stp max hops [show]
stp mode [show]
stp transmit hold [show]
Description
Provides the ability to configure spanning tree protocols for the traffic
management system. Spanning tree protocols are Layer 2 protocols for
preventing bridging loops. The system supports multiple spanning tree
protocol (MSTP), rapid spanning tree protocol (RSTP), and spanning tree
protocol (STP).
2 - 326
Examples
Sets the STP mode to passthru. Passthru mode forwards spanning tree
bridge protocol data units (BPDUs) received on any interface to all other
interfaces:
stp mode passthru
Sets the STP mode to disable. No STP, RSTP, or MSTP packets are
transmitted or received on the interface or trunk, and the spanning tree
algorithm exerts no control over forwarding or learning on the port or the
trunk:
stp mode disable
Options
You can use these options with the stp command:
◆ config name
Specifies the configuration name (1 - 32 characters in length) only when
the spanning tree mode is MSTP. The default configuration name is a
string representation of a globally-unique MAC address belonging to the
traffic management system.
The MSTP standard introduces the concept of spanning tree regions,
which are groups of adjacent bridges with identical configuration names,
configuration revision levels, and assignments of VLANs to spanning
tree instances.
◆ config revision
Specifies the revision level of the MSTP configuration only when the
spanning tree mode is MSTP. The specified number must be in the range
0 to 65535. The default value is 0.
◆ forward delay
In the original Spanning Tree Protocol, the forward delay parameter
controlled the number of seconds for which an interface was blocked
from forwarding network traffic after a reconfiguration of the spanning
tree topology. This parameter has no effect when RSTP or MSTP are
used, as long as all bridges in the spanning tree use the RSTP or MSTP
protocol. If any legacy STP bridges are present, then neighboring bridges
must fall back to the old protocol, whose reconfiguration time is affected
by the forward delay value. The default forward delay value is 15, and
the valid range is 4 to 30 seconds.
◆ hello
Specifies the time interval in seconds between the periodic transmissions
that communicate spanning tree information to the adjacent bridges in
the network. The default value is 2 seconds, and the valid range is 1 to
10. The default hello time is optimal in virtually all cases. Changing the
hello time is not recommended.

Chapter 2
◆ max age
Specifies the number of seconds for which spanning tree information
received from other bridges is considered valid. The default value is 20
seconds, and the valid range is 6 to 40 seconds.
◆ max hops
Specifies the maximum number of hops an MSTP packet may travel
before it is discarded. Use this option only when the spanning tree mode
is MSTP. The number of hops must be in the range of 1 to 255 hops. The
default number of hops is 20.
◆ mode
Specifies one of three spanning tree modes:
• disable
Disable mode discards spanning tree bridge protocol data units
(BPDUs) received on any interface.
• mstp
MSTP mode supports multiple spanning tree instances. The spanning
tree instances operate independently of one another. Each instance
asserts control over one or more VLANs, called the members of the
spanning tree instance. STP and RSTP do not support multiple
spanning tree instances. They support only a single instance (instance
0), which contains all VLANs.
• passthru
Passthru mode forwards spanning tree bridge protocol data units
(BPDUs) received on any interface to all other interfaces. Essentially,
passthru mode makes the traffic management system transparent to
spanning tree BPDUs.
• rstp
The default mode is RSTP (rapid spanning tree protocol). RSTP
converges to a fully-connected state quickly.
• stp
STP mode is supported for legacy systems. If STP is detected in the
network, the traffic management system changes to STP mode even
when the mode option is set to rstp or mstp.
◆ transmit hold
Specifies the absolute limit on the number of spanning tree protocol
packets the traffic management system may transmit on a port in any
hello time interval. It is used to ensure that spanning tree packets do not
unduly load the network even in unstable situations. The default value is
6 packets, and the valid range is 1 to 10 packets.
See also
interface(1), stp instance(1), bigpipe(1)
2 - 328
stp instance
Configures an STP configuration instance.
Syntax
Use this command to configure an STP configuration instance.
Create/Modify
stp instance help [usage]
stp instance <stp instance key> {}
stp instance (<stp instance key> | all) [{] <stp instance arg list> [}]
<stp instance key> ::=
<number>
<stp instance arg> ::=
instance id <number>
interfaces (<stp interface list> | none) [add | delete]
priority <number>
trunks (<stp trunk list> | none) [add | delete]
<stp interface> ::= (<stp interface key> | all) [{] <stp interface arg list> [}]
<stp interface key> ::=
<interface key>
<stp interface arg> ::=
external path cost <number>
internal path cost <number>
name <interface key>
priority <number>
<stp trunk> ::= (<stp trunk key> | all) [{] <stp trunk arg list> [}]
<stp trunk key> ::=
<trunk key>
<stp trunk arg> ::=
external path cost <number>
internal path cost <number>
name <trunk key>
priority <number>
stp instance (<stp instance key> | all) stats reset
Display
stp instance [<stp instance key> | all] [show [all]]
stp instance [<stp instance key> | all] list [all]
stp instance (<stp instance key> | all) instance id [show]
stp instance (<stp instance key> | all) interfaces [<stp interface key> | all] \
[show [all]]

Chapter 2
stp instance (<stp instance key> | all) interfaces [<stp interface key> | all] \
list [all]
stp instance (<stp instance key> | all) interfaces (<stp interface key> | all) \
external path cost [show]
internal path cost [show]
stp instance (<stp instance key> | all) interfaces (<stp interface key> | all) name [show]
pending [show]
priority [show]
stp instance (<stp instance key> | all) priority [show]
stp instance (<stp instance key> | all) stats [show]
stp instance (<stp instance key> | all) trunks [<stp trunk key> | all] [show [all]]
stp instance (<stp instance key> | all) trunks [<stp trunk key> | all] list [all]
stp instance (<stp instance key> | all) trunks (<stp trunk key> | all) \
external path cost [show]
stp instance (<stp instance key> | all) trunks (<stp trunk key> | all) \
internal path cost [show]
stp instance (<stp instance key> | all) trunks (<stp trunk key> | all) name [show]
stp instance (<stp instance key> | all) trunks (<stp trunk key> | all) pending [show]
stp instance (<stp instance key> | all) trunks (<stp trunk key> | all) priority [show]
stp instance (<stp instance key> | all) vlans [show]
Delete
stp instance (<stp instance key> | all) delete
Description
Creates, modifies, and displays an STP configuration instance.
Examples
Displays all STP instances on the system:
stp instance show
Lists the configuration information for all STP instances:

stp instance list
All members are removed from the instance, and then the instance itself is
deleted. Spanning tree instance 0 (the Common and Internal Spanning Tree)
cannot be deleted. This command may be used only in MSTP mode:
stp instance 2 delete
2 - 330
Options
You can use these options with the stp instance command:
◆ interface path cost
Specifies the interface internal or external path cost number. Each
network interface has an associated path cost within each spanning tree
instance. The path cost represents the relative cost of sending network
traffic through that interface. In calculating the spanning tree, the
algorithm tries to minimize the total path cost between each point of the
tree and the root bridge. By manipulating the path costs of different
interfaces, it is possible to steer traffic toward paths that are faster, more
reliable, and/or more economical. Path costs can take values in the range
1 to 200,000,000. The default path cost for an interface is based on the
interface's maximum speed, not its actual speed.
In MSTP mode there are two kinds of path cost: external and internal.
The external path cost applies only to spanning tree instance 0, the
Common and Internal Spanning Tree (CIST). It is used to calculate the
cost to reach an adjacent spanning tree region. Independently, internal
path costs can be set for each spanning tree instance (including instance
0) in MSTP mode. The internal path costs are used to calculate the costs
of reaching adjacent bridges within the same spanning tree region.
◆ interface priority
Specifies the interface priority number. Each network interface has an
associated priority within each spanning tree instance. The relative
values of the interface priorities influence which interfaces are chosen to
carry network traffic. All other things being equal, interfaces with
numerically lower priority values are favored to carry traffic. Interface
priorities take values in the range 0 to 240 in increments of 16. The
default interface priority is 128, the middle of the valid range.
◆ priority
Specifies the priority number. Each bridge in a spanning tree instance has
a priority value. The relative values of the bridge priorities control the
topology of the spanning tree chosen by the protocol. The bridge with the
lowest priority value (numerically) becomes the root of the spanning tree.
Priority values vary from 0 to 61440 in increments of 4096.
◆ trunk path cost
Specifies the trunk internal or external path cost number.
In MSTP mode there are two kinds of path cost: external and internal.
The external path cost applies only to spanning tree instance 0, the
Common and Internal Spanning Tree (CIST). It is used to calculate the
cost to reach an adjacent spanning tree region. Independently, internal
path costs can be set for each spanning tree instance (including instance
0) in MSTP mode. The internal path costs are used to calculate the costs
of reaching adjacent bridges within the same spanning tree region.

Chapter 2
◆ trunk priority
Specifies the trunk priority number. Each network trunk has an
associated priority within each spanning tree instance. The relative
values of the trunk priorities influence which trunks are chosen to carry
network traffic. All other things being equal, trunks with numerically
lower priority values are favored to carry traffic. Trunk priorities take
values in the range 0 to 240 in increments of 16. The default trunk
priority is 128, the middle of the valid range.
◆ vlans
Specifies a list of VLAN names.
See also
interface(1), stp(1), bigpipe(1)
2 - 332
stream
Displays or resets global stream statistics for the BIG-IP system.
Syntax
Use this command to display or reset global stream statistics for the system.
Modify
stream stats reset
Display
stream [show [all]]
Description
Displays or resets stream statistics for the system.
Examples
Displays the global stream statistics for the system:
stream show
Resets all global stream statistics on the system:

stream stats reset
See also
bigpipe(1)

Chapter 2
sys-icheck
Identifies unintended modifications to BIG-IP system files.
Syntax
Use this command at the BIG-IP system prompt to identify any unintended
modifications to BIG-IP system files. Note that a hot fix (patch) is an
intended modification that will not be identified by the sys-icheck
command.
Usage
sys-icheck [options]
Options
You can use these options with the sys-icheck command.
◆ -h
Use this option to show help for the sys-reset command.
◆ -w
Use this option to report Warn issues, as well as the default, Error
issues.
◆ -i
Use this option to report Info and Warn issues, as well as the default,
Error issues.
Description
The sys-icheck command identifies any unintended modifications to BIG-IP
system files and returns Error issues. Use the options to report Warn or
Info issues, as well.
Examples
Runs the sys-icheck utility, and returns Info, Error, and Warn issues:
sys-reset -i
See also
sys-reset(8)
2 - 334
sys-reset
Returns the configuration of the system to the factory default (installation
time) state.
Syntax
Use this command at the BIG-IP system prompt to return the configuration
of the system to the factory default (installation time) state.
Usage
sys-reset <file name> [options]
Options
You can use these options with the sys-reset command.
◆ -h
Use this option to show help for the sys-reset command.
◆ -p
Use this option to ignore all applied hot fixes.
Description
The sys-reset command returns the system to the factory default state. You
must specify the full path to the installation media (ISO image). Note that if
you have applied hot fixes (patches) to your system, you must specify an
override option for sys-reset to run.
Examples
Runs the sys-reset command to restore the system to the factory default
state ignoring any hot fixes that have been applied to the system:
sys-reset -p
Runs the sys-reset command to restore the system to the factory default state
without changing the /shared file system.
sys-reset -s
See also
sys-icheck(8)

Chapter 2
syslog
Configures the system log, /var/run/config/syslog-ng.conf.
Syntax
Use this command to configure the system log.
Create/Modify
Important
BIG-IP® Systems.
syslog [{] <syslog arg list> [}]

<syslog arg> ::=
authpriv from (emerg | alert | crit | err | warning | notice | info | debug)
authpriv to (emerg | alert | crit | err | warning | notice | info | debug)
cron from (emerg | alert | crit | err | warning | notice | info | debug)
cron to (emerg | alert | crit | err | warning | notice | info | debug)
daemon from (emerg | alert | crit | err | warning | notice | info | debug)
daemon to (emerg | alert | crit | err | warning | notice | info | debug)
kern from (emerg | alert | crit | err | warning | notice | info | debug)
kern to (emerg | alert | crit | err | warning | notice | info | debug)
mail from (emerg | alert | crit | err | warning | notice | info | debug)
mail to (emerg | alert | crit | err | warning | notice | info | debug)
messages from (emerg | alert | crit | err | warning | notice | info | debug)
messages to (emerg | alert | crit | err | warning | notice | info | debug)
remote server (<remote server list> | none) [add | delete]
userlog from (emerg | alert | crit | err | warning | notice | info | debug)
userlog to (emerg | alert | crit | err | warning | notice | info | debug)
<remote server> ::= (<remote server key> | all) [{] <remote server arg list> [}]
<remote server key> ::=
<name>
<remote server arg> ::=
local ip (<ip addr> | none)
name <name>
remote port <number>
2 - 336
Display
syslog [show [all]]
syslog list [all]
syslog authpriv from [show]
syslog authpriv to [show]
syslog cron from [show]
syslog cron to [show]
syslog daemon from [show]
syslog daemon to [show]
syslog include [show]
syslog kern from [show]
syslog kern to [show]
syslog mail from [show]
syslog mail to [show]
syslog messages from [show]
syslog messages to [show]
syslog remote server [<remote server key> | all] [show [all]]
syslog remote server [<remote server key> | all] list [all]
syslog remote server (<remote server key> | all) host [show]
syslog remote server (<remote server key> | all) local ip [show]
syslog remote server (<remote server key> | all) name [show]
syslog remote server (<remote server key> | all) \
remote port [show]
syslog userlog from [show]
syslog userlog to [show]
Description
You can use this command to configure the system log.
Examples
Resets the message range of the security/authorization messages that are
included in the system log to messages with a level of warning, error,
critical, alert, and emergency:
syslog authpriv from warning
Options
You can use these options with the syslog command:
◆ authpriv from
Specifies the lowest level of security/authorization messages to include
in the log. The default value is notice.
◆ authpriv to
Specifies the highest level of messages about user authentication to
include in the log. The default value is emerg.

Chapter 2
◆ cron from
Specifies the lowest level of messages about time-based scheduling to
include in the log. The default value is warning.
◆ cron to
Specifies the highest level of messages about time-based scheduling to
◆ daemon from
Specifies the lowest level of messages about daemon performance to
include in the log. The default value is notice.
◆ daemon to
Specifies the highest level of messages about daemon performance to
◆ include
Inserts the configuration <string> value into the syslog-ng.conf file.
◆ kern from
Specifies the lowest level of kern messages to include in the log. The
default value is notice.
◆ kern to
Specifies the highest level of kern messages to include in the log. The
default value is emerg.
◆ local ip
Specifies the IP address of the interface that the syslog-ng utility binds
with to log messages to a remote host. For example, if you want the
syslog-ng utility to log messages to a remote host that is connected to a
VLAN, you set this parameter to the self IP address of the VLAN.
◆ mail from
Specifies the lowest level of mail log messages to include in the log. The
◆ mail to
Specifies the highest level of mail log messages to include in the log. The
default value is emerg.
◆ messages from
Specifies the lowest level of system messages to include in the log. The
◆ messages to
Specifies the highest level of system messages to include in the log. The
default value is warning.
◆ remote port
Specifies the port number of a remote server to which the Syslog utility
sends messages. The default value is 514.
◆ remote server
Specifies the IP address of a remote server to which the Syslog utility
sends messages. The default value is none.
2 - 338
◆ userlog from
Specifies the lowest level of user account messages to include in the log.
The default value is notice.
◆ userlog to
Specifies the highest level of user account messages to include in the log.
The default value is emerg.
See also
bigpipe(1)

Chapter 2
system
Sets up the BIG-IP system.
Syntax
Use this command to set up the BIG-IP system.
Create/Modify
Important
BIG-IP® Systems.
system [{] <system arg list> [}]

<system arg> ::=
archive encrypt (on | on request | off)
auth source type (local | ldap | radius | activedirectory | tacacs)
console inactivity timeout <number>
custom addr (<ip addr> | none)
failsafe action (go offline | reboot | restart all | go offline abort tm | \
failover abort tm)
gui security banner (enable | disable)
gui security banner text (<string> | none)
gui setup (enable | disable)
host addr mode (mgmt | statemirror | custom)
hostname (<string> | none)
hosts allow include (<string> | none)
lcd display (enable | disable)
net reboot (enable | disable)
password prompt (<string> | none)
quiet boot (enable | disable)
remote host (<remote host list> | none) [add | delete]
username prompt (<string> | none)
<remote host> ::= (<remote host key> | all) [{] <remote host arg list> [}]
<remote host key> ::=
<name>
<remote host arg> ::=
name <name>
2 - 340
Display
system [show [all]]
system list [all]
system archive encrypt [show]
system auth source type [show]
system console inactivity timeout [show]
system custom addr [show]
system failsafe action [show]
system gui security banner [show]
system gui security banner text [show]
system gui setup [show]
system host addr mode [show]
system hostname [show]
system hosts allow include [show]
system lcd display [show]
system net reboot [show]
system password prompt [show]
system quiet boot [show]
system remote host [<remote host key> | all] [show [all]]
system remote host [<remote host key> | all] list [all]
system remote host (<remote host key> | all) addr [show]
system remote host (<remote host key> | all) hostname [show]
system remote host (<remote host key> | all) name [show]
system username prompt [show]
Description
You use this command to set up the general properties of the BIG-IP system.
Examples
Sets up the BIG-IP system using the system defaults:
system {}
Sets up a remote host named bigip151 with an IP address of 172.27.226.151

and a host name of bigip151.saxon.net:
system remote host bigip151 { addr 172.27.226.151 hostname
bigip151.saxon.net }

Chapter 2
Options
You can use these options with the system command:
◆ archive encrypt
Specifies whether the system archive encryption feature is set to on,
off, or on request. The default value is on request. Note that you must
configure the system archive encrypt option in conjunction with the
configsync encrypt and configsync passphrase options.
The reason for this is when you perform a configuration synchronization
of two BIG-IP units in a redundant system configuration, the process
involves saving a UCS file from one system onto the peer system, and
then installing the saved file on the peer system. You use the system
archive encrypt option to indicate whether the process of saving the
UCS file creates an encrypted or unencrypted file. For example, you can
set the configsync encrypt option to enable, and configure a passphrase
using the configsync passphrase option. If you use the default value, on
request, for the system archive encrypt option, then when a user saves
the UCS file, and provides the passphrase, the UCS file is encrypted. If
the user does not provide the passphrase, the UCS file is not encrypted.
◆ auth source type
Specifies the default user authorization source. The default value is local.
When user accounts that access the BIG-IP system reside on a remote
server, the value of auth source type is the type of server that you are
using for authentication, for example: ldap.
◆ console inactivity timeout
Specifies the number of seconds of inactivity before the console is
locked. The default value is 0. This means that no timeout is set.
◆ custom addr
Indicates a user-specified IP address for the BIG-IP system. The default
value is none.
It is important to note that you must set the host addr mode option to
custom, if you want to specify an IP address using custom addr. For
more information, see the host addr mode option.
◆ failsafe action
Specifies the action that the system takes when the switch board fails.
• failover abort tm
Specifies that the system goes offline and restarts the traffic manager
service.
• go offline
Specifies that when the switch board fails, the system goes offline.
• go offline abort tm
Specifies that when the switch board fails, the system goes offline and
aborts the traffic management system.
• reboot
Specifies that after the active unit fails over to its peer, it reboots
while the peer processes the traffic.
2 - 342
• restart all
Specifies that when the switch board fails the system restarts all
system services.
◆ gui security banner
Specifies whether the system presents on the logon screen the text you
specify in the Security banner text to show on the logon screen field. If
you disable this option, the system presents an empty frame in the right
portion of the logon screen. The default value is enable.
◆ gui security banner text
Specifies the text to present on the logon screen when the Show the
security banner on the login screen option is enabled. The default
value is: Welcome to the BIG-IP Configuration Utility. Log in with
your username and password using the fields on the left.
◆ gui setup
Enables or disables the Setup utility in the browser-based Configuration
utility. The default value is enable.
When you configure a BIG-IP system using the command line interface,
disable this option. Disabling the gui setup option of the system
command enables your system administrators to use the browser-based
Configuration utility without having to run the Setup utility.
◆ host addr mode
Specifies the type of host address assigned to the system. The default
value is mgmt, which indicates that the host address is the management
port of the system.
If you use the statemirror option, then the host address of the system is
shared by the other unit in a redundant system configuration. In case of
system failure, the traffic to the other system is routed to this system.
If you use the custom option, you must specify a custom IP address for
the system using the custom addr option. For more information, see the
custom addr option.
◆ hostname
Specifies a local name for the BIG-IP system. The default value is
bigip1.
◆ hosts allow include
◆ lcd display
Enables or disables the system menu to display on the LCD panel on the
front of the BIG-IP system. The default value is enable.
◆ net reboot
Enables or disables the network reboot feature. The default value is
disable. If you enable this feature and then reboot the system, the system
boots from an ISO image on the network, rather than from an internal

Chapter 2
media drive. Use this option only when you want to install software on
the system, for example, for an upgrade or a re-installation. Note that this
setting reverts to disabled after you reboot the system a second time.
◆ password prompt
Specifies the text to present above the password field (the second of the
two text boxes) on the logon screen.
◆ partition
Displays the partition within which the system object resides.
◆ quiet boot
Enables or disables the quiet boot feature. The default value is enable. If
you enable this feature, the system suppresses informational text on the
console during the boot cycle.
◆ remote host
Adds a remote host to or removes a remote host from the /etc/hosts file.
The default value is none. You must enter both an IP address and a fully
qualified domain name (FQDN) or alias for each host that you want to
add to the file.
◆ username prompt
Specifies the text to present above the user name field (the first of the
See also
bigpipe(1)
2 - 344
tcp
Displays or resets TCP statistics for the BIG-IP system.
Syntax
Use this command to display or reset TCP statistics for the BIG-IP system.
Modify
tcp stats reset
Display
tcp [show [all]]
Description
Display or reset TCP statistics for the system.
Examples
Resets TCP statistics for the system:
tcp stats reset
See also
bigpipe(1)

Chapter 2
tmm
Displays or resets statistics about the tmm daemon.
Syntax
Use this command to display or reset statistics about the tmm daemon.
Create/Modify
<tmm key> ::=
(<number>.<number> | none)
tmm (<tmm key> | all) stats reset
Display
tmm [<tmm key> | all] [show [all]]
Description
You use this command to view or reset statistics about the Traffic
Management Microkernel (tmm) daemon. The purpose of this daemon is
to direct all application traffic passing through the BIG-IP system.
Options
You can use the following option with the tmm command:
◆ stats reset
Resets the statistics for the tmm daemon.
See also
bigpipe(1)
2 - 346
traffic class
Configures a traffic class.
Syntax
Use this command to configure a traffic class on the system.
Create/Modify
traffic class <traffic class key> {}
traffic class (<traffic class key> | all) [{] <traffic class arg list> [}]
<traffic class key> ::=
<name>
<traffic class arg> ::=
class name <name>
classification tag (<string> | none)
dst ip (<ip addr> | none)
dst mask (<ip addr> | none)
dst port (<service> | none)
proto <number>
src ip (<ip addr> | none)
src mask (<ip addr> | none)
src port (<service> | none)
Display
traffic class [<traffic class key> | all] [show [all]]
traffic class [<traffic class key> | all] list [all]
traffic class (<traffic class key> | all) class name [show]
traffic class (<traffic class key> | all) classification tag [show]
traffic class (<traffic class key> | all) dst ip [show]
traffic class (<traffic class key> | all) dst mask [show]
traffic class (<traffic class key> | all) dst port [show]
traffic class (<traffic class key> | all) partition [show]
traffic class (<traffic class key> | all) proto [show]
traffic class (<traffic class key> | all) src ip [show]
traffic class (<traffic class key> | all) src mask [show]
traffic class (<traffic class key> | all) src port [show]
Delete
traffic class (<traffic class key> | all) delete

Chapter 2
Description
You can use the traffic class command to configure a traffic class, which is
a named group of ports, machines, and subnets. You can then assign this
traffic class to a virtual server to configure the virtual server to achieve
specific Quality of Service (QoS) standards.
Examples
Displays tags for a traffic class named my_traffic_class:
traffic class my_traffic_class classification tag
Displays all of the properties of all of the traffic classes.:

traffic class list all
Deletes the traffic class named my_traffic_class:

traffic class my_traffic_class delete
Options
You can use these options with the traffic class command.
◆ class name
Specifies a unique name for the component.
◆ classification
Specifies the actual textual tag to be associated with the flow if the traffic
class is matched.
◆ dst ip
Specifies destination IP addresses for the system to use when evaluating
traffic flow.
◆ dst mask
Specifies a destination IP address mask for the system to use when
evaluating traffic flow.
◆ dst port
Specifies a destination port for the system to use when evaluating traffic
flow.
◆ partition
Specifies the partition to which the traffic class configuration belongs.
Only users with access to a partition can view the objects (such as traffic
class configurations) that it contains.
◆ proto
Specifies a protocol for the system to use when evaluating traffic flow.
◆ src ip
Specifies source IP addresses for the system to use when evaluating
traffic flow.
2 - 348
◆ src mask
Specifies a source IP address mask for the system to use when evaluating
traffic flow.
◆ src port
Specifies a source port for the system to use when evaluating traffic flow.
See also
bigpipe(1), list(1), virtual(1)

Chapter 2
trunk
Configures a link aggregation trunk.
Syntax
Use this command to configure a link aggregation trunk.
Create/Modify
trunk <trunk key> {}
trunk (<trunk key> | all) [{] <trunk arg list> [}]
<trunk key> ::=
<name>
<trunk arg> ::=
distribution (src dest mac | dest mac | src dest ip | src dest port | index)
lacp (enable | disable)
lacp mode (active | passive)
lacp timeout (long | short)
name <name>
policy (auto | max bw)
stp (enable | disable)
stp reset
trunk (<trunk key> | all) stats reset
Display
trunk [<trunk key> | all] [show [all]]
trunk [<trunk key> | all] list [all]
trunk (<trunk key> | all) agg addr [show]
trunk (<trunk key> | all) distribution [show]
trunk (<trunk key> | all) interfaces [<interface key> | all] [show [all]]
trunk (<trunk key> | all) interfaces (<interface key> | all) lacp info [show]
trunk (<trunk key> | all) interfaces (<interface key> | all) name [show]
trunk (<trunk key> | all) interfaces (<interface key> | all) trunk name [show]
trunk (<trunk key> | all) lacp [show]
trunk (<trunk key> | all) lacp info [show]
trunk (<trunk key> | all) lacp mode [show]
trunk (<trunk key> | all) lacp timeout [show]
trunk (<trunk key> | all) name [show]
trunk (<trunk key> | all) policy [show]
trunk (<trunk key> | all) stats [show]
trunk (<trunk key> | all) stp [show]
2 - 350
Delete
trunk (<trunk key> | all) delete
Description
Link aggregation allows multiple physical links to be treated as one logical
link. It is also referred to as trunking. The main objective of link
aggregation is to provide increased bandwidth at a lower cost, without
having to upgrade hardware. The bandwidth of the aggregated trunk is the
sum of the capacity of individual member links. Thus it provides an option
for linearly incremental bandwidth as opposed to bandwidth options
available through physical layer technology. The traffic management system
supports link aggregation control protocol (LACP).
When a trunk is created, LACP is disabled by default. In this mode, no
control packets are exchanged and the member links carry traffic as long as
the physical layer is operational. In the event of physical link failure, an
LACP member is removed from the aggregation.
It should be noted that both endpoints of the trunk should have identical
LACP configuration to work properly. A mixed configuration where one
endpoint is LACP enabled and other LACP disabled is not valid.
Examples
Creates a trunk named mytrunk that includes the interfaces 1.1, 1.2, and
1.3:
trunk mytrunk { interface 1.1 1.2 1.3 }
Enable LACP on the trunk named mytrunk:

trunk mytrunk lacp enable
Enable active LACP mode on the trunk mytrunk:

trunk mytrunk lacp mode active
Options
You can use these options with the trunk command:
◆ distribution
Specifies the method of frame distribution. The options are src dest mac,
dest mac, or src dest ip. When frames are transmitted on a trunk, they
are distributed across the working member links. The distribution
function ensures that the frames belonging to a particular conversation
are neither mis-ordered nor duplicated at the receiving end. Distribution
is done by calculating a hash value based on source and destination
addresses carried in the frame, and associating the hash value with a link.
All frames with a particular hash value are transmitted on the same link,
thereby maintaining frame order.
◆ interfaces
Specifies a list of interface names separated by spaces.

Chapter 2
◆ lacp
Indicates whether to enable or disable Link Aggregation Control Protocol
(LACP).
◆ lacp mode
Sets the LACP mode to active or passive.
• In active mode, LACP packets are transmitted periodically, regardless
of peer systems control value.
• In passive mode, LACP packets are not transmitted periodically,
unless peer system's control value is active.
◆ lacp timeout
Sets the LACP timeout to short or long. The default value is long.
• When you use the short timeout value, LACP packets are exchanged
every second.
• When you use the long timeout value, LACP packets are exchanged
every 30 seconds.
◆ policy
Sets the LACP policy to auto or max bw (maximum bandwidth). Link
aggregation is allowed only when all the interfaces are operating at the
same media speed and connected to the same partner aggregation system.
When there is a mismatch among configured members due to
configuration errors or topology changes (auto-negotiation), link
selection policy determines which links become working members and
form the aggregation.
• With auto link selection, the lowest numbered operational link is
chosen as the reference link. All the members that have the same
media speed and are connected to the same partner as that of the
reference link are declared as working members, and they are
aggregated. The other configured members do not carry traffic.
• With max bw link selection, a subset of links that gives maximum
aggregate bandwidth to the trunk is added to the aggregation.
◆ stp
Enables or disables spanning tree protocols (STP).
◆ stp reset
Enables or disables STP reset.
See also
interface(1), vlan(1), vlangroup(1), bigpipe(1)
2 - 352
udp
Displays or resets all UDP statistics for the system.
Syntax
Use this command to display or reset all UDP statistics for the system.
Modify
udp stats reset
Display
udp [show [all]]
Description
Displays or resets all UDP statistics for the system.
Examples
Displays the UDP statistics for the system:
udp stats show
See also
bigpipe(1)

Chapter 2
unit
Displays the unit ID for the unit, or peer unit, in a redundant system
configuration.
Syntax
Use this command to display the unit ID of a unit in a redundant system
configuration.
Display
unit [peer] [show]
Description
Displays the unit ID for the unit, or peer unit, in a redundant system
configuration.
Examples
Displays the unit number of the peer unit in the redundant system
configuration:
unit peer show
Displays the unit number of the unit in the redundant system configuration:
unit show
See also
2 - 354
user
Configures user accounts for managing the BIG-IP system.
Syntax
Use this command to create, display, modify, or delete user accounts on the
BIG-IP system.
Create/Modify
Important
BIG-IP® Systems.
user <user key> {}

user (<user key> | all) [{] <user arg list> [}]
<user key> ::=
<name>
<user arg> ::=
description <string>
group <number>
home <string>
id <number>
name <name>
password (crypt <encrypted password> | <old password> <new password>)
role <user role partition>
shell (<file name> | none)
<user role partition> ::=
(administrator | resource admin | user manager | manager | app editor | operator | \
guest | policy editor | none)
in (<partition key> | all)
Display
user [<user key> | all] [show [all]]
user [<user key> | all] list [all]
user (<user key> | all) description [show]
user (<user key> | all) group [show]
user (<user key> | all) home [show]
user (<user key> | all) id [show]

Chapter 2
user (<user key> | all) name [show]

user (<user key> | all) partition [show]
user (<user key> | all) password [show]
user (<user key> | all) role [show]
user (<user key> | all) shell [show]
Delete
user (<user key> | all) delete
Description
The user command enables you to create, display, modify, or delete user
accounts.
You can create user accounts where the user names differ only by case
sensitivity (for example, david and DAVID). F5 Networks may reinstate
case sensitivity in a future release. There are restrictions on reserved user
names, for example, admin and root. You cannot create a user account
using any variation of these two names, such as Admin or ADMIN.
Note
Only users with the Administrator or Resource Admin user role can save
user accounts. If you are assigned a different user role, when you complete
creating or modifying user accounts, you must contact an Administrator or
Resource Admin to save the user accounts to the bigip.conf file.
Examples
Creates a new user named nwinters with a password of abc123 and a role of
guest in all partitions:
user nwinters password none abc123 role guest in all
Changes the partition, within which the user nwinters can create and
modify objects, to pm_users:
user nwinters bigpipe shell write partition pm_users
Changes the password for the nwinters account from none to h411pass:
user nwinters password none h411pass
Displays all the user accounts and the user role and partition to which each
account is assigned:
user show
2 - 356
Options
You can use these options with the user command:
◆ description <string>
Describes the user account.
◆ home <string>
Displays the home directory for the user account. The home directory is
based on the user name.
◆ partition
Displays the partition within which the user account resides.
◆ password <old password> <new password>
Changes the password for a user account, by specifying the old and the
new password.
◆ role <role name> in <partition key>
Specifies the user role you want to assign to the user account and the
partition that the user account can access. The available user roles are
administrator, resource admin, user manager, app editor, manager,
operator, guest, and policy editor. You can indicate that you do not
want to assign a user role to the user account by using the option none.
◆ shell (<file name> | none)
Specifies the shell to which the user has access. Valid file names are
bpsh (bigpipe shell), false (no shell), or bash (an unrestricted system
prompt).
Important: You can assign access to the bash shell only to users with the
Administrator or Resource Admin user role. However, F5 recommends
that you do not give bash shell access to users with the Resource Admin
user role unless they use the tcpdump, ssldump, or qkview utilities, or
manage certificate and key files using the console. Instead, F5
recommends that you give these users bpsh shell access.
◆ user <name>
Specifies the name of the user account you are configuring.
See also
bigpipe(1), remote users(1), remoterole(1)

Chapter 2
version
Displays software version information for the system.
Syntax
Use this command to display the software version information for the
system.
Display
version [show [all]]
Description
Displays detailed licensing and version information for the system,
including kernel version, BIG-IP software version, installed hot fixes, and a
list of licensed features.
Examples
Displays detailed licensing and version information for the system:
version
See also
bigpipe(1)
2 - 358
virtual
Configures a virtual server.
Syntax
Use this command to configure a virtual server.
Create/Modify
Important
BIG-IP® Systems.
virtual <virtual key> {}

virtual (<virtual key> | all) [{] <virtual arg list> [}]
<virtual key> ::=
<name>
<virtual arg> ::=
auth (<profile auth key list> | none) [add | delete]
clone pools (<clone pool name/type list> | none) [add | delete]
cmp (enable | disable)
cmp processor (<number>.<number> | none)
destination <member>
(enable | disable)
fallback persist (<profile persist key> | none)
httpclass (<profile httpclass key list> | none) [add | delete]
ip protocol <protocol>
lasthop pool (<pool key> | none)
limit <number>
modules <(asm | sam | wam) list>
name <name>
persist (<profile persist key list> | none) [add | delete]
profiles (<virtual server profile list> | none) [add | delete]
rate class (<rate class key> | none)
rules (<rule key list> | none) [add | delete]
snat (none | automap)

Chapter 2

srcport (preserve | preserve strict | change)
traffic classes (<traffic class key list> | none) [add | delete]
translate address (enable | disable)
translate service (enable | disable)
(ip forward | l2 forward | reject)
<clone pool/name type> ::= <pool key> (clientside | serverside)
<virtual server profile> ::=
<profile key> [clientside | serverside]
virtual (<virtual key> | all) stats reset
Display
virtual [<virtual key> | all] [show [all]]
virtual [<virtual key> | all] list [all]
virtual (<virtual key> | all) auth [show]
virtual (<virtual key> | all) clone pools [show]
virtual (<virtual key> | all) cmp [show]
virtual (<virtual key> | all) cmp mode [show]
virtual (<virtual key> | all) cmp processor [show]
virtual (<virtual key> | all) destination [show]
virtual (<virtual key> | all) enabled [show]
virtual (<virtual key> | all) fallback persist [show]
virtual (<virtual key> | all) gtm score [show]
virtual (<virtual key> | all) httpclass [show]
virtual (<virtual key> | all) ip protocol [show]
virtual (<virtual key> | all) lasthop pool [show]
virtual (<virtual key> | all) limit [show]
virtual (<virtual key> | all) mask [show]
virtual (<virtual key> | all) mirror [show]
virtual (<virtual key> | all) modules [(asm | sam | wam) | all] [show [all]]
virtual (<virtual key> | all) modules ((asm | sam | wam) | all) module type [show]
virtual (<virtual key> | all) modules ((asm | sam | wam) | all) score [show]
virtual (<virtual key> | all) modules ((asm | sam | wam) | all) vs name [show]
virtual (<virtual key> | all) name [show]
virtual (<virtual key> | all) partition [show]
virtual (<virtual key> | all) persist [show]
virtual (<virtual key> | all) pool [show]
virtual (<virtual key> | all) profiles [<virtual server profile key> | all] [show [all]]
virtual (<virtual key> | all) profiles [<virtual server profile key> | all] list [all]
virtual (<virtual key> | all) profiles (<virtual server profile key> | all) \
profile context [show]
profile name [show]
2 - 360
virtual [show]
virtual (<virtual key> | all) rate class [show]
virtual (<virtual key> | all) rules [show]
virtual (<virtual key> | all) snat [show]
virtual (<virtual key> | all) snatpool [show]
virtual (<virtual key> | all) srcport [show]
virtual (<virtual key> | all) stats [show]
virtual (<virtual key> | all) traffic classes [show]
virtual (<virtual key> | all) translate address [show]
virtual (<virtual key> | all) translate service [show]
virtual (<virtual key> | all) type [show]
virtual (<virtual key> | all) vlans [show]
Delete
virtual (<virtual key> | all) delete
Description
The virtual command creates, deletes, modifies properties on, and displays
information about virtual servers. Virtual servers are externally visible IP
addresses that receive client requests, and instead of sending the requests
directly to the destination IP address specified in the packet header, virtual
servers send the requests to any of several content servers that make up a
load balancing pool. Virtual servers also apply various behavioral settings to
multiple traffic types, enable persistence for multiple traffic types, and direct
traffic according to user-written iRules™. For more information see, the
Configuration Guide for BIG-IP® Local Traffic Management.
Examples
Create a virtual server named myV20, which uses the source address
persistence method:
virtual myV20 { destination 11.11.11.12:* persist source addr pool myPool }
Replaces the profile associated with the virtual server vs_fast14_http4.

Note that to replace the profile associated with a virtual server, you must
enclose the name of the new profile in braces:
virtual vs_fastl4_http4 {profile udp}
Delete the virtual servers named myV4, myV5, myV6, myV7, myV8,
myV9, and myV10:
virtual myV4 myV5 myV6 myV7 myV8 myV9 myV10 delete

Chapter 2
Options
You can use these options with the virtual command:
◆ auth
Specifies a list of authentication profile names separated by spaces that
the virtual server uses to manage authentication.
◆ clone pools
Specifies clone pools that the virtual server uses to replicate either
client-side traffic (that is, prior to address translation) or server-side
traffic (that is, after address translation) to a member of the specified
clone pool. This feature is used for intrusion detection.
◆ cmp
Enables or disables clustered multi-processor (CMP) acceleration. This
feature applies to certain platforms only. The default value is enable.
◆ cmp mode
Displays the CMP mode for a virtual server.
◆ cmp processor
Specifies the processor for CMP acceleration. This feature applies to
certain platforms only.
◆ destination
Specifies the IP address and service on which the virtual server listens for
connections.
◆ (enable | disable)
Specifies the state of the virtual server. The default value is enable. Note
that when you disable a virtual server, the virtual server no longer
accepts new connection requests. However, it allows current connections
to finish processing before going to a down state.
◆ fallback persist
Specifies a fallback persistence profile for the virtual server to use when
the default persistence profile is not available.
◆ httpclass
Specifies a list of httpclass profiles, separated by spaces, with which the
virtual server works to increase the speed at which the virtual server
processes HTTP requests.
◆ (ip forward | l2 forward | reject)
Specifies whether to enable IP forwarding or Layer 2 (L2) forwarding or
to reject forwarding for the virtual server. IP forwarding allows the
virtual server to simply forward packets directly to the destination IP
address specified in the client request.
◆ ip protocol
Specifies the IP protocol for which you want the virtual server to direct
traffic. Sample protocol names are TCP and UDP. Note that you do not
use this setting when creating an httpclass virtual server.
2 - 362
◆ lasthop pool
Specifies the name of the last hop pool that you want the virtual server to
use to direct reply traffic to the last hop router.
◆ limit
Specifies the maximum number of concurrent connections you want to
allow for the virtual server.
◆ mask
Specifies the netmask for a network virtual server only. This setting is
required for a network virtual server. The netmask clarifies whether the
host bit is an actual zero or a wildcard representation.
◆ mirror
Enables or disables state mirroring. You can use state mirroring to
maintain the same state information in the standby unit that is in the
active unit, allowing transactions such as FTP file transfers to continue as
though uninterrupted. The default value is enable.
◆ name
Specifies a unique name for the virtual server. This setting is required.
◆ partition
Displays the name of the partition within which the virtual server resides.
◆ persist
Specifies a list of profiles separated by spaces that the virtual server uses
to manage connection persistence.
◆ pool
Specifies a default pool to which you want the virtual server to
automatically direct traffic.
◆ profiles
Specifies a list of profiles for the virtual server to use to direct and
manage traffic.
◆ rate class
Specifies the name of an existing rate class you that you the virtual server
to use to enforce a throughput policy for incoming network traffic.
◆ rules
Specifies a list of iRules™ separated by spaces that customizes the virtual
server to direct and manage traffic.
◆ snat
Indicates to enable SNAT automap for the virtual server.
◆ snatpool
Specifies the name of an existing SNAT pool that you want the virtual
server to use to implement selective and intelligent SNATs.
◆ translate address
Enables or disables address translation for the virtual server. Turn
address translation off for a virtual server if you want to use the virtual
server to load balance connections to any address. This option is useful
when the system is load balancing devices that have the same IP address.

Chapter 2
◆ translate service
Enables or disables port translation. Turn port translation off for a virtual
server if you want to use the virtual server to load balance connections to
any service.
◆ vlan (enable | disable)
Specifies a list of names of external VLANs from which you want the
virtual server to accept traffic. Indicates whether or not the VLAN is
enabled or disabled. The default value is vlans all enable.
See also
pool(1), profile auth(1), profile persist(1), rule(1), vlan(1), vlangroup(1),
bigpipe(1)
2 - 364
virtual address
Configures virtual addresses.
Syntax
Use this command to enable, disable, display, or delete a virtual address.
Modify
virtual address <virtual address key> {}
virtual address (<virtual address key> | all) [{] <virtual address arg list> [}]
<virtual address key> ::=
<ip addr>
<virtual address arg> ::=
addr <ip addr>
(enable | disable)
floating (enable | disable)
limit <number>
route advertisement (enable | disable)
server (none | any | all)
unit <number>
virtual address (<virtual address key> | all) stats reset
Display
virtual address [<virtual address key> | all] [show [all]]
virtual address [<virtual address key> | all] list [all]
virtual address (<virtual address key> | all) addr [show]
virtual address (<virtual address key> | all) arp [show]
virtual address (<virtual address key> | all) enabled [show]
virtual address (<virtual address key> | all) floating [show]
virtual address (<virtual address key> | all) limit [show]
virtual address (<virtual address key> | all) mask [show]
virtual address (<virtual address key> | all) partition [show]
virtual address (<virtual address key> | all) route advertisement [show]
virtual address (<virtual address key> | all) server [show]
virtual address (<virtual address key> | all) stats [show]
virtual address (<virtual address key> | all) unit [show]
Delete
virtual address (<virtual address key> | all) delete

Chapter 2
Description
Provides the ability to enable, disable, display and delete virtual addresses.
You can also list the virtual address configuration.
Examples
Disables the virtual address 10.10.10.20:
virtual address 10.10.10.20 disable
Deletes the virtual address 10.10.10.20:

virtual address 10.10.10.20 delete
Lists the configuration information for the virtual server 10.10.10.25:

virtual address 10.10.10.25 list
Options
You can use these options with the virtual address command:
◆ arp
Enables or disables ARP for the specified virtual address. The default
value is enable.
Enables or disables the specified virtual address. The default value is
enable.
◆ floating
Enables or disables floating self IP addresses for the specified virtual
address. The default value is enable. A floating self IP address is an
additional self IP address for a VLAN that serves as a shared address by
both units of a BIG-IP redundant system configuration.
◆ limit
Sets a concurrent connection limit in seconds for one or more virtual
servers. The default value is 0 seconds.
◆ mask
Sets the netmask or one or more network virtual servers only. This
setting is required for network virtual servers.
◆ partition
Displays the partition within which the virtual address resides.
◆ route advertisement
Enables or disables route advertisement for the specified virtual address.
◆ server
Specifies the server that uses the specified virtual address. The options
are none, any, or all.
◆ unit
Specifies the unit number of a redundant system configuration that uses
the specified virtual address. The default value is 0.
2 - 366
See also
virtual(1), bigpipe(1)

Chapter 2
vlan
Configures a virtual local area network (VLAN).
Syntax
Use this command to configure a VLAN.
Create/Modify
vlan <vlan key> {}
vlan (<vlan key> | all) [{] <vlan arg list> [}]
<vlan key> ::=
<name>
<vlan arg> ::=
failsafe (enable | disable)
failsafe (reboot | restart | failover | go active | no action | restart all | \
fdb (<fdb list> | none) [add | delete]
interfaces tagged (<interface key list> | none) [add | delete]
learning (enable | disable forward | disable drop)
mac masq (<mac addr> | none)
mtu <number>
name <name>
source check (enable | disable)
tag <number>
trunks (<trunk key list> | none) [add | delete]
trunks tagged (<trunk key list> | none) [add | delete]
<fdb> ::= (<fdb key> | all) [{] <fdb arg list> [}]
<fdb key> ::=
<mac addr>
(dynamic | static)
<fdb arg> ::=
(dynamic | static)
interface <interface key>
mac addr <mac addr>
trunk <trunk key>
2 - 368
Display
vlan [<vlan key> | all] [show [all]]
vlan [<vlan key> | all] list [all]
vlan (<vlan key> | all) failsafe [show]
vlan (<vlan key> | all) fdb [<fdb key> | all] [show [all]]
vlan (<vlan key> | all) fdb [<fdb key> | all] list [all]
vlan (<vlan key> | all) fdb (<fdb key> | all) dynamic [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) interface [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) mac addr [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) trunk [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) vlan [show]
vlan (<vlan key> | all) ifname [show]
vlan (<vlan key> | all) interfaces [<interface key> | all] [show [all]]
vlan (<vlan key> | all) interfaces (<interface key> | all) parent vname [show]
vlan (<vlan key> | all) interfaces (<interface key> | all) pending [show]
vlan (<vlan key> | all) interfaces (<interface key> | all) vmname [show]
vlan (<vlan key> | all) interfaces tagged [<interface key> | all] [show [all]]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) parent vname [show]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) pending [show]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) vmname [show]
vlan (<vlan key> | all) learning [show]
vlan (<vlan key> | all) mac masq [show]
vlan (<vlan key> | all) mac true [show]
vlan (<vlan key> | all) mtu [show]
vlan (<vlan key> | all) name [show]
vlan (<vlan key> | all) source check [show]
vlan (<vlan key> | all) tag [show]
vlan (<vlan key> | all) timeout [show]
vlan (<vlan key> | all) trunks [<trunk key> | all] [show [all]]
vlan (<vlan key> | all) trunks (<trunk key> | all) parent vname [show]
vlan (<vlan key> | all) trunks (<trunk key> | all) pending [show]
vlan (<vlan key> | all) trunks (<trunk key> | all) vmname [show]
vlan (<vlan key> | all) trunks tagged [<trunk key> | all] [show [all]]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) parent vname [show]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) pending [show]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) vmname [show]
Delete
vlan (<vlan key> | all) delete

Chapter 2
Description
This command creates, displays and modifies settings for VLANs. VLANs
are part of the configuration of the BIG-IP network components. VLANs
can be based on either ports or tags.
When creating a VLAN, a tag value for the VLAN is automatically chosen
unless you specify a tag value on the command line. VLANs can have both
tagged and untagged interfaces. You can add an interface to a single VLAN
as an untagged interface. You can also add an interface to multiple VLANs
as a tagged interface.
Examples
Create the VLAN myvlan that includes the interfaces 1.2, 1.3, and 1.4:
vlan myvlan interface 1.2 1.3 1.4
Delete the VLAN named myvlan:

vlan myvlan delete>
Options
You can use these options with the vlan command:
◆ failsafe
Enables a fail-safe mechanism that causes the active unit to fail over to a
redundant unit when loss of traffic is detected on a VLAN, and traffic is
not restored during the failover timeout period for that VLAN. The
default action set with VLAN fail-safe is restart all. When the fail-safe
mechanism is triggered, all the daemons are restarted and the unit fails
over. The default value is disable.
◆ fdb
Specifies the forwarding database. You can edit the Layer 2 forwarding
table to enter static MAC address assignments. The forwarding database
has an entry for each node in the VLAN and associates the MAC address
of that node with the traffic management system.
◆ interfaces
Specifies a list of interfaces that you want to assign to the VLAN.
◆ interfaces tagged
Specifies a list of tagged interfaces. A tagged interface is an interface that
you assign to a VLAN in a way that causes the system to add a VLAN
tag into the header of any frame passing through that interface. Use
tagged interfaces when you want to assign a single interface to multiple
VLANs.
◆ learning
Specifies whether switch ports placed in the VLAN are configured for
switch learning, forwarding only, or dropped. Possible values are:
enable, disable forward, or disable drop. The default value is enable.
2 - 370
◆ mac masq
Configures a shared MAC masquerade address. You can share the media
access control (MAC) masquerade address between units in a redundant
system configuration. This has the following advantages:
• Increased reliability and failover speed, especially in lossy networks
• Interoperability with switches that are slow to respond to the network
changes
• Interoperability with switches that are configured to ignore network
changes
◆ mtu
Sets a specific maximum transition unit (MTU) for the VLAN. The
◆ source check
Specifies that only connections that have a return route in the routing
table are accepted. The default value is disable.
◆ tag
Specifies a number that the system adds into the header of any frame
passing through the VLAN.
◆ timeout
Specifies the number of seconds that an active unit can run without
detecting network traffic on this VLAN before it initiates a failover. The
◆ trunks
Specifies a list of trunks. A trunk is a combination of two or more
interfaces and cables configured as one link.
◆ trunks tagged
Specifies a list of tagged trunks. A tagged trunk is a trunk that you assign
to a VLAN in a way that causes the system to add a VLAN tag into the
header of any frame passing through the trunk. Use tagged trunks when
you want to assign a single trunk to multiple VLANs.
See also
interface(1), self(1), vlangroup(1), virtual(1), bigpipe(1)

Chapter 2
vlangroup
Configures a VLAN group.
Syntax
Use this command to configure a VLAN group.
Create/Modify
vlangroup <vlangroup key> {}
vlangroup (<vlangroup key> | all) [{] <vlangroup arg list> [}]
<vlangroup key> ::=
<name>
<vlangroup arg> ::=
bridge all (enable | disable)
bridge in standby (enable | disable)
bridge multicast (enable | disable)
members (<vlan key list> | none) [add | delete]
name <name>
proxy excludes (<ip addr list> | none) [add | delete]
transparency (transparent | translucent | opaque)
Display
vlangroup [<vlangroup key> | all] [show [all]]
vlangroup [<vlangroup key> | all] list [all]
vlangroup (<vlangroup key> | all) bridge all [show]
vlangroup (<vlangroup key> | all) bridge in standby [show]
vlangroup (<vlangroup key> | all) bridge multicast [show]
vlangroup (<vlangroup key> | all) ifname [show]
vlangroup (<vlangroup key> | all) mac masq [show]
vlangroup (<vlangroup key> | all) mac true [show]
vlangroup (<vlangroup key> | all) members [show]
vlangroup (<vlangroup key> | all) name [show]
vlangroup (<vlangroup key> | all) proxy excludes [show]
vlangroup (<vlangroup key> | all) transparency [show]
Delete
vlangroup (<vlangroup key> | all) delete
2 - 372
Description
The vlangroup command defines a VLAN group, which is a grouping of
two or more VLANs belonging to the same IP network for the purpose of
allowing Layer 2 packet forwarding between those VLANs.
The VLANs between which the packets are to be passed must be on the
same IP network, and they must be grouped using the vlangroup command.
For example:
vlangroup network11 { vlans add internal external }
Sets the global VLAN group proxy exclusion list:

vlangroup all [{] proxy excludes <ip addr list> [add | delete ] [}]
Examples
Creates a VLAN group named myvlangroup that consists of VLANs
named vlan1 and vlan2:
vlangroup myvlangroup member vlan1 vlan2
Shows the statistics for all elements of the specified VLAN group:
vlangroup myvlangroup show
Deletes the specified VLAN group named myvlangroup:

vlangroup myvlangroup delete
Options
You can use these options with the vlangroup command:
◆ bridge all
When enabled, specifies that the VLAN group forwards all frames,
including non-IP traffic. The default value is disable.
◆ bridge in standby
When enabled, specifies that the VLAN group forwards packets, even
when the system is the standby unit in a redundant system configuration.
Note that this setting is designed for deployments in which the VLAN
group exists on only one of the units. If that does not match your
configuration, using this setting may cause adverse effects. The default
value is enable.
◆ mac masq
Specifies a MAC address to be used with a redundant system
configuration. This is a 6-byte Ethernet address in not case-sensitive
hexadecimal colon notation, for example: 00:0b:09:88:00:9a.
◆ members
The names of the VLANs you want to add to the VLAN group.

Chapter 2
◆ proxy excludes
Specifies the IP addresses that you want to include in the proxy ARP
exclusion list. If you use VLAN groups, you must configure a proxy
ARP forwarding exclusion list. F5 recommends that you configure this
feature if you use VLAN groups with a redundant system configuration.
The reason is that both units need to communicate directly with their
gateways and the back-end nodes. Creating a proxy ARP exclusion list
prevents traffic from being proxied through the active unit due to proxy
ARP. This traffic needs to be sent directly to the destination, not proxied.
◆ tag
Specifies a number to be the tag for the VLAN. A VLAN tag is an
identification number the system inserts into the header of a frame that
indicates the VLAN to which the destination device belongs. Use VLAN
tags when a single interface forwards traffic for multiple VLANs.
◆ transparency
Specifies the level of exposure of remote MAC addresses within VLAN
groups. Possible values are: opaque, translucent, or transparent. The
default value is translucent.
• Use opaque when you have a Cisco® router in the network sending
CDP packets to the system. Because opaque VLAN groups require a
source and destination MAC address and CDP packets do not contain
a source and destination MAC address, the CDP packets are not
forwarded through the VLAN group. This mode changes the MAC
address to the MAC address assigned to the VLAN group. A proxy
ARP with Layer 3 forwarding.
• Use transparent when you want to leave the MAC address
unchanged by the traffic management system. Layer 2 forwarding
with the original MAC address of the remote system preserved across
VLANs.
• Use translucent when you want to use the real MAC address of the
requested host with the locally unique bit toggled. Layer 2 forwarding
with locally-unique bit, toggled in ARP response across VLANs.
See also
interface(1), self(1), vlan(1), virtual(1), bigpipe(1)
2 - 374
3
• Introduction to Access Policy Manager commands

Introduction to Access Policy Manager commands

You can use bigpipe commands to configure the Access Policy Manager
Module. This chapter includes Access Policy Manager-specific commands
that you can use in addition to the bigpipe commands listed in Chapter 2,
Bigpipe Utility Command Reference.
F5 Networks recommends that only advanced users of the BIG-IP system
configure Access Policy Manager from the command line.
For more information about configuring Access Policy Manager, see the
BIG-IP® Configuration Guide for Access Policy Manager.

The remainder of this chapter lists bigpipe commands used to configure
Access Policy Manager.

Chapter 3
aaa active directory server

Manages an authentication access policy (AAA) Microsoft® Active
Directory® server.
Syntax
Use this command to create, modify, display, or delete an AAA Active
Directory server.
Create/Modify
Important
assigned access to all partitions, then before you create an object in a
specific partition, you must use the command bigpipe shell to set your Write
partition to the partition in which you want to create the object.
aaa active directory server <aaa active directory server key list> {}
aaa active directory server (<aaa active directory server key list> | all) \
[{] <aaa active directory server arg list> [}]
<aaa active directory server key> ::=
<name>
<aaa active directory server arg> ::=
admin name <string>
admin password <string>
domain (<string> | none)
partition <name>
kdc (<string> | none)
Display
aaa active directory server [<aaa active directory server key list> | all] [show [all]]
aaa active directory server [<aaa active directory server key list> | all] list [all]
aaa active directory server [<aaa active directory server key list> | all] \
admin name [show]
admin password [show]
aaa active directory server [<aaa active directory server key list> | all] domain [show]
aaa active directory server [<aaa active directory server key list> | all] name [show]
partition [show]
aaa active directory server [<aaa active directory server key list> | all] kdc [show]
aaa active directory server [<aaa active directory server key list> | all] timeout [show]
3-2
Delete
aaa active directory server (<aaa active directory server key list> | all) delete
Description
You can use the command aaa active directory server to create and
manage an AAA Active Directory server. The Active Directory is a network
structure supported by Windows® 2000, or later, that provides support for
tracking and locating any object on a network.
Examples
Creates the AAA Active Directory server named MyADserver in the
Company domain, sets the administrator logon name to administrator and
the administrator password to !My123Password, and sets the Key
Distribution Center to company.com:
aaa active directory server MyADserver {
kdc "company.com"
domain "Company"
admin name "administrator"
admin password "!My123Password"
}
Displays a list of all AAA Active Directory servers on the system:

aaa active directory server show all
Deletes the AAA Active Directory server named

MyActiveDirectoryServer from the system.
aaa active directory server MyActiveDirectoryServer delete
Options
You can use these options with the command aaa active directory server:
◆ admin name
Specifies the user name that has administrative permissions on an AAA
Active Directory server.
◆ admin password
Specifies the password associated with admin name.
◆ domain
Specifies the Fully Qualified Domain Name (FQDN) of an AAA Active
Directory server. This setting is required.
◆ name
Specifies the name of an AAA Active Directory server. This setting is
required.

Chapter 3
◆ Note that the initial character should be a letter, followed by either

another letter, a number, a period, an underscore, or a dash. Avoid using
global reserved words such as all, delete, disable, enable, help, list,
none, show, or None.
◆ kdc
Specifies the KDC (Key Distribution Center). The default is none.
◆ partition
◆ timeout
Specifies a timeout interval (in seconds) after which an AAA Active
Directory server closes a connection. The default is 15 seconds.
See also
aaa ldap server(1), aaa radius server(1)
3-4
aaa ldap server

Manages an AAA LDAP server.
Syntax
Use this command to create, modify, display, or delete an AAA LDAP
server.
Create/Modify
Important
aaa ldap server <aaa ldap server key list> {}

aaa ldap server (<aaa ldap server key list> | all) [{] <aaa ldap server arg list> [}]
<aaa ldap server key> ::=
<name>
<aaa ldap server arg> ::=
admin dn <string>
admin password <string>
partition <name>
port (<service> | none)
Display
aaa ldap server [<aaa ldap server key list> | all] [show [all]]
aaa ldap server [<aaa ldap server key list> | all] list [all]
aaa ldap server [<aaa ldap server key list> | all] addr [show]
aaa ldap server [<aaa ldap server key list> | all] admin dn [show]
aaa ldap server [<aaa ldap server key list> | all] admin password [show]
aaa ldap server [<aaa ldap server key list> | all] name [show]
aaa ldap server [<aaa ldap server key list> | all] partition [show]
aaa ldap server [<aaa ldap server key list> | all] port [show]
aaa ldap server [<aaa ldap server key list> | all] timeout [show]
Delete
aaa ldap server (<aaa ldap server key list> | all) delete

Chapter 3
Description
You can use the command aaa ldap server to create and manage an AAA
LDAP server.
Examples
Creates the AAA LDAP server named MyLDAPserver that is assigned the
IP address 172.30.6.144 and the administrator container distinguished name
of cn=administrator,cn=users,dc=company,dc=companynet,dc=com
with a password of !MyPassword:
aaa ldap server MyLDAPserver {
addr 172.30.6.144
admin dn "cn=administrator,cn=users,dc=company,dc=companynet,dc=com"
admin password "!MyPassword"
}
Displays a list of AAA LDAP servers:

aaa ldap server show all
Deletes the AAA LDAP server named MyLDAPServer from the system:
aaa ldap server MyLDAPServer delete
Options
You can use these options with the command aaa ldap server:
◆ addr
Specifies the IP address of an AAA LDAP server. This setting is
required.
◆ admin dn
Specifies the Container Distinguished Name (DN) to use for
authentication. This setting is required.
◆ admin password
Specifies the password for admin name. This setting is required.
◆ name
Specifies the name of the AAA server. This setting is required.
◆ partition
◆ port
Specifies the port number of the AAA LDAP server. The default is ldap.
3-6
◆ timeout
Specifies a timeout interval (in seconds) for the AAA LDAP server after
which the server closes a connection. The default is 15 seconds.
See also
aaa active directory server(1), aaa radius server(1)

Chapter 3
aaa radius server

Manages an AAA RADIUS server.
Syntax
Use this command to create, modify, display, or delete an AAA RADIUS
server.
Create/Modify
Important
aaa radius server <aaa radius server key list> {}

aaa radius server (<aaa radius server key list> | all) \
[{] <aaa radius server arg list> [}]
<aaa radius server key> ::=
<name>
<aaa radius server arg> ::=
nas ip address (<ip addr> | none)
partition <name>
retries <number>
secret <string>
server (<ip addr> | none)
service type (default | login | framed | callback login | callback framed | \
outbound | administrative | nas prompt | authenticate only | \
callback nas prompt | call check | callback administrative | last)
3-8
Display
aaa radius server [<aaa radius server key list> | all] [show [all]]
aaa radius server [<aaa radius server key list> | all] list [all]
aaa radius server [<aaa radius server key list> | all] name [show]
aaa radius server [<aaa radius server key list> | all] nas ip address [show]
aaa radius server [<aaa radius server key list> | all] partition [show]
aaa radius server [<aaa radius server key list> | all] retries [show]
aaa radius server [<aaa radius server key list> | all] secret [show]
aaa radius server [<aaa radius server key list> | all] server [show]
aaa radius server [<aaa radius server key list> | all] service [show]
aaa radius server [<aaa radius server key list> | all] service type [show]
aaa radius server [<aaa radius server key list> | all] timeout [show]
Delete
aaa radius server (<aaa radius server key list> | all) delete
Description
You can use the command aaa radius server to create and manage an AAA
RADIUS server.
Examples
Creates the AAA RADIUS server named companyradiusserver that has an
IP address of 172.30.6.144, and has a shared secret of !MySharedSecret:
aaa radius server companyradiusserver {
server 172.30.6.144
secret "!MySharedSecret"
}
Displays a list of all AAA RADIUS servers on the system:

aaa radius server show all
Deletes the AAA RADIUS server named Myradiusserver from the system:
aaa radius server Myradiusserver delete

Chapter 3
Options
You can use these options with the command aaa radiusserver:
◆ name
Specifies the name of an AAA RADIUS server. This setting is required.
◆ nas ip address
Specifies the IP address of an AAA RADIUS server.
◆ partition
◆ retries
Specifies the number of retries for an AAA RADIUS server. The default
is 3.
◆ secret
Specifies the shared secret password of an AAA RADIUS server. This
◆ server
Specifies the IP address of an AAA RADIUS server. This setting is
required.
◆ service
Specifies the port number for the service. The default is radius. This
◆ service type
Specifies the service type for an AAA RADIUS server. This setting is
optional.
◆ timeout
Specifies a timeout interval (in seconds) for an AAA RADIUS server
after which the server closes a connection. The default is 5 seconds.
See also
aaa active directory server(1), aaa ldap server(1)
3 - 10
aaa securid server

Specify the RSA SecurID server configuration used for authentication.
Syntax
Use this command to create, modify, display, or delete an RSA SecurID
server.
Create/Modify
Important
bigpipe aaa securid server < aaa securid server key list> {}
bigpipe agent aaa securid server (< aaa securid server key list> | all) \
[{] < aaa securid server arg list> [}]
< aaa securid server key> ::=
<name>
< aaa securid server arg> ::=
config file (<string>| none)
description <string>
source ip <string>
partition <name>
Display
bigpipe aaa securid server [<aaa securid server key list> | all] [show [all]]
bigpipe aaa securid server [<aaa securid server key list> | all] list [all]
bigpipe aaa securid server [<aaa securid server key list> | all] config file [show]
bigpipe aaa securid server [<aaa securid server key list> | all] description [show]
bigpipe aaa securid server [<aaa securid server key list> | all] source ip [show]
bigpipe aaa securid server [<aaa securid server key list> | all] partition [show]
Delete
bigpipe aaa securid server (<aaa securid server key list> | all)
delete
Description
You can use the command aaa securid server to create and manage an RSA
Securid server.

Chapter 3
Examples
Creates the MyRSAServer RSA Securid server that is associated with the
MyRSAServer server:
bigpipe aaa securid server MyRSASecurIDserver {
server "MyRSAServer"}
Displays a list of RSA Securid servers:

bigpipe aaa securid server show
Deletes the B<MyRSAServer> aaa securid server:

bigpipe aaa securid server MyRSASever delete
3 - 12
Options
You can use these options with the command aaa securid:
◆ config file
Specifies which file to use for your SecurID authentication. Upload a
copy of the sdconf.rec file from your RSA Authentication Manager
server.
◆ description
Specifies the description of your configuration file.
◆ source ip
Specifies the source IP address of the RSA SecurID agent. This is
required when authenticating to the RSA Authentication Manager server.
◆ partition
See also
agent_aaa_active_directory(1), agent_aaa_ldap(1),
agent_aaa_radius(1),

Chapter 3
aaa acct radius

Specify the Radius accounting agent used for authentication.
Syntax
Use this command to create, modify, display, or delete a radius accounting
agent.
Create/Modify
Important
bigpipe agent acct radius< agent acct radius key list> {}

bigpipe agent acct radius (< agent acct radius key list> | all) \
[{] < agent acct radius arg list> [}]
< agent acct radius key> ::=
<name>
< agent acct radius arg> ::=
server <string>
Display
bigpipe agent acct radius [<agent acct radius key list> | all] [show [all]]
bigpipe agent acct radius [<agent acct radius key list> | all] list [all]
bigpipe agent acct radius [<agent acct radius key list> | all] max logon attempt [show]
bigpipe agent acct radius [<agent acct radius key list> | all] show extended error
[show]
bigpipe agent acct radius [<agent acct radius key list> | all] server [show]
bigpipe agent acct radius [<agent aaa securid key list> | all] partition [show]
Delete
bigpipe agent agent acct radius (<agent acct radius key list> |
all) delete
Description
You can use the command agent acct radius to create and manage radius
accounting agent.
3 - 14
Examples
Creates the qaRadiusAcctAgentRadius accounting agent that is associated
with the qaRadius server:
=item B<bigpipe agent acct radius qaRadiusAcctAgent {
server "qaRadius"}>
Displays a list of Radius accounting agents:

bigpipe agent agent acct radius show
Deletes the B<qaRadiusAcctAgent> aaa securid agent.:

bigpipe agent acct radius qaRadiusAcctAgent delete
Options
You can use these options with the command aaa securid:
◆ name
Specifies the name of the radius accounting agent associated with the
Radius accounting server.
◆ server
Specifies the name of the radius accounting agent.
See also
agent_aaa_active_directory(1), agent_aaa_ldap(1),
agent_aaa_radius(1), agent_aaa_securid(1),

Chapter 3
access
Displays and resets access statistics on the BIG-IP® Access Policy Manager.
Syntax
Use this command to display and reset access statistics.
Modify
access stats reset
Display
access [show [all]]
Description
You can use the command access to reset the access statistics.
Examples
Displays the access statistics for the BIG-IP Access Policy Manager:
access show all
Resets and displays the access statistics for the BIG-IP Access Policy
Manager:
access stats reset
See also
access policy(1), access policy item(1), access session(1)
3 - 16
access policy
Manages an access policy.
Important
F5 Networks® recommends that you do not use the command line interface
to create and manage an access policy. Instead, use the visual policy editor
in the Configuration utility.
Syntax
Use this command to create, modify, display, or delete an access policy.
Create/Modify
Important
access policy <access policy key list> {}

access policy (<access policy key list> | all) [{] <access policy arg list> [}]
<access policy key> ::=
<name>
<access policy arg> ::=
caption (<string> | none)
default ending name <name>
items (<access policy item key list> | none) [add | delete]
macros (<string list> | none) [add | delete]
partition <name>
start item name <name>
type (access policy | macro)
Display
access policy [<access policy key list> | all] [show [all]]
access policy [<access policy key list> | all] list [all]
access policy [<access policy key list> | all] default ending name [show]
access policy [<access policy key list> | all] items [show]
access policy [<access policy key list> | all] macros [show]
access policy [<access policy key list> | all] name [show]
access policy [<access policy key list> | all] partition [show]
access policy [<access policy key list> | all] start item name [show]
access policy [<access policy key list> | all] type [show]

Chapter 3
Delete
access policy (<access policy key list> | all) delete
Description
An access policy contains the steps that the client and server go through
before the BIG-IP® Access Policy Manager grants access to a connection
request. You can use the command access policy to create and then manage
access policies.
Examples
Creates an access policy in which the user logs on and the system checks for
a specific file. If the client contains the specified file, the access policy
carries out an antivirus check, and then performs a RADIUS authentication
and assigns a resource. If the client does not contain the specified file, but
the RADIUS authentication is successful, the system performs the resource
assignment and displays the webtop. The webtop is the user’s home page,
which grants access to the network access connection.
access policy item Companyprofile_act_file_check list
access policy item Companyprofile_act_file_check {
type action
caption "File Check"
color 1
rules
{ expression "expr {[mcget {session.windows_check_file.last.result}] == 1}"
caption "Successful"
next item windows_av_and_fw_act_av_check
}
{ caption "fallback"
next item Companyprofile_act_radius
}
agents name Companyprofile_act_file_check_ag
type endpoint windows check file
}
Swaps the success and failure branches of the file check in the new
configuration. If the client does not contain the specified file, the system
performs an antivirus check followed by RADIUS authentication. If the
client contains the specified file, the system performs a RADIUS
authentication directly.
rules
{ next item Companyprofile_act_radius }
{ next item windows_av_and_fw_act_av_check} }
access policy item Companyprofile_act_file_check list
3 - 18
type action
caption "File Check"
color 1
rules
{ expression "expr {[mcget {session.windows_check_file.last.result}] == 1}"
caption "Successful"
next item
Companyprofile_act_radius
}
{ caption "fallback"
next item windows_av_and_fw_act_av_check
}
agents name Companyprofile_act_file_check_ag
type endpoint windows check file
}
Creates an access policy named MyAccessPolicy that displays in the visual

policy editor with the caption ldap_auth:
access policy MyAccessPolicy caption ldap_auth
Displays a list of access policies:

access policy show all
Deletes the access policy named MyAccessPolicy:

access policy MyAccessPolicy delete
Options
You can use these options with the command access policy:
◆ caption
Specifies the name of the access policy that displays in the visual policy
editor. This setting is required.
◆ default ending name
Specifies the name of the default ending for the access policy.
◆ items
Adds an item to or deletes an item from the access policy.
◆ macros
Adds a macro to or deletes a macro from the access policy. A macro is a
commonly used, predefined section of an access policy configuration that
usually contains several actions, which are configured in a flow, that can
be added directly to an access policy and used with a minimum of
configuration.
◆ name
Specifies the name of the access policy. This setting is required.

Chapter 3
Note that the initial character should be a letter, followed by either

◆ partition
◆ start item name
Specifies the name of the first action item in the access policy.
◆ type
Specifies either an access policy or a macro.
See also
access(1), access policy item(1), access session(1)
3 - 20
access policy item

Manages an access policy item.
Syntax
Use this command to create, modify, display, or delete an access policy
item.
Create/Modify
Important
access policy item <access policy item key list> {}

access policy item (<access policy item key list> | all) \
[{] <access policy item arg list> [}]
<access policy item key> ::=
<name>
<access policy item arg> ::=
agents (<access policy item agent list> | none) [add | delete]
color <number>
macro name <name>
partition <name>
rules (<access policy rule list> | none) [add | delete]
type (entry | ending | terminalout | action | macrocall)
<access policy rule> ::= [{] <access policy rule arg list> [}]
<access policy rule arg> ::=
expression (<string> | none)
next item (<access policy item key> | none)
<access policy item agent> ::=(<access policy item agent key list> | all) \
[{] <access policy item agent arg list> [}]
<access policy item agent key> ::=
name <name>
<access policy item agent arg> ::=
type (ending denied | ending redirect | ending webtop | aaa active directory | \
aaa clientcert | aaa http | aaa ldap | aaa ntlm | aaa radius | \
connectivity resource | decision box | endpoint windows browser cache cleaner | \
endpoint windows check av | endpoint windows check file | \
endpoint windows check fw | endpoint windows check process | \
endpoint windows check registry | endpoint windows info os | logon page | \
message box | resource assign | variable assign | vlan selection)

Chapter 3
Display
access policy item [<access policy item key list> | all] [show [all]]
access policy item [<access policy item key list> | all] list [all]
access policy item [<access policy item key list> | all] agents \
[<access policy item agent key list> | all] [show]
[<access policy item agent key list> | all] name [show]
[<access policy item agent key list> | all] type [show]
access policy item [<access policy item key list> | all] caption [show]
access policy item [<access policy item key list> | all] color [show]
access policy item [<access policy item key list> | all] macro name [show]
access policy item [<access policy item key list> | all] name [show]
access policy item [<access policy item key list> | all] partition [show]
access policy item [<access policy item key list> | all] rules [show]
access policy item [<access policy item key list> | all] type [show]
Delete
access policy item (<access policy item key list> | all) delete
Description
You can use the command access policy item to create and manage an
access policy item.
Examples
Creates the ending type access policy item named MyEnding that displays
the caption ending in the visual policy editor:
access policy item MyEnding {
type ending
caption "ending”
}
Displays all access policy items:

access policy item show all
Deletes the access policy item named MyEntryItem from the system:
access policy item MyEntryItem delete
3 - 22
Options
You can use these options with the command access policy item:
◆ agents
Specifies a list of agents that you want to add to or delete from the access
policy item. You can specify the following:
◆ name
Name of the agent.
◆ type
Type of agent. The default is ending.
◆ caption
Specifies the name of the access policy item that displays in the visual
policy editor. This setting is required.
◆ color
Specifies the number of the color you want to apply to the access policy
item for display in the visual policy editor. The default is 0 (zero).
◆ macro name
Specifies the name of the macro that you want to include in the access
policy item.
◆ name
Specifies the name of the access policy item. This setting is required.
◆ partition
◆ rules
Adds a rule to or deletes a rule from an access policy item. You can
specify the following attributes for rules:
◆ caption
The name of the rule that displays in the visual policy editor.
◆ expression
An expression to use in this rule. You can write your own expression
using the Tcl programming language. Note that when writing in Tcl you
must always use a space before and after braces { }.
• next item
The name of the next policy item in the access policy.
◆ type
Specifies the type of access policy item. This setting is required. You can
specify one of the following types:
• action
An access policy item that indicates an action the system takes
between the entry and ending items of an access policy branch.

Chapter 3
◆ ending
An access policy item that indicates the action the system takes at the end
of an access policy branch. The predefined endings are:
• logon_denied
Sets a failure ending to deny the user access.
• webtop
Sets a successful ending to launch the secure access webtop.
◆ entry
An access policy item that indicates the action the system takes when a
user first attempts to access the network.
◆ macrocall
An access policy item that is a user-defined macro.
◆ terminalout
An access policy item that indicates the outcome of a macro branch.
See also
access(1), access policy(1), access session(1)
3 - 24
access session
Displays properties of an access session.
Syntax
access session <access session key> {}
<access session key> ::=
<string>
Create/Modify
Not applicable.
Display
access session [<access session key> | all] [show [all]]
Delete
Not applicable.
Description
You can use the command access session to display an access session.
You associate an access policy with a virtual server by associating an access
profile with the virtual server. A connection that the system sends to a
virtual server must include credentials that meet the requirements of the
access policy associated with that virtual server.
Examples
Displays information about all access sessions:
access session all show
Displays information about an access session with a session ID of

aa91d349:
access session aa91d349
Options
Not applicable.
See also
access(1), access policy(1), access policy item(1)

Chapter 3
acl
Manages an access control list (ACL).
Syntax
Use this command to create, modify, display, or delete an ACL.
Create/Modify
Important
acl <acl key list> {}

acl (<acl key list> | all) [{] <acl arg list> [}]
<acl key> ::=
<name>
<acl arg> ::=
entries (<acl entry list> | none) [add | delete]
order <number>
partition <name>
type (l4 | l7)
<acl entry> ::= [{] <acl entry arg list> [}]
<acl entry arg> ::=
action (allow | continue | discard | reject)
dst ip (<ip addr> [mask <ip mask> | (prefixlen | /) \
<number>] | default [inet | inet6])
dst port (<service> | none)[:(<service> | none)]
log (none | summary | config | packet | verbose)
protocol <number>
src ip (<ip addr> [mask <ip mask> | (prefixlen | /) \
<number>] | default [inet | inet6])
src port (<service> | none)[:(<service> | none)]
Display
acl [<acl key list> | all] [show [all]]
acl [<acl key list> | all] list [all]
acl [<acl key list> | all] description [show]
acl [<acl key list> | all] entries [show]
acl [<acl key list> | all] name [show]
acl [<acl key list> | all] order [show]
3 - 26
acl [<acl key list> | all] partition [show]

acl [<acl key list> | all] type [show]
Delete
acl (<acl key list> | all) delete
Description
An ACL is a set of restrictions associated with a resource or favorite that
defines access for users and groups. You can use the command acl to create
and manage ACLs.
Examples
Creates the access control list named MyACL that is the third ACL in the
list of ACLs in the visual policy editor, and adds an access control entry that
allows traffic using the default source IP address and the default destination
IP address:
acl MyACL { order 3 entries src ip default inet dst ip default inet action allow add }
Displays a list of ACLs that includes the attributes of each ACL:

acl list
Deletes the MyACL access control list:

acl MyACL delete
Options
You can use these options with the command acl:
◆ description
Describes the access control list.
◆ entries
Adds an entry to or deletes an entry from an access control list.
• action
Specifies the action that an access control list takes when this access
control list entry is encountered. This setting is required. You can
specify one of the following actions:
• allow
Allows traffic.
• continue
Stops checking against the remaining entries of an access control
list, and continues evaluation at the next access control list.
• discard
Drops packets silently.

Chapter 3
• reject
Drops a packet and sends TCP RST on TCP flows or proper ICMP
messages on UDP flows. Silently drops a packet on other
protocols.
◆ dst ip
Specifies the destination IP address and network mask of the access
control list entry.
◆ dst port
Specifies the destination port or range of ports of the access control list
entry.
◆ log
Specifies the log level that is logged when actions of this type occur.
Your options are:
• none
Logs nothing. This is the default value.
• config
Logs the configuration of a matched entry.
• packet
Logs a matched packet.
• summary
Logs the name and entry number of a matched access control list
and access control list entry.
• verbose
Logs everything.
◆ protocol
Specifies the protocol number (TCP=6, UDP=17) of the access control
list entry. The default is any.
◆ src ip
Specifies the source IP address and network mask of the access control
list entry.
◆ src port
Specifies the source port or range of ports of the access control list entry.
◆ name
Specifies the name of the access control list. This setting is required.
◆ order
Specifies the order of the access control entries in this access control list.
◆ partition
3 - 28
◆ type
Specifies the type of access control list. The default is 14. This setting is
required. The available types are:
• 14
Layer 4
• 17
Layer 7
See also
agent resource assign(1), connectivity resource network access(1)

Chapter 3
agent
Manages an agent.
Syntax
Use this command to display or delete an agent.
Modify
<agent key> ::=
<name>
Display
agent [<agent key list> | all] [show [all]]
agent [<agent key list> | all] list [all]
agent [<agent key list> | all] name [show]
Delete
agent (<agent key list> | all) delete
Description
You can use the command agent to display or delete an agent.
Examples
Displays a list of all agents and the attributes for each agent:
agent list
Tip
You cannot delete an agent that is associated with an access policy item.
Options
You can use this option with the command agent:
◆ name
Specifies the name of an agent that you want to display or delete. This
Note that the initial character should be a letter, followed by either another
letter, a number, a period, an underscore, or a dash. Avoid using global
reserved words such as all, delete, disable, enable, help, list, none, show,
or None.
3 - 30
See also
agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1),
agent aaa radius(1), agent decision box(1), agent ending denied(1),
agent ending redirect(1), agent ending webtop(1), agent endpoint
windows browser cache cleaner(1), agent endpoint windows check
av(1), agent endpoint windows check file(1), agent endpoint windows
check fw(1), agent endpoint windows check process(1), agent endpoint
windows check registry(1), agent endpoint windows info os(1), agent
logging(1), agent logon page(1), agent message box(1), agent resource
assign(1), agent variable assign(1), agent vlan selection(1)

Chapter 3
agent aaa active directory

Manages an AAA Active Directory agent.
Syntax
Use this command to create, modify, display, or delete an AAA Active
Directory agent.
Create/Modify
Important
agent aaa active directory <agent aaa active directory key list> {}
agent aaa active directory (<agent aaa active directory key list> | all) \
[{] <agent aaa active directory arg list> [}]
<agent aaa active directory key> ::=
<name>
<agent aaa active directory arg> ::=
attrname (<string list> | none) [add | delete]
fetchgroupattr (enable | disable)
filter <string>
hints (enable | disable)
max logon attempt <number>
partition <name>
type (query | auth | last)
upn (enable | disable)
Display
agent aaa active directory [<agent aaa active directory key list> | all] [show [all]]
agent aaa active directory [<agent aaa active directory key list> | all] list [all]
agent aaa active directory [<agent aaa active directory key list> | all] attrname [show]
agent aaa active directory [<agent aaa active directory key list> | all] \
fetchgroupattr [show]
agent aaa active directory [<agent aaa active directory key list> | all] filter [show]
agent aaa active directory [<agent aaa active directory key list> | all] hints [show]
agent aaa active directory [<agent aaa active directory key list> | all] \
max logon attempt [show]
agent aaa active directory [<agent aaa active directory key list> | all] name [show]
agent aaa active directory [<agent aaa active directory key list> | all] partition [show]
3 - 32
agent aaa active directory [<agent aaa active directory key list> | all] server [show]
agent aaa active directory [<agent aaa active directory key list> | all] type [show]
agent aaa active directory [<agent aaa active directory key list> | all] upn [show]
Delete
agent aaa active directory (<agent aaa active directory key list> | all) delete
Description
You can use the command agent aaa active directory to create and manage
an AAA Active Directory agent.
Examples
Creates the query type AAA Active Directory agent named
MyADQueryagent that uses the
(SAMAccountName=%{session.logon.last.username}) filter and the
companyAD server:
agent aaa active directory MyADQueryagent {
filter "(SAMAccountName=%{session.logon.last.username})"
type query
server "companyAD"
}
Creates the authorization type AAA Active Directory agent named

MyADAuthagent that uses the companyAD server:
agent aaa active MyADAuthagent {
type auth
server "companyAD"
}
Displays a list of AAA Active Directory agents and the server associated
with each agent:
agent aaa active directory show all
Deletes the MyADagent AAA Active Directory agent:

agent aaa active directory MyADagent delete

Chapter 3
Options
You can use these options with the command agent aaa active directory:
◆ attrname
Adds an attribute name to the agent or deletes an attribute name from the
agent.
◆ fetchgroupattr
When enabled, the system administrator can retrieve the primary group
attributes of a user, and use the primary domain name of the group in
access policy item rules. The default is disable.
◆ filter
Specifies the search criteria the system uses when querying an AAA
Active Directory server for authentication information. The system
supports session variables as part of search query string.
◆ hints
When enabled, the system offers the user an option to create a hint that
assists in remembering a password. The default is disable.
◆ max logon attempt
Specifies the maximum number of opportunities that a user has in which
to re-enter her credentials after her first attempt to log on fails. If you set
this value to a number from 2 - 5 inclusive, the system offers a user the
specified number of opportunities to log on after her first attempt to log
on fails. If you set the value to 1, the system does not provide a second
opportunity to log on after a first attempt to log on fails. The default is 3.
◆ name
Specifies the name of an AAA Active Directory agent. This setting is
required.
◆ partition
◆ server
Specifies an AAA Active Directory server the system uses for Active
Directory queries and authentication.
◆ type
Specifies the type of AAA Active Directory agent. The default is last.
◆ upn
When enabled, the BIG-IP® Access Policy Manager supports the user
principal name (UPN) naming style. An example of UPN is
user@domain. The default is disable.
3 - 34
See also
agent(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1),
agent decision box(1), agent ending denied(1), agent ending redirect(1),
agent ending webtop(1), agent endpoint windows browser cache
cleaner(1), agent endpoint windows check av(1), agent endpoint
windows check file(1), agent endpoint windows check fw(1), agent
endpoint windows check process(1), agent endpoint windows check
registry(1), agent endpoint windows info os(1), agent logging(1), agent
logon page(1), agent message box(1), agent resource assign(1), agent
variable assign(1), agent vlan selection(1)

Chapter 3
agent aaa client cert

Manages an AAA Client Certification agent.
Syntax
Use this command to create, modify, display, or delete an AAA Client
Certification agent.
Create/Modify
Important
agent aaa clientcert <agent aaa clientcert key list> {}

agent aaa clientcert (<agent aaa clientcert key list> | all) \
[{] <agent aaa clientcert arg list> [}]
<agent aaa clientcert key> ::=
<name>
<agent aaa clientcert arg> ::=
partition <name>
Display
agent aaa clientcert [<agent aaa clientcert key list> | all] [show [all]]
agent aaa clientcert [<agent aaa clientcert key list> | all] list [all]
agent aaa clientcert [<agent aaa clientcert key list> | all] name [show]
agent aaa clientcert [<agent aaa clientcert key list> | all] partition [show]
Delete
agent aaa clientcert (<agent aaa clientcert key list> | all) delete
Description
You can use the command agent aaa clientcert to create and manage an
AAA Client Certification agent.
3 - 36
Examples
Creates the AAA Client Certification agent named MyCCagent in the
Common partition:
agent aaa clientcert MyCCagent
Displays a list of AAA Client Certification agents:

agent aaa clientcert show all
Deletes the MyCCagent AAA Client Certification agent:

agent aaa clientcert MyCCagent delete
Options
You can use these options with the command agent aaa clientcert:
◆ name
Specifies the name of an AAA Client Certification agent. This setting is
required.
◆ partition
See also
agent(1), agent aaa active directory(1), agent aaa ldap(1), agent aaa
radius(1), agent decision box(1), agent ending denied(1), agent ending
redirect(1), agent ending webtop(1), agent endpoint windows browser
cache cleaner(1), agent endpoint windows check av(1), agent endpoint

Chapter 3
agent aaa ldap

Manages an AAA LDAP agent.
Syntax
Use this command to create, modify, display, or delete an AAA LDAP
agent.
Create/Modify
Important
agent aaa ldap <agent aaa ldap key list> {}

agent aaa ldap (<agent aaa ldap key list> | all) \
[{] <agent aaa ldap arg list> [}]
<agent aaa ldap key> ::=
<name>
<agent aaa ldap arg> ::=
attrname (<string list> | none) [add | delete]
filter <string>
partition <name>
searchdn <string>
type (query | auth | last)
userdn <string>
Display
agent aaa ldap [<agent aaa ldap key list> | all] [show [all]]
agent aaa ldap [<agent aaa ldap key list> | all] list [all]
agent aaa ldap [<agent aaa ldap key list> | all] attrname [show]
agent aaa ldap [<agent aaa ldap key list> | all] filter [show]
agent aaa ldap [<agent aaa ldap key list> | all] max logon attempt [show]
agent aaa ldap [<agent aaa ldap key list> | all] name [show]
agent aaa ldap [<agent aaa ldap key list> | all] partition [show]
agent aaa ldap [<agent aaa ldap key list> | all] searchdn [show]
agent aaa ldap [<agent aaa ldap key list> | all] server [show]
agent aaa ldap [<agent aaa ldap key list> | all] type [show]
agent aaa ldap [<agent aaa ldap key list> | all] userdn [show]
3 - 38
Delete
agent aaa ldap (<agent aaa ldap key list> | all) delete
Description
You can use the command agent aaa ldap to create and manage an AAA
LDAP agent.
Examples
The following two command sequences create the authorization type AAA
LDAP agent named MyLDAPagent that is associated with the
companyLDAP server that utilizes the
cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=f5net,dc
=com user domain name, the cn=users,dc=lab,dc=fp,dc=com search
domain, and the (SAMAccountName=%{{session.logon.last.username})
filter:
agent aaa ldap MyLDAPagent {
userdn "cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=com"
type auth
server "companyLDAP"
}
searchdn "cn=users,dc=lab,dc=fp,dc=com"
filter "(SAMAccountName=%{{session.logon.last.username})"
type auth
}
Creates the query type AAA LDAP agent named MyLDAPagent that is
associated with the companyLDAP server that utilizes the
cn=users,dc=lab,dc=fp,dc=com search domain and the
(SAMAccountName=%{{session.logon.last.username}) filter:
searchdn "cn=users,dc=lab,dc=fp,dc=com"
filter "(sAMAccountName=%{{session.logon.last.username})"
type query
}
Displays a list of AAA LDAP agents:

agent aaa ldap show
Deletes the MyLDAPagent AAA LDAP agent:

agent aaa ldap MyLDAPagent delete

Chapter 3
Options
You can use these options with the command agent aaa ldap:
◆ attrname
Adds an attribute name to the agent or deletes an attribute name from the
agent.
◆ filter
Specifies the LDAP filter that the BIG-IP® Access Policy Manager uses
when querying an AAA LDAP server for authentication information.
You must use the filter option with the searchdn option.
to re-enter his credentials after his first attempt to log on fails. If you set
specified number of opportunities to log on after his first attempt to log
◆ name
Specifies the name of an AAA LDAP agent. This setting is required.
◆ partition
◆ searchdn
Specifies the base domain name that the BIG-IP Access Policy Manager
uses for internal LDAP search operations. You must use the searchdn
option with the filter option.
◆ server
Specifies an AAA LDAP server that the system uses for LDAP queries
and authentication.
◆ type
Specifies a type of AAA LDAP agent. This setting is required. The
default is last.
◆ userdn
Specifies the fully qualified domain name of the BIG-IP Access Policy
Manager. F5 Networks® recommends that you specify this value in lower
case and without spaces for compatibility with some specific LDAP
servers. The specific content of this string depends on your directory
layout.
3 - 40
See also
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent
aaa radius(1), agent decision box(1), agent ending denied(1), agent
ending redirect(1), agent ending webtop(1), agent endpoint windows
browser cache cleaner(1), agent endpoint windows check av(1), agent
endpoint windows check file(1), agent endpoint windows check fw(1),
agent endpoint windows check process(1), agent endpoint windows
check registry(1), agent endpoint windows info os(1), agent logging(1),
agent logon page(1), agent message box(1), agent resource assign(1),
agent variable assign(1), agent vlan selection(1)

Chapter 3
agent aaa radius

Manages an AAA RADIUS agent.
Syntax
Use this command to create, modify, display, or delete an AAA RADIUS
agent.
Create/Modify
Important
agent aaa radius <agent aaa radius key list> {}

agent aaa radius (<agent aaa radius key list> | all) \
[{] <agent aaa radius arg list> [}]
<agent aaa radius key> ::=
<name>
<agent aaa radius arg> ::=
partition <name>
Display
agent aaa radius [<agent aaa radius key list> | all] [show [all]]
agent aaa radius [<agent aaa radius key list> | all] list [all]
agent aaa radius [<agent aaa radius key list> | all] max logon attempt [show]
agent aaa radius [<agent aaa radius key list> | all] name [show]
agent aaa radius [<agent aaa radius key list> | all] partition [show]
agent aaa radius [<agent aaa radius key list> | all] server [show]
Delete
agent aaa radius (<agent aaa radius key list> | all) delete
Description
You can use the command agent aaa radius to create and manage an AAA
RADIUS agent.
3 - 42
Examples
Creates the Myradiusagent AAA RADIUS agent that is associated with the
Myradius server:
agent aaa radius Myradiusagent {
server "Myradius"
}
Displays a list of AAA RADIUS agents and the servers associated with the
agents:
agent aaa radius show
Deletes the Myradiusagent AAA RADIUS agent:

agent aaa radius Myradiusagent delete
Options
You can use these options with the command agent aaa radius:
to re-enter his credentials after his first attempt to log on fails. If you set
specified number of opportunities to log on after his first attempt to log
◆ name
Specifies the name of an AAA RADIUS server. This setting is required.
◆ partition
◆ server
Specifies an AAA RADIUS server the system uses for RADIUS queries
and authentication. This setting is required.
See also
aaa ldap(1), agent decision box(1), agent ending denied(1), agent ending

Chapter 3
agent decision box

Manages a Decision Box agent.
Syntax
Use this command to display or delete a Decision Box agent.
Create/Modify
Important
agent decision box <agent decision box key list> {}

agent decision box (<agent decision box key list> | all) \
[{] <agent decision box arg list> [}]
<agent decision box key> ::=
<name>
<agent decision box arg> ::=
partition <name>
Display
agent decision box [<agent decision box key list> | all] [show [all]]
agent decision box [<agent decision box key list> | all] list [all]
agent decision box [<agent decision box key list> | all] name [show]
agent decision box [<agent decision box key list> | all] partition [show]
Delete
agent decision box (<agent decision box key list> | all) delete
Description
You can use the command agent decision box to display or delete a
decision box agent. A decision box provides a user with two options for
accessing a system.
Note
You cannot use the command line interface to create or modify the messages
that display in a decision box. You can edit customizable messages using the
visual policy editor. For more information about using the editor, see
Creating Access Profiles and Access Policies in Configuration Guide for
BIG-IP® Access Policy Manager™.
3 - 44
Examples
Displays a list of decision box agents:
agent decision box show
Deletes the decision box agent named MyDecisionBoxAgent:

agent decision box MyDecisionBoxAgent delete
Options
You can use these options with the command agent decision box:
◆ name
Specifies the name of a Decision Box agent. This setting is required.
◆ partition
See also
aaa ldap(1), agent aaa radius(1), agent ending denied(1), agent ending

Chapter 3
agent ending denied

Manages an ending denied agent.
Syntax
Use this command to create, modify, display, or delete an ending denied
agent.
Create/Modify
Important
agent ending denied <agent ending denied key list> {}

agent ending denied (<agent ending denied key list> | all) \
[{] <agent ending denied arg list> [}]
<agent ending denied key> ::=
<name>
<agent ending denied arg> ::=
customization group (<string> | none)
partition <name>
Display
agent ending denied [<agent ending denied key list> | all] [show [all]]
agent ending denied [<agent ending denied key list> | all] list [all]
agent ending denied [<agent ending denied key list> | all] customization group [show]
agent ending denied [<agent ending denied key list> | all] name [show]
agent ending denied [<agent ending denied key list> | all] partition [show]
Delete
agent ending denied (<agent ending denied key list> | all) delete
Description
Access policy endings indicate the final outcome of a branch of an access
policy. The Logon Denied ending is the final result of an incorrect logon
attempt. When a user reaches a Logon Denied ending, the user sees an error
message. You can use the command agent ending denied to create and
manage an Ending Denied agent.
3 - 46
Examples
Creates the Ending Denied agent named MyEndingDeniedAgent that is
associated with the MyLogOffCG customization group:
agent ending denied MyEndingDeniedAgent customization group MyLogOffCG
Displays a list of Ending Denied agents:

agent ending denied show
Deletes the Ending Denied agent named MyEndingDeniedAgent:

agent ending denied MyEndingDeniedAgent delete
Options
You can use these options with the command agent ending denied:
◆ customization group
Customizes the logon denied page, for example, adds a specific reason
for the denial of access. This setting is required, and the customization
group that you assign must be of the type logout.
◆ name
Specifies the name of an Ending Denied agent. This setting is required.
◆ partition
See also
aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending

Chapter 3
agent ending redirect

Manages an Ending Redirect agent.
Syntax
Use this command to create, modify, display, or delete an Ending Redirect
agent.
Create/Modify
Important
agent ending redirect <agent ending redirect key list> {}

agent ending redirect (<agent ending redirect key list> | all) \
[{] <agent ending redirect arg list> [}]
<agent ending redirect key> ::=
<name>
<agent ending redirect arg> ::=
partition <name>
url (<string> | none)
Display
agent ending redirect [<agent ending redirect key list> | all] [show [all]]
agent ending redirect [<agent ending redirect key list> | all] list [all]
agent ending redirect [<agent ending redirect key list> | all] name [show]
agent ending redirect [<agent ending redirect key list> | all] partition [show]
agent ending redirect [<agent ending redirect key list> | all] url [show]
Delete
agent ending redirect (<agent ending redirect key list> | all) delete
Description
policy. The Redirect ending is the result of the originally requested host
being unavailable. When a user reaches a Redirect ending, the user sees a
screen indicating that the user is being redirected to a different URL. You
can use the command agent ending redirect to create and manage an
Ending Redirect agent.
3 - 48
Examples
Creates the Ending Redirect agent named MyEndingRedirectAgent that
redirects a connection to http://www.myweb.com:
agent ending redirect MyEndingRedirectAgent { url "http://www.myweb.com" }
Displays a list of Ending Redirect agents:

agent ending redirect show
Deletes the Ending Redirect agent named MyEndingRedirectAgent:

agent ending redirect MyEndingRedirectAgent delete
Options
You can use these options with the command agent ending redirect:
◆ name
Specifies the name of an Ending Redirect agent. This setting is required.
◆ partition
◆ url
Specifies the URL to which the system redirects the original request.
This setting is required, and you must specify an absolute URL. An
absolute URL specifies the exact location of a file or directory on the
internet.
See also
denied(1), agent ending webtop(1), agent endpoint windows browser

Chapter 3
agent ending webtop

Manages an Ending Webtop agent.
Syntax
Use this command to create, modify, display, or delete an Ending Webtop
agent.
Create/Modify
Important
agent ending webtop <agent ending webtop key list> {}

agent ending webtop (<agent ending webtop key list> | all) \
[{] <agent ending webtop arg list> [}]
<agent ending webtop key> ::=
<name>
<agent ending webtop arg> ::=
partition <name>
Display
agent ending webtop [<agent ending webtop key list> | all] [show [all]]
agent ending webtop [<agent ending webtop key list> | all] list [all]
agent ending webtop [<agent ending webtop key list> | all] name [show]
agent ending webtop [<agent ending webtop key list> | all] partition [show]
Delete
agent ending webtop (<agent ending webtop key list> | all) delete
Description
policy. A Webtop ending is a successful ending in which the system
displays the user’s home page, which grants access to the network access
connection. You can use the command agent ending webtop to create and
manage an Ending Webtop agent.
3 - 50
Examples
Creates the Ending Webtop agent named MyEndingWebtopAgent:
agent ending webtop MyEndingWebtopAgent { }
Displays a list of Ending Webtop agents:

agent ending webtop show
Deletes the Ending Webtop agent named MyEndingDeniedAgent:

agent ending Webtop MyEndingWebtopAgent delete
Options
You can use these options with the command agent ending webtop:
◆ name
Specifies the name of an Ending Webtop agent. This setting is required.
◆ partition
See also
denied(1), agent ending redirect(1), agent endpoint windows browser

Chapter 3
agent endpoint linux check file

Manages an Endpoint Linux Check File agent.
Syntax
Use this command to create, modify, display, or delete an Endpoint Linux
Check File agent.
Create/Modify
bigpipe agent endpoint linux check file <agent endpoint linux check file key list> {}
bigpipe agent endpoint linux check file (<agent endpoint linux check file key list> |
all) [{] <agent endpoint linux check file arg list> [}]
<agent endpoint linux check file key> ::=
<name>
<agent endpoint linux check file arg> ::=
files (<endpoint linux check file item list> | none) [add | delete]
partition <name>
<endpoint linux check file item> ::= [{] <endpoint linux check file item arg list> [}]
<endpoint linux check file item arg> ::=
filename (<string> | none)
md5 (<string> | none)
size <number>
modified <date>
Display
bigpipe agent endpoint linux check file [<agent endpoint linux check file key list> |
all] [show [all]]
all] list [all]
all] files [show]
all] name [show]
all] partition [show]
Delete
bigpipe agent endpoint linux check file (<agent endpoint linux check file key list> |
all) delete
Description
The BIG-IP Access Policy Manager checks for the presence of one or more
files on a client that is attempting to connect.
3 - 52
If a file with the described properties exists, the action goes to the successful
branch. If the file does not exist, or a file exists but one or more properties
are not correct, the action goes to the fallback branch.
You can use the command agent endpoint linux check file to create or
manage an Endpoint linux Check File agent that verifies the presence of
specified linux files on a client.
Examples
Creates the Endpoint Linux Check File agent named
Myprofile_act_file_check_ag that checks that the client contains two files
located in the /tmp/demo directory: a 12 byte file named B<demofile> that
was modified no later than January 6, 2007 at 10:30 and has an MD5
checksum of 6b61ad518c23650b17e738e1fa2bb04e, and a 9 byte file
named testfile that has an MD5 check sum of
f20d9f2072bbeb6691c0f9c5099b01f3:
bigpipe agent endpoint linux check file Myprofile_act_file_check_ag {
files {
filename "/tmp/demo/demofile"
md5 "6b61ad518c23650b17e738e1fa2bb04e"
modified 2007-06-01 10:30:10
size 12
}
{
filename "/tmp/demo/testfile"
md5 "f20d9f2072bbeb6691c0f9c5099b01f3"
size 9
}
}>
Displays information about the Endpoint linux Check File agent named
Company8profile_act_file_check_ag:
bigpipe agent endpoint linux check file Company8profile_act_file_check_ag list all
Deletes the /tmp/demo/demofile file from the Endpoint linux Check File
agent named B<Company8profile_act_file_check_ag:
bigpipe agent endpoint linux check file Company8profile_act_check_file { files { filename
"/tmp/demo/demofile" } delete
Options
You can use these options with the command agent endpoint linux check
file:
◆ files
Adds files to or deletes files from an Endpoint linux Check File agent.
You can specify the following attributes of the files that you want an
Endpoint linux Check File agent to verify the presence of on the client in
order to allow the access policy to pass.

Chapter 3
• filename of the file, including the full path, that you want an
Endpoint linux Check File agent to verify the presence of on the client
in order to allow the access policy to pass. When you want add a file
to or delete a file from the agent, this setting is required.
• md5 specifies the value of the MD5 checksum for the specified file
that you want an Endpoint linux Check File agent to verify on the
client to match in order to allow the access policy to pass. The default
is none.
• modified specifies the last modified date of the specified file that you
want an Endpoint linux Check File agent to verify on the client in
order to allow the access policy to pass. The default is 1970-01-01
00:00:00.
• size specifies the size, in bytes, of the specified file that you want an
Endpoint linux Check File agent to verify on the client in order to
allow the access policy to pass. The default is 0 (zero).
◆ partition
See also
denied(1), agent ending redirect(1), agent ending webtop(1), agent
endpoint windows check av(1), agent endpoint windows check file(1),
agent endpoint windows check fw(1), agent endpoint windows check
process(1), agent endpoint windows check registry(1), agent endpoint
windows info os(1), agent logging(1), agent logon page(1), agent message
box(1), agent resource assign(1), agent variable assign(1), agent vlan
selection(1)
3 - 54
agent endpoint windows browser cache cleaner

Manages an Endpoint Windows Browser Cache Cleaner agent.
Syntax
Use this command to create, modify, display, or delete an Endpoint
Windows Browser Cache Cleaner agent.
Create/Modify
agent endpoint windows browser cache cleaner \
<agent endpoint windows browser cache cleaner key list> {}
(<agent endpoint windows browser cache cleaner key list> | all) \
[{] <agent endpoint windows browser cache cleaner arg list> [}]
<agent endpoint windows browser cache cleaner key> ::=
<name>
<agent endpoint windows browser cache cleaner arg> ::=
clean passwords (enable | disable)
empty recycle bin (enable | disable)
monitor webtop (enable | disable)
partition <name>
remove connection entry (enable | disable)
Display
[<agent endpoint windows browser cache cleaner key list> | all] [show [all]]
[<agent endpoint windows browser cache cleaner key list> | all] list [all]
[<agent endpoint windows browser cache cleaner key list> | all] clean passwords [show]
[<agent endpoint windows browser cache cleaner key list> | all] \
empty recycle bin [show]
[<agent endpoint windows browser cache cleaner key list> | all] idle timeout [show]
[<agent endpoint windows browser cache cleaner key list> | all] monitor webtop [show]
[<agent endpoint windows browser cache cleaner key list> | all] name [show]
[<agent endpoint windows browser cache cleaner key list> | all] partition [show]
[<agent endpoint windows browser cache cleaner key list> | all] \
remove connection entry [show]

Chapter 3
Delete
(<agent endpoint windows browser cache cleaner key list> | all) delete
Description
Endpoint security is a centrally managed method of monitoring and
maintaining client-system security. You can use the command agent
endpoint windows browser cache cleaner to create and manage an
Endpoint Windows Browser Cache Cleaner agent, which cleans items from
the browser and the computer of the client after logoff, and also enforces
session inactivity timeouts.
Examples
Creates the Endpoint Windows Browser Cache Cleaner agent named
MyEndpointWBCCagent that does not enforce a timeout:
agent endpoint windows browser cache cleaner MyEndpointWBCCagent idle timeout 0
Creates the Endpoint Windows Browser Cache Cleaner agent named

MyEndpointWBCCagent that does not enforce a timeout, but does clear
saved passwords from the client after logoff:
agent endpoint windows browser cache cleaner MyEndpointWBCCagent \
{ idle timeout 0 clean passwords enable }
Displays a list of Endpoint Windows Browser Cache Cleaner agents:

agent endpoint windows browser cache cleaner show
Deletes the Endpoint Windows Browser Cache Cleaner agent named

MyEndpointWBCCagent:
agent endpoint windows browser cache cleaner MyEndpointWBCCagent delete
Options
You can use these options with the command agent endpoint windows
browser cache cleaner:
◆ clean passwords
When enabled, the Endpoint Windows Browser Cache Cleaner agent
ensures that saved passwords are cleared from the client after logoff. The
default is disable.
◆ empty recycle bin
empties the Recycle Bin on the client after logoff. The default is disable.
◆ idle timeout
Specifies the number of minutes that the client session can be idle before
the Endpoint Windows Browser Cache Cleaner agent disconnects the
session. The default is 0 (zero), which enforces no timeout. This setting
is required.
3 - 56
◆ monitor webtop
forces session termination if the browser or webtop is closed. The default
is disable.
◆ name
Specifies the name of the Endpoint Windows Browser Cache Cleaner
agent. This setting is required.
◆ partition
◆ remove connection entry
removes the connection from the Network Connections Dial-up
Networking folder on the client. The default is disable.
See also
endpoint windows check av(1), agent endpoint windows check file(1),
agent endpoint windows check fw(1), agent endpoint windows check
process(1), agent endpoint windows check registry(1), agent endpoint
windows info os(1), agent logging(1), agent logon page(1), agent message
box(1), agent resource assign(1), agent variable assign(1), agent vlan
selection(1)

Chapter 3
agent endpoint windows check av

Manages an Endpoint Windows Check AV agent.
Syntax
Windows Check AV agent.
Create/Modify
Important
agent endpoint windows check av <agent endpoint windows check av key list> {}
agent endpoint windows check av (<agent endpoint windows check av key list> | all) \
[{] <agent endpoint windows check av arg list> [}]
<agent endpoint windows check av key> ::=
<name>
<agent endpoint windows check av arg> ::=
items (<endpoint windows check av item list> | none) [add | delete]
partition <name>
<endpoint windows check av item> ::= [{] <endpoint windows check av item arg list> [}]
<endpoint windows check av item arg> ::=
db age <number>
db version (<string> | none)
id (<string> | none)
Display
agent endpoint windows check av [<agent endpoint windows check av key list> | all] \
[show [all]]
list [all]
items [show]
name [show]
partition [show]
3 - 58
Delete
agent endpoint windows check av (<agent endpoint windows check av key list> | all) delete
Description
endpoint windows check av to create and manage an agent that enforces
antivirus protection and performs endpoint checks for viruses.
Examples
Creates the Endpoint Windows Check Antivirus agent named
MyEndpointWCAVagent, which verifies that the specified anti-virus
software is running on the client that is attempting to connect:
agent endpoint windows check av MyEndpointWCAVagent items state enabled add
Displays a list of Endpoint Windows Check Antivirus agents:

agent endpoint windows check av show
Deletes the Endpoint Windows Check Antivirus agent named

MyEndpointWCAVagent:
agent endpoint windows check av MyEndpointWCAVagent delete
Options
check av:
◆ items
Adds items to or deletes items from an Endpoint Windows Check AV
agent. You can specify the following attributes for the antivirus software:
• db age
Specifies the maximum age of the anti-virus database that you want
an Endpoint Windows Check AV agent to verify the presence of on
the client in order to allow the access policy to pass.
• db version
Specifies the version of the anti-virus database that you want an
Endpoint Windows Check AV agent to verify the presence of on the
client in order to allow the access policy to pass.
• id
Specifies the ID of the anti-virus software that you want an Endpoint
Windows Check AV agent to verify the presence of on the client in
order to allow the access policy to pass.

Chapter 3
• state
When enabled, an Endpoint Windows Check AV agent verifies that
the specified anti-virus software is running on the client that is
attempting to connect. When disabled, the agent verifies only that the
antivirus software is present on the system. The default is disable.
• version
Specifies the version of the anti-virus software that you want an
Endpoint Windows Check AV agent to verify the presence of on the
◆ name
Specifies the name of an Endpoint Windows Check AV agent. This
◆ partition
See also
endpoint windows browser cache cleaner(1), agent endpoint windows
check file(1), agent endpoint windows check fw(1), agent endpoint
windows check process(1), agent endpoint windows check registry(1),
agent endpoint windows info os(1), agent logging(1), agent logon
page(1), agent message box(1), agent resource assign(1), agent variable
assign(1), agent vlan selection(1)
3 - 60
agent endpoint windows check file

Manages an Endpoint Windows Check File agent.
Syntax
Windows Check File agent.
Create/Modify
Important
agent endpoint windows check file <agent endpoint windows check file key list> {}
agent endpoint windows check file (<agent endpoint windows check file key list> | all) \
[{] <agent endpoint windows check file arg list> [}]
<agent endpoint windows check file key> ::=
<name>
<agent endpoint windows check file arg> ::=
files (<endpoint windows check file item list> | none) [add | delete]
partition <name>
<endpoint windows check file item> ::= [{] \
<endpoint windows check file item arg list> [}]
<endpoint windows check file item arg> ::=
filename (<string> | none)
md5 (<string> | none)
modified <date>
operation (equal | greater | lesser)
signer (<string> | none)
size <number>
Display
agent endpoint windows check file [<agent endpoint windows check file key list> | all] \
[show [all]]
list [all]
files [show]
name [show]

Chapter 3
part
Delete
agent endpoint windows check file (<agent endpoint windows check file key list> | all) \
delete
Description
The BIG-IP® Access Policy Manager checks for the presence of one or more
files on a client that is attempting to connect. If a file with the described
properties exists, the action goes to the successful branch. If the file does not
exist, or a file exists but one or more properties are not correct, the action
goes to the fallback branch.
You can use the command agent endpoint windows check file to create or
manage an Endpoint Windows Check File agent that verifies the presence of
specified Windows® files on a client.
Examples
Creates the Endpoint Windows Check File agent named
Myprofile_act_file_check_ag that checks that the client contains two files
located in the C:\demo directory:
• a 12 byte file named demofile that was modified no later than January 6,
2007 at 10:30, and has an MD5 checksum of
6b61ad518c23650b17e738e1fa2bb04e
• a 9 byte file named test.file that has an MD5 check sum of
f20d9f2072bbeb6691c0f9c5099b01f3:
agent endpoint windows check file Myprofile_act_file_check_ag {
files {
filename "C:\\demo\\demofile"
md5 "6b61ad518c23650b17e738e1fa2bb04e"
modified 2007-06-01 10:30:10
size 12
}
{
filename "C:\\demo\\test.file"
md5 "f20d9f2072bbeb6691c0f9c5099b01f3"
size 9
}
}
Displays information about the Endpoint Windows Check File agent named
Company8profile_act_file_check_ag:
agent endpoint windows check file Company8profile_act_file_check_ag list all
3 - 62
Deletes the C:\demo\demofile file from the Endpoint Windows Check File
agent named Company8profile_act_file_check_ag:
agent endpoint windows check file Company8profile_act_check_file \
{ files { filename "C:\\demo\\demofile" } delete }
Options
check file:
◆ files
Adds files to or deletes files from an Endpoint Windows Check File
agent. You can specify the following attributes of the files that you want
an Endpoint Windows Check File agent to verify the presence of on the
• filename
Specifies the name of the file, including the full path, that you want an
Endpoint Windows Check File agent to verify the presence of on the
client in order to allow the access policy to pass. When you want add
a file to or delete a file from the agent, this setting is required.
• md5
Specifies the value of the MD5 checksum for the specified file that
you want an Endpoint Windows Check File agent to verify on the
client to match in order to allow the access policy to pass. The default
is none.
• modified
Specifies the last modified date of the specified file that you want an
Endpoint Windows Check File agent to verify on the client in order to
allow the access policy to pass. The default is 1970-01-01 00:00:00.
• operation
Specifies the operator that you want an Endpoint Windows Check File
agent to use when verifying the attributes of the specified file on the
client. The default is equal.
• signer
Specifies whether you want an Endpoint Windows Check File agent
to verify that the specified file on the client is signed in order to allow
the access policy to pass. The default is none.
• size
Specifies the size, in bytes, of the specified file that you want an
Endpoint Windows Check File agent to verify on the client in order to
allow the access policy to pass. The default is 0 (zero).
• version
Specifies the version of the specified file that you want an Endpoint
Windows Check File agent to verify on the client in order to allow the
access policy to pass. The version must be this form: x.x.x.x and the
maximum value is 65535.65535.65535.65535. The default is none.
◆ name
Specifies the name of an Endpoint Windows Check File agent. This

Chapter 3

◆ partition
See also
check av(1), agent endpoint windows check fw(1), agent endpoint
3 - 64
agent endpoint windows check fw

Manages an Endpoint Windows Check FW agent.
Syntax
Windows Check FW agent.
Create/Modify
Important
agent endpoint windows check fw <agent endpoint windows check fw key list> {}
agent endpoint windows check fw (<agent endpoint windows check fw key list> | all) \
[{] <agent endpoint windows check fw arg list> [}]
<agent endpoint windows check fw key> ::=
<name>
<agent endpoint windows check fw arg> ::=
items (<endpoint windows check fw item list> | none) [add | delete]
partition <name>
<endpoint windows check fw item> ::= [{] <endpoint windows check fw item arg list> [}]
<endpoint windows check fw item arg> ::=
id (<string> | none)
Display
agent endpoint windows check fw [<agent endpoint windows check fw key list> | all] \
[show [all]]
list [all]
items [show]
name [show]
partition [show]
Delete
agent endpoint windows check fw (<agent endpoint windows check fw key list> | all) delete

Chapter 3
Description
endpoint windows check fw to create or manage an Endpoint Windows
Check FW agent that checks for the presence of the specified firewall on a
client.
Examples
Creates the Endpoint Windows Check FW agent named
MyEndpointWCFWagent, to which you can add items that you want the
agent to verify the presence of on the client:
agent endpoint windows check fw MyEndpointWCFWagent {}
Creates the Endpoint Windows Check FW agent named

MyEndpointWCFWagent, which verifies that the firewall running on the
client that is attempting to connect is version 2.0:
agent endpoint windows check fw MyEndpointWCFWagent \
{ items state enable version 2.0 }
Displays a list of Endpoint Windows Check FW agents:

agent endpoint windows check fw show
Deletes the Endpoint Windows Check FW agent named

MyEndpointWCFWagent:
agent endpoint windows check fw MyEndpointWCFWagent delete
Options
check fw:
◆ items
Adds an item to or deletes an item from an Endpoint Windows Check
FW agent. You can specify the following attributes to define the item:
• id
Specifies the ID of the firewall that you want an Endpoint Windows
Check FW agent to verify on the client in order to allow the access
policy to pass.
• state
When enabled, an Endpoint Windows Check FW agent verifies that
the specified firewall is running on the client that is attempting to
connect. When you enable this attribute, you must specify either the
ID or version of the firewall for which you want the agent to check.
The default is disable.
• version
Specifies the version of the firewall that you want an Endpoint
Windows Check FW agent to verify on the client in order to allow the
access policy to pass.
3 - 66
◆ name
Specifies the name of an Endpoint Windows Check FW agent. This
◆ partition
See also
check av(1), agent endpoint windows check file(1), agent endpoint

Chapter 3
agent endpoint windows check process

Manages an Endpoint Windows Check Process agent.
Syntax
Windows Check Process agent.
Create/Modify
Important
agent endpoint windows check process <agent endpoint windows check process key list> {}
agent endpoint windows check process \
(<agent endpoint windows check process key list> | all) \
[{] <agent endpoint windows check process arg list> [}]
<agent endpoint windows check process key> ::=
<name>
<agent endpoint windows check process arg> ::=
partition <name>
Display
[<agent endpoint windows check process key list> | all] [show [all]]
[<agent endpoint windows check process key list> | all] list [all]
[<agent endpoint windows check process key list> | all] expression [show]
[<agent endpoint windows check process key list> | all] name [show]
[<agent endpoint windows check process key list> | all] partition [show]
Delete
(<agent endpoint windows check process key list> | all) delete
3 - 68
Description
You can use the command agent endpoint windows check process to
create and manage an Endpoint Windows Check Process agent that collects
information about the Windows processes running on the client.
Examples
Creates the Endpoint Windows Check Process agent named
MyEndpointWCPagent that checks whether the client has installed either
NISUM.exe or blackd.exe, and navapsvc.*.
agent endpoint windows check process MyEndpointWCPagent
{ (NISUM.exe OR blackd.exe) AND navapsvc.* }
Displays a list of Endpoint Windows Check Process agents:

agent endpoint windows check process show
Deletes the Endpoint Windows Check Process agent named

MyEndpointWCPagent:
agent endpoint windows check process MyEndpointWCPagent delete
Options
check process:
◆ expression
Specifies the expression that you want an Endpoint Windows Check
Process agent to use to verify the processes that are running on the client
in order to allow the access policy to pass. You can use the following
operators: (and), AND, OR, NOT. You can also use wildcards in the
process name, for example, navapsvc.*.
◆ name
Specifies the name of an Endpoint Windows Check Process agent. This
◆ partition
See also
windows check fw(1), agent endpoint windows check registry(1), agent

Chapter 3
endpoint windows info os(1), agent logging(1), agent logon page(1),

agent message box(1), agent resource assign(1), agent variable assign(1),
agent vlan selection(1)
3 - 70
agent endpoint windows check registry

Manages an Endpoint Windows Check Registry agent.
Syntax
Windows Check Registry agent.
Create/Modify
Important
agent endpoint windows check registry <agent endpoint windows check registry key list> {}
agent endpoint windows check registry \
(<agent endpoint windows check registry key list> | all) \
[{] <agent endpoint windows check registry arg list> [}]
<agent endpoint windows check registry key> ::=
<name>
<agent endpoint windows check registry arg> ::=
partition <name>
Display
[<agent endpoint windows check registry key list> | all] [show [all]]
[<agent endpoint windows check registry key list> | all] list [all]
[<agent endpoint windows check registry key list> | all] expression [show]
[<agent endpoint windows check registry key list> | all] name [show]
[<agent endpoint windows check registry key list> | all] partition [show]
Delete
(<agent endpoint windows check registry key list> | all) delete

Chapter 3
Description
You can use the command agent endpoint windows check registry to
create and manage an Endpoint Windows Check Registry agent that collects
information about the Windows® registry keys on the client that is
attempting to connect.
Examples
Creates the Endpoint Windows Check Registry agent named
MyEndpointWCRagent that checks the registry on the client for version
5.0.2800.0 of Internet Explorer in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft directory:
agent endpoint windows check registry MyEndpointWCRagent {
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"."Version">= "5.0.2800.0" }
Displays a list of Endpoint Windows Check Registry agents:

agent endpoint windows check registry show
Deletes the Endpoint Windows Check Registry agent named

MyEndpointWCRagent:
agent endpoint windows check registry MyEndpointWCRagent delete
Options
check registry:
◆ expression
Specifies the expression that you want an Endpoint Windows Check
Registry agent to use to verify the registry entries that are present on the
client in order to allow the access policy to pass. You can use the
following operators: (and), AND, OR, NOT.
You must use quotation marks (" ") around key and value arguments, and
in data when the content contains spaces, commas, slashes, tabs, or other
delimiters. If quotation marks exist as part of a registry path or value
name, you must use quotation marks around those quotation marks.
The system treats data in the formats d.d[.d][.d] or d,d[,d][,d] (where d
is a number) as a version number. The system treats data in the format
mm/dd/yyyy as a date.
If the check is successful, the system returns 1. If the check fails, the
system returns 0 (zero). If the expression is incorrect, the system returns
-1.
◆ name
Specifies the name of the an Endpoint Windows Check Registry agent.
3 - 72

◆ partition
See also
windows check fw(1), agent endpoint windows info os(1), agent

Chapter 3
agent endpoint windows group policy

agent endpoint windows group policy command - Verifies that a
configuration file has been applied to the Windows Group Policy, and
creates result session variable.
Syntax
Use this command to manage an Endpoint Windows Group Policy agent.
Create/Modify
Important
bigpipe agent endpoint windows group policy (<agent endpoint windows group policy key> ||
all) [{] <agent endpoint windows group policy arg list> [}]
<agent endpoint windows group policy key> ::=
<name>
<agent endpoint windows group policy arg> ::=
name <name>
policy (<windows group policy key> | none)
Display
bigpipe agent endpoint windows group policy [<agent endpoint windows group policy key>
|all] [show [all]]
bigpipe agent endpoint windows group policy [<agent endpoint windows group policy key>
|all] list [all]
bigpipe agent endpoint windows group policy (<agent endpoint windows group policy key>
|all) edit
|all) name [show]
|all) partition [show]
|all) policy [show]
3 - 74
Delete
|all) delete
Description
You can use the command agent endpoint windows group policy to create,
modify, display, or delete an Endpoint Windows Group Policy agent.
Endpoint Windows Group Policy agents allow you to apply Windows
Group Policy to client machine. For more information see the Configuration
Guide for BIG-IP Local Traffic Manager/
Examples
Creates the FireWall_Setting_Template agent endpoint for the Access
Policy.
agent endpoint windows group policy> Firewall_Settings_Template
Displays a list of Endpoint Windows Info OS agents:

agent endpoint windows info os show
Edits the Firewall_Settings_Template agent endpoint for the Access

Policy:
agent endpoint windows info os MyEndpointWIOSagent delete
Options
You can use these options with the command agent endpoint windows info
os:
◆ name
Specifies the agent endpoint Windows Group Policy for the Access
Policy.
◆ policy
Specifies the Access Policy in which to apply the agent endpoint
Windows Group Policy.
See also
profile(1), <windows group policy(1), bigpipe(1)

Chapter 3
agent endpoint windows info os

Manages an Endpoint Windows Info OS agent.
Syntax
Windows Info OS agent.
Create/Modify
Important
agent endpoint windows info os <agent endpoint windows info os key list> {}
agent endpoint windows info os (<agent endpoint windows info os key list> | all) \
[{] <agent endpoint windows info os arg list> [}]
<agent endpoint windows info os key> ::=
<name>
<agent endpoint windows info os arg> ::=
partition <name>
Display
agent endpoint windows info os [<agent endpoint windows info os key list> | all] \
[show [all]]
list [all]
name [show]
partition [show]
Delete
agent endpoint windows info os (<agent endpoint windows info os key list> | all) delete
Description
You can use the command agent endpoint windows info os to create and
manage an Endpoint Windows Info OS agent that retrieves, from the client,
information about the Microsoft Windows® operating system, such as
version and hotfix number.
3 - 76
Examples
Creates the Endpoint Windows Info OS agent named
MyEndpointWIOSagent:
agent endpoint windows info os MyEndpointWIOSagent { }
Displays a list of Endpoint Windows Info OS agents:

agent endpoint windows info os show
Deletes the Endpoint Windows Info OS agent named

MyEndpointWCRagent:
agent endpoint windows info os MyEndpointWIOSagent delete
Options
os:
◆ name
Specifies the name of an Endpoint Windows Info OS agent. This setting
is required.
◆ partition
See also

Chapter 3
agent external logon page

Manages a External Logon Page agent.
Syntax
Use this command to create, modify, display, or delete a External Logon
Page agent.
Create/Modify
Important
bigpipe agent external logon page <agent external logon page key list> {}
bigpipe agent external logon page (<agent external logon page key list> | all) [{] <agent
external logon page arg list> [}]
<agent external logon page key> ::=
<name>
<agent external logon page arg> ::=
uri (<string> | none)
partition <name>
Display
bigpipe agent external logon page [<agent external logon page key list> | all] [show
[all]]
bigpipe agent external logon page [<agent external logon page key list> | all] list [all]
bigpipe agent external logon page [<agent external logon page key list> | all] uri [show]
bigpipe agent external logon page [<agent external logon page key list> | all] name
[show]
bigpipe agent external logon page [<agent external logon page key list> | all] partition
[show]
Delete
bigpipe agent external logon page (<agent external logon page key list> | all) delete
3 - 78
Description
You can use the command agent external logon page to create and manage
an External Logon Page agent. This agent creates a external logon page,
which redirects the client browser to external logon page server. External
Logon Page server URI is defined by uri attribute. The user can authenticate
to that external logon server. When succeeded, that server will redirect the
client back to BIG-IP Secure Access Manager. The administrator can also
define uri attribute using a session variable.
Examples
Creates the External Logon Page agent named
MyExternalLogonPageAgent that is associated with the uri
MyExternalLogonPageServerURI.
bigpipe agent external logon page MyExternalLogonPageAgent { uri
"MyExternalLogonPageServerURI" }>
Displays a list of External Logon Page agents:

bigpipe agent external logon page MyExternalLogonPageAgent
delete
Deletes the External Logon Page agent named

MyExternalLogonPageAgent:
bigpipe agent external logon page MyExternalLogonPageAgent
delete
Options
os:
◆ name
Specifies the name of a External Logon Page agent. This setting is
required.
◆ partition
Specifies the partition within which the object resides.\
◆ uri
Specifies a predefined configuration that contains several settings that
you want the agent to use to configure a external logon page. This setting
is required.

Chapter 3
See also
3 - 80
agent logging
Manages a Logging agent.
Syntax
Use this command to create, modify, display, or delete a Logging agent.
Create/Modify
Important
agent logging <agent logging key list> {}

agent logging (<agent logging key list> | all) [{] <agent logging arg list> [}]
<agent logging key> ::=
<name>
<agent logging arg> ::=
partition <name>
variables (<logging item variable list> | none) [add | delete]
<logging item variable> ::= [{] <logging item variable arg list> [}]
<logging item variable arg> ::=
sessionvar (<string> | none)
Display
agent logging [<agent logging key list> | all] [show [all]]
agent logging [<agent logging key list> | all] list [all]
agent logging [<agent logging key list> | all] name [show]
agent logging [<agent logging key list> | all] partition [show]
agent logging [<agent logging key list> | all] variables [show]
Delete
agent logging (<agent logging key list> | all) delete

Chapter 3
Description
You can use the command agent logging to create and manage a Logging
agent that logs access control, remote connectivity, and audit events on the
BIG-IP® Access Policy Manager. Access Control event messages pertain
specifically to events such as client authentication, status of authentication,
and access control lists. Remote Connectivity event messages pertain
specifically to events such as network access and remote logging. Audit
events messages are those that the BIG-IP Access Policy Manager logs as a
result of changes made to system configuration.
Examples
Creates the Logging agent named MyProfile_act_logging_ag in partition
Common and adds two session variables that define actions that the agent
logs:
• session.logon.* indicates to log application logon attempts
• session.windows_check_file.Company8profile_act_file_check_ag.item_
x.filename indicates to log the outcome of the file check on the client.
The x in item_x indicates the order of the files in the list configured for
the file checker. The list starts with index 0 (zero).
agent logging MyProfile_act_logging_ag {

partition Common
variables
{
sessionvar "session.logon.*"
}
{
sessionvar
"session.windows_check_file.Company8profile_act_file_check_ag.item_x.filename"
}
}
Displays a list of Logging agents:

agent logging show
Deletes the session variable session.logon.* from the Logging agent named
Company8profile_act_logging_ag:
agent logging Company8profile_act_logging_ag \
{ variables { sessionvar "session.logon.*" } delete }
3 - 82
Options
You can use these options with the command agent logging:
◆ name
Specifies the name of a Logging agent. This setting is required.
◆ partition
◆ variables
Adds a variable to or deletes a variable from a Logging agent. You use
the sessionvar option to specify a session variable that indicates what
actions the system logs.
See also
endpoint windows info os(1), agent logon page(1), agent message box(1),
agent resource assign(1), agent variable assign(1), agent vlan
selection(1)

Chapter 3
agent logon page

Manages a Logon Page agent.
Syntax
Use this command to create, modify, display, or delete a Logon Page agent.
Create/Modify
Important
agent logon page <agent logon page key list> {}

agent logon page (<agent logon page key list> | all) [{] <agent logon page arg list> [}]
<agent logon page key> ::=
<name>
<agent logon page arg> ::=
customization group (<string> | none)
partition <name>
Display
agent logon page [<agent logon page key list> | all] [show [all]]
agent logon page [<agent logon page key list> | all] list [all]
agent logon page [<agent logon page key list> | all] customization group [show]
agent logon page [<agent logon page key list> | all] name [show]
agent logon page [<agent logon page key list> | all] partition [show]
Delete
agent logon page (<agent logon page key list> | all) delete
Description
You can use the command agent logon page to create and manage a Logon
Page agent. This agent creates a logon page, which contains the form for the
user to input the credentials required by an access policy. You can use the
customization group attribute to customize the logon page.
3 - 84
Examples
Creates the Logon Page agent named MyLogonPageAgent that is
associated with the customization group MyLogonPageCG:
agent logon page MyLogonPageAgent { customization group "MyLogonPageCG" }
Displays a list of Logon Page agents:

agent logon page show
Deletes the Logon Page agent named MyLogonPageAgent:

agent logon page MyLogonPageAgent delete
Options
You can use these options with the command agent logon page:
Specifies a predefined configuration that contains several settings that
you want the agent to use to configure a logon page. This setting is
required, and the customization group that you assign must be of the type
logon.
◆ name
Specifies the name of a Logon Page agent. This setting is required.
◆ partition
See also
endpoint windows info os(1), agent logging(1), agent message box(1),
selection(1)

Chapter 3
agent message box

Manages a message box agent.
Syntax
Use this command to create, display, or delete a message box agent.
Create/Modify
Important
agent message box <agent message box key list> {}

agent message box (<agent message box key list> | all) \
[{] <agent message box arg list> [}]
<agent message box key> ::=
<name>
<agent message box arg> ::=
partition <name>
Display
agent message box [<agent message box key list> | all] [show [all]]
agent message box [<agent message box key list> | all] list [all]
agent message box [<agent message box key list> | all] name [show]
agent message box [<agent message box key list> | all] partition [show]
Delete
agent message box (<agent message box key list> | all) delete
Description
You can use the command agent message box to create, display, or delete a
message box agent.
Note
You cannot use the command line interface to create or modify the messages
that display in a message box. You can edit customizable messages using the
visual policy editor. For more information about using the editor, see
Creating Access Profiles and Access Policies in Configuration Guide for
BIG-IP® Access Policy Manager™.
3 - 86
Examples
Creates the message box agent named MyMessageBoxAgent that is
associated with the customization group named MyMessageBoxCG:
agent message box MyMessageBoxAgent { customization group "MyMessageBoxCG" }
Displays a list of message box agents:

agent message box show
Deletes the message box agent named MyMessage BoxAgent:

agent message box MyMessageBoxAgent delete
Options
You can use these options with the command agent message box:
◆ name
Specifies the name of a message box agent. This setting is required.
◆ partition
See also
selection(1)

Chapter 3
agent resource assign

Manages a resource assign agent.
Syntax
Use this command to create, modify, display, or delete a resource assign
agent.
Create/Modify
Important
agent resource assign <agent resource assign key list> {}

agent resource assign (<agent resource assign key list> | all) \
[{] <agent resource assign arg list> [}]
<agent resource assign key> ::=
<name>
<agent resource assign arg> ::=
partition <name>
rules (<resource assign rule list> | none) [add | delete]
<resource assign rule> ::= [{] <resource assign rule arg list> [}]
<resource assign rule arg> ::=
acl (<string> | none)
connectivity resource group (<string> | none)
Display
agent resource assign [<agent resource assign key list> | all] [show [all]]
agent resource assign [<agent resource assign key list> | all] list [all]
agent resource assign [<agent resource assign key list> | all] caption [show]
agent resource assign [<agent resource assign key list> | all] name [show]
agent resource assign [<agent resource assign key list> | all] partition [show]
agent resource assign [<agent resource assign key list> | all] rules [show]
Delete
agent resource assign (<agent resource assign key list> | all) delete
3 - 88
Description
You can use the command agent resource assign to create and manage a
resource assign agent that assigns an access control list (ACL), a resource
group, or both to an access policy. A resource group is a collection of
resources, ACLs, and protection criteria that includes your company intranet
servers, applications, and network shares. An ACL is a set of restrictions
associated with a resource or favorite that defines access for users and
groups.
Examples
Creates the resource assign agent named MyAssignResourceAgent that is
associated with the customization group MyAssignResourceCG:
agent assign resource MyAssignResourceAgent { customization group "MyAssignResourceCG" }
Displays a list of resource assign agents:

agent assign resource show
Deletes the resource assign agent named MyAssignResourceAgent:

agent assign resource MyAssignResourceAgent delete
Options
You can use these options with the command agent resource assign:
◆ caption
Specifies the name of the resource assign agent that displays in the visual
policy editor. This setting is required.
◆ name
Specifies the name of the resource assign agent. This setting is required.
◆ partition
◆ rules
Adds a rule to or deletes a rule from the resource assign agent. You can
use the following attributes to define a rule:
• acl
Specifies an access control list that this rule assigns to users.
• connectivity resource group
Specifies the name of the connectivity resource group to which this
rule applies.
• expression
Specifies the expression that indicates which resource groups this rule
assigns to users.

Chapter 3
See also
acl(1), agent(1), agent aaa active directory(1), agent aaa clientcert(1),
agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent
ending denied(1), agent ending redirect(1), agent ending webtop(1),
agent endpoint windows browser cache cleaner(1), agent endpoint
windows check av(1), agent endpoint windows check file(1), agent
endpoint windows check fw(1), agent endpoint windows check
logon page(1), agent message box(1), agent variable assign(1), agent
vlan selection(1)
3 - 90
agent traffic control

Allows administrator to select a predefined traffic filter and assigns the
configuration to client components through result (session) variable.
Syntax
Use this command to create, modify, display, or delete a traffic control
agent.
Create/Modify
Important
bigpipe agent traffic control <bigpipe agent traffic control key> {}

bigpipe agent traffic control (<bigpipe agent traffic control key> | all) [{] <bigpipe
agent traffic control arg list> [}]
\
<bigpipe agent traffic control key> ::= <name>
<bigpipe agent traffic control arg> ::=
name <name>
traffic filter name <traffic filter key>
Display
bigpipe agent traffic control [<bigpipe agent traffic control key> | all] [show [all]]
bigpipe agent traffic control [<bigpipe agent traffic control key> | all] list [all]
bigpipe agent traffic control (<bigpipe agent traffic control key> | all) edit
bigpipe agent traffic control (<bigpipe agent traffic control key> | all) name [show]
bigpipe agent traffic control (<bigpipe agent traffic control key> | all) partition
[show]
bigpipe agent traffic control (<bigpipe agent traffic control key> | all) traffic filter
name [show
Delete
bigpipe agent traffic control (<bigpipe agent traffic control key> | all) delete
Description
You can use the command bigpipe agent traffic control to create and
manage a traffic control agent.

Chapter 3
Examples
Creates a traffic control agent used with the client configuration named tc1,
and sets the traffic filter name to tf1:
bigpipe agent traffic control tc1 {traffic filter name tf1
Displays a list of all traffic control agents on the system:

bigpipe agent traffic control list [all]
Deletes the traffic control agent tf2 from the system:

bigpipe agent traffic control tc1 traffic filter name tf2
Options
You can use these options with the command agent resource assign:.
◆ name
Specifies which traffic filter to associate with the traffic control agent
currently used.
◆ traffic filter name
Specifies which traffic filter to associate with the traffic control agent
currently used.
See also
bigpipe(1), service_flow(1), traffic_filter(1)
3 - 92
agent variable assign

Manages a variable assignment agent.
Syntax
Use this command to create, modify, display, or delete a variable
assignment agent.
Create/Modify
Important
agent variable assign <agent variable assign key list> {}

agent variable assign (<agent variable assign key list> | all) \
[{] <agent variable assign arg list> [}]
<agent variable assign key> ::=
<name>
<agent variable assign arg> ::=
partition <name>
variables (<variable assign item list> | none) [add | delete]
<variable assign item> ::= [{] <variable assign item arg list> [}]
<variable assign item arg> ::=
varname (<string> | none)
Display
agent variable assign [<agent variable assign key list> | all] [show [all]]
agent variable assign [<agent variable assign key list> | all] list [all]
agent variable assign [<agent variable assign key list> | all] name [show]
agent variable assign [<agent variable assign key list> | all] partition [show]
agent variable assign [<agent variable assign key list> | all] variables [show]
Delete
agent variable assign (<agent variable assign key list> | all) delete

Chapter 3
Description
You can use the command agent variable assign to create and manage a
variable assignment agent that assigns one or more variables to an access
policy.
Important
F5 Networks® recommends that you use the visual policy editor to create
complex variable assignments.
Examples
Creates the Myprofile_act_variable_assign_ag variable assignment agent
that automatically assigns the value of the common name field in the client
certificate to the username field of the logon page. This is useful when an
access policy contains the variable assignment agent in between the client
certification and the AAA Active Directory server query actions.
agent variable assign Myprofile_act_variable_assign_ag {
variables
{ varname "session.logon.last.username" expression "{[mcget {session.ssl.cert.cn}]}"
}
}
Creates an access policy that carries out a configured access control list
(ACL) when a particular branch in the access policy is followed, using the
variable assignment agent to populate the appropriate variables with the
ACL name.
agent variable assign Myprofile_act_variable_assign_ag {
variables
{ varname "config.connectivity_resource_network_access.MyprofileNR2.acl_name"
expression "expr {\"MY_ACL1\"}"
}
}
Displays a list of variable assignment agents:

agent variable assign show
Deletes the variable assignment agent named MyAssignVariableAgent:

agent variable assign MyAssignVariableAgent delete
3 - 94
Options
You can use these options with the command agent variable assign:
◆ name
Specifies the name of a variable assignment agent. This setting is
required.
◆ partition
◆ variables
Adds a variable to or deletes a variable from the variable assignment
agent. You must specify the following attributes for each variable:
• expression
A Tcl expression that the system evaluates, and then assigns the value
to a specific property of the assigned network access resource, or to a
newly created session variable.
• varname
A variable name that forms the left side of the expression. You can
use the name of an existing session variable or a new session variable.
See also
agent message box(1), agent resource assign(1), agent vlan selection(1)

Chapter 3
agent vlan selection

Manages a VLAN selection agent.
Syntax
Use this command to create, modify, display, or delete a VLAN selection
agent.
Create/Modify
Important
agent vlan selection <agent vlan selection key list> {}

agent vlan selection (<agent vlan selection key list> | all) \
[{] <agent vlan selection arg list> [}]
<agent vlan selection key> ::=
<name>
<agent vlan selection arg> ::=
gateway (<string> | none)
partition <name>
Display
agent vlan selection [<agent vlan selection key list> | all] [show [all]]
agent vlan selection [<agent vlan selection key list> | all] list [all]
agent vlan selection [<agent vlan selection key list> | all] gateway [show]
agent vlan selection [<agent vlan selection key list> | all] name [show]
agent vlan selection [<agent vlan selection key list> | all] partition [show]
Delete
agent vlan selection (<agent vlan selection key list> | all) delete
Description
You can use the command agent vlan selection to create and manage a
VLAN selection agent.
3 - 96
Examples
Creates the VLAN selection agent named MyVLANselectionAgent that
assigns the gateway LegacyRoute to the access policy:
agent vlan selection MyVLANselectionAgent { gateway "LegacyRoute" }
Displays a list of VLAN selection agents:

agent vlan selection show
Deletes the VLAN selection agent named MyVLANselectionAgent:

agent vlan selection MyVLANselectionAgent delete
Options
You can use these options with the command agent vlan selection:
◆ gateway
Specifies a VLAN gateway to assign to an access policy. Note that the
gateway must be defined on the server.
◆ name
Specifies the name of a VLAN selection agent. This setting is required.
◆ partition
See also
agent message box(1), agent resource assign(1), agent variable assign(1)

Chapter 3
connectivity resource
Manages a connectivity resource.
Syntax
Use this command to display or delete a connectivity resource.
<connectivity resource key> ::=
<name>
Create/Modify
Not applicable.
Display
connectivity resource [<connectivity resource key list> | all] [show [all]]
connectivity resource [<connectivity resource key list> | all] list [all]
connectivity resource [<connectivity resource key list> | all] name [show]
Delete
connectivity resource (<connectivity resource key list> | all) delete
Description
You can use the command connectivity resource to manage a connectivity
resource that is a network access resource.
Examples
Displays information about the MyNetwork connectivity resource:
connectivity resource MyNetwork show all
Deletes the MyNetwork connectivity resource:

connectivity resource MyNetwork delete
Options
You can use these options with the command connectivity resource:
• name
Specifies the name of the connectivity resource. This setting is required.
3 - 98
See also
connectivity resource group(1), connectivity resource network access(1)

Chapter 3
connectivity resource
Manages a connectivity resource.
Syntax
Use this command to display or delete a connectivity resource.
<connectivity resource key> ::=
<name>
Create/Modify
Not applicable.
Display
connectivity resource [<connectivity resource key list> | all] [show [all]]
connectivity resource [<connectivity resource key list> | all] list [all]
connectivity resource [<connectivity resource key list> | all] name [show]
Delete
connectivity resource (<connectivity resource key list> | all) delete
Description
You can use the command connectivity resource to manage a connectivity
resource that is a network access resource.
Examples
Displays information about the MyNetwork connectivity resource:
connectivity resource MyNetwork show all
Deletes the MyNetwork connectivity resource:

connectivity resource MyNetwork delete
Options
You can use these options with the command connectivity resource:
◆ name
Specifies the name of the connectivity resource. This setting is required.

3 - 100
See also
connectivity resource group(1), connectivity resource network access(1)

Chapter 3
client rate class

Defines a subset of properties available from TCMon tool or Microsoft API
with other undefined or default values applied. Supported properties include
dcsp, rate, peak rate, mode, and interface to apply.
Syntax
Use this command to create, modify, display, or delete a bigpipe client rate
class.
Create/Modify
Important
bigpipe client rate class <bigpipe client rate class key> {}

bigpipe client rate class (<bigpipe client rate class key> | all) \
[{] <bigpipe client rate class arg list> [}]
<bigpipe client rate class key> ::=
<name>
<bigpipe client rate class arg> ::=
dscp <number>
interface (all | vpn)
mode (shape | discard | borrow )
name <name>
peak rate <number>
rate <number>
Display
bigpipe client rate class [<bigpipe client rate class key> | all] [show [all]]
bigpipe client rate class [<bigpipe client rate class key> | all] list [all]
bigpipe client rate class (<bigpipe client rate class key> | all) edit
bigpipe client rate class (<bigpipe client rate class key> | all) dscp [show]
bigpipe client rate class (<bigpipe client rate class key> | all) interface [show]
bigpipe client rate class (<bigpipe client rate class key> | all) mode [show]
bigpipe client rate class (<bigpipe client rate class key> | all) name [show]
bigpipe client rate class (<bigpipe client rate class key> | all) partition [show]
bigpipe client rate class (<bigpipe client rate class key> | all) peak rate [show]
bigpipe client rate class (<bigpipe client rate class key> | all) rate [show]
3 - 102
Delete
bigpipe client rate class (<bigpipe client rate class key list> | all) delete
Description
You can use the command bigpipe client rate class to create and manage a
bigpipe client rate class, which is used in traffic control.
Examples
Creates a bigpipe client rate class used in traffic control named bigpipe
client rate class sf1, sets the descp to 40 and the rate to 60000, sets the peak
rate to 80000, and sets the mode to shape interface VPN:
bigpipe client rate class sf1{
dscp "40"
rate "60000"
peak rate "80000 "
mode "shape interface vpn"
}>
Creates a connectivity resource group named MyCRG that contains the

connectivity resources MyNetwork:
connectivity resource group MyCRG \
{ connectivity resources MyNetwork }
Displays a list of all bigpipe client rate class on the system:

bigpipe bigpipe client rate class list [all]
Deletes the bigpipe client rate class named sf1 from the system:
bigpipe bigpipe client rate class sf1 delete
Options
You can use these options with the command client rate class command:
◆ name
Specifies the name of the bigpipe client rate class.
◆ dscp
Specifies six bits of DS field used as a codepoint to select the PHB (Per
Hope Behavior) for a packet in each network node.
◆ interface
Specifies which adapter interface to which the bigpipe client rate class is
to be added.
◆ mode
Specifies three different modes of traffic. You can select Borrow (allows
on the flow to borrow resources from other flows that are temporarily

Chapter 3
idle), Shape (delays packets submitted for transmission until they

conform to a specified flow parameters), or Discard (discards packets
that do not conform to a specified flow parameters).
◆ peak rate
Specifies a value to limit the burtness of the network traffic for a given
flow.
◆ rate
Specifies the value to specify the rate of the network traffic for a given
flow.
See also
bigpipe(1), traffic_filter(1), agent_traffic_control(1)
3 - 104
client traffic classifier

Contains a table of bigpipe client traffic classifier entries. Each bigpipe
client traffic classifier entry has property of protocol, src (ip|subnet
mask|port), dst (ip|subnet mask|port), and client rate class name.
Syntax
Use this command to create, modify, display, or delete a bigpipe client
traffic classifier.
Create/Modify
Important
bigpipe client traffic classifier <bigpipe client traffic classifier key list> {}
bigpipe client traffic classifier (<bigpipe client traffic classifier key list> | all)
[{] \
<bigpipe client traffic classifier arg list> [}]
<bigpipe client traffic classifier key> ::=
<name>
<bigpipe client traffic classifier arg> ::=
entries (<bigpipe client traffic classifier entry key list> | none) [add | delete]
<bigpipe client traffic classifier entry arg> ::=
protocol <number>
src ip <ip addr>
src mask <ip mask>
src port <number>
dst ip <ip addr>
dst mask <ip mask>
dst port <number>
client rate class name <name>
Display
bigpipe client traffic classifier [<bigpipe client traffic classifier key list> | all]
[show [all]]
list [all]
entries [show]
entries [<bigpipe client traffic classifier entry key list> | all] protocol [show]

Chapter 3
entries [<bigpipe client traffic classifier entry key list> | all] src ip [show]
entries [<bigpipe client traffic classifier entry key list> | all] src mask [show]
entries [<bigpipe client traffic classifier entry key list> | all] src port [show]
entries [<bigpipe client traffic classifier entry key list> | all] dst ip [show]
entries [<bigpipe client traffic classifier entry key list> | all] dst mask [show]
entries [<bigpipe client traffic classifier entry key list> | all] dst port [show]
entries [<bigpipe client traffic classifier entry key list> | all] client rate class
name [show]
entries [<bigpipe client traffic classifier entry key list> | all] partition [show]
Delete
bigpipe client traffic classifier (<bigpipe client traffic classifier key list> | all)
delete
Description
You can use the command bigpipe client traffic classifier to create and
manage a bigpipe client traffic classifier, which is used by traffic control
agent.
Examples
Creates a bigpipe client traffic classifier used in traffic control. Names the
bigpipe client traffic classifier sf1, sets the entry to entry1, sets the protocol
to 6, sets the dst ip to 192.168.0.0, sets the dst mask to 255.255.0.0, sets the
dst port to 0, and sets the client rate class name to sf1:
bigpipe client traffic classifier tf1{
entries entry1 {
protocol "6"
dst ip "192.168.0.0"
dst mask "255.255.0.0"
dst port "0"
client rate class name "sf1"
}>
entry2{protocol "6"
3 - 106
src ip "10.10.0.0"
src mask "255.255.255.0"
client rate class name "sf2"}}
Displays a list of all bigpipe client traffic classifiers on the system:

bigpipe client traffic classifier list [all]
Deletes the bigpipe client traffic classifier named B<tf1> from the system:
bigpipe client traffic classifier tf1 delete
Options
You can use these options with the command client rate class command:
◆ name
Specifies the name of the filtering rule.
◆ protocol
Specifies which traffic protocol to use in the filtering rule.
◆ src ip
Specifies the address from where the packet is being sent.
◆ src mask
Specifies the subnet mask for the source address.
◆ src port
Specifies a 16-bit number to identify the sending port for either UDP or
TCP network application.
◆ dst ip
Specifies the IP address of the receiver of the packet.
◆ dst mask
Specifies the subnet mask for the destination address.
◆ dst port
Specifies the 16-bit number to identify the sending port for either UDP or
TCP network application.
◆ client rate class name
Specifies to which client rate class the currently configured rule is to be
applied.
See also
bigpipe(1), service_flow(1), agent_traffic_control(1)

Chapter 3
connectivity resource group

Manages a connectivity resource group.
Syntax
Use this command to create, modify, display, or delete a connectivity
resource group.
Create/Modify
Important
connectivity resource group <connectivity resource group key list> {}

connectivity resource group (<connectivity resource group key list> | all) \
[{] <connectivity resource group arg list> [}]
<connectivity resource group key> ::=
<name>
<connectivity resource group arg> ::=
connectivity resources (<connectivity resource network access key list> | none) \
[add | delete]
partition <name>
Display
connectivity resource group [<connectivity resource group key list> | all] [show [all]]
connectivity resource group [<connectivity resource group key list> | all] list [all]
connectivity resource group [<connectivity resource group key list> | all] \
connectivity resources [show]
connectivity resource group [<connectivity resource group key list> | all] name [show]
connectivity resource group [<connectivity resource group key list> | all] \
partition [show]
Delete
connectivity resource group (<connectivity resource group key list> | all) delete
Description
You can use the command connectivity resource group to create and
manage a group of network access resources.
3 - 108
Examples
Creates a connectivity resource group named MyGroup to which you can
add connectivity resources:
connectivity resource group MyGroup { }
Creates a connectivity resource group named MyCRG that contains the

connectivity resources MyNetwork:
connectivity resource group MyCRG \
{ connectivity resources MyNetwork }
Displays a list of connectivity resource groups:

connectivity resource group MyCRG show
Deletes the connectivity resource group named MyCRG:

connectivity resource group MyCRG delete
Options
You can use these options with the command connectivity resource group:
◆ connectivity resources
Adds a connectivity resource to or deletes a connectivity resource from a
connectivity resource group.
◆ name
Specifies the name of a connectivity resource group. This setting is
required.
◆ partition
See also
connectivity resource(1), connectivity resource network access(1)

Chapter 3
connectivity resource network access

Manages network access for a connectivity resource.
Syntax
Use this command to define network access for a connectivity resource.
Create/Modify
Important
connectivity resource network access help

connectivity resource network access <connectivity resource network access key list> {}
connectivity resource network access \
(<connectivity resource network access key list> | all) \
[{] <connectivity resource network access arg list> [}]
<connectivity resource network access key> ::=
<name>
<connectivity resource network access arg> ::=
acl (<acl key> | none)
address space dhcp requests excluded (enable | disable)
address space exclude subnet (<network list> | none) [add | delete]
address space include dns name (<string list> | none) [add | delete]
address space include subnet (<network list> | none) [add | delete]
address space local subnets excluded (enable | disable)
address space protect (enable | disable)
application launch (<application launch list> | none) [add | delete]
client interface speed <number>
client ip filter engine (enable | disable)
client power management (ignore | prevent | terminate)
client proxy (enable | disable)
client proxy address (<ip addr> | none)
client proxy exclusion list (<string list> | none) [add | delete]
client proxy local bypass (enable | disable)
client proxy port (<service> | none)
client proxy script (<string> | none)
compression (none | gzip)
dns primary (<ip addr> | none)
dns secondary (<ip addr> | none)
3 - 110
dns suffix (<string> | none)

drive mapping (<drive mapping list> | none) [add | delete]
idle timeout threshold <number>
idle timeout window <number>
leasepool (<leasepool key> | none)
microsoft network client (enable | disable)
microsoft network server (enable | disable)
partition <name>
snat (none | automap)
split tunneling (enable | disable)
static host (<static host list> | none) [add | delete]
wins primary (<ip addr> | none)
wins secondary (<ip addr> | none)
<application launch> ::= [{] <application launch arg list> [}]
<application launch arg> ::=
os type (windows | mac | unix)
parameter (<string> | none
<drive mapping> ::= [{] <drive mapping arg list> [}]
<drive mapping arg> ::=
drive (d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | \
u | v | w | x | y | z)
<network> ::= [{] <network arg list> [}]
<network arg> ::=
host (<ip addr> | none)
mask (<ip addr> | none)
<static host> ::= [{] <static host arg list> [}]
<static host arg> ::=
address (<ip addr> | none)
Display
[<connectivity resource network access key list> | all] [show [all]]
[<connectivity resource network access key list> | all] list [all]
[<connectivity resource network access key list> | all] acl [show]
[<connectivity resource network access key list> | all] \
address space dhcp requests excluded [show]

Chapter 3

address space exclude subnet [show]
address space include dns name [show]
address space include subnet [show]
address space local subnets excluded [show]
[<connectivity resource network access key list> | all] address space protect [show]
[<connectivity resource network access key list> | all] application launch [show]
[<connectivity resource network access key list> | all] client interface speed [show]
[<connectivity resource network access key list> | all] client ip filter engine [show]
[<connectivity resource network access key list> | all] client power management [show]
[<connectivity resource network access key list> | all] client proxy [show]
[<connectivity resource network access key list> | all] client proxy address [show]
client proxy exclusion list [show]
client proxy local bypass [show]
[<connectivity resource network access key list> | all] client proxy port [show]
[<connectivity resource network access key list> | all] client proxy script [show]
[<connectivity resource network access key list> | all] compression [show]
[<connectivity resource network access key list> | all] description [show]
[<connectivity resource network access key list> | all] dns primary [show]
[<connectivity resource network access key list> | all] dns secondary [show]
[<connectivity resource network access key list> | all] dns suffix [show]
[<connectivity resource network access key list> | all] drive mapping [show]
[<connectivity resource network access key list> | all] idle timeout threshold [show]
[<connectivity resource network access key list> | all] idle timeout window [show]
3 - 112

[<connectivity resource network access key list> | all] leasepool [show]
microsoft network client [show]
microsoft network server [show]
[<connectivity resource network access key list> | all] name [show]
[<connectivity resource network access key list> | all] partition [show]
[<connectivity resource network access key list> | all] snat [show]
[<connectivity resource network access key list> | all] snatpool [show]
[<connectivity resource network access key list> | all] split tunneling [show]
[<connectivity resource network access key list> | all] static host [show]
[<connectivity resource network access key list> | all] wins primary [show]
[<connectivity resource network access key list> | all] wins secondary [show]
Delete
(<connectivity resource network access key list> | all) delete
Description
You can use the command connectivity resource network access to define
and manage network access for a connectivity resource.
Examples
Creates the MyNetwork connectivity resource network access definition
using the access control list MyACL:
connectivity resource network access MyNetwork { acl MyACL }
Displays a list of connectivity resource network access definitions:

connectivity resource network access show
Deletes the MyNetwork connectivity resource network access definition:

connectivity resource network access MyNetwork delete

Chapter 3
Options
You can use these options with the command connectivity resource
network access:
◆ acl
Specifies an access control list for a connectivity resource.
◆ address space dhcp requests excluded
When enabled, the system sends DHCP requests on the local area
network (LAN) interface. When disabled, DHCP requests pass through
the network access connection. If you enable this option, you must also
enable the split tunneling option. The default is disable.
◆ DHCP is a protocol for assigning dynamic IP addresses to devices on a
network. With dynamic addressing, a device can be assigned a different
IP address every time it connects to the network.
◆ address space exclude subnet
Adds a list of subnets that you want the system to exclude from the
network access connection.
◆ address space include dns name
Adds a DNS server as a connectivity resource on the network.
◆ address space include subnet
Adds a list of subnets that you want the system to port forward through a
network access connection.
◆ address space local subnets excluded
When enabled, permits access to local subnets and to any host or subnet
in the routes that you have specified in the routing table of the client.
When you enable this option, the network access client does not support
integrated IP filtering. The default is disable.
◆ address space protect
When enabled, the client monitors any changes to the routing table after
the network access connection has been established, and terminates the
connection if the routing table is modified. The default is disable.
◆ application launch
Adds the information to automatically launch an application from the
client after the network access session is established. You can specify the
following information:
• os type
The type of operating system on which the application runs.
• parameter
An application parameter.
• path
A path to the application that you want to automatically launch from
the client. Do not use apostrophes (’ ’) or quotation marks (" "). An
example of a correct path is: c:\program files\internet
explorer\iexplore.exe.
3 - 114
• client interface speed

Specifies the displayed byte rate of the network access adapter on the
client. The default is 5767168.
• client ip filter engine
Enables or disables an IP address filtering engine on the client. The
default is disable.
• client power management
Specifies to ignore, prevent, or terminate client power management.
The default is ignore.
• client proxy
Enables or disables the Proxy client. The default is disable.
• client proxy address
Specifies the IP address of the Proxy client.
• client proxy exclusion list
Adds a list of Web addresses that do not need to be accessed through
your proxy server to the connectivity resource network access, or deletes
the list. You can use wild cards to match domain and host names or
addresses, for example,
www.*.com, 128.*, 240.8, 8., mygroup.*, *.*.
• client proxy local bypass
When enabled, requests for local (intranet) addresses bypass the proxy
server. The default is disable.
• client proxy port
Specifies the port number of the proxy server that you want network
access clients to use to connect to the Internet. The default is any.
• client proxy script
Specifies the URL of a proxy autoconfiguration script, if one is used with
this connection.
• compression
Specifies whether you want the traffic between the network access client
and the BIG-IP® Access Policy Manager to be compressed.
You can specify one of the following:
• gzip
Compress network access connection traffic using the gzip deflate
method.
• none
Do not compress network access connection traffic. This is the
default.
• description
Describes a connectivity resource.
• dns primary
Specifies the primary IP address of the DNS server that the network
access client uses.
• dns secondary
Specifies the secondary IP address of the DNS server that the network
access client uses.

Chapter 3
• dns suffix
Specifies the DNS suffix the client uses to resolve DNS names, before
using the existing DNS suffix.
• drive mapping
Adds the drive mapping for a network shared drive that automatically
maps when a client establishes a connection to a connectivity resource,
or deletes the drive mapping. You must specify the following attributes
to map a drive:
• description
A description of the mapping of the drive.
• drive
The letter that identifies the drive. Choose a letter between d and z,
inclusive. The default is d. Note that currently, the system supports
only the Microsoft Windows® operating system.
• path
The path to the server.
• idle timeout threshold
Specifies the timeout threshold. The default is 0 (zero), which indicates
no timeout.
The timeout threshold defines, in bytes per second, the criterion for
updating the session. If the average byte rate falls below the threshold,
the session times out according to the inactivity timeout settings defined
in the access profile.
• idle timeout window
Specifies, in seconds, the period in which the average byte rate is
calculated. The idle timeout threshold defines, in bytes per second, the
criterion for updating a session.
• leasepool
Specifies a lease pool that assigns an IP address dynamically for all
network access connections using this connectivity resource.
• microsoft network client
Enables or disables the Microsoft® network client over the network
access connection. The default is disable.
• microsoft network server
Specifies, when enabled, that the network server can access remote
resources over a VPN connection. The default is enable.
• name
Specifies the name of a connectivity resource. This setting is required.
• network
Specifies the following parameters to identify a network:
• host
The IP address of the network.
3 - 116
• mask
The netmask of the network that represents the range of IP addresses
on the network. For example, you can use
ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff:: (with two
colons at the end), or 0000:0000:0000:0000/24.
• partition
• snat
Specifies how the system applies a selective and intelligent SNAT to
VPN traffic. You can specify one of the following:
• automap
The system uses the self IP address as the translation address. This is
the default.
• none
The system does not translate traffic.
• snatpool
Specifies the name of the SNAT pool that the BIG-IP Access Policy
Manager uses to implement selective and intelligent SNATs.
• split tunneling
When enabled, the client routes only traffic targeted to the specified
address space over the network access connection. All other traffic
bypasses the tunnel. The default is disable.
• static host
Adds a static host to or deletes a static host from a connectivity resource
that the client uses to look up DNS names after a network access
connection is established. You can specify the following attributes for a
static host:
• address
An IP address
• hostname
A host name
• wins primary
Specifies the primary IP address of the WINS server that the client uses.
Microsoft® networks need this address to function properly.
• wins secondary
Specifies the secondary IP address of the WINS server that the client
uses. Microsoft® networks need this address to function properly.
See also
acl(1), connectivity resource(1), connectivity resource group(1)

Chapter 3
connectivity resource web application

Allows to create web applications and their properties. Each web application
has its own properties.
In addition web application has items. An item is part of the application
defined by group of paths. Each item defines properties for part of the
application.
Syntax
Use this command to create, modify, display, or delete a web application.
Create/Modify
Important
connectivity resource web application <connectivity resource web application key> {}

connectivity resource web application (<connectivity resource web application key> | all)
[{] <connectivity resource web application arg list> [}]
<connectivity resource web application key> ::=
<name>
<connectivity resource web application arg> ::=
css patching (enable | disable)
host replace string (<string> | none)
host search strings (<string> | none)
html patching (enable | disable)
items (<web application resource item list> | none) [add | delete]
javascript patching (enable | disable)
name <name>
order <number>
patching type (full | minimal | no)
path match case (enable | disable)
proxy host (<string> | none)
proxy port (<service> | none)
scheme patching (enable | disable)
<web application resource item> ::= (<web application resource item key> | all) [{]
<web application resource item arg list> [}]
<web application resource item key> ::=
<name>
<web application resource item arg> ::=
3 - 118
client caching type (default | cache all | no cache)

compression type (none | gzip)
headers (<header data list> | none) [add | delete]
home tab (enable | disable)
host (<string> | none)
ip (<ip addr> | none)
log (none | summary | config | packet | verbose)
mask (<ip addr> | none)
name <name>
order <number>
paths (<string> | none)
port (<service> | none)
scheme (http | https)
session timeout (enable | disable)
session update (enable | disable)
<header data> ::= [{] <header data arg list> [}]
<header data arg> ::=
name <name>
value (<string> | none)
Display
javascript patching [show]
name [show]
order [show]
partition [show]
patching type [show]
path match case [show]
proxy host [show]
proxy port [show]
scheme patching [show]
Delete
connectivity resource web application \
(<connectivity resource web application key list> | all) delete

Chapter 3
Description
You can use the command connectivity resource web application to define
and manage web application for a connectivity resource.
Examples
Creates a web application with two items:
connectivity resource web application owa2007 {
description none
order 12
path match case enable
proxy host none
proxy port none
patching type full
host search strings none
host replace string none
scheme patching disable
html patching enable
javascript patching enable
css patching enable
partition Common
items item {
host "owa.mydomain.com"
ip 0.0.0.0
mask 0.0.0.0
scheme https
port https
paths "/exchange/* /owa/*"
order 1
log none
client caching type default
compression type none
session update enable
3 - 120
session timeout enable
home tab disable
headers none
item0 {
host "owa.mydomain2.com"
ip 0.0.0.0
mask 0.0.0.0
scheme http
port http
paths none
order 0
log none
client caching type default
compression type none
session update enable
session timeout enable
home tab enable
headers none
Displays a list of all connectivity resource web application on the system:

connectivity resource web application [<connectivity resource
web application key> | all] [show [all]

Chapter 3
Options
You can use these options with the command connectivity resource web
application:
◆ name
Specifies the name of the web application resource.
◆ css patching
Specifies whether to enable or disable patching for css content.
◆ description
Specifies an optional description of the web application resource.
◆ host replace string
Specifies the text that replaces the text in the host search string. This
applies to minimal patching cases only.
◆ host search string
Specifies the text to be identified and replaced with the text in the replace
search string. This applies to minimal patching cases only.
◆ html patching
Specifies whether to enable or disable patching for html content.
◆ items
Specifies the host name or IP address, the network mask (if the resource
is a network), the port, and any paths specified for a web application
resource. Multiple resource items in a single web application are listed
on separate lines.
◆ javascript patching
Specifies whether to enable or disable patching for javascript content.
◆ name
Specifies the name of the web application.
◆ order
Specifies the order of the web application.
◆ patching type>
Specifies the application patching type used with this application
resource. Select Full to use all application patching with your application
resource.
◆ path match case
Specifies the path to the web application.
◆ proxy host
Specifies the proxy host that the web application uses.
◆ scheme patching
This is for minimal patching, in cases where you want to change the
scheme from http to https as part of the patching instead of a complete
URI patching.
◆ client caching type
Specifies settings for client caching of web applications.
3 - 122
◆ compression type
Specifies that application data sent to the web application is either not
compressed or gzip.
◆ headers
Specifies any headers required by the web application.
◆ hometab
Specifies whether to enable or disable the home tab (toolbar) for a
particular web application resource item.
◆ host
Specifies the host of the web application resource.
◆ ip
Specifies the ip of the web application resource.
◆ log
Specifies the log level that is logged when actions of this type occur.
◆ mask
Specifies ipmask of the web application resource.
◆ order
Specifies or changes the order of your web application resource.
◆ path
Lists any paths defined for the web application resource.
The timeout threshold defines, in bytes per second, the criterion for
updating the session. If the average byte rate falls below the threshold,
the session times out according to the inactivity timeout settings defined
in the access profile.
◆ port
Lists the port defined for the for the web application resource.
◆ scheme
Specifies whether the URI scheme for the web application is http or
https.
◆ session timeout
Enables or disables the session timeout feature for a particular web
application resource.
◆ session update
Some web applications pages loaded through Web Applications
connections contain JavaScript code that regularly refreshes the page or
sends HTTP requests, regardless of user activity or inactivity. A session
that is abandoned at such a site does not time out, because it appears to
be active. When enabled, the session update feature prevents these
sessions from remaining active indefinitely.
◆ value
This a custom header value for the web application resource.

Chapter 3
See also
acl(1), connectivity resource(1), connectivity resource group(1),
connectivity resource group network access (1),
3 - 124
customization group
Manages a customization group.
Syntax
Use this command to create, modify, display, or delete a customization
group.
Create/Modify
Important
customization group <customization group key list> {}

customization group (<customization group key list> | all) \
[{] <customization group arg list> [}]
<customization group key> ::=
<name>
<customization group arg> ::=
action (update | deletefile | noop)
partition <name>
type (logon | logout | decision box | header | footer | errormap | \
message box | last)
Display
customization group [<customization group key list> | all] [show [all]]
customization group [<customization group key list> | all] list [all]
customization group [<customization group key list> | all] action [show]
customization group [<customization group key list> | all] name [show]
customization group [<customization group key list> | all] partition [show]
customization group [<customization group key list> | all] type [show]
Delete
customization group (<customization group key list> | all) delete
Description
You can use the command customization group to create and manage a
customization group. A customization group is a set of customizable
messages that the system can display. You can add a customization group to
an access profile or an agent.

Chapter 3
Examples
Creates the errormap customization group MyCG:
customization group MyCG type errormap
After you modify the MyCG customization group, activates the new setting:
customization group MyCG action update
Displays a list of customization groups:

customization group show
Deletes the customization group MyCG:

customization group MyCG delete
Options
You can use these options with the command customization group:
◆ action
Specifies the action to be performed on a parameter of the access profile
to which this customization group is associated. The default is noop. You
can specify one of the following:
• deletefile
Deletes the file that contains the settings associated with this
customization group.
• noop
Takes no action.
• update
Updates the settings associated with this customization group.
◆ name
Specifies the name of the customization group. This setting is required.
◆ partition
◆ type
Specifies the type of item you are customizing. This setting is required.
You can specify one of the following:
• decision box
A decision box displays two customized options from which the user
chooses.
• errormap
An errormap includes customized messages that are displayed when
specific errors occur during a network access session.
3 - 126
• footer
A page footer includes a string of text. This footer can contain your
custom text, with HTML tags.
• header
A page header can include left and right-aligned images and a header
background color.
• last
A placeholder that is for system use only. Do not use this type.
• logon
A logon page can contain information specific to your company.
• logout
A logoff page can contain a message for a successful logoff or an
access denied page.
• message box
A message box displays a message that you want the user to read after
taking a specific action.
See also
agent decision box(1), agent ending denied(1), agent logon page(1),
agent message box(1), profile access(1)

Chapter 3
leasepool
Manages a lease pool.
Syntax
Use this command to create, modify, display, or delete a lease pool.
Create/Modify
Important
leasepool <leasepool key list> {}

leasepool (<leasepool key list> | all) \
[{] <leasepool arg list> [}]
<leasepool key> ::=
<name>
<leasepool arg> ::=
members (<ip address range> list> | none) [add | delete]
partition <name>
Display
leasepool [<leasepool key list> | all] [show [all]]
leasepool [<leasepool key list> | all] list [all]
leasepool [<leasepool key list> | all] members [show]
leasepool [<leasepool key list> | all] name [show]
leasepool [<leasepool key list> | all] partition [show]
Delete
leasepool (<leasepool key list> | all) delete
Description
You can use the command leasepool to create and manage a lease pool.
3 - 128
Examples
Creates a lease pool named MyLeasePool that contains a range of pool
members with IP addresses from 172.168.0.1 - 172.168.0.254.
leasepool MyLeasePool members 172.168.0.1-172.168.0.254
Displays a list of lease pools:

leasepool list show
Deletes the lease pool MyLeasePool:

leasepool MyLeasePool delete
Options
You can use these options with the command leasepool:
◆ name
Specifies the name of the lease pool. This setting is required.
◆ members
Adds an IP address or a range of IP addresses to a lease pool, or deletes
an IP address or range of IP addresses from a lease pool.
◆ partition
See also
connectivity resource group(1)

Chapter 3
profile access
Manages an access profile.
Syntax
Use this command to create, modify, display, or delete an access profile.
Create/Modify
Important
profile access <profile access key list> {}

profile access (<profile access key list> | all) [{] <profile access arg list> [}]
<profile access key> ::=
<name>
<profile access arg> ::=
access policy (<access policy key> | none | default)
access policy timeout (<number> | immediate | indefinite | default)
class accepted languages (<string> | none | default)
class accepted languages display (<string> | none | default)
class browscap (<string> | none | default)
customization group (<string> | none | default)
default charset (english | arabic | baltic | central-eastern european | cyrillic |\
greek | hebrew | thai | turkish | utf-8 | vietnamese | western european | default)
defaults from (<profile access key> | none)
default language (<string> | none | default)
errormap group (<string> | none | default)
footer group (<string> | none | default)
generation action (increment | noop | default)
generation timeout (<number> | immediate | indefinite | default)
header group (<string> | none | default)
inactivity timeout (<number> | immediate | indefinite | default)
max concurrent users (<number> | default)
partition <name>
3 - 130
Display
profile access [<profile access key list> | all] stats reset
profile access [<profile access key list> | all] [show [all]]
profile access [<profile access key list> | all] list [all]
profile access [<profile access key list> | all] access policy [show]
profile access [<profile access key list> | all] access policy timeout [show]
profile access [<profile access key list> | all] class accepted languages [show]
profile access [<profile access key list> | all] class accepted languages display [show]
profile access [<profile access key list> | all] class browscap [show]
profile access [<profile access key list> | all] customization group [show]
profile access [<profile access key list> | all] default charset [show]
profile access [<profile access key list> | all] default language [show]
profile access [<profile access key list> | all] defaults from [show]
profile access [<profile access key list> | all] errormap group [show]
profile access [<profile access key list> | all] footer group [show]
profile access [<profile access key list> | all] generation action [show]
profile access [<profile access key list> | all] generation timeout [show]
profile access [<profile access key list> | all] header group [show]
profile access [<profile access key list> | all] inactivity timeout [show]
profile access [<profile access key list> | all] max concurrent users [show]
profile access [<profile access key list> | all] name [show]
profile access [<profile access key list> | all] partition [show]
profile access [<profile access key list> | all] stats [show]
Delete
profile access (<profile access key list> | all) delete
Description
You can use the command profile access to create and manage an access
profile. An access profile is a pre-configured group of settings that you can
use to configure secure network access for an application.

Chapter 3
Examples
Creates an access profile named MyAccessProfile that is based on the
default access profile named access, accepts the languages in the
my_accepted_languages class, uses English as the default language, and
utilizes these groups to customize the application pages and messages:
company_logout, company_header, company_footer and
company_errormap.
profile access MyAccessProfile {
defaults from access
class accepted languages "my_accepted_languages"
default language "en"
customization group "company_logout"
header group "company_header"
footer group "company_footer"
errormap group "company_errormap"
}
Displays a list of access profiles:

profile access show all
Deletes the access profile MyAccessProfile:

profile access MyAccessProfile delete
Options
You can use these options with the command profile access:
◆ access policy
Specifies the access policy that you want to implement using this access
profile. An access policy contains a visual representation of the steps that
the client and server go through before the BIG-IP® Access Policy
Manager grants access to a connection. This setting is required.
◆ access policy timeout
Specifies, for this access profile, the number of seconds within which a
user, who has followed through on a connection redirect, must access the
webtop. The default is 300 seconds. This option is designed to keep
malicious users from creating a DOS attack on the Access Policy
Manager.
◆ class accepted languages
Specifies the name of a class which defines the list of languages
supported by the Access Policy Manager. The default languages are en
(English), ja (Japanese), zh-cn (simplified Chinese [PRC]), and zh tw
(traditional Chinese [Taiwan]). This setting is required.
◆ class accepted languages display
This option is not currently available.
3 - 132
◆ class browscap
Specifies the name of a class, which defines a list of user agents that you
want the Access Policy Manager to support.
Specifies the customization group that defines what the successful logoff
and error pages look like. This setting is required.
◆ default charset
Do not use this option. Currently, F5 Networks® only supports UTF-8
encoding.
◆ defaults from
Specifies the default access policy from which this profile is created.
◆ default language
Specifies the default language for the Access Policy Manager that you
want to implement with this access profile. The default is en (English). If
the client requests a language that is not supported, the Access Policy
Manager uses the default value. This setting is required.
◆ errormap group
Specifies the customization settings for the error map that you want to
implement with this access profile. This setting is required.
◆ footer group
Specifies the customization settings for the footer that you want to
◆ generation action
When you modify an access profile, you create a new generation of the
access profile configuration. You can use one of the following options:
◆ Important: For the BIG-IP Access Policy Manager to use the new
generation access profile configuration, you must run the command
profile access generation action increment.
• increment
The system uses the new generation access configuration.
• noop
The system does no operation. This is the default value.
◆ generation timeout
Specifies the timeout, in seconds, for the new generation access
configuration.
◆ header group
Specifies the customization settings for the header that you want to
◆ inactivity timeout
Specifies, for this access profile, the number of seconds that the session
on the client can be idle before the server disconnects the VPN tunnel.
The default is 900 seconds.

Chapter 3
◆ max concurrent users

Specifies, for this access profile, the number of concurrent sessions
allowed. The default is 0 (zero), which represents unlimited sessions.
This field is Read-only for Application Editors. Users assigned any other
administrative role can modify this field.
◆ name
Specifies the name of the access profile. This setting is required.

◆ partition
See also
access(1)
3 - 134
profile certificate authority

Defines the settings necessary pertaining to the client certificate
authentication.
Syntax
Use this command to configure a certificate authority profile.
Create/Modify
Important
bigpipe profile certificateauthority <bigpipe profile certificateauthority key> {}

bigpipe profile certificateauthority (<bigpipe profile certificateauthority key> | all)
[{] <bigpipe profile certificateauthority arg list> [}]
<bigpipe profile certificateauthority key> ::=
<name>
<bigpipe profile certificateauthority arg> ::=
defaults from (<bigpipe profile certificateauthority key> | none)
name <name>
update crl (enable | disable)

Chapter 3
Display
bigpipe profile certificateauthority (<profile certificateauthority key> | all) delete
bigpipe profile certificateauthority [<profile certificateauthority key> | all] [show
[all]]
bigpipe profile certificateauthority [<profile certificateauthority key> | all] list
[all]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) edit
bigpipe profile certificateauthority (<profile certificateauthority key> | all)
authenticate depth [show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) ca file
[show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) crl file
[show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) defaults
from [show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) name
[show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) partition
[show]
bigpipe profile certificateauthority (<profile certificateauthority key> | all) update
crl [show]
Delete
profile certificate authority(<profile certificate authority key
list> | all) delete
Description
You can use the command profile certificate authority to define certificate
authority settings.
3 - 136
Examples
Creates a certificate authority profile named mycaprofile using the system
defaults.
bigpipe profile certificateauthority mycaprofile { ca file
my_root.crt }
Displays a list of certificate authority:

profile certificate authority show all
Deletes the certificate authority MyCertificateAuthority:

profile access MyCertficateAuthority delete
Options
You can use these options with the command profile certificate authority:
◆ defaults from
Specifies the profile that you want to use as the parent profile. The new
◆ ca file
Specify the certificate authority file name or, you can usedefault, for the
default certificate authority file name. Configures certificate verification
by specifying a list of client or server CAs that the traffic management
system trusts.
◆ crl file
Specify the certificate revocation list file name or, you can use default,
for the default certificate revocation file name.
Specifies the authentication depth. This is the client certificate chain
maximum traversal depth.
◆ update crl
Specifies that the CRL file updates automatically.
See also
virtual(1)

Chapter 3
profile ppp
Manages point-to-point protocol (PPP) global statistics.
Syntax
Use this command to display and reset PPP global statistics.
Create/Modify
Important
profile ppp <profile ppp key> {}

profile ppp (<profile ppp key> | all) [{] <profile ppp arg list> [}]
<profile ppp key> ::=
<name>
<profile ppp arg> ::=
lcp echo failure <number>
lcp echo interval <number>
vj (enable | disable)
Display
bigpipe profile ppp [<profile ppp key> | all] [show [all]]
Delete
bigpipe profile ppp [<profile ppp key> | all] stats reset
Description
You can use the command profile ppp to reset the PPP global statistics.
Examples
Displays point-to-point protocol global statistics for the BIG-IP Access
Policy Manager.
bigpipe profile ppp
Options
You can use these options with the command profile ppp:
3 - 138
◆ lcp echo failure

Number of consecutive PPP LCP echo messages that must go
unanswered for the server to drop PPP connection. For example, if the
server sends <number> of consecutive PPP LCP Echo Request messages
that go unanswered (by Echo Reply), it will close the PPP connection.
◆ lcp echo interval
Specifies interval in seconds between PPP LCP Echo Request messages
that the server sends to the peer (client).
◆ vj
VJ is a data compression protocol described in RFC 1144, specifically
designed by Van Jacobson to improve TCP/IP performance over slow
serial links. Van Jacobson Header Compression (also known as VJ
compression, or just Header Compression) is an option in most versions
of PPP.
◆ stats reset
Resets the statistics to zero.
See also
access(1), profile_access(1)

Chapter 3
profile rewrite
Allows for client caching.
Syntax
Use this command to manage client caching for a web application resource.
Create/Modify
Important
bigpipe profile rewrite <bigpipe profile rewrite key> {}

bigpipe profile rewrite (<bigpipe profile rewrite key> | all) [{] <bigpipe profile rewrite
arg list> [}]
<bigpipe profile rewrite key> ::=
<name>
<bigpipe profile rewrite arg> ::=
name <string>
parent profile <name>
client caching type (CSS and Javascript | CSS, Images and Javscript | no cache |
cache all )
Display
bigpipe profile rewrite [<bigpipe profile rewrite key> | all] [show [all]] delete
bigpipe profile rewrite [<bigpipe profile rewrite key> | all] [show] name
bigpipe profile rewrite [<bigpipe profile rewrite key> | all] parent profile [show]
bigpipe profile rewrite [<bigpipe profile rewrite key> | all] partition [show]
bigpipe profile rewrite [<bigpipe profile rewrite key> | all] client caching type [CSS
and Javascript | CSS, Images and Javscript | no cache | cache all]
Delete
bigpipe profile rewrite stats reset
Description
You can use the command to manage client caching for web application
resources.
3 - 140
Options
You can use these options with the command profile ppp:
◆ name
Specifies the name of the rewrite profile.
◆ parent profile
Specifies the profile from which the rewrite profile inherits properties.
Explicitly specified properties override inherited properties.
◆ client caching type
The rewrite profile provides four options for client caching. When a web
application resource item's Client Cache setting is set to Default, the
caching option configured in the rewrite profile is used. If the Client
Cache option is configured for any other setting, the web application
resource item caching configuration overwrites the setting in the rewrite
profile.
See also
access(1), profile_access(1)

Chapter 3
profile vpn
Creates, modifies, displays, or deletes a vpn profile.
Syntax
Use this command to configure a vpn profile.
Create/Modify
Important
profile vpn <profile vpn key> {}

profile vpn (<profile vpn key> | all) [{] <profile vpn arg list> [}]
<profile vpn key> ::=
<name>
<profile vpn arg> ::=
component update (yes | prompt | no)
compress buffer size <number>
compress cpusaver (enable | disable)
compress cpusaver high <number>
compress cpusaver low <number>
compress gzip level <number>
compress gzip memlevel <number>
compress gzip windowsize <number>
defaults from (<name> | none)
enforce session settings (enable | disable)
lcp echo failure <number>
lcp echo interval <number>
location dns list (<string list> | none) [add | delete]
name <name>
save password (enable | disable)
save password method (disk | memory)
save password timeout <number>
save servers on exit (enable | disable)
server list (<string list> | none) [add | delete]
vj (enable | disable)
wm server (<string> | none)
wm work url exceptions list (<string list> | none) [add | delete]
3 - 142
Display
profile vpn (<profile vpn key> | all) delete
profile vpn [<profile vpn key> | all] [show [all]]
profile vpn [<profile vpn key> | all] list [all]
profile vpn (<profile vpn key> | all) edit
profile vpn (<profile vpn key> | all) component update [show]
profile vpn (<profile vpn key> | all) defaults from [show]
profile vpn (<profile vpn key> | all) enforce session settings [show]
profile vpn (<profile vpn key> | all) location dns list [show]
profile vpn (<profile vpn key> | all) name [show]
profile vpn (<profile vpn key> | all) save password [show]
profile vpn (<profile vpn key> | all) save password method [show]
profile vpn (<profile vpn key> | all) save password timeout [show]
profile vpn (<profile vpn key> | all) save servers on exit [show]
profile vpn (<profile vpn key> | all) server list [show]
Delete
bigpipe profile vpn (<profile vpn key list> | all) delete
Description
The VPN profile is a subset of properties that can be configured as part of
the Connectivity Profile. Connectivity Profile is a data store for various
miscellaneous settings such as PPP, compression settings, and windows and
mobile clients settings, Idle Timeout, IP ToS, and Link QoS.
Example
Creates a vpn profile named myvpnprofile that inherits its settings from the
system default vpn profile.
bigpipe profile vpn myvpnprofile { }
Options
You can use these options with the command profile vpm:
◆ name
◆ component update
Specifies how Secure Access Client handles autoupdate: Select Yes to
automatically installs client update whenever one is available. Select
Prompt to notify the user before installing client update. Select No to
disable the client from receiving automatic updates.
◆ compress buffer size
Specifies the size of the output buffers containing compressed data.

Chapter 3
◆ cpusaver
Specifies, when enabled, that the system monitors the percentage of CPU
usage and adjusts compression rates automatically when the CPU usage
reaches either the CPU Saver High Threshold or the CPU Saver Low
Threshold.
◆ cpusaver high
Specifies the percentage of CPU usage at which the system starts
automatically decreasing the amount of content being compressed, as
well as the amount of compression which the system is applying.
◆ cpusaver low
Specifies the percentage of CPU usage at which the system resumes
content compression at the user-defined rates.
◆ compress gzip level
Specifies the degree to which the system compresses the content. Higher
compression levels slows down the compression process. The default
compression level is 6, which provides a higher amount of compression
at the expense of more CPU processing time. 1 is the lowest level of
compression, and 9 is the highest level. 0 disables compression.
◆ compress gzip memlevel
Specifies the number of kilobytes of memory that the system uses for
internal compression buffers when compressing data. You can select a
value between 1 and 256.
◆ compress gzip windowsize
Specifies the number of kilobytes in the window size that the system uses
when compressing data. You can select a value between 1 and 128.
◆ defaults from
Specifies the profile from which this profile inherits properties that are
not specified explicitly.
◆ enforce session settings
Specifies whether the Access Policy Manager always honors the session
settings configured by the administrator on the server, or could use
settings selected by user.
• Select enable to ensure that the Secure Access Client always uses the
session settings configured on the server.
• Select disable to ensure that the Secure Access Client uses settings
chosen by user.
◆ lcp echo failure

Number of consecutive PPP LCP echo messages that must go
unanswered for the server to drop PPP connection. For example, if the
server sends <number> of consecutive PPP LCP Echo Request messages
that go unanswered (by Echo Reply), it will close the PPP connection.
◆ lcp echo interval
Specifies interval in seconds between PPP LCP Echo Request messages
that the server sends to the peer (client).
3 - 144
◆ location dns list

Specifies a list of DNS suffixes that is used by the Network Location
Awareness feature of the Secure Access Client. This list represents the
internal network where local resources are available without the need of
a network access connection.
◆ save password
Specifies whether Secure Access Client allows user password caching.
◆ save password method
Specifies whether Secure Access Client saves encrypted passwords on
disk, or caches passwords in memory only.
◆ save password timeout
Specifies for how many minutes a cached password should remain valid
(applies only to in-memory password caching).
◆ save servers on exit
Specifies whether Secure Access Client maintains a list of Access Policy
Manager systems that the client accessed.
◆ server list
Specifies a list of server and alias pairs in the Secure Access Client's
server list. Server and Alias entry should be delimited by double colons
("::"). For example, "server1::alias2".
◆ vj
VJ is a data compression protocol described in RFC 1144, specifically
designed by Van Jacobson to improve TCP/IP performance over slow
serial links. Van Jacobson Header Compression (also VJ compression, or
just Header Compression) is an option in most versions of PPP.
◆ wm server
Specifies a server URL to which Secure Access Client for Windows
Mobile can connect.
◆ wm work url exceptions list
Specifies IP addresses and domain names that should be accessed
through Secure Access Client. For example 192.168.*, *.company.com,
server.company.com.
See also
profile(1), virtual(1), bigpipe(1), profile_connectivity(1)

Chapter 3
sso config
Creates, edits, and deletes sso configuration.
Syntax
Use this command to create, modify, display, or delete an sso configuration.
Create/Modify
Important
sso config <sso config key> {}

sso config (<sso config key> | all) [{] <sso config arg list>
[}]
<sso config key> ::=
<name>
<sso config arg> ::=
form action (<string> | none)
form params (<string> | none)
form password (<string> | none)
form username (<string> | none)
max redirects <number>
method (http basic | http formbased | http ntlmv1 | http
ntlmv2 | last)
name <name>
ntlm domain (<string> | none)
password source (<string> | none)
start uri (<string> | none)
username source (<string> | none)
Display
sso config (<sso config key> | all) delete
sso config [<sso config key> | all] [show [all]]
sso config [<sso config key> | all] list [all]
sso config (<sso config key> | all) edit
sso config (<sso config key> | all) form action [show]
sso config (<sso config key> | all) form params [show]
sso config (<sso config key> | all) form password [show]
sso config (<sso config key> | all) form username [show]
sso config (<sso config key> | all) max redirects [show]
3 - 146
sso config (<sso config key> | all) method [show]

sso config (<sso config key> | all) name [show]
sso config (<sso config key> | all) ntlm domain [show]
sso config (<sso config key> | all) partition [show]
sso config (<sso config key> | all) password source [show]
sso config (<sso config key> | all) start uri [show]
sso config (<sso config key> | all) username source [show]
Delete
sso config (<sso config key list> | all) delete
Description
You can use the command sso config to create and manage an sso
configuration.

Chapter 3
Examples
Creates an sso configuration for http basic authentication:
sso config sso1 {
method http basic
username source "session.sso.token.username"
password source "session.sso.token.password"
}
Creates an sso configuration for http NTLMv1 authentication:

sso config sso1 {
method http ntlmv1
ntlm domain none "olympus"
}

sso config sso1 {
method http ntlmv2
ntlm domain none "olympus"
}

sso config sso1 {
sso config sso-egor-test {
method http formbased
start uri "/SSO/passform.php"
form action "/SSO/passform.php"
form username "user"
form password "password"
form params "do_login 1
redir 1"
success match type url
success match value "http://yegor.lab.fp.f5net.com/SSO/authok.html
}
Options
You can use these options with the command sso config:
◆ start uri
Defines the start URI value, and if the http request URI matched with the
start URI value, the HTTP form-based Authentication will be performed
for SSO. Multiple start URI values can be specified for this attribute and
can be specified in multiple lines.
◆ form method
Defines the method of the http form-based auth for SSO, it's either GET
or POST. By the default, the form method value is POST. If GET is
specified, then the SSO authetnication will be converted as HTTP GET
request.
3 - 148
◆ form action
Defines the form action url that is used for http auth request for the SSO.
For example, /access/oblix/apps/webgate/bin/webgate.dll. If no value is
specified for this attribute, then the orignal request URL will be used for
the SSO authentication.
◆ form username
defines the parameter name of the logon username. For example, if the
http server expect the username in the form of userid=, then userid is
specified as the attribute value here.
◆ form password
Defines the parameter name of the logon password. For example, if the
http server expect the password in the form of pass=, then pass is
specified as the attribute value here.
◆ forms params
Defines the hidden parameter list that is required for the authentication.
The list can be speclified as multiple lines, with one hidden parameter in
each line. For example, do_login 1.
◆ success match type
Defines the success detection type, its value is either cookie or url. If
cookie is specified, then authetniation success condition is determined by
examing the cookie value from the response. If url is specified, then
authentication success condition is determined by examing the the
redirect URL from the http response.
◆ success match value
Defines the value that is used by the specified success detection type
above. Multiple values can be specified for this attribute and they can be
specified in multiple lines.
See also

Chapter 3
sys-icheck
Identifies unintended modifications to BIG-IP® system files.
Syntax
Use this command at the BIG-IP system prompt to identify any unintended
modifications to BIG-IP system files. Note that a hot fix (patch) is an
intended modification that will not be identified by the command
sys-icheck.
Usage
sys-icheck [options]
Options
You can use these options with the command sys-icheck.
• -w
Use this option to report Warn issues, as well as the default, Error
issues.
• -i
Use this option to report Info and Warn issues, as well as the default,
Error issues.
Description
The command sys-icheck identifies any unintended modifications to BIG-IP
system files and returns Error issues. Use the options to report Warn or
Info issues, as well.
Examples
Runs the sys-icheck utility, and returns Info, Error, and Warn issues:
sys-reset -i
See also
sys-reset(8)
3 - 150
sys-reset
Returns the configuration of the system to the factory default (installation
time) state.
Syntax
Use this command at the BIG-IP® system prompt to return the configuration
of the system to the factory default (installation time) state.
Usage
sys-reset [options]
Options
You can use these options with the command sys-reset.
• -h
Use this option to show help for the command sys-reset.
• -p
Use this option to ignore all applied hot fixes.
• -s
Use this option to prevent the /shared file system from being changed.
• -u
Use this option to ignore unrecoverable file errors.
Description
The command sys-reset runs the sys-icheck utility, and if there are no
system integrity issues, returns the system to the factory default state. Note
that if you have applied hot fixes (patches) to a system, you must specify an
override option in order for the command sys-reset to run.
Examples
Runs the command sys-reset to restore the system to the factory default
state ignoring any hot fixes that have been applied to the system:
sys-reset -p
Runs the command sys-reset to restore the system to the factory default
state without changing the /shared file system.
sys-reset -s
See also
sys-icheck(8)

Chapter 3
traffic class
Configures a traffic class.
Syntax
Use this command to configure a traffic class on the system.
Create/Modify
Important
bigpipe traffic class <traffic class key> {}

bigpipe traffic class (<traffic class key> | all) [{] <traffic
class arg list> [}]
<traffic class key> ::=
<name>
<traffic class arg> ::=
class name <name>
classification tag (<string> | none)
dst ip (<ip addr> | none)
dst mask (<ip addr> | none)
dst port (<service> | none)
proto <number>
src ip (<ip addr> | none)
src mask (<ip addr> | none)
src port (<service> | none)
Display
bigpipe traffic class [<traffic class key> | all] [show [all]]
bigpipe traffic class [<traffic class key> | all] list [all]
bigpipe traffic class (<traffic class key> | all) edit
bigpipe traffic class (<traffic class key> | all) class name
[show]
bigpipe traffic class (<traffic class key> | all) \
classification tag [show]
bigpipe traffic class (<traffic class key> | all) dst ip [show]
bigpipe traffic class (<traffic class key> | all) dst mask
[show]
bigpipe traffic class (<traffic class key> | all) dst port
[show]
3 - 152
bigpipe traffic class (<traffic class key> | all) partition

[show]
bigpipe traffic class (<traffic class key> | all) proto [show]
bigpipe traffic class (<traffic class key> | all) src ip [show]
bigpipe traffic class (<traffic class key> | all) src mask
[show]
bigpipe traffic class (<traffic class key> | all) src port
[show]
Delete
bigpipe traffic class (<traffic class key> | all) delete
Description
You can use the traffic class command to configure a traffic class, which is
a named group of ports, machines, and subnets. You can then assign this
traffic class to a virtual server in order to configure the virtual server to
achieve specific Quality of Service (QoS) standards.

Chapter 3
Examples
Displays tags for a traffic class named my_traffic_class:
bigpipe traffic class my_traffic_class classification tag
Displays all of the properties of all of the traffic classes:

bigpipe traffic class list all
Deletes the traffic class named my_traffic_class:

bigpipe traffic class my_traffic_class delete
Options
You can use these options with the command traffic class:
◆ class name
Specifies a unique name for the component. This option is required.
◆ classification
Specifies the actual textual tag to be associated with the flow if the traffic
class is matched. This option is required.
◆ dst ip
Specifies destination IP addresses for the system to use when evaluating
traffic flow. If traffic flow matches this value, it is tagged with the value
in the classification option. The default value is none.
◆ dst mask
Specifies a destination IP address mask for the system to use when
evaluating traffic flow. If traffic flow matches this value, it is tagged with
the value in the classification option. The default value is none.
◆ dst port
Specifies a destination port for the system to use when evaluating traffic
flow. If traffic flow matches this value, it is tagged with the value in the
classification option. The default value is 0 (zero).
◆ partition
Specifies the partition to which the traffic class configuration belongs.
Only users with access to a partition can view the objects (such as traffic
class configurations) that it contains. If the traffic class configuration
resides in the Common partition, all users can access it.
◆ proto
Specifies a protocol for the system to use when evaluating traffic flow. If
traffic flow matches this value, it is tagged with the value in the
classification option. The default value is any.
◆ src ip
Specifies source IP addresses for the system to use when evaluating
3 - 154
• src mask
Specifies a source IP address mask for the system to use when evaluating
◆ scr port
Specifies a source port for the system to use when evaluating traffic flow.
If traffic flow matches this value, it is tagged with the value in the B
classification option. The default value is 0 (zero)
See also
list(1), virtual(1)

Chapter 3
vlan gateway
Manages a VLAN gateway.
Syntax
Use this command to create, modify, display, or delete a VLAN gateway.
Create/Modify
Important
vlan gateway <vlan gateway key list> {}

vlan gateway (<vlan gateway key list> | all) \
[{] <vlan gateway arg list> [}]
<vlan gateway key> ::=
<name>
<vlan gateway arg> ::=
next hop ip (<ip addr> | none)
partition <name>
vlan name <name>
Display
vlan gateway [<vlan gateway key list> | all] [show [all]]
vlan gateway [<vlan gateway key list> | all] list [all]
vlan gateway [<vlan gateway key list> | all] name [show]
vlan gateway [<vlan gateway key list> | all] next hop ip [show]
vlan gateway [<vlan gateway key list> | all] partition [show]
vlan gateway [<vlan gateway key list> | all] vlan name [show]
Delete
vlan gateway (<vlan gateway key list> | all) delete
Description
You can use the command vlan gateway to create and manage a VLAN
gateway.
3 - 156
Examples
Creates a VLAN gateway named MyVLANgateway:
vlan gateway MyVLANgateway vlan name internal next hop ip 10.10.10.18
Displays a list of VLAN gateways:

vlan gateway show all
Deletes the VLAN gateway MyVLANgateway:

vlan gateway MyVLANgateway delete
Options
You can use these options with the command vlan gateway:
◆ name
Specifies the name of the VLAN gateway. This setting is required.
◆ next hop ip
Specifies the next hop IP address for the VLAN gateway entry. This
◆ partition
◆ vlan name
Specifies the name of the VLAN that you want to use as a gateway. This
See also
access(1), agent vlan selection(1)

Chapter 3
webtop
Allows administrator to define the settings necessary to define the webtop
displayed/assigned to the end-user as part of the access policy execution.
Syntax
Use this command to create, modify, display, or delete a webtop.
Create/Modify
Important
bigpipe webtop <webtop key> {}

bigpipe webtop (<webtop key> | all) [{] <webtop arg list> [}]
<webtop key> ::=
<name>
<webtop arg> ::=
customization group (<customization group key> | none)
minimize to tray (enable | disable)
name <name>
web applications start uri (<string> | none)
Display
bigpipe webtop (<webtop key> | all) delete
bigpipe webtop [<webtop key> | all] [show [all]]
bigpipe webtop [<webtop key> | all] list [all]
bigpipe webtop (<webtop key> | all) edit
bigpipe webtop (<webtop key> | all) customization group [show]
bigpipe webtop (<webtop key> | all) minimize to tray [show]
bigpipe webtop (<webtop key> | all) name [show]
bigpipe webtop (<webtop key> | all) partition [show]
bigpipe webtop (<webtop key> | all) web applications start uri
[show]
Delete
webtop (<webtop> | all) delete
3 - 158
Description
It defines the settings necessary to define the webtop displayed assigned to
the end-user as part of the access policy execution.
Examples
Creates a webtop name mynawebtop with the customization group
mywebtopcg1 and the network access minimize to tray option is disabled:
webtop mynawebtop { customization group mywebtopcg1 minimize to tray disable }
Creates a webtop name mywawebtop with the customization group

mywebtopcg1 and the start uri for the web application resource is
“http://www.abc.com:
{ customization group mywebtopcg1 web applications start uri
'"http://www.abc.com"' }
Options
You can use these options with the command webtop:
◆ web applications start uri
Specifies the start uri for the web application resource.
◆ minimize to tray
Specifies the option to minimize to the network access launch window to
the system tray.
Specifies the customization settings for the webtop. Note that the
customization group of type "webtop" needs to be created before the
webtop can be created. For example, customization group mywebtopcg1
{ type webtop } webtop mywawebtop { customization group
mywebtopcg1 web applications start uri '"http://www.abc.com"'}.
See also
bigpipe (1)

Chapter 3
windows group policy

Manages Windows Group Policy template files, displays information,
uploads new templates, and modifies existing templates.
Syntax
Use this command to manage a group policy's setting files.
Create/Modify
Important
bigpipe windows group policy <windows group policy key> {}

bigpipe windows group policy (<windows group policy key> | all)
[{] <windows group policy arg list> [}]
<windows group policy key> ::=
<name>
<windows group policy arg> ::=
name <name>
Display
bigpipe windows group policy [<windows group policy key> | all]
[show [all]]
bigpipe windows group policy [<windows group policy key> | all]
list [all]
edit
action [show]
description [show]
name [show]
partition [show]
Delete
delete
3 - 160
Description
An integration with "GPAnywhere for VPN" allows remediation through
delivery of Windows Group Policy to the endpoint attached to the Access
Policy Manager. For more information, see the BIG-IP Configuration
Guide for Local Traffic Manager.
Examples
Creates the Firewall_Settings_Template to enable the user's firewall:
windows group policy> Firewall_Settings_Template
Edits the Firewall_Settings_Template to modify the user's firewall

settings:
windows group policy> edit Firewall_Settings_Template
Options
You can use these options with the command windows group policy:
◆ description
Provides a brief description of the Windows group policy that was
created.
◆ name
Specifies the name of the Windows Group Policy.
See also
agent endpoint windows group policy(1), profile(1)

Chapter 3
3 - 162
4
• Introduction to VIPRION system commands

Introduction to VIPRION system commands

If you are running a VIPRION® system, you can license the system for the
first time, configure, and then maintain the system using the browser-based
Configuration utility or a command line interface utility. This chapter
contains syntax for commands that are used only when configuring
VIPRION systems. You can also use the bigpipe commands listed in
Chapter 2, Bigpipe Utility Command Reference, to configure VIPRION
systems.
For more information about configuring VIPRION systems, see the
Configuration Guide for the VIPRION® System.

VIPRION systems.

Chapter 4
cluster
Configures a cluster.
Syntax
Use this command to configure clusters.
Create/Modify
cluster (<cluster key> | all) [{] <cluster arg list> [}]
<cluster key> ::=
<name>
<cluster arg> ::=
addr (<network ip> | none)
(enable | disable)
members <cluster mbr list>
name <name>
<cluster mbr> ::= (<cluster mbr key> | all) [{] <cluster mbr arg list> [}]
<cluster mbr key> ::=
(<chassis slot key> | none)
<cluster mbr arg> ::=
addr (<network ip> | none)
(enable | disable)
priming (enable | disable)
slot id (<chassis slot key> | none)
Display
cluster [<cluster key> | all] [show [all]]
cluster [<cluster key> | all] list [all]
cluster (<cluster key> | all) addr [show]
cluster (<cluster key> | all) current primary slot id [show]
cluster (<cluster key> | all) enabled [show]
cluster (<cluster key> | all) ha state [show]
cluster (<cluster key> | all) members [<cluster mbr key> | all] [show [all]]
cluster (<cluster key> | all) members [<cluster mbr key> | all] list [all]
cluster (<cluster key> | all) members (<cluster mbr key> | all) addr [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) cluster [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) enabled [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) ha state [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) licensed [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) priming [show]
cluster (<cluster key> | all) members (<cluster mbr key> | all) slot id [show]
4-2
cluster (<cluster key> | all) members (<cluster mbr key> | all) state [show]
cluster (<cluster key> | all) min up members [show]
cluster (<cluster key> | all) name [show]
Delete
cluster (<cluster key> | all) members (<cluster mbr list> | none) delete
Description
You use the cluster command to modify the configuration of the primary
blade in a cluster. When you do this, the system automatically propagates
the changes to the other blades in the cluster. This is known as cluster
synchronization.
Examples
Sets the floating management IP address for cluster default to an IP address
of 192.168.217.44:
cluster default addr 192.168.217.44/24
Displays the floating management IP address of cluster my_cluster:

cluster my_cluster addr
Deletes the floating management IP address of cluster default:

cluster default addr none
Deletes the cluster member IP address of cluster member 1:

cluster default member 1 addr none
Sets the static IP address for slot 1 of cluster default to an IP address of

192.168.217.43:
cluster default member 1 addr 192.168.217.43
Options
You can use these options with the cluster command:
◆ addr
Specifies an IP address for the cluster or cluster member.
◆ current primary slot ID
Displays the slot number into which the primary blade in the cluster is
inserted.
Enables or disables the specified cluster or cluster member.
◆ ha state
Displays the high availability state of the cluster. The options are:
• Active
Indicates that a cluster is online and actively passing traffic.

Chapter 4
• Forced Offline
Indicates that a cluster is offline and cannot become Active due to an
Administrator action.
• Offline
Indicates that a cluster is offline and cannot become Active.
• Standby
Indicates that a cluster is online and available to become Active.
A cluster with a status of Standby changes to an Active status when
the other cluster in a redundant system configuration fails over.
◆ licensed
Indicates whether the cluster member is licensed.
◆ list
Displays the current configuration of the cluster.
◆ members
Adds a member to or deletes a member from a cluster. A cluster member
is a slot into which you insert a blade. The cluster member is identified
by the number of the slot.
◆ min up members
Specifies the minimum number of cluster members that must be up for
the cluster to remain Active. The default value is 0 (zero).
◆ min up members (enable/disable)
When enabled, specifies that when the number of active cluster members
is below the value of the min up members option, the cluster fails over
to its peer. Enable this parameter when you configure a redundant system
◆ priming
When enabled, if the cluster’s primary slot becomes unavailable, the
specified cluster member can become the primary slot. The default value
is enable.
◆ show
Displays the current state of the cluster and each cluster member.
◆ state
Displays the following information about a cluster member.
• build
Displays the build number of the software that is currently installed
on the blade in the specified slot.
• hotfix version
Displays the version of the software hotfix that is currently installed
on the blade in the specified slot.
• product
Displays the type of system.
• slot id
Displays the slot number into which the blade is inserted.
4-4
• version
Displays the version of the software, including the license
information, that is currently installed on the blade in the specified
slot.
See also
bigpipe(1)

Chapter 4
daemon
Configures the high availability functionality that is built into daemons.
Syntax
Use this command to modify or display daemons.
Modify
daemon <daemon key> {}
daemon (<daemon key> | all) [{] <daemon arg list> [}]
<daemon key> ::=
<name>
<daemon arg> ::=
heartbeat monitor (enable | disable)
heartbeat monitor (reboot | restart | failover | go active | no action | \
heartbeat monitor redundant (reboot | restart | failover | go active | \
heartbeat monitor stand alone (reboot | restart | failover | go active | \
name <name>
proc not run action (reboot | restart | failover | go active | no action | \
running (enable | disable)
running timeout <number>
Display
daemon [<daemon key> | all] [show [all]]
daemon [<daemon key> | all] list [all]
daemon (<daemon key> | all) heartbeat monitor [show]
daemon (<daemon key> | all) heartbeat monitor redundant [show]
daemon (<daemon key> | all) heartbeat monitor stand alone [show]
daemon (<daemon key> | all) name [show]
daemon (<daemon key> | all) proc not run action [show]
daemon (<daemon key> | all) running [show]
daemon (<daemon key> | all) running timeout [show]
4-6
Delete
daemon (<daemon key> | all) delete
Description
The daemon command provides the ability to precisely configure the
daemons that provide high availability functionality.
Examples
Enables the system to fail over and reboot due to lack of a detected heartbeat
from the sod daemon:
daemon sod heartbeat monitor enable
Options
You can use these options with the daemon command:
◆ heartbeat monitor
Enables or disables the heartbeat on the specified daemon, or performs an
action. Typically, if a daemon does not periodically connect with its
heartbeat location, it is restarted automatically. This command enables
you to disable automatic restart. The daemons that supply a heartbeat are:
bcm56xxd, clusterd, com_srv, gtmd, mcpd, pvac, sod, and tmm. The
Specifies the action the daemon should take if no heartbeat is detected.
You can specify the following actions with the specified daemon:
• bcm56xxd
The default and only action available for use with daemon bcm56xxd
is restart.
• clusterd
The default and only action available for use with daemon clusterd is
go offline and down links and restart.
• com_srv
The default and only action available for use with daemon com_srv is
restart.
• gtmd
The actions that are available for use with the daemon gtmd when the
system is licensed for the Global Traffic Manager are restart, restart
all, reboot, go offline, go offline and restart. The default value is go
offline and restart.
• mcpd
The actions that are available for use with the daemon mcpd are
restart, restart all, reboot, go offline, go offline and restart. The
default value is restart all.
• pvac
The default and only action available for use with daemon pvac is
restart.

Chapter 4
• sod
The default and only action available for use with daemon sod is
restart all.
• tmm
The default and only action available for use with the TMM daemon
is go offline and down links.
◆ heartbeat monitor redundant
Specifies the action the daemon should take if no heartbeat is detected on
the redundant heartbeat monitor. See the heartbeat monitor option for a
list of actions that are available for each daemon.
◆ heartbeat monitor stand alone
Specifies the action the daemon should take if no heartbeat is detected on
a standalone heartbeat monitor. See the heartbeat monitor option for a
list of actions that are available for each daemon.
◆ proc not run action
Specifies the action the daemon should take if a configured traffic or
system management action is not run. See the heartbeat monitor option
for a list of actions that are available for each daemon.
◆ running
Enables or disables actions configured for the traffic management and
system management daemons. You can use this feature to disable the
action a daemon takes during failover. For example, when you want to
stop a daemon and you do not want the cluster to failover, you can issue
the running disable command for the daemon. The default value is
disable.
◆ running timeout
Specifies the length of time you want disabled actions to remain
disabled. The default value is 10 seconds.
See also
4-8
failover
Configures and controls failover for a redundant system configuration.
Syntax
Use this command to control the failover of a system and configure the
failover feature for the system.
Create/Modify
Important
BIG-IP® Systems.
Use this syntax to configure the failover feature for a system:

<failover arg> ::=
(failback | offline | online | slave | standby)
failover list [all]
failover cable [show]

<failover arg> ::=
active-active mode (enable | disable)
force active (enable | disable)
force standby (enable | disable)
multicast peer (<multicast peer list> | none) [add | delete]
network failover (enable | disable)
peer mgmt addr (<ip addr> | none)
redundant (enable | disable)
standby link down time <float>
unicast peer (<unicast peer list> | none) [add | delete]
unit <number>
<multicast peer> ::= (<multicast peer key> | all) [{] <multicast peer arg list> [}]
<multicast peer key> ::=
<name>
<multicast peer arg> ::=

Chapter 4
interface (<string> | none)

name <name>
port <number>
<unicast peer> ::= (<unicast peer key> | all) [{] <unicast peer arg list> [}]
<unicast peer key> ::=
<name>
<unicast peer arg> ::=
dest addr (<ip addr> | none)
name <name>
port <number>
source addr (<ip addr> | none)
Use this syntax to control failover of a system:

failover (standby | offline | online | failback)
Display
failover list [all]
failover active-active mode [show]
failover force active [show]
failover force standby [show]
failover multicast peer [<multicast peer key> | all] [show [all]]
failover multicast peer [<multicast peer key> | all] list [all]
failover multicast peer (<multicast peer key> | all) addr [show]
failover multicast peer (<multicast peer key> | all) interface [show]
failover multicast peer (<multicast peer key> | all) name [show]
failover multicast peer (<multicast peer key> | all) port [show]
failover network failover [show]
failover peer mgmt addr [show]
failover redundant [show]
failover standby link down time [show]
failover unicast peer [<unicast peer key> | all] [show [all]]
failover unicast peer [<unicast peer key> | all] list [all]
failover unicast peer (<unicast peer key> | all) dest addr [show]
failover unicast peer (<unicast peer key> | all) name [show]
failover unicast peer (<unicast peer key> | all) port [show]
failover unicast peer (<unicast peer key> | all) source addr [show]
failover unit [show]
4 - 10
Delete
multicast cluster peer (<multicast cluster peer list> | none) delete
unicast cluster peer (<unicast cluster peer list> | none) delete
Description
Failover is a process that occurs when one unit in a redundant system
configuration becomes unavailable, thereby requiring a peer unit to assume
the processing of traffic originally targeted for the unavailable unit. To
facilitate coordination of the failover process, each unit has a Unit ID.
Examples
Causes the active unit to go into the standby state, forcing the other unit in
the redundant system configuration to become active:
failover standby
Restores an active-active configuration after a failure:

failover failback
Options
Use these options to control failover for the system:
◆ failback
Initiates failback for an active-active system. Failback re-establishes
normal system processing when a previously-unavailable unit becomes
available again. F5 recommends that you do not use active-active mode.
◆ offline
Changes the status of a unit to Forced Offline.
◆ online
Changes the status of a unit from Forced Offline to either Active or
Standby, depending upon the status of the other unit in a redundant
◆ standby
Causes the active unit to fail over to a Standby status, causing the
standby unit to become Active.
Use these options to configure failover for the system:

◆ active-active mode
Enables or disables active mode for a unit in a redundant system
configuration. The default value is disable. F5 recommends that you do
not use active-active mode.
◆ custom addr
Specifies the self-IP address or management IP address on the unit that
the network failover mechanism uses to listen for peer responses. When
using network failover, this is a required setting.

Chapter 4
◆ custom peer addr

Specifies the self-IP address or management IP address on the peer
system that the network failover mechanism uses to determine whether
the peer is responsive. When using network failover, this is a required
setting.
◆ failover cluster peer id
Specifies the floating management IP address of the peer unit.
◆ failover multicast cluster peer
Adds a multicast unit peer or deletes a multicast unit peer from the
specified unit for failover purposes. When you add a multicast unit peer
you include the following options:
• addr
Specifies the multicast IP address associated with the management
interface on the peer unit.
• interface
Specifies the management interface of the unit you are configuring.
The options are mgmt or eth0. The default value is eth0.
• name
Specifies the name of peer unit in this redundant system
configuration.
• port
Specifies the number of the service that you want to process the
multicast failover communication traffic between the units.
◆ failover unicast cluster peer
Adds a unicast unit peer or deletes a unicast unit peer from the specified
unit for failover purposes. When you add a unicast unit peer, you include
the following options:
• dest addr
Specifies a static self IP address associated with VLAN HA1 on the
peer unit. This is the IP address on the peer that receives a failover
message from the unit you are configuring.
• name
Specifies the name of peer unit in this redundant system
configuration.
• port
Specifies the number of the service that you want to process the
unicast failover communication traffic between the units.
• source addr
Specifies a static self IP address associated with VLAN HA1 on the
unit you are configuring. Failover messages from the unit to its peer
originate from this address.
◆ force active
When enabled, makes the unit prefer to be the active unit. The default
value is disable.
4 - 12
◆ force standby
When enabled, makes the unit prefer to be the standby unit. The default
value is disable.
◆ network failover
Specifies, when enabled, that this unit uses the network to determine the
status of the peer unit. The default value is disable.
◆ partition
Displays the partition within which the failover object resides.
◆ redundant
Enables or disables redundancy for a unit in a redundant system
◆ standby link down time
Specifies the amount of time, within the valid range of 0 - 10 seconds,
that the interfaces are down before the unit fails over to standby. Use this
setting to prompt peer switches to reset and relearn their Address
Resolution Protocol (ARP) tables after a failover. The default value is 0
(zero) seconds, which disables this option.
When using network failover, do not enable this feature unless you
configure the custom addr and custom peer addr settings to use the
management port.
◆ unit
Specifies a number for a unit in a redundant system configuration. The
default value is 1.
See also
bigpipe(1), statemirror(1)

Chapter 4
pool
Configures load balancing pools on the traffic management system.
Syntax
Use this command to create, modify, display, or delete a load balancing
pool.
Create/Modify
Important
BIG-IP® Systems.
pool <pool key> {}

pool (<pool key> | all) [{] <pool arg list> [}]
<pool key> ::=
<name>
<pool arg> ::=
action on svcdown (none | reset | drop | reselect)
lb method (round robin | rr | member ratio | member least conn | member observed | \
member predictive | ratio | node ratio | least conn | fastest | observed | \
predictive | dynamic ratio | fastest app resp | least sessions | \
member dynamic ratio | l3 addr)
members (<pool member list> | none) [add | delete]
min active members <number>
min up members (reboot | restart | failover | go active | no action | \
monitor all (none | <monitor key> |
min <number> of <monitor key list>
name <name>
nat (enable | disable)
4 - 14
reselect tries <number>

slow ramp time <number>
snat (enable | disable)
unit <number>
<pool member> ::= (<pool member key> | all) [{] <pool member arg list> [}]
<pool member key> ::=
<member>
<pool member arg> ::=
addr <member>
limit <number>
(up | down)
priority <number>
ratio <number>
weight <number>
pool (<pool key> | all) stats reset
Display
pool [<pool key> | all] [show [all]]
pool [<pool key> | all] list [all]
pool (<pool key> | all) action on svcdown [show]
pool (<pool key> | all) ip tos to client [show]
pool (<pool key> | all) ip tos to server [show]
pool (<pool key> | all) lb method [show]
pool (<pool key> | all) link qos to client [show]
pool (<pool key> | all) link qos to server [show]
pool (<pool key> | all) members (<pool member key> | all) stats reset
pool (<pool key> | all) members [<pool member key> | all] [show [all]]
pool (<pool key> | all) members [<pool member key> | all] list [all]
pool (<pool key> | all) members (<pool member key> | all) addr [show]
pool (<pool key> | all) members (<pool member key> | all) dynamic ratio [show]
pool (<pool key> | all) members (<pool member key> | all) limit [show]
pool (<pool key> | all) members (<pool member key> | all) monitor [show]
pool (<pool key> | all) members (<pool member key> | all) monitor state [show]
pool (<pool key> | all) members (<pool member key> | all) pool name [show]
pool (<pool key> | all) members (<pool member key> | all) priority [show]
pool (<pool key> | all) members (<pool member key> | all) ratio [show]
pool (<pool key> | all) members (<pool member key> | all) session [show]
pool (<pool key> | all) members (<pool member key> | all) stats [show]
pool (<pool key> | all) members (<pool member key> | all) weight [show]

Chapter 4
pool (<pool key> | all) min active members [show]

pool (<pool key> | all) min up members [show]
pool (<pool key> | all) monitor all [show]
pool (<pool key> | all) name [show]
pool (<pool key> | all) nat [show]
pool (<pool key> | all) partition [show]
pool (<pool key> | all) reselect tries [show]
pool (<pool key> | all) slow ramp time [show]
pool (<pool key> | all) snat [show]
pool (<pool key> | all) stats [show]
pool (<pool key> | all) unit [show]
Delete
pool (<pool key> | all) delete
Description
The pool command creates, deletes, modifies, and displays the pool
definitions on the traffic management system. Pools group the member
servers together to use a common load balancing algorithm.
Examples
Creates a pool with two members 10.2.3.11, and 10.2.3.12, where both
members use the Round Robin load balancing method, and the default
HTTP monitor checks for member availability:
pool mypool {
monitor all http
}
Deletes the pool mypool: (Note that all references to a pool must be
removed before a pool may be deleted.)
pool mypool delete
Displays statistics for all pools:

pool show
Displays settings of pool mypool:

pool mypool show
4 - 16
Options
You can use these options with the pool command:
◆ action on svcdown
Specifies the action to take if the service specified in the pool is marked
down. Possible values are none, reset, drop, or reselect. You can
specify no action with none, you can reset the system with reset, you can
drop connections using drop, or you can reselect a node for the next
packet that comes in on a Layer 4 connection if the existing connection’s
service is marked down by specifying reselect. The default value is
none.
◆ <ip:service>
Specifies an IP address and service being assigned to a pool as a member.
For example: 10.2.3.12:http.
◆ ip tos to client and ip tos to server
Specifies the Type of Service (ToS) level to use when sending packets to
a client or server. The default value is 65535.
◆ lb method
Specifies the load balancing mode that the system is to use for the
specified pool.
• dynamic ratio
Specifies a range of numbers that you want the system to use in
number is 1.
• fastest
response of all currently active nodes in a pool. This method may be
particularly useful in environments where nodes are distributed across
different logical networks.
• fastest app resp
application response of all currently active nodes in a pool.
• l3 addr
member configured using its IP address. The IP address is a Layer 3
address.
• least conn
the least number of current connections.
• least sessions
the least number of current sessions. Least Sessions methods work
best in environments where the servers or other equipment you are
load balancing have similar capabilities. This is a dynamic load
balancing method, distributing connections based on various aspects
of real-time server performance analysis, such as the current number
of sessions.

Chapter 4
• member dynamic ratio

Indicates that the system passes a new connection to the member
based on continuous monitoring of the servers, which are continually
changing. This is a dynamic load balancing method, distributing
connections based on various aspects of real-time server performance
analysis, such as the current number of connections per node or the
fastest node response time.
• member least conn
Indicates that the system passes a new connection to the member that
has the least number of current connections.
• member observed
member based on observed status of the member.
• member predictive
member based on a predictive algorithm.
• member ratio
number is 1.
• node ratio
number is 1.
• observed
based on observed status of the member.
• predictive
based on a predictive algorithm.
• rr
member. Round Robin is the default load balancing method.
◆ link qos to client and link qos to server
Specifies the Quality of Service (QoS) level to use when sending packets
to a client or server. The default value is 0.
◆ min active members
Specifies the minimum number of members that must remain available
for traffic to be confined to a priority group when using priority-based
activation. The default value is 0.
◆ min up members
Enables or disables this feature. The default value is disable.
You can also specify the minimum number of members that must remain
up for traffic to be confined to a priority group when using priority-based
activation. If the number specified is exceeded, the action specified
happens. The default value is 0.
4 - 18
You can also specify that the system should fail over if the min up
members number is exceeded.
◆ monitor all
Creates a monitor rule for the pool. You can specify a monitor rule that
marks the pool down if the specified number of monitors are not
successful.
◆ nat
Enables or disables NAT connections for the pool.
◆ partition
Displays the partition within which the pool resides.
◆ <pool key>
Specifies a list of pool names separated by a space. A pool name is an
identifying string from 1 to 31 characters, for example: new_pools.
◆ priority
Specifies a priority that you want to assign to a pool member, to ensure
that traffic is directed to that member before being directed to a member
of a lower priority.
◆ slow ramp time
Provides the ability to cause a pool member that has just been enabled, or
marked up, to receive proportionally less traffic than other members in
the pool. The proportion of traffic the member accepts is determined by
how long the member has been up in comparison to the slow ramp time
set for the pool. For example, if a pool using Round Robin has a slow
ramp time of 60 seconds, and the pool member has been up for only 30
seconds, it receives approximately half the amount of new traffic as other
pool members that have been up for more than 60 seconds. At 45
seconds, it receives approximately three quarters of the new traffic. Slow
ramp time is particularly useful for least connections load balancing
mode. The default value is 0.
◆ snat
Enables or disables SNAT connections for the pool.
◆ unit
Specifies the Unit ID used by this pool in an active-active redundant
See also
monitor(1), node(1), virtual(1), bigpipe(1)

Chapter 4
profile udp
Configures a UDP profile.
Syntax
Use this command to create, modify, display, or delete a UDP profile.
Create/Modify
Important
BIG-IP® Systems.
profile udp <profile udp key> {}

profile udp (<profile udp key> | all) [{] <profile udp arg list> [}]
<profile udp key> ::=
<name>
<profile udp arg> ::=
allow no payload (enable | disable)
datagram lb (enable | disable)
defaults from (<profile udp key> | none)
name <name>
no cksum (enable | disable)
profile udp (<profile udp key> | all) stats reset
Display
profile udp [<profile udp key> | all] [show [all]]
profile udp [<profile udp key> | all] list [all]
profile udp (<profile udp key> | all) allow no payload [show]
profile udp (<profile udp key> | all) datagram lb [show]
profile udp (<profile udp key> | all) defaults from [show]
profile udp (<profile udp key> | all) idle timeout [show]
profile udp (<profile udp key> | all) ip tos [show]
profile udp (<profile udp key> | all) link qos [show]
profile udp (<profile udp key> | all) name [show]
profile udp (<profile udp key> | all) no cksum [show]
4 - 20
profile udp (<profile udp key> | all) partition [show]

profile udp (<profile udp key> | all) stats [show]
Delete
profile udp (<profile udp key> | all) delete
Description
The UDP profile is a configuration tool for managing UDP network traffic.
Examples
Creates a custom UDP profile named myudpprofile that inherits its settings
from the system default udp profile:
profile udp myudpprofile { }
Options
You can use these options with the profile udp command:
◆ allow payload
Provides the ability to allow the passage of datagrams that contain header
information, but no essential data. The default value is disable.
◆ datagram lb
Provides the ability to load balance UDP datagram by datagram. The
◆ defaults from
◆ idle timeout
◆ ip tos
assigns to UDP packets when sending them to clients.
◆ link qos
Specifies the Quality of Service level that the system assigns to UDP
◆ no cksum
When enabled, the system does not perform the check summing process
on the packets that the virtual server to which this profile is assigned
processes. The default value is disable.
◆ partition

Chapter 4
See also
4 - 22
software
Downloads and installs software onto a VIPRION system.
Syntax
Use this command to download software, and then install it onto a
VIPRION system.
Create/Modify
software [{] <software arg list> [}]
<software arg> ::=
desired (<software desired list> | none) [add | delete]
hotfixes (<software hotfix key list> | none) [add | delete]
images (<software image key list> | none) [add | delete]
status <software status key list>
volumes <software volume key list>
<software desired> ::= (<software desired key> | all) \
[{] <software desired arg list> [}]
<software desired key> ::=
<name>
<software desired arg> ::=
active (enable | disable)
build (<string> | none)
product (<string> | none)
retry (enable | disable)
retry count <number>
volume <name>
<software hotfix key> ::=
(<string> | none)
<software image key> ::=
(<string> | none)
<software status key> ::=
<name>
<software volume key> ::=
<name>
Display
software [show [all]]
software list [all]
software desired [<software desired key> | all] [show [all]]
software desired [<software desired key> | all] list [all]
software desired (<software desired key> | all) active [show]

Chapter 4
software desired (<software desired key> | all) build [show]

software desired (<software desired key> | all) product [show]
software desired (<software desired key> | all) retry [show]
software desired (<software desired key> | all) retry count [show]
software desired (<software desired key> | all) version [show]
software desired (<software desired key> | all) volume [show]
software hotfixes [<software hotfix key> | all] [show [all]]
software hotfixes (<software hotfix key> | all) build [show]
software hotfixes (<software hotfix key> | all) chksum [show]
software hotfixes (<software hotfix key> | all) filename [show]
software hotfixes (<software hotfix key> | all) hotfix id [show]
software hotfixes (<software hotfix key> | all) hotfix title [show]
software hotfixes (<software hotfix key> | all) product [show]
software hotfixes (<software hotfix key> | all) verified [show]
software hotfixes (<software hotfix key> | all) version [show]
software images [<software image key> | all] [show [all]]
software images (<software image key> | all) build [show]
software images (<software image key> | all) build date [show]
software images (<software image key> | all) chksum [show]
software images (<software image key> | all) file size [show]
software images (<software image key> | all) filename [show]
software images (<software image key> | all) last modified [show]
software images (<software image key> | all) product [show]
software images (<software image key> | all) verified [show]
software images (<software image key> | all) version [show]
software status [<software status key> | all] [show [all]]
software status (<software status key> | all) active [show]
software status (<software status key> | all) basebuild [show]
software status (<software status key> | all) build [show]
software status (<software status key> | all) edition [show]
software status (<software status key> | all) product [show]
software status (<software status key> | all) status [show]
software status (<software status key> | all) version [show]
software status (<software status key> | all) volume [show]
software volumes [<software volume key> | all] [show [all]]
software volumes (<software volume key> | all) active [show]
software volumes (<software volume key> | all) media [show]
software volumes (<software volume key> | all) name [show]
software volumes (<software volume key> | all) size [show]
4 - 24
Delete
software delete
software desired(<software desired list> delete
software hotfixes <software hotfix key list> delete
software images <software image key list> delete
software status <software status key list> delete
software volumes <software volume key list> delete
Description
You can use the software command to:
• Download and install software images and hotfixes onto the system
• Delete software that you have downloaded
Examples
You can install the software using the following steps as an example:
1. To copy the software image file.im to the software staging area
/root, use this syntax:
software image /root/file.im add
The system copies the software image file file.im to the software
staging area.
2. When you are currently running on volume HD1.1, to install build
565.0 of BIG-IP version 9.6.0 on volume HD1.2 of the cluster, use
this syntax:
software desired HD1.2 product BIG-IP build 565.0
version 9.6.0 add
The system returns to a UNIX prompt, and installs the specified

software.
3. To observe the progress of the software installation, use this syntax:
watch bigpipe software status status show
The system displays the installation progress.
4. When you are currently running on volume HD1.1, to reboot the
system to volume HD1.2, use this syntax
software desired HD1.2 active enable
Displays the software image table:

software image show
Displays the status of the software for each volume on each blade:
software status show

Chapter 4
Options
You can use these options with the software command:
◆ active
Displays whether the volume is running. Note that you cannot delete the
active volume.
◆ build
Displays the F5 Networks build number related to the installed software
image.
◆ build date
Displays the date associated with the software image file.
◆ chksum
Displays the MD5 checksum for the software image.
◆ desired
Installs the specified version of the software on the cluster or deletes the
specified version of the software from the cluster.
◆ file size
Displays the size of the software image file.
◆ filename
Displays the name of the software image file.
◆ hotfix id
Displays the ID number related to the hotfix.
◆ hotfix title
Displays the name of the hotfix.
◆ hotfixes
Copies the specified files to a location on the cluster from which the
system can install the hotfix.
◆ images
Copies the specified files to a location on the cluster from which the
system can install the software.
◆ last modified
Displays the date on which the software image was last changed.
◆ media
Displays the type of media on which the volume exists.
◆ name
Specifies the name of the volume.
◆ product
Displays the F5 Networks product related to the installed software.
◆ retry
Enables the retry option, which automatically retries installing in case of
install failure.
◆ size
Displays the size of the volume.
4 - 26
◆ status
Displays the current status of the software installation on all disk
volumes for all slots in the cluster.
◆ version
Displays the F5 Networks product version number related to the installed
software image.
◆ volume
Displays the volumes on the cluster.
• active (enable | disable)
• build
• product
• size
• version
Note: The volume option is not applicable to partitioned systems.
See also

Chapter 4
system
Sets up the system.
Syntax
Use this command to set up the system.
Create/Modify
Important
BIG-IP® Systems.
system [{] <system arg list> [}]

<system arg> ::=
archive encrypt (on | on request | off)
auth source type (local | ldap | radius | activedirectory | tacacs)
console inactivity timeout <number>
custom addr (<ip addr> | none)
failsafe action (go offline | reboot | restart all | go offline abort tm | failover
abort tm)
gui security banner (enable | disable)
gui security banner text (<string> | none)
gui setup (enable | disable)
host addr mode (mgmt | statemirror | custom)
hosts allow include (<string> | none)
lcd display (enable | disable)
net reboot (enable | disable)
password prompt (<string> | none)
quiet boot (enable | disable)
remote host (<remote host list> | none) [add | delete]
username prompt (<string> | none)
<remote host> ::= (<remote host key> | all) [{] <remote host arg list> [}]
<remote host key> ::=
<name>
<remote host arg> ::=
name <name>
4 - 28
Display
system [show [all]]
system list [all]
system archive encrypt [show]
system auth source type [show]
system console inactivity timeout [show]
system custom addr [show]
system failsafe action [show]
system gui security banner [show]
system gui security banner text [show]
system gui setup [show]
system host addr mode [show]
system hostname [show]
system hosts allow include [show]
system lcd display [show]
system net reboot [show]
system password prompt [show]
system quiet boot [show]
system remote host [<remote host key> | all] [show [all]]
system remote host [<remote host key> | all] list [all]
system remote host (<remote host key> | all) addr [show]
system remote host (<remote host key> | all) hostname [show]
system remote host (<remote host key> | all) name [show]
system username prompt [show]
Description
You can use the system command to set up the general properties of the
system.
Examples
Sets up the system using the system defaults:
system {}
Sets up a remote host named bigip151 with an IP address of 172.27.226.151

and a host name of bigip151.saxon.net:
system remote host bigip151 { addr 172.27.226.151 hostname
bigip151.saxon.net }

Chapter 4
Options
You can use these options with the system command:
◆ archive encrypt
Specifies whether the system archive encryption feature is set to on,
off, or on request. The default value is on request. Note that you must
configure the system archive encrypt option in conjunction with the
configsync encrypt and configsync passphrase options.
The reason for this is that when you perform a configuration
synchronization of two clusters in a redundant system configuration, the
process involves saving a UCS file from one system onto the peer
system, and then installing the saved file on the peer system. You use the
system archive encrypt option to indicate whether the process of saving
the UCS file creates an encrypted or unencrypted file. For example, you
can set the configsync encrypt option to enable, and configure a
passphrase using the configsync passphrase option. If you use the
default value, on request, for the system archive encrypt option, then
when a user saves the UCS file, and provides the passphrase, the UCS
file is encrypted. If the user does not provide the passphrase, the UCS
file is not encrypted.
◆ auth source type
Specifies the default user authorization source. The default value is local.
When user accounts that access the system reside on a remote server, the
value of auth source type is the type of server that you are using for
authentication, for example: ldap.
◆ console inactivity timeout
Specifies the number of seconds of inactivity before the system logs off a
user who is logged on. The default value is 0. This means that no timeout
is set.
◆ custom addr
Indicates a user-specified IP address for the system. The default value is
none.
It is important to note that you must set the host addr mode option to
custom, if you want to specify an IP address using custom addr. For
more information, see the host addr mode option.
◆ failsafe action
Specifies the action that the system takes when the switch board fails.
The default value is go offline and abort tm.
• go offline
Specifies that when the switch board fails, the system goes offline.
• go offline abort tm
Specifies that when the switch board fails, the system goes offline and
stops the traffic management system.
• reboot
Specifies that after the active cluster fails over to its peer, it reboots
while the peer processes the traffic.
4 - 30
• restart all
Specifies that when the switch board fails, the system restarts all
system services.
◆ gui security banner
Specifies whether the system presents on the logon screen the text you
specify in the Security banner text to show on the login screen field. If
you disable this option, the system presents an empty frame in the right
portion of the logon screen. The default value is enable.
◆ gui security banner text
Specifies the text to present on the logon screen when the Show the
security banner on the login screen option is enabled. The default
value is: Welcome to the BIG-IP Configuration Utility. Log in with
your username and password using the fields on the left.
◆ gui setup
Enables or disables the Setup utility in the browser-based Configuration
utility. The default value is enable.
When you configure a system using the command line interface, disable
this option. Disabling the gui setup option of the system command
enables your system administrators to use the browser-based
Configuration utility without having to run the Setup utility.
◆ host addr mode
Specifies the type of host address assigned to the system. The default
value is mgmt, which indicates that the host address is the management
port of the system.
If you use the statemirror option, then the host address of the system is
shared by the other cluster in a redundant system configuration. In case
of system failure, the traffic to the other system is routed to this system.
If you use the custom option, you must specify a custom IP address for
the system using the custom addr option. For more information, see the
custom addr option.
◆ hostname
Specifies a local name for the system. The default value is bigip1.
◆ hosts allow include
◆ lcd display
Enables or disables the system menu to display on the LCD panel on the
front of the system. The default value is enable.
◆ net reboot
Enables or disables the network reboot feature. The default value is
disable. If you enable this feature and then reboot the system, the system
boots from an ISO image on the network, rather than from an internal

Chapter 4
media drive. Use this option only when you want to install software on
the system, for example, for an upgrade or a re-installation. Note that this
setting reverts to disabled after you reboot the system a second time.
◆ partition
Displays the partition within which the system object resides.
◆ password prompt
Specifies the text to present above the password field (the second of the
◆ quiet boot
Enables or disables the quiet boot feature. The default value is enable. If
you enable this feature, the system suppresses informational text on the
console during the boot cycle.
◆ remote host
Adds a remote host to, or removes a remote host from, the /etc/hosts file.
The default value is none. You must enter both an IP address and a fully
qualified domain name (FQDN) or alias for each host that you want to
add to the file.
◆ username prompt
Specifies the text to present above the user name field (the first of the
See also
bigpipe(1)
4 - 32
vlan
Configures a virtual local area network (VLAN).
Syntax
Use this command to create, modify, display, or delete a VLAN.
Create/Modify
vlan <vlan key> {}
vlan (<vlan key> | all) [{] <vlan arg list> [}]
<vlan key> ::=
<name>
<vlan arg> ::=
failsafe (enable | disable)
failsafe (reboot | restart | failover | go active | no action | restart all | \
fdb (<fdb list> | none) [add | delete]
interfaces tagged (<interface key list> | none) [add | delete]
learning (enable | disable forward | disable drop)
mtu <number>
name <name>
source check (enable | disable)
tag <number>
trunks (<trunk key list> | none) [add | delete]
trunks tagged (<trunk key list> | none) [add | delete]
<fdb> ::= (<fdb key> | all) [{] <fdb arg list> [}]
<fdb key> ::=
<mac addr>
(dynamic | static)
<fdb arg> ::=
(dynamic | static)
interface <interface key>
mac addr <mac addr>
trunk <trunk key>

Chapter 4
Display
vlan [<vlan key> | all] [show [all]]
vlan [<vlan key> | all] list [all]
vlan (<vlan key> | all) failsafe [show]
vlan (<vlan key> | all) fdb [<fdb key> | all] [show [all]]
vlan (<vlan key> | all) fdb [<fdb key> | all] list [all]
vlan (<vlan key> | all) fdb (<fdb key> | all) dynamic [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) interface [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) mac addr [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) trunk [show]
vlan (<vlan key> | all) fdb (<fdb key> | all) vlan [show]
vlan (<vlan key> | all) ifname [show]
vlan (<vlan key> | all) interfaces [<interface key> | all] [show [all]]
vlan (<vlan key> | all) interfaces (<interface key> | all) parent vname [show]
vlan (<vlan key> | all) interfaces (<interface key> | all) pending [show]
vlan (<vlan key> | all) interfaces (<interface key> | all) vmname [show]
vlan (<vlan key> | all) interfaces tagged [<interface key> | all] [show [all]]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) parent vname [show]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) pending [show]
vlan (<vlan key> | all) interfaces tagged (<interface key> | all) vmname [show]
vlan (<vlan key> | all) learning [show]
vlan (<vlan key> | all) mac masq [show]
vlan (<vlan key> | all) mac true [show]
vlan (<vlan key> | all) mtu [show]
vlan (<vlan key> | all) name [show]
vlan (<vlan key> | all) source check [show]
vlan (<vlan key> | all) tag [show]
vlan (<vlan key> | all) timeout [show]
vlan (<vlan key> | all) trunks [<trunk key> | all] [show [all]]
vlan (<vlan key> | all) trunks (<trunk key> | all) parent vname [show]
vlan (<vlan key> | all) trunks (<trunk key> | all) pending [show]
vlan (<vlan key> | all) trunks (<trunk key> | all) vmname [show]
vlan (<vlan key> | all) trunks tagged [<trunk key> | all] [show [all]]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) parent vname [show]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) pending [show]
vlan (<vlan key> | all) trunks tagged (<trunk key> | all) vmname [show]
Delete
vlan (<vlan key> | all) delete
4 - 34
Description
The vlan command enables you to create, display, and modify settings for
VLANs. VLANs are part of the configuration of the network components.
VLANs can be based on either ports or tags.
When creating a VLAN, the system automatically assigns a tag value for the
VLAN, unless you specify a tag value on the command line. VLANs can
have both tagged and untagged interfaces. You can add an interface to a
single VLAN as an untagged interface. You can also add an interface to
multiple VLANs as a tagged interface.
Examples
Create the VLAN myvlan that includes the interfaces 1.2, 1.3, and 1.4:
vlan myvlan interface 1.2 1.3 1.4
Delete the VLAN named myvlan:

vlan myvlan delete>
Options
You can use these options with the vlan command:
◆ failsafe
Enables a fail-safe mechanism that causes the active cluster to fail over to
a redundant cluster when loss of traffic is detected on a VLAN, and
traffic is not restored during the failsafe timeout period for that VLAN.
The default action set with VLAN fail-safe is restart all. When the
fail-safe mechanism is triggered, all the daemons are restarted and the
cluster fails over. The default value is disable.
◆ fdb
Specifies that the fdb (forwarding database) associates MAC addresses
with interfaces and trunks.
◆ interfaces
Specifies a list of interfaces that you want to assign to the VLAN.
◆ interfaces tagged
Specifies a list of tagged interfaces. A tagged interface is an interface that
you assign to a VLAN in a way that causes the system to add a VLAN
tag into the header of any frame passing through that interface. Use
tagged interfaces when you want to assign a single interface to multiple
VLANs.
◆ learning
Specifies whether switch ports placed in the VLAN are configured for
switch learning, forwarding only, or dropped. Possible values are:
enable, disable forward, or disable drop. The default value is enable.

Chapter 4
◆ mac masq
Configures a shared MAC masquerade address. You can share the media
access control (MAC) masquerade address between clusters in a
redundant system configuration. This has the following advantages:
• Increased reliability and failover speed, especially in lossy networks
• Interoperability with switches that are slow to respond to the network
changes
• Interoperability with switches that are configured to ignore network
changes
◆ mtu
Sets a specific maximum transition unit (MTU) for the VLAN. The
◆ source check
Specifies that only connections that have a return route in the routing
table are accepted. The default value is disable.
◆ tag
Specifies a number that the system adds into the header of any frame
passing through the VLAN.
◆ timeout
Specifies the number of seconds that an active cluster can run without
detecting network traffic on this VLAN before it initiates a failover. The
◆ trunks
Specifies a list of trunks. A trunk is a combination of two or more
interfaces and cables configured as one link.
◆ trunks tagged
Specifies a list of tagged trunks. A tagged trunk is a trunk that you assign
to a VLAN in a way that causes the system to add a VLAN tag into the
header of any frame passing through the trunk. Use tagged trunks when
you want to assign a single trunk to multiple VLANs.
See also
interface(1), self(1), vlangroup(1), virtual(1), bigpipe(1)
4 - 36
5
• Introduction to WAN Optimization commands

Introduction to WAN Optimization commands

You can use bigpipe commands to configure the WAN (Wide Area
Network) Optimization Module. This chapter includes WAN
optimization-specific commands that you can use in addition to the bigpipe
commands listed in Chapter 2, Bigpipe Utility Command Reference. It also
includes commands for rate shaping and WCCP, which you might also use
when configuring local and network traffic that does not travel through the
WAN Optimization Module.
Note
F5 Networks recommends that only advanced users of the BIG-IP system

configure WAN optimization from the command line.
For more information about configuring WAN optimization, see the

Configuration Guide for the BIG-IP® WAN Optimization Module.

WAN optimization.

Chapter 5
datastor
Configures the data storage used for optimization.
Syntax
Use this command to enable, disable, or modify the parameters for data
storage.
Create/Modify
datastor [{] <datastor arg list> [}]
<datastor arg> ::=
disk usage (enable | disable)
high water mark <number>
low water mark <number>
Display
datastor [show [all]]
datastor list [all]
datastor cache size [show]
datastor disk usage [show]
datastor high water mark [show]
datastor low water mark [show]
datastor store size [show]
Description
The datastor command specifies parameters for the data storage that is used
for disk I/O operations and optimized page cache for frequently
accessed sectors. Symmetric data deduplication is one consumer of this
storage space.
Examples
Displays the data storage settings:
datastor show all
Options
You can use these options with the datastor command:
◆ cache size
Displays the size of the data storage in megabytes (MB).
◆ disk usage
Specifies the use of the disk (in addition to memory) for data storage.
5-2
◆ high water mark

Specifies the percentage of full cache above which pruning starts. The
◆ low water mark
Specifies the percentage of full cache below which pruning stops. The
◆ store size
Displays the amount of space for each disk path specified.
See also
deduplication(1), bigpipe(1)

Chapter 5
deduplication
Configures symmetric data deduplication for WAN optimization.
Syntax
Use this command to enable, disable, or modify symmetric data
deduplication for WAN optimization.
Create/Modify
deduplication [{] <deduplication arg list> [}]
<deduplication arg> ::=
deduplication service (enable | disable)
max endpoint count <number>
Display
deduplication [show [all]]
deduplication list [all]
deduplication deduplication service [show]
deduplication max endpoint count [show]
Description
The deduplication command specifies parameters for symmetric data
deduplication, which compresses data on the WAN by identifying and
removing repetitive data patterns.
Examples
Displays the symmetric data deduplication settings for WAN optimization:
deduplication show all
Options
You can use these options with the deduplication command:
◆ deduplication service
Specifies whether symmetric data deduplication is enabled.
◆ max endpoint count
Specifies the maximum number of concurrent remote WAN
Optimization Modules supported by symmetric data deduplication, up to
a maximum of 32. The default value is 4.
See also
datastor(1), profile isession(1), bigpipe(1)
5-4
drop policy
Configures a custom drop policy that can be applied to rate shaping.
Syntax
Use this command to create, modify, display, or delete a drop policy.
Note
This command is intended for expert users only. Changing these

parameters could have an unintended negative impact on traffic shaping.
We recommend using the rate class command in most situations.
Create/Modify
drop policy <drop policy key> {}
drop policy (<drop policy key> | all) [{] <drop policy arg list> [}]
<drop policy key> ::=
<name>
<drop policy arg> ::=
average pkt size <number>
fred max active flow <number>
fred max drop mul <number>
fred min drop mul <number>
inverse weight <number>
max probability <number>
max threshold <number>
min threshold <number>
name <name>
red hard limit <number>
type (tail | red | fred)
Display
drop policy [<drop policy key> | all] [show [all]]
drop policy [<drop policy key> | all] list [all]
drop policy (<drop policy key> | all) average pkt size [show]
drop policy (<drop policy key> | all) fred max active flow [show]
drop policy (<drop policy key> | all) fred max drop mul [show]
drop policy (<drop policy key> | all) fred min drop mul [show]
drop policy (<drop policy key> | all) inverse weight [show]
drop policy (<drop policy key> | all) max probability [show]
drop policy (<drop policy key> | all) max threshold [show]
drop policy (<drop policy key> | all) min threshold [show]

Chapter 5
drop policy (<drop policy key> | all) name [show]

drop policy (<drop policy key> | all) red hard limit [show]
drop policy (<drop policy key> | all) type [show]
Delete
drop policy (<drop policy key> | all) delete
Description
A drop policy determines when and how to drop packets, if required,
when the traffic handling queue is full. Use the command drop policy in
conjunction with the command shaping queue to shape traffic.
Examples
Creates the drop policy customfred that specifies a minimum and maximum
threshold:
drop policy customfred type fred min threshold 1500 max threshold 10000
Options
You can use these options with the drop policy command:
◆ average pkt size
Specifies the average MTU (maximum transmission unit) size in the
range of 0 to 10000 bytes. The default value is 0.
◆ fred max active flow
Specifies the maximum number of flows that can be active for each
queue. The range is 0 to 10000. The default value is 0, which disables
active flow limitation.
◆ fred max drop mul
Specifies the hard drop limit in the range of 0 to 400. The default value is
0. Setting this to a small value does not change the hard drop limit, but a
higher number increases the limit.
◆ fred min drop mul
Specifies the hard no drop limit in the range of 0 to 100. The default
value is 0. Setting this to a large value prevents packets from being
dropped.
◆ inverse weight
Specifies the weight used to calculate the average queue length. Valid
values are 0, 64, 128, 256, 512, and 1024. The default value is 0.
◆ max probability
Specifies the maximum percentage probability in the range of 0 to 100
according to which packets are dropped when the average queue length is
between the minimum and maximum thresholds. The default value is 0.
5-6
◆ max threshold
Specifies the queue length below which packets are not dropped. The
default value is 0.
◆ min threshold
Specifies the queue length above which packets are not dropped. The
default value is 0.
◆ name
Specifies the custom name for the queue. Use this name in the command
shaping policy or rate class.
◆ red hard limit
Specifies the maximum queue size in kilobytes or megabytes. Additional
packets are dropped. The default value is 0. This option applies only to
the red type.
◆ type
Specifies the type of drop policy. The available settings are tail (drops
the end of the traffic stream), red (randomly drops packets), and fred
(drops packets according to the type of traffic in the flow). The default
value is red. Although you could create a drop policy based on tail, that
is already the default value for drop policy in both the shaping policy
and rate class commands.
See also
rate class(1), shaping policy(1), shaping queue(1), bigpipe(1)

Chapter 5
endpoint advertised route

Configures routes advertised by the local endpoint to remote endpoints for
WAN optimization.
Syntax
Use this command to create, display, or modify routes advertised for
optimization by the local endpoint of the WAN Optimization Module.
Create/Modify
endpoint advertised route <endpoint advertised route key> {}
endpoint advertised route (<endpoint advertised route key> | all) [{]
<endpoint advertised route arg> [}]
<endpoint advertised route key> ::=
<network ip>
<endpoint advertised route arg> ::=
addr <network ip>
include (enable | disable)
label (<string> | none)
metric <number>
Display
endpoint advertised route [<endpoint advertised route key> | all] [show [all]]
endpoint advertised route [<endpoint advertised route key> | all] list [all]
endpoint advertised route [<endpoint advertised route key> | all] addr [show]
endpoint advertised route [<endpoint advertised route key> | all] include [show]
endpoint advertised route [<endpoint advertised route key> | all] label [show]
endpoint advertised route (<endpoint advertised route key> | all) metric [show]
Delete
endpoint advertised route (<endpoint advertised route key> | all) delete
Description
The endpoint advertised route command enables you to configure routes
advertised by the local endpoint to remote endpoints. You can specify a
netmask or use slash format. Optimization is enabled for all included local
endpoint advertised routes, except for any subsets that have been excluded.
Routes are advertised to all connected WAN Optimization Modules.
5-8
Examples
Displays all endpoint advertised routes for the local WAN Optimization
Module:
endpoint advertised route show all
Options
You can use these options with the endpoint advertised route command:
◆ addr
Specifies the IP address and netmask of the advertised route.
◆ include
Specifies whether the route is included or excluded from optimization.
This allows you to define a subset of IP addresses to exclude from
optimization within a larger included subnet. Excluded endpoint
advertised routes must be a proper address range subset of an included
endpoint advertised route.
◆ label
Specifies an optional descriptive label for this route.
◆ metric
Displays a routing number to select between WAN Optimization Module
pairs. The higher the number, the more expensive the route in terms of
resources. Not implemented in this release.
See also
endpoint local(1), endpoint remote(1), endpoint remote route(1),
bigpipe(1)

Chapter 5
endpoint discovery
Configures the automatic discovery of remote endpoints for WAN
optimization.
Syntax
Use this command to enable, disable, modify, or delete remote endpoint
discovery.
Create/Modify
endpoint discovery {}
endpoint discovery [{] <endpoint discovery arg list> [}]
<endpoint discovery arg> ::=
discoverable (enable | disable)
discovered endpoint (enable | disable)
icmp max requests <number>
icmp min backoff <number>
icmp num retries <number>
max endpoint count <number>
mode (enable all | disable | enable icmp | enable tcp)
endpoint discovery stats reset
Display
endpoint discovery [show [all]]
endpoint discovery list [all]
endpoint discovery discoverable [show]
endpoint discovery discovered endpoint [show]
endpoint discovery icmp max requests [show]
endpoint discovery icmp min backoff [show]
endpoint discovery icmp num retries [show]
endpoint discovery max endpoint count [show]
endpoint discovery mode [show]
endpoint discovery stats [show]
Delete
endpoint discovery delete
5 - 10
Description
The endpoint discovery command enables you to specify parameters for
automatically discovering remote endpoints for WAN optimization. These
endpoints are configured WAN Optimized Modules on remote BIG-IP
systems that advertise themselves to the configured WAN Optimization
Module on the local BIG-IP system.
Examples
Displays the discovered remote endpoints, which are configured WAN
Optimized Modules on remote BIG-IP systems:
endpoint discovery show all
Options
You can use these options with the endpoint discovery command:
◆ discoverable
Specifies that the WAN Optimization Module responds to probe
messages it receives from WAN Optimization Modules on remote
BIG-IP systems.
◆ discovered endpoint
Specifies that the WAN Optimization Module sends out probe messages
to discover other WAN Optimization Modules on remote BIG-IP
systems in the network.
◆ icmp max requests
Specifies the maximum number of ICMP probe message requests, after
which the system stops sending probe message requests until at least one
message is cleared from the queue by either a timeout or a response. The
◆ icmp min backoff
Specifies the maximum number of seconds to wait before abandoning an
ICMP probe message request and resending it. The range is from 0 to
255. The default value is 5.
◆ icmp num retries
Specifies the maximum number of times the system sends an ICMP
probe message request for a single flow. The range is from 0 to 255. The
default value is 5.
◆ max endpoint count
Specifies the highest number of endpoints for the system to discover
before it stops sending probe messages. The range is from 0 to 255. The
default value is 0, which indicates no limit.

Chapter 5
◆ mode
Specifies the type of probe messages the system should send.
• enable icmp
Send only ICMP probe messages.
• enable tcp
Send only TCP probe messages.
• enable all
Send both ICMP and TCP probe messages.
• disable
Disable probe messages.
◆ stats
Displays information about the ICMP and TCP probe messages and the
discovered remote endpoints.
See also
endpoint local(1), endpoint remote(1), bigpipe(1)
5 - 12
endpoint local
Configures the local endpoint for the WAN Optimization Module.
Syntax
Use this command to create, modify, or delete the local endpoint for the
Create/Modify
endpoint local {}
endpoint local [{] <endpoint local arg list> [}]
<endpoint local arg> ::=
addresses (<ip addr list> | none) [add | delete]
allow nat (enable | disable)
serverssl (<string> | none)
source address (none | client | wom | tunnel)
(enable | disable)
tunnel port <number>
Display
endpoint local [show [all]]
endpoint local list [all]
endpoint local UUID [show]
endpoint local addresses [show]
endpoint local allow nat [show]
endpoint local mgmt addr [show]
endpoint local serverssl [show]
endpoint local source address [show]
endpoint local status [show]
endpoint local tunnel port [show]
endpoint local version [show]
Delete
endpoint local delete
Description
The endpoint local command enables you to configure the local endpoint
for the WAN Optimization Module on the local BIG-IP system.

Chapter 5
Examples
Configures the local endpoint for the WAN Optimization Module, which
has the IP address of 12.16.0.5, and uses the SSL profile named serverssl:
endpoint local {
addresses 12.16.0.5
serverssl serverssl
}
Options
You can use these options with the endpoint local command:
◆ addresses
Specifies the IP address used for the local endpoint. The IP address must
be in the same subnet as a self IP address on the BIG-IP system.
◆ allow nat
When enabled, specifies that the system accepts connections for traffic
behind a Network Address Translation device.
◆ mgmt addr
Displays the management IP address for the local endpoint.
◆ serverssl
Specifies the default server SSL profile the system uses for
authentication.
◆ source address
Specifies the address the system uses as the source IP address of the TCP
connection between the WAN Optimization Module and the server for
incoming traffic.
• client
Indicates that the system uses the client IP address from the tunnel
data as the source IP address. This is the default value.
• wom
Indicates that the system uses the WAN Optimization Module
endpoint local IP address as the source IP address.
• tunnel
Indicates that the system uses the source IP address in the header of
the tunnel connection as the source IP address.
When enabled, specifies that the local endpoint is available for initiating
and receiving optimized traffic. To turn off WAN optimization on this
endpoint, use disable.
◆ status
Indicates whether the local endpoint is enabled.
5 - 14
◆ tunnel port
Specifies the number of the port on the local endpoint that the WAN
Optimization Module uses for control connections. It must be a port that
is allowed access through the firewall. The range is from 1 to 65535. The
◆ UUID
Displays the Universal Unique Identifier, a 128-bit number that identifies
this local endpoint.
◆ version
Displays the number of the software release on the BIG-IP system that
hosts this local endpoint.
See also
endpoint advertised route(1), endpoint remote(1),
endpoint remote route(1), bigpipe(1)

Chapter 5
endpoint remote
Configures one or more remote endpoints for the WAN Optimization
Module.
Syntax
Use this command to create, modify, or delete the remote endpoints for the
Create/Modify
endpoint remote <endpoint remote key> {}
endpoint remote (<endpoint remote key> | all) [{] <endpoint remote arg list> [}]
<endpoint remote key> ::=
(<ip addr> | none)
<endpoint remote arg> ::=
allow routing (enable | disable)
dedup (none | cache refresh)
(enable | disable)
(discovered | configured | persistable | manually saved)
ref (<ip addr> | none)
serverssl (<string> | none)
source address (none | client | wom | tunnel)
tunnel encrypt (enable | disable)
tunnel port <number>
endpoint remote (<endpoint remote key> | all) stats reset
Display
endpoint remote [<endpoint remote key > | all] [show [all]]
endpoint remote [<endpoint remote key > | all] list [all]
endpoint remote [<endpoint remote key > | all] UUID [show]
endpoint remote [<endpoint remote key > | all] addr list [show]
endpoint remote [<endpoint remote key > | all] allow routing [show]
endpoint remote [<endpoint remote key > | all] behind nat [show]
endpoint remote [<endpoint remote key > | all] cache refresh count [show]
endpoint remote [<endpoint remote key > | all] cache refresh timestamp [show
endpoint remote [<endpoint remote key > | all] config status [show]]
endpoint remote [<endpoint remote key > | all] dedup cache [show]
endpoint remote [<endpoint remote key > | all] is enabled [show]
endpoint remote [<endpoint remote key > | all] mgmt addr [show]
endpoint remote [<endpoint remote key > | all] name [show]
endpoint remote [<endpoint remote key > | all] origin [show]
endpoint remote [<endpoint remote key > | all] ref [show]
endpoint remote [<endpoint remote key > | all] serverssl [show]
5 - 16
endpoint remote [<endpoint remote key > | all] source address [show]
endpoint remote [<endpoint remote key > | all] state [show]
endpoint remote [<endpoint remote key > | all] stats [show]
endpoint remote [<endpoint remote key > | all] tunnel encrypt [show]
endpoint remote [<endpoint remote key > | all] tunnel port [show]
endpoint remote [<endpoint remote key > | all] version [show]
Delete
endpoint remote (<endpoint remote key> | all) delete
If you delete a remote endpoint without also disabling endpoint dynamic

discovery, the remote endpoint may reappear as it is rediscovered. To
remove a remote endpoint from traffic initiated by this WAN Optimization
Module, use the disable option.
Description
The endpoint remote command enables you to configure a remote endpoint
for traffic from the WAN Optimization Module.
Examples
Configures a connection to the remote endpoint for the WAN Optimization
Module that has the IP address of 13.16.0.5:
endpoint remote 13.16.0.5 {
serverssl serverssl
}
Options
You can use these options with the endpoint remote command:
◆ allow routing
When enabled, specifies that this remote endpoint can initiate traffic to
the local endpoint. If you specify disable, the remote endpoint can
receive traffic from the local endpoint, but it cannot initiate traffic to the
local endpoint.
◆ behind nat
Indicates that this remote endpoint is on a WAN Optimization Module
located behind a Network Address Translation device.
◆ cache refresh count
Displays the number of times the cash used for symmetric data
deduplication has been refreshed since system startup.

Chapter 5
◆ cache refresh timestamp

Displays when the last refresh of the cache occurred.
◆ config status
Displays a diagnostic string used in troubleshooting.
◆ dedup
Use cache refresh to clear the cache used for symmetric data
deduplication on the remote endpoint. The default value is none.
◆ dedup cache
Displays in megabytes the total amount of cache available for symmetric
data deduplication. The system apportions this cache according to the
number of remote endpoints and the amount of cache available at each
endpoint.
When enabled, specifies that traffic can be optimized between the local
and remote endpoints. Disabling a remote endpoint affects only the
connection between the local endpoint and this remote endpoint.
◆ ip addr
Specifies the IP address that the local endpoint uses to communicate with
the WAN Optimization Module on a remote BIG-IP system.
◆ mgmt addr
Displays the management IP address for the remote endpoint.
◆ name
Displays the host name of the BIG-IP system that hosts this remote
endpoint.
◆ origin
Indicates whether the remote endpoint was discovered automatically or
configured manually. You can change the origin from discovered to
persistable, if you want to save the endpoint to the file bigip_local.conf
when you use the command b save. After you run the command b save,
this attribute changes to manually saved. Endpoints that have the
attribute discovered are not saved to the file bigip_local.conf.
◆ ref
Specifies the IP address of the remote endpoint.
◆ serverssl
Specifies the server SSL profile to use for traffic to this remote endpoint.
◆ source address
Specifies the address the system uses as the source IP address of the TCP
connection between the WAN Optimization Module and the server.
• none
Indicates that the system uses the source address value set for the
local endpoint. This is the default value.
• client
Indicates that the system uses the client IP address from the tunnel
data as the source IP address.
5 - 18
• wom
Indicates that the system uses the WAN Optimization Module
endpoint local IP address as the source IP address.
• tunnel
Indicates that the system uses the source IP address in the header of
the tunnel connection as the source IP address.
◆ state
Indicates the condition of the connection for traffic optimization between
the local endpoint and this remote endpoint.
• unknown
Appears when this endpoint is first created, before the connection is
complete.
• authenticated
Indicates that TMM has validated this connection based on the SSL
profiles.
• down
Indicates that the local endpoint cannot connect to this remote
endpoint.
• negotiating
Indicates that the connection has been made, and the endpoints are
negotiating the deduplication cache size.
• ready
Indicates that the connection is available for optimization.
• holding
Indicates that the connection is established, but the remote endpoint is
not receiving traffic.
◆ stats
Displays data about the connections and traffic between this remote
endpoint and the local endpoint.
◆ tunnel encrypt
Specifies whether traffic passing between the two WAN Optimization
Modules is encrypted.
◆ tunnel port
Specifies whether to use a specific port for traffic optimized to this
endpoint or to use port transparency (0).
◆ UUID
Displays the Universal Unique Identifier, a 128-bit number that identifies
this remote endpoint.
◆ version
Displays the number of the software release on the BIG-IP system that
hosts this remote endpoint.
See also
endpoint discovery(1), endpoint local(1), endpoint remote route(1),
endpoint advertised route(1), bigpipe(1)

Chapter 5
endpoint remote route

Displays the destination routes learned from the remote endpoints.
Syntax
Use this command to display the routes advertised by remote endpoints for
WAN optimization.
Modify
endpoint remote route <endpoint remote route key> {}
endpoint remote route (<endpoint remote route key> | all) [{] <endpoint remote route arg
list> [}]
<endpoint remote route key> ::=
[ref <endpoint remote key>] [dest <network ip>]
Display
endpoint remote route [<endpoint remote route key> | all] [show [all]]
endpoint remote route [<endpoint remote route key> | all] dest [all]
endpoint remote route [<endpoint remote route key> | all] include [show]
endpoint remote route [<endpoint remote route key> | all] label [show]
endpoint remote route [<endpoint remote route key> | all] metric [show]
endpoint remote route [<endpoint remote route key> | all] origin [show]
endpoint remote route [<endpoint remote route key> | all] ref [show]
Delete
endpoint remote route (<endpoint remote route key> | all) delete
Description
The endpoint remote route command enables you to display routes learned
from remote endpoints for WAN Optimization Modules that have been
configured on remote BIG-IP systems. You can also display the origin,
label, and include flag for these routes.
Examples
Displays the routes for all the remote endpoints on connected WAN
Optimization Modules:
endpoint remote route show all
5 - 20
Options
You can use these options with the endpoint remote route command:
◆ dest
Displays the IP address and mask of the destination route.
◆ include
Displays whether the destination route is included or excluded from
optimization for a given remote endpoint.
◆ label
Displays a descriptive label for this route.
◆ metric
Displays a routing number to select between WAN Optimization Module
pairs. The higher the number, the more expensive the route in terms of
resources. Not implemented in this release.
◆ origin
Displays whether the route was discovered or explicitly configured.
◆ ref
Displays the IP address of the remote endpoint.
See also
endpoint local(1), endpoint advertised route(1), endpoint remote(1),
bigpipe(1)

Chapter 5
profile cifs
Creates, modifies, displays, or deletes a Common Internet File System
(CIFS) profile.
Syntax
Use this command to configure a profile for CIFS traffic.
Create/Modify
Important
assigned access to all partitions, then before you create an object in a specific
partition, you must use the bigpipe shell command to set your Write partition
to the partition in which you want to create the object. For more information,
see the Configuring Administrative Partitions and Managing User Accounts
chapters in the TMOS™ Management Guide for BIG-IP® Systems.
profile cifs <profile cifs key> {}

profile cifs (<profile cifs key> | all) [{] <profile cifs arg list> [}]
<profile cifs key> ::=
<name>
<profile cifs arg> ::=
fast close (enable | disable
fast set file info (enable | disable)
name (<name> | none)
office 2003 extended (enable | disable)
read ahead (enable | disable)
record play (enable | disable)
write behind (enable | disable)
Display
profile cifs [<profile cifs key> | all] [show [all]]
profile cifs [<profile cifs key> | all] list [all]
profile cifs (<profile cifs key> | all) defaults from [show]
profile cifs (<profile cifs key> | all) fast close [show]
profile cifs (<profile cifs key> | all) fast set file info [show]
profile cifs (<profile cifs key> | all) name [show]
profile cifs (<profile cifs key> | all) office 2003 extended [show]
profile cifs (<profile cifs key> | all) partition [show]
profile cifs (<profile cifs key> | all) read ahead [show]
profile cifs (<profile cifs key> | all) record play [show]
profile cifs (<profile cifs key> | all) write behind
5 - 22
Delete
profile cifs (<profile cifs key> | all) delete
Description
The profile cifs command enables you to configure a profile for CIFS
traffic. The CIFS profile is a configuration tool for optimizing CIFS traffic
over the WAN.
Examples
Creates a CIFS profile named mycifsprofile that inherits its settings from
the system default cifs profile:
profile cifs mycifsprofile { }
Options
You can use these options with the profile cifs command:
◆ defaults from
◆ fast close
Specifies that the system speeds up file close operations by fulfilling
them through the WAN Optimization Module closer to the request
initiator. The default value is enable.
◆ fast set file info
When enabled, specifies that the system speeds up file metadata change
requests by fulfilling the requests through the WAN Optimization
Module closer to the request initiator. The default value is enable.
◆ name
Specifies a name for this custom CIFS profile.
◆ office 2003 extended
When enabled, specifies that the system performs read-ahead operations
based on parsing the Microsoft CDF file and understanding its structure.
◆ partition
◆ read ahead
When enabled, specifies that the system speeds up CIFS file downloads
by prefetching the file data on the WAN Optimization Module closer to
the request initiator. The default value is enable.
◆ record replay
When enabled, specifies that the system opens CIFS files faster by
performing more intelligent read-ahead operations. The default value is
enable.

Chapter 5
◆ write behind
When enabled, specifies that the system speeds up CIFS file uploads to
the server by fulfilling write requests through the WAN Optimization
Module closer to the request initiator. The default value is enable.
See also
5 - 24
profile isession
Creates, modifies, displays, or deletes an iSession profile.
Syntax
Use this command to configure an iSession profile, which is required for
WAN optimization.
Create/Modify
Important
profile isession <profile isession key> {}

profile isession (<profile isession key> | all) [{] <profile isession arg list> [}]
<profile isession key> ::=
<name>
<profile isession arg> ::=
compression adaptive (enable | disable)
compression deflate (enable | disable)
compression deflate level <number>
compression lzo (enable | disable)
compression null (enable | disable)
connection reuse (enable | disable)
deduplication (enable | disable)
mode (enable | disable)
name <name>
port transparency (enable | disable)
target virtual (none | host match no isession | host match all | match all)
profile isession (<profile isession key> | all) stats reset
Display
profile isession [<profile isession key> | all] [show [all]]
profile isession [<profile isession key> | all] list [all]
profile isession (<profile isession key> | all) compression adaptive [show]
profile isession (<profile isession key> | all) compression deflate [show]
profile isession (<profile isession key> | all) compression deflate level [show]
profile isession (<profile isession key> | all) compression lzo [show]

Chapter 5
profile isession (<profile isession key> | all) compression null [show]

profile isession (<profile isession key> | all) connection reuse [show]
profile isession (<profile isession key> | all) deduplication [show]
profile isession (<profile isession key> | all) defaults from [show]
profile isession (<profile isession key> | all) mode [show]
profile isession (<profile isession key> | all) name [show]
profile isession (<profile isession key> | all) partition [show]
profile isession (<profile isession key> | all) parent name [show]
profile isession (<profile isession key> | all) port transparency [show]
profile isession (<profile isession key> | all) stats [show]
profile isession (<profile isession key> | all) target virtual [show]
Delete
profile isession (<profile isession key> | all) delete
Description
Use the profile isession command to specify how the WAN Optimization
Module handles traffic.
Examples
Creates an iSession profile named myisessionprofile that inherits its
settings from the system default isession profile:
profile isession myisessionprofile { }
Options
You can use these options with the profile isession command:
◆ compression adaptive
Specifies whether the system selects the enabled compression algorithm
that is the most suitable for the current traffic. The system can use only
compression algorithms that are enabled. To establish and maintain the
connection, you must enable at least one compression setting. The
◆ compression deflate
Specifies whether the system can use the Deflate data compression
algorithm. To establish and maintain the connection, you must enable at
least one compression setting. The default value is enable.
◆ compression deflate level
Specifies the level of compression if compression deflate is enabled and
compression adaptive is disabled The range is 1 to 9. A higher value
causes the CPU to spend more time looking for matches, which may
result in better compression. The default value is 1.
5 - 26
◆ compression lzo
Specifies whether the system can use the Lempel-Ziv-Oberhumer (LZO)
data compression algorithm. To establish and maintain the connection,
you must enable at least one compression setting. The default value is
enable.
◆ compression null
When enabled, and all other compression algorithms are disabled,
specifies that the system does not use compression. Enabling this setting
allows the connection, even when you do not want compression. To
establish and maintain the connection, you must enable at least one
compression setting. The default value is enable.
◆ connection reuse
Specifies that the system saves and reuses connections between the local
and remote WAN Optimization Modules. The default value is enable.
◆ deduplication
When enabled, specifies that the system optimizes traffic using
symmetric data deduplication, which means locating byte patterns that
were previously sent over the WAN, and replacing them with references.
◆ defaults from
◆ mode
When enabled, specifies that this profile is used for WAN optimization
traffic. The default value is enable.
◆ name
Specifies a name for this profile.
◆ partition
◆ port transparency
When enabled, specifies that the destination port specified by the client is
preserved over the WAN. The default value is enable.
◆ stats
Displays information about the connections and traffic to which this
iSession profile has been applied.
◆ target virtual
For terminated iSession traffic, specifies the matching criteria that a
client-side BIG-IP system uses to select a target virtual server on the
server-side BIG-IP system.
The default value is match all. The options are:
• none
Specifies that the system sends the terminated iSession traffic directly
to the server.

Chapter 5
• host match no isession

Specifies that the system matches only host virtual servers with no
iSession profile.
• host match all
Specifies that the system selects the closest match from all the host
virtual servers.
• match all
Specifies that the system selects the closest match from all the virtual
servers.
See also
5 - 28
profile mapi
Creates, modifies, displays, or deletes a Messaging Application Profile
Interface (MAPI) profile.
Syntax
Use this command to configure a profile for MAPI traffic.
Create/Modify
Important
profile mapi <profile mapi key> {}

profile mapi (<profile mapi key> | all) [{] <profile mapi arg
list> [}]
<profile mapi key> ::=
<name>
<profile mapi arg> ::=
discover exchange servers (enable | disable)
name <name>
native compression (enable | disable)
Display
profile mapi [<profile mapi key> | all] [show [all]]
profile mapi [<profile mapi key> | all] list [all]
profile mapi (<profile mapi key> | all) defaults from [show]
profile mapi (<profile mapi key> | all) discover exchange servers [show]
profile mapi (<profile mapi key> | all) name [show]
profile mapi (<profile mapi key> | all) native compression [show]
profile mapi (<profile mapi key> | all) partition [show]
Delete
profile mapi (<profile mapi key> | all) delete

Chapter 5
Description
The MAPI profile is a configuration tool for optimizing MAPI traffic over
the WAN.
Examples
Creates a MAPI profile named mymapiprofile that inherits its settings from
the system default mapi profile:
profile mapi mymapiprofile { }
Options
You can use these options with the profile mapi command:
◆ defaults from
◆ discover exchange servers
When enabled, specifies that the system automatically discovers the
Microsoft Exchange servers in the network and creates a virtual server
for each one discovered. The default value is disable.
◆ name
Specifies a name for this custom MAPI profile.
◆ native compression
Enables or disables native Microsoft Exchange compression. The default
value is disable, because symmetric adaptive compression yields better
results. Use the command profile isession to enable symmetric adaptive
compression. The default value is disable.
◆ partition
See also
profile(1), profile isession(1), virtual(1), bigpipe(1)
5 - 30
rate class
Configures rate classes.
Syntax
Use this command to create, modify, display, or delete a rate class.
Create/Modify
rate class <rate class key> {}
rate class (<rate class key> | all) [{] <rate class arg list> [}]
<rate class key> ::=
<name>
<rate class arg> ::=
burst <number>
ceiling <number>[bps]
direction (any | to client | to server | vlan egress)
name <name>
parent (<rate class key> | none)
rate <number>[bps]
shaping policy (<shaping policy key> | none)
type (<shaping queue key> | none)
rate class (<rate class key> | all) stats reset
Display
rate class [<rate class key> | all] [show [all]]
rate class [<rate class key> | all] list [all]
rate class [<rate class key> | all] burst [show]
rate class [<rate class key> | all] ceiling [show]
rate class [<rate class key> | all] direction [show]
rate class [<rate class key> | all] drop policy [show]
rate class [<rate class key> | all] name [show]
rate class [<rate class key> | all] parent [show]
rate class [<rate class key> | all] percent ceil [show]
rate class [<rate class key> | all] percent rate [show]
rate class [<rate class key> | all] rate [show]
rate class [<rate class key> | all] shaping policy [show]
rate class [<rate class key> | all] stats [show]
rate class [<rate class key> | all] type [show]

Chapter 5
Delete
rate class (<rate class key> | all) delete
Description
A rate class is a rate-shaping policy that you assign to a type of traffic, such
as Layer 3 traffic that specifies a certain source, destination, or service. More
specifically, a rate class defines the number of bits per second that the system
allows per connection, and it also defines the number of packets in a queue.
You configure rate shaping by creating a rate class and then assigning the
rate class to a packet filter, a virtual server, or from within an iRule.
Examples
Creates the rate class myRTclass with a rate of 500 Mbps:
rate class myRTclass { rate 500M }
Deletes the rate class myRTclass:

rate class myRTclass delete
Options
You can use these options with the rate class command:
◆ burst
beyond the specified rate. You can configure the rate in kilobits per
(Gbps).
◆ ceiling
Specifies how far beyond the value of the rate class that traffic can flow
when bursting. This number sets an absolute limit. No traffic can exceed
this rate. You can configure the rate in bits per second (bps), kilobits per
(Gbps).
◆ direction
Specifies the direction of traffic to which the rate class is applied.
Possible values are any, to client, and to server.
◆ drop policy
Specifies the drop policy for this rate class, which tells the system when
and how to drop packets, if required, when the traffic handling queue is
full. The available pre-configured policies are red (randomly drops
packets), fred (drops packets according to the type of traffic in the flow),
and tail (drops the end of the traffic stream). The default value is tail.
You can create a customized drop policy using the command drop
policy. If you specify a custom shaping policy, the drop policy specified
in the shaping policy takes precedence and changes this value to conform.
5 - 32
◆ name
Specifies the name of this rate class.
◆ parent
Associates this class with another class. The class you are configuring
can borrow any unused bandwidth from the parent class' ceiling, thereby
supplementing the rate of the child class. Note that borrowing bandwidth
affects the rate, ceiling, and queuing method. The default value is none.
◆ percent ceil
class that is available for this rate class. The default value is 0 (zero),
which indicates that the system uses the value of the ceiling option.
◆ percent rate
the associated parent class that is available for this rate class. The default
value is 0 (zero), which indicates that the system uses the value of the
rate option.
◆ rate
Specifies the maximum throughput rate allowed for traffic handled by
the rate class. Packets that exceed the specified number are dropped. This
feature is required. You can configure the rate in bits per second (bps),
kilobits per second (Kbps), megabits per second (Mbps), or gigabits per
second (Gbps).
◆ shaping policy
Specifies the name of a shaping policy that includes customized values
for drop policy and queuing method. The system automatically changes
the values for percent ceil, drop policy, burst, type, and percent rate
options of this class to match the values in the specified shaping policy.
◆ type
Specifies the queuing method. The pre-configured options are sfq and
pfifo.
• sfq
method using the command shaping queue.

Chapter 5
• pfifo
See also
packet filter(1), shaping policy(1), drop policy(1), shaping queue(1),
bigpipe(1)
5 - 34
shaping policy
Configures rate class parameters for handling specific traffic flows.
Syntax
Use this command to customize the parameters for a rate class.
Note
This command is intended only for expert users. Changing these parameters
could have an unintended negative impact on traffic shaping. We
recommend using the command rate class in most situations.
Create/Modify
shaping policy <shaping policy key> {}
shaping policy (<shaping policy key> | all) [{] <shaping policy
arg list> [}]
<shaping policy key> ::=
<name>
<shaping policy arg> ::=
burst <number>
name <name>
queue (<shaping queue key> | none)
Display
shaping policy [<shaping policy key> | all] [show [all]]
shaping policy [<shaping policy key> | all] list [all]
shaping policy (<shaping policy key> | all) burst [show]
shaping policy (<shaping policy key> | all) drop policy [show]
shaping policy (<shaping policy key> | all) name [show]
shaping policy (<shaping policy key> | all) percent ceil [show]
shaping policy (<shaping policy key> | all) percent rate [show]
shaping policy (<shaping policy key> | all) queue [show]
Delete
shaping policy (<shaping policy key> | all) delete

Chapter 5
Description
A shaping policy specifies settings customized for a particular type of
traffic. Settings can include drop policy and queue type. You can use the
commands shaping queue and drop policy together with the command
shaping policy to build a custom rate class.
Examples
Creates a shaping policy called custom that uses a drop policy called
tunedfred (created using the command drop policy) with a queue called
customsfq (created using the command shaping queue):
shaping policy custom drop policy tunedfred queue customsfq
Options
You can use these options with the shaping policy command:
◆ burst
beyond the rate.
◆ drop policy
Specifies the drop policy for this traffic flow, which tells the system
when and how to drop packets, if required, when the traffic handling
queue is full. The available settings are tail (drops the end of the traffic
stream), red (randomly drops packets), and fred (drops packets
according to the type of traffic in the flow). The default value is tail. You
can create a customized drop policy using the command drop policy.
◆ name
Specifies a name for the shaping policy. Use this name in the command
rate class.
◆ percent ceil
class that is available for the rate class with which this shaping policy is
associated. The default value is 0 (zero).
◆ percent rate
the associated parent class in the command rate class that is available for
this traffic flow.
◆ queue
Specifies the queuing method for this traffic flow. Available pre-defined
settings are pfifo (Priority First in, First out), sfq (Stochastic Fair Queuing),
and none. The default value is none. You can create a customized queuing
method using the command shaping queue. You cannot use a shaping
policy with the queue value none in the command rate class.
5 - 36
See also
rate class(1), shaping queue(1), drop policy(1), bigpipe(1)

Chapter 5
shaping queue
Configures a queuing method that can be applied to rate shaping policies.
Syntax
Use this command to create, modify, display, or delete a queuing method.
Note
This command is intended only for expert users. Changing these parameters
could have an unintended negative impact on traffic shaping. We
recommend using the command rate class in most situations.
Create/Modify
shaping queue <shaping queue key> {}
shaping queue (<shaping queue key> | all) [{] <shaping queue arg
list> [}]
<shaping queue key> ::=
<name>
<shaping queue arg> ::=
name <name>
pfifo max size <number>
pfifo min size <number>
sfq bucket count <number>
sfq bucket size <number>
sfq perturbation <number>
type (none | sfq | pfifo | drr)
Display
shaping queue [<shaping queue key> | all] [show [all]]
shaping queue [<shaping queue key> | all] list [all]
shaping queue (<shaping queue key> | all) name [show]
shaping queue (<shaping queue key> | all) pfifo max size [show]
shaping queue (<shaping queue key> | all) pfifo min size [show]
shaping queue (<shaping queue key> | all) sfq bucket count [show]
shaping queue (<shaping queue key> | all) sfq bucket size [show]
shaping queue (<shaping queue key> | all) sfq perturbation [show]
shaping queue (<shaping queue key> | all) type [show]
Delete
shaping queue (<shaping queue key> | all) delete
5 - 38
Description
The queuing method determines how the rate class handles traffic.
Examples
Creates the shaping queue customsfq that uses Stochastic Fair Queuing with
a perturbation value of 10:
shaping queue customsfq type sfq sfq perturbation 10
Options
You can use these options with the shaping queue command:
◆ name
Specifies a name for the custom queue. Use this name in the command
shaping policy or rate class.
◆ pfifo max size
Specifies the size in kilobytes (k) or megabytes (m) of the largest queue
for the pfifo type only.
◆ pfifo min size
Specifies the size in kilobytes (k) or megabytes (m) of the smallest queue
for the pfifo type only.
◆ sfq bucket count
Specifies the number of buckets in kilobytes (k) or megabytes (m) into
which the queue is divided when you are configuring the sfq type. Valid
values are 0, 16, 32, 64, 128, 256, 512, and 1024.
◆ sfq bucket size
Specifies the bucket size in kilobytes (k) or megabytes (m) for the sfq
type.
◆ sfq perturbation
Specifies the interval in seconds at which the system reconfigures the
SFQ hash function. This option applies only to the sfq type.
◆ type
Specifies the queuing method this custom queue uses. The available
values are none, sfq, and pfifo.
• sfq
method using the command shaping queue.

Chapter 5
• pfifo
See also
rate class(1), drop policy(1), shaping policy(1), bigpipe(1)
5 - 40
wccp
Configures Web Cache Communication Protocol (WCCP) services.
Syntax
Use this command to create, display, modify, or delete WCCP services.
Create/Modify
wccp <wccp key> {}
wccp (<wccp key> | all) [{] <wccp arg list> [}]
<wccp key> ::=
<name>
<wccp arg> ::=
services (<wccp service list> | none) [add | delete]
wccp name <name>
<wccp service> ::= (<wccp service key> | all) [{] <wccp service arg list> [}]
<wccp service key> ::=
<number>
<wccp service arg> ::=
egress method (negotiated | ip forwarding)
hash fields [destip] [destport] [srcip] [srcport] | none
password (<string> | none)
port (<number list> | none) [add | delete]
port type (none | dest | source)
priority <number>
protocol <protocol>
redirection (gre | l2)
return (gre | l2)
routers (<ip addr list> | none) [add | delete]
traffic assign (hash | mask)
tunnel local addr (<ip addr> | none)
tunnel remote addr (<ip addr> | none) [add | delete]
weight <number>
Display
wccp [<wccp key> | all] [show [all]]
wccp [<wccp key> | all] list [all]
wccp [<wccp key> | all] cache timeout [show]
wccp [<wccp key> | all] services [<wccp service key> | all] [show [all]]
wccp [<wccp key> | all] services [<wccp service key> | all] egress method [show]
wccp [<wccp key> | all] services [<wccp service key> | all] hash fields [show]

Chapter 5
wccp [<wccp key> | all] services [<wccp service key> | all] password [show]
wccp [<wccp key> | all] services [<wccp service key> | all] port [show]
wccp [<wccp key> | all] services [<wccp service key> | all] port type [show]
wccp [<wccp key> | all] services [<wccp service key> | all] priority [show]
wccp [<wccp key> | all] services [<wccp service key> | all] protocol [show]
wccp [<wccp key> | all] services [<wccp service key> | all] redirection [show]
wccp [<wccp key> | all] services [<wccp service key> | all] return [show]
wccp [<wccp key> | all] services [<wccp service key> | all] routers [show]
wccp [<wccp key> | all] services [<wccp service key> | all] traffic assign [show]
wccp [<wccp key> | all] services [<wccp service key> | all] tunnel local addr [show]
wccp [<wccp key> | all] services [<wccp service key> | all] tunnel remote addr [show]
wccp [<wccp key> | all] services [<wccp service key> | all] wccp name [show]
wccp [<wccp key> | all] services [<wccp service key> | all] weight [show]
Delete
wccp (<wccp key> | all) delete
Description
The wccp command enables you to create WCCP services and groups of
services, or to display, modify, or delete existing WCCP services and
groups.
Examples
Displays all wccp services on the system:
wccp all show
Options
You can use these options with the wccp command:
◆ cache timeout
Specifies the frequency of control messages between the system and the
router. The range is from 1 to 10 seconds.
◆ egress method
Specifies how the return method is determined. The default value is
negotiated. Options are:
• negotiated
Specifies that the system negotiates with the router regarding the
return method for optimized traffic, depending on whether the router
can support the method specified for the option return.
• ip forwarding
Specifies that the system forwards optimized traffic normally (without
tunneling), regardless of the value specified for the option return.
5 - 42
◆ hash fields
Specifies which traffic attributes the router should use to determine
which BIG-IP system it should forward traffic to for load balancing. You
can specify the following options: destination IP address (destip),
destination port (destport), source IP address (srcip), and/or source port
(srcport).
◆ name
Specifies the name of a WCCP service group.
◆ password
Specifies a password or none.
◆ port
Specifies one or more ports (up to 8) for which traffic is redirected.
◆ port type
Specifies whether the WCCP interception of traffic is based on the
destination port (dest) or source port (source), or is not specified (none).
The default value is none.
◆ priority
Specifies the precedence of the service group relative to the other service
groups. The range is from 1 to 255.
◆ protocol
Specifies the network protocol used to redirect traffic: TCP or UCP.
The default value is tcp.
◆ redirection
Specifies the method the router uses to redirect traffic: GRE or L2. The
default value is gre.
◆ return
Specifies the method used to return passthrough traffic to the router;
GRE or L2. The default value is gre.
◆ routers
Specifies the IP addresses of the WCCP-enabled routers that redirect
traffic.
◆ traffic assign
Specifies whether load balancing is achieved by a hash algorithm or a
mask. If you specify hash, specify one or more attributes using the
option hash fields.
◆ tunnel local addr
Specifies an IP address on the BIG-IP system to which the
WCCP-enabled routers should redirect traffic. Specify a self IP address
of an external VLAN on the BIG-IP system.
◆ tunnel remote addr
Specifies the Router Identifier IP address of the router that redirects
traffic.
◆ WCCP service
Specifies a group number between 51 and 255. Numbers between 0 and
50 are reserved and cannot be used.

Chapter 5
◆ weight
Specifies the relative importance of this traffic in a load balancing
environment. The range is from 1 to 100.
See also
bigpipe(1)
5 - 44
Glossary
Glossary
administrative partition
An administrative partition is a logical container that you create, containing
a defined set of BIG-IP® system objects, such as virtual servers, pools, and
profiles. See also pool, profile, and virtual server.
allow list
An allow list displays which service and protocol ports allow connections
from outside the system.
ARP (Address Resolution Protocol)

ARP is an industry-standard protocol that determines a host’s Media Access
Control (MAC) address based on its IP address.
authentication
Authentication is the process of verifying a user’s identity when the user is
attempting to log on to a system.
authentication profile
An authentication profile is a configuration tool that you use to implement a
PAM authentication module. Types of authentication modules that you can
implement with an authentication profile are: LDAP, RADIUS, TACACS+,
SSL Client Certificate LDAP, and OCSP. See also profile.
bigdb
Every BIG-IP system includes a bigdb database. The bigdb database holds a
set of bigdb database variables, which define the behavior of various aspects
of the BIG-IP system.
bigpipe
The BIG-IP system includes a command line tool known as the bigpipe
utility. It consists of an extensive set of commands that you can use to
manage the BIG-IP system.
bigtop
The bigtop utility is a statistical monitoring utility that ships on the BIG-IP
system. This utility provides real-time statistical information.
CA (certificate authority)
A CA is an external, trusted organization that issues a signed digital
certificate to a requesting computer system for use as a credential to obtain
authentication for SSL network traffic. See also certificate.
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication. See also CA
(certificate authority).
Bigpipe Utility Reference Guide Glossary - 1

Glossary
certificate verification
Certificate verification is the part of an SSL handshake that verifies that a
client’s SSL credentials have been signed by a trusted certificate authority.
See also certificate.
class
A class is a list of data that you define and use with iRules™ operators.
Internal classes are stored in the bigip.conf file. External classes are stored
in external files that you define.
client-side SSL profile

A client-side SSL profile is an SSL profile that controls the behavior of SSL
traffic going from a client system to the BIG-IP system. See also profile.
clone pool
A clone pool replicates all traffic coming into it and sends that traffic to a
duplicate pool. See also pool.
configuration object
A configuration object is a user-created object that the BIG-IP system uses
to implement a PAM authentication module. There is one type of
configuration object for each type of authentication module that you create.
Configuration utility
The Configuration utility is the browser-based application that you use to
configure the BIG-IP system.
connection persistence
Connection persistence is an optimization technique whereby a network
connection is intentionally kept open for the purpose of reducing
handshaking.
cookie persistence
Cookie persistence is a mode of persistence where the BIG-IP system stores
persistent connection information in a cookie.
CRL (certificate revocation list)

A CRL is a list that an authenticating system checks to see if the SSL
certificate that the requesting system presents for authentication has been
revoked. See also certificate.
CRLDP (Certificate Revocation List Distribution Point)

A CRLDP authentication module is a mechanism for handling certificate
revocations on a network, for client connections passing through the BIG-IP
system.
Glossary - 2
Glossary
current partition
When a user logs in, the system determines the default current partition
(usually the Common partition) based on the user’s account. If the user’s
account grants permission to access more than one partition, the user can
change the current partition, and can also change the default current
partition. See also administrative partition.
custom monitor
A custom monitor is a user-created monitor. See also monitor.
custom profile
A custom profile is a profile that you create. A custom profile can inherit its
default settings from a parent profile that you specify. See also profile.
default-deny policy
A default-deny policy restricts all network traffic unless it is explicitly
permitted.
failover
Failover is the process whereby a standby unit in a redundant system
configuration takes over when a software failure or a hardware failure is
detected on the active unit. See also redundant system configuration.
floating IP address
An IP address assigned to a VLAN and shared between two computer
systems is known as a floating IP address. See also VLAN (virtual local area
network).
hash persistence
Hash persistence allows you to create a persistence hash based on an
existing iRule. See also iRules.
health monitor
A health monitor checks a node to see if it is up and functioning for a given
service. If the node fails the check, it is marked down. Different monitors
exist for checking different services. See also monitor.
host
A host is a virtual server that represents a specific site, such as an Internet
web site or an FTP site, and it load balances traffic targeted to content
servers that are members of a pool. See also virtual server and pool.
HTTP header transformation

When the BIG-IP system performs an HTTP transformation, the system
manipulates the Connection header of a server-side HTTP request, to ensure
that the connection stays open.

Glossary
HTTP redirect
An HTTP redirect sends an HTTP 302 Object Found message to clients.
You can configure a pool with an HTTP redirect to send clients to another
node or virtual server if the members of the pool are marked down. See also
virtual server and pool.
ICMP (Internet Control Message Protocol)

ICMP is an Internet communications protocol used to determine information
about routes to destination addresses.
interface
An interface is a physical port on a BIG-IP system.
internal VLAN
The internal VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports open. In a normal
configuration, this is a network interface that handles connections from
internal servers. See also VLAN (virtual local area network).
iRules
iRules™ are user-written scripts that control the behavior of a connection
passing through the BIG-IP system. iRules are an F5 Networks feature and
are frequently used to direct certain connections to a non-default load
balancing pool. However, iRules can perform other tasks, such as
implementing secure network address translation and enabling session
persistence.
LACP (Link Aggregation Control Protocol)

LACP is an industry-standard protocol that aggregates links in a trunk, to
increase bandwith and provide for link failover.
last hop
A last hop is the final hop a connection takes to get to the BIG-IP system.
You can allow the BIG-IP system to determine the last hop automatically to
send packets back to the device from which they originated. You can also
specify the last hop manually by making it a member of a last hop pool. See
also pool.
Layer 1 through Layer 7

Layers 1 through 7 refer to the seven layers of the Open System
Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer,
Layer 3 represents the IP layer, and Layer 4 represents the transport layer
(TCP and UDP). Layer 7 represents the application layer, handling traffic
such as HTTP and SSL.
Glossary - 4
Glossary
LDAP (Lightweight Directory Access Protocol)

LDAP is an Internet protocol that email programs use to look up contact
information from a server.
LDAP authentication module

An LDAP authentication module is a user-created module that you
implement on an BIG-IP system to authenticate client traffic using a remote
LDAP server. See also LDAP (Lightweight Directory Access Protocol).
link aggregation
The main objective of link aggregation is to provide increased bandwith at a
lower cost, without having to upgrade hardware. The bandwidth of the
aggregated trunk is the sum of the capacity of individual member links.
Thus it provides an option for linearly incremental bandwith as opposed to
bandwith options available through physical layer technology. The traffic
management system supports link aggregation control protocol (LACP). See
also LACP (Link Aggregation Control Protocol).
load balancing method

A load balancing method is a method of determining how to distribute
connections across a load balancing pool. See also pool.
local traffic management

Local traffic management is the process of managing network traffic that
comes into or goes out of a local area network (LAN), including an intranet.
MAC (Media Access Control)

MAC is a protocol that defines the way workstations gain access to
transmission media, and is most widely used in reference to LANs. For
IEEE LANs, the MAC layer is the lower sublayer of the data link layer
protocol.
MAC address
A MAC address is used to represent hardware devices on an Ethernet
network. See also MAC (Media Access Control).
management interface
The management interface is a special port on the BIG-IP system, used for
managing administrative traffic. Named MGMT, the management interface
does not forward user application traffic, such as traffic slated for load
balancing.
management route
A management route is a route that forwards traffic through the special
management (MGMT) interface. See also management interface.

Glossary
MCPD (Master Control Program Daemon) service

The MCPD service manages the configuration data on a BIG-IP system.
MGMT
See management interface.
monitor
The BIG-IP system uses monitors to determine whether nodes are up or
down. There are several different types of monitors, and they use various
methods to determine the status of a server or service.
monitor association
A monitor association is an association that a user makes between a health
or performance monitor and a pool, pool member, or node. See also
monitor.
NAT (Network Address Translation)

A NAT is an alias IP address that identifies a specific node managed by the
BIG-IP system to the external network.
network virtual server

A network virtual server is a virtual server whose IP address has no bits set
in the host portion of the IP address (that is, the host portion of its IP address
is 0). There are two kinds of network virtual servers: those that direct client
traffic based on a range of destination IP addresses, and those that direct
client traffic based on specific destination IP addresses that the BIG-IP
system does not recognize. See also virtual server.
node address
A node address is the IP address associated with one or more nodes. This IP
address can be the real IP address of a network server, or it can be an alias IP
address on a network server.
non-terminated SSL session

A non-terminated SSL session is a session in which the system does not
perform the tasks of SSL certificate authentication, encryption and
re-encryption. See also SSL (Secure Sockets Layer).
OCSP (Online Certificate Status Protocol)

Online Certificate Status Protocol (OCSP) is a protocol that authenticating
systems can use to check on the revocation status of digitally-signed SSL
certificates. The use of OCSP is an alternative to the use of a CRL. See also
CRL (certificate revocation list).
Glossary - 6
Glossary
OCSP responder
An OCSP responder is an external server used for communicating SSL
certificate revocation status to an authentication server such as the BIG-IP
system. See also OCSP (Online Certificate Status Protocol).
OneConnect
The F5 Networks OneConnect™ feature optimizes the use of network
connections by keeping server-side connections open and pooling them for
reuse.
packet rate
The packet rate is the number of data packets per second processed by a
server.
PAM (pluggable authentication module)

A pluggable authentication module is a mechanism that integrates multiple
low-level authentication schemes into a high-level application programming
interface.
partition
See administrative partition.
persistence profile
A persistence profile is a pre-configured object that automatically enables
persistence when you assign the profile to a virtual server. See also profile.
pool
A pool is composed of a group of network devices (called members). The
BIG-IP system load balances requests to the nodes within a pool based on
the load balancing method and persistence method you choose when you
create the pool or edit its properties.
pool member
A pool member is a server that is a member of a load balancing pool. See
also pool.
pre-configured monitor
A pre-configured monitor is a monitor that the BIG-IP system provides. See
also monitor.
profile
A profile is a configuration tool containing settings for defining the behavior
of network traffic. The BIG-IP system contains profiles for managing
FastL4, HTTP, TCP, FTP, SSL, and RTSP traffic, as well as for
implementing persistence and application authentication.

Glossary
profile setting
A profile setting is a configuration attribute within a profile that has a value
associated with it. You can configure a profile setting to customize the way
that the BIG-IP system manages a type of traffic. See also profile.
QoS (Quality of Service) level

The QoS level is a means by which network equipment can identify and
treat traffic differently based on an identifier. Essentially, the QoS level
specified in a packet enforces a throughput policy for that packet. See also
ToS (Type of Service) level.
rate class
A rate class determines the volume of traffic allowed through a rate filter.
rate shaping
Rate shaping is a type of extended IP filter. Rate shaping uses the same IP
filter method but applies a rate class, which determines the volume of
network traffic allowed.
redundant system configuration

A redundant system configuration is a pair of units that are configured for
failover. In a redundant system configuration, there are two units, one
running as the active unit and one running as the standby unit. If the active
unit fails, the standby unit takes over and manages connection requests.
self IP address
A self IP address is an IP address that is assigned to the system. Self IP
addresses are part of the base configuration. You must define at least one
self IP address for each VLAN.
SIP (Session Initiation Protocol) persistence

SIP persistence is a type of persistence used for servers that receive Session
Initiation Protocol (SIP) messages sent through UDP. SIP is a protocol that
enables real-time messaging, voice, data, and video.
SNAT (Secure Network Address Translation)

A SNAT is a feature you can configure on the BIG-IP system. A SNAT
defines a routable alias IP address that one or more nodes can use as a
source IP address when making connections to hosts on the external
network.
SNAT pool
A SNAT pool is a pool of translation addresses that you can map to one or
more original IP addresses. Translation addresses in a SNAT pool are not
self-IP addresses. See also pool.
Glossary - 8
Glossary
SSH (Secure Shell)

SSH is a protocol for secure remote logon and other secure network services
over a non-secure network.
SSL (Secure Sockets Layer)

Secure Sockets Layer (SSL) is a network communications protocol that uses
public-key technology as a way to transmit data in a secure manner.
SSL persistence
SSL persistence is a type of persistence that tracks non-terminated SSL
sessions, using the SSL session ID. See also SSL (Secure Sockets Layer).
SSL profile
An SSL profile is a configuration tool that you use to terminate and initiate
SSL connections from clients and servers. See also SSL (Secure Sockets
Layer) and profile.
STP (Spanning Tree Protocol)

Defined by IEEE, STP is a protocol that provides loop resolution in
configurations where one or more external switches are connected in
parallel with the BIG-IP system.
TACACS (Terminal Access Controller Access Control System)

TACACS is an older authentication protocol common to UNIX systems.
TACACS allows a remote access server to forward a user’s logon password
to an authentication server. See also TACACS+.
TACACS+
TACACS+ is an authentication mechanism designed as a replacement for
the older TACACS protocol. There is little similarity between the two
protocols, however, and they are therefore not compatible. See also
TACACS (Terminal Access Controller Access Control System).
Tcl (Tools Command Language)

Tcl is an industry-standard scripting language. On the BIG-IP system, users
use Tcl to write iRules. See also iRules.
TMM (Traffic Management Microkernel) service

The TMM service is the process running on the BIG-IP system that
performs most traffic management for the product.
ToS (Type of Service) level

The ToS level is another means, in addition to the QoS level, by which
network equipment can identify and treat traffic differently based on an
identifier. See also QoS (Quality of Service) level.

Glossary
trunking
Trunking is link aggregation that allows multiple physical links to be treated
as one logical link. The main objective of link aggregation is to provide
increased bandwidth at a lower cost, without having to upgrade hardware.
The bandwidth of the aggregated trunk is the sum of the capacity of
individual member links. Thus it provides an option for linearly incremental
bandwidth as opposed to bandwidth options available through physical layer
technology. The traffic management system supports LACP (Link
Aggregation Control Protocol).
trusted CA file
A trusted CA file is a file containing a list of certificate authorities that an
authenticating system can trust when processing client requests for
authentication. A trusted CA file resides on the authenticating system and is
used for authenticating SSL network traffic. See also CA (certificate
authority).
trusted MAC address

A trusted MAC address is a MAC address that passes MAC address-based
authentication. See also MAC address.
user role
A user role is a type and level of access that you assign to a BIG-IP system
user account. By assigning user roles, you can control the extent to which
BIG-IP system administrators can view or modify the BIG-IP system
configuration.
virtual address
A virtual address is an IP address associated with one or more virtual servers
managed by the BIG-IP system.
virtual server
A virtual server is a specific combination of virtual address and virtual port,
associated with a content site that is managed by an BIG-IP system or other
type of host server.
VLAN (virtual local area network)

A virtual local area network (VLAN) is a logical grouping of interfaces
connected to network devices. You can use a VLAN to logically group
devices that are on different network segments. Devices within a VLAN use
Layer 2 networking to communicate and define a broadcast domain.
VLAN group
A VLAN group is a logical container that includes two or more distinct
VLANs. VLAN groups are intended for load balancing traffic in a Layer 2
network, when you want to minimize the reconfiguration of hosts on that
network. See also VLAN (virtual local area network).
Glossary - 10
Index
Index
A and command history 1-2

aaa active directory server command 3-2, 3-17 and escape feature 1-5
aaa ldap server command 3-5 and grep functionality 1-4
aaa radius server command 3-8, 3-11 and log file 1-2
access command 3-11 controlling 1-1
access policy item command 3-21 customizing 1-4
access session command 3-25 using 1-1
acl command 3-26, 3-30, 3-36 using command continuation 2-325
additional information bigpipe shell command 2-28
in bigpipe man pages 1-8 bigpipe shell prompt, customizing 1-4
in the Configuration Guide for the BIG-IP Access bigpipe utility
Policy Manager Module 3-1 defined 1-5
in the Configuration Guide for the BIG-IP WAN using man pages 1-8
Optimization Module 5-1 bigstart command 1-5
on Ask F5 1-8 bigtop utility
on Configuration utility Welcome screen 1-8 defined 1-5
on support.f5.com 1-8
agent aaa active directory command 3-32 C
agent aaa ldap command 3-38
class command 2-30
agent aaa radius command 3-42
cli audit command 1-3
agent decision box command 3-44
cli command 2-35
agent ending denied command 3-46
client rate class command 3-102
agent ending redirect command 3-48
client traffic classifier command 3-105
agent ending webtop command 3-50
cluster command 4-2
agent endpoint linus check file command 3-52
cluster synchronization 4-3
agent endpoint windows browser cache cleaner
command completion 1-3
command 3-55
command continuation 1-3, 2-325
agent endpoint windows check av command 3-58
command history 1-2
agent endpoint windows check file command 3-61
command line utilities and tools 1-5
agent endpoint windows check fw command 3-65
command syntax for bigpipe shell command, identifying
agent endpoint windows check process command 3-68
1-6
agent endpoint windows check registry command 3-71
config command 2-38
agent endpoint windows group policy 3-74
config utility, defined 1-5
agent endpoint windows info os command 3-76
configsync command 2-41
agent external logon page command 3-78
Configuration Guide for the BIG-IP Access Policy
agent logging command 3-81
Manager 3-1
agent logon page command 3-84
Configuration Guide for the BIG-IP WAN Optimization
agent message box command 3-86
Module 5-1
agent resource assign command 3-88
Configuration utility
agent traffic control command 3-91
about Welcome screen 1-8
agent variable assign command 3-93
conn command 2-44
agent vlan selection command 3-96
connectivity resource command 3-98
arp command 2-3
connectivity resource group command 3-108
auth crldp command 2-6
connectivity resource network access command 3-110
auth krbdelegate command 2-8
connectivity resource web application command 3-118
auth ldap command 2-10
crldp server command 2-46
auth radius command 2-15
customization group command 3-125
auth ssl cc ldap command 2-18
auth ssl ocsp command 2-23
auth tacacs command 2-25 D
daemon command 2-48
daemon command, on VIPRION systems 4-6
B
daemon mcpd command 2-51
bigpipe shell
daemon tmm command 2-53
and command completion 1-3
datastor command 5-2
and command continuation 1-3
db command 2-56
Bigpipe Utility Reference Guide Index - 1

Index
deduplication command 5-4 list command 2-99

dns command 2-58 load command 2-100
drop policy command 5-5 log file 1-2
logrotate command 2-103
ltm command 2-105
E
endpoint advertised route command 5-8
endpoint discovery command 5-10 M
endpoint local command 5-13 mac addr command 2-109
endpoint remote command 5-16 man pages
endpoint remote route command 5-20 about 1-8
escape feature, using in the bigpipe shell 1-5 accessing from shell prompt 1-8
exit command 1-1, 2-60 accessing from system prompt 1-8
export command 2-61 mcp command 2-110
memory command 2-111
merge command 2-112
F mgmt command 2-114
f5adduser command 2-63 mgmt route command 2-116
failover command 2-65 mirror command 2-118
failover command, on VIPRION systems 4-9 monitor command 2-120
fasthttp command 2-69
fastL4 command 2-70
fastl4 command 2-69 N
finding help 1-8 nat command 2-137
fipscardsync command 2-71 ndp command 2-140
fipsutil command 2-72 node command 2-142
formatting conventions 1-6 ntp command 2-145
ftp command 2-75
O
G ocsp responder command 2-147
gencert utility oneconnect command 2-152
defined 1-5 opening brace, using in command syntax 1-4
global command 2-76 openssl utility 1-6
grep functionality 1-4
P
H packet filter command 2-153
ha table command 2-77, 2-80 partition command 2-159
hardware command 2-82 password policy command 2-161
help command 2-83 persist command 2-164
help, finding 1-8 platform command 2-168
http command 2-84 pool command 2-170
httpd command 2-85 pool command, on VIPRION systems 4-14
profile access command 3-130
profile auth command 2-177
I profile certificate authority command 3-135
icmp command 2-89 profile cifs command 5-22
import command 2-90 profile clientssl command 2-182
interface command 2-92 profile command 2-176
ip addr command 2-97 profile diameter command 2-192
ip command 2-96 profile dns command 2-190
iRules profile fasthttp command 2-194
and Tcl commands 1-6 profile fastl4 command 2-199
profile ftp command 2-204
L profile http command 2-206
profile httpclass command 2-217
leasepool command 3-128
Index - 2
Index
profile isession command 5-25 T

profile mapi command 5-29 Tcl, defined 1-6
profile oneconnect command 2-220 tcp command 2-345
profile persist command 2-223 technical support 1-8
profile ppp command 3-138 tmm command 2-346
profile rewrite command 3-140 Tools Command Language 1-6
profile rtsp command 2-230 traffic class command 3-152
profile sctp command 2-233 trunk command 2-350
profile sip command 2-245
profile vpn command 3-142
pva command 2-264 U
udp command 2-353
unit command 2-354
Q user command 2-355
quit command 1-1
V
R version command 2-358
rate class command 5-31 VIPRION system, commands for configuring 4-1
remote users command 2-271 virtual address command 2-365
remoterole command 2-273 virtual command
route domain command 2-279 and command syntax 2-359
rtsp command 2-281 vlan command 2-368
vlan command, on VIPRION systems 4-33
S vlan gateway command 3-156
vlangroup command 2-372
save command 2-285
sctp command 2-287
shaping policy command 5-35 W
shaping queue command 5-38 WAN optimization 5-1
shell prompt, accessing man pages from 1-8 WAN Optimization Module, commands for configuring
SIP profile 2-245 5-1
snat command 2-294 wccp command 5-41
snat translation command 2-296 webtop command 3-158
snatpool command 2-298 Welcome screen, in the Configuration utility 1-8
snmpd command 2-300 wide area network optimization 5-1
software command 2-313 windows group policy command 3-160
software command, on VIPRION systems 4-23
sshd command 2-318
ssl command 2-322
sso config command 3-146
statemirror command 2-323
stop command 1-1, 2-325
stp command 2-326
stp instance command 2-329
stream command 2-333
style conventions 1-6
support, technical 1-8
sys-icheck command 2-334, 3-150
syslog command 2-336
sys-reset command 2-335, 3-151
system command 2-340
system command, on VIPRION systems 4-28
system prompt
accessing man pages from 1-8
identifying command syntax 1-6
Bigpipe Utility Reference Guide Index - 3

Index
Index - 4

Bigpipe Utility Reference Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bigpipe Utility Reference Guide

Uploaded by

Copyright:

Available Formats

Bigpipe Utility Reference Guide

Export Regulation Notice

Bigpipe Utility Reference Guide i

Bigpipe Utility Reference Guide v

hardware ........................................................................................................................................ 2-82

rate class ...................................................................................................................................... 2-267

Bigpipe Utility Reference Guide vii

agent ................................................................................................................................................ 3-30

pool ................................................................................................................................................. 4-14

Bigpipe Utility Reference Guide ix

• About the bigpipe utility

• Technical support resources

About the bigpipe utility

About the bigpipe shell

Bigpipe Utility Reference Guide 1-1

The bigpipe shell command history feature

To access commands in the bigpipe history

The bigpipe shell audit feature

The bigpipe shell command completion feature

The bigpipe shell command continuation feature

Bigpipe Utility Reference Guide 1-3

grep functionality in the bigpipe shell

For more information about grep, see http://www.gnu.org/software/grep/.

Customizing the bigpipe shell

To customize the bigpipe shell prompt

the system changes the shell prompt to:

The bigpipe shell escape feature

Additional command line utilities and tools

Bigpipe Utility Reference Guide 1-5

Identifying references to objects, names, and commands

Identifying command syntax

Table 1.1 explains additional special conventions used in command line

Item in text Description

| Indicates a choice between options on either side of the pipe.

() Indicates that the syntax inside the parentheses is optional in tmsh.

... Indicates that you can type a series of items.

Table 1.1 Command line syntax conventions

Bigpipe Utility Reference Guide 1-7

Technical support resources

To access this site, you need to register at https://support.f5.com.

• Introduction to command syntax

• Alphabetical list of commands

Introduction to command syntax

The all keyword

Bigpipe Utility Reference Guide 2-1

Alphabetical list of commands

Bigpipe Utility Reference Guide 2-3

Displays dynamic ARP entries specific to route domain 0:

Displays dynamic ARP entries specific to route domain 1:

Displays dynamic ARP entries across all route domains:

Displays all dynamic ARP entries for the system:

Displays all static ARP entries for the system:

Displays the ARP entry for the IP address 10.10.10.20:

Deletes the ARP entry for the IP address 10.10.10.20:

Deletes all static ARP entries for the system:

Deletes all dynamic arp entries specific to route domain 0:

Deletes all dynamic arp entries specific to route domain 2:

Bigpipe Utility Reference Guide 2-5

auth crldp <auth crldp key> {}

Deletes the configuration object named my_auth_crldp:

Bigpipe Utility Reference Guide 2-7

auth krbdelegate <auth krbdelegate key> {}

Deletes the configuration object named my_auth_krbdelegate: