February 15, 2008
F5 commandline cheatsheet
Some of these commands reference existing VIPs; change the names to match your own environment.
# F5 – commandline hints
tmctl global_stats.memory_used
tmstat
# F5 – Full power cycle
To accomplish this, either power-cycle the system
or use the /usr/bin/full_box_reboot command
# F5 – 3DNS
x – 3dprint sum # to get information on the principal and other 3dns settings
# Boot CDROM on separate intel server to provide Network Install for F5 device
x – option 2 (setup server to provide network installation)
x – use defaults
– be sure to have bigip/3dns on connected to same vlan
x – enable net_reboot (b global net_reboot enable – may not be supported)
note: on 3dns you must reboot and, within 10 seconds, push the "network" pin on the front panel
x – reboot and connect to network boot server
x – login (root/default)
x – run setup
# F5 – BigIP
# Recover install to new server
x – power on
x – hook up console cable
x – login as root (password is default)
x – set date/time
x – set the passwords for root and admin
nx – run hostname and set new hostname
x – run config and setup mgmt NIC to arbitrary address
x – setup direct connection to mgt NIC and laptop (normal eth cable)
x – copy ucs file from backup on loghost1
x – copy hotfix Hotfix-BIG-IP-9.1.1-CR58090.im
x – if ucs file is zipped (has extension “.gz”) on loghost1, unzip it
x – run b config install
nx – run keyswap.sccp (to pass new keys with sccp)
nx root: default
nx admin: (?) need admin password to get into GUI
x – login and run get_dossier -b # reg_key found in /config/RegKey.license
x – go to F5 (http://license.f5.com) site and paste dossier to get new license
x – paste new license information into /config/bigip.license
x – reboot
x – connect with laptop (set a new IP on the laptop in the production mgmt network; run ifconfig eth0 on the bigip to get its IP/netmask).
x – run loaddb -local /config/BigDB.dat.cs
x – im Hotfix-BIG-IP-9.1.1-CR58090.im
x – b db Pva.Acceleration none
x – reboot
x – connect to gui (using admin because radius is unavailable) and see that all is good.
OR
x – manually get old config items
b vlan list | perl -ne 'chomp $_ unless (/}/); print;' | while read line; do echo b $line; done
b self list | perl -ne 'chomp $_ unless (/}/); print;' | while read line; do echo b $line; done
b mgmt route list | perl -ne 'chomp $_ unless (/}/); print;' | while read line; do echo b $line; done
b interface list | perl -ne 'chomp $_ unless (/}/); print;' | while read line; do echo b $line; done
b route list
b inter
# Get a command version for every command.
b list | perl -ne 'chomp; s/^}/ }\n/g; print;'
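Added example, not from the original cheatsheet: the one-liners above each hard-code one object type and repeat the perl join, and the first four stop at the first line containing a brace. The function below does the same job for any `b ... list` output piped into it, tracks brace depth so a nested block still comes out as one `b` command, and runs here against constructed sample output (the vlan names, tag numbers and self IP are made up).

```shell
#!/bin/sh
# Added example (not from the original page): turn multi-line
# "b <object> list" output back into one-line "b <object> ..." commands,
# the same idea as the perl one-liners above but in one reusable function.

# Constructed sample of what "b vlan list" / "b self list" print on a
# v9 unit. Names, tags and addresses are invented for the example.
SAMPLE_LIST='vlan external {
   tag 4093
   interfaces 1.1
}
vlan internal {
   tag 4094
   interfaces 1.2
}
self 192.0.2.10 {
   netmask 255.255.255.0
   vlan external
   allow default
}'

# join_blocks: read list output on stdin, collapse each object block onto
# one line (whitespace trimmed) and prefix it with "b". Brace depth is
# counted, so the block is only emitted when its outermost "}" closes.
join_blocks() {
    awk '
        {
            gsub(/^[ \t]+|[ \t]+$/, "")
            line = (line == "") ? $0 : line " " $0
            # gsub() returns the number of matches; replacing a brace with
            # itself counts it without altering the text.
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0 && line != "") { print "b " line; line = "" }
        }
    '
}

# count_commands: number of commands a list produces; a quick sanity check
# before running the generated file on a freshly built unit.
count_commands() {
    join_blocks | wc -l | tr -d ' '
}

# Usage on a real unit (commented out so the example runs stand-alone):
#   b vlan list | join_blocks >  /var/tmp/recover.sh
#   b self list | join_blocks >> /var/tmp/recover.sh
#   review /var/tmp/recover.sh, then: sh /var/tmp/recover.sh
printf '%s\n' "$SAMPLE_LIST" | join_blocks
```

Review the generated file before running it: `b list` output can include objects you do not want re-created on the new unit (old self IPs, stale routes), and the order matters (vlans before self IPs).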
Notes:
x – console is disabled on reboot unless you have a serial cable connected
– you can override this by editing /etc/ttys and changing the tty00 line to:
tty00 "/usr/libexec/getty pccons" vt100 on secure
# To verify Certs
/usr/bin/openssl x509 -enddate -noout -in /config/ssl/ssl.crt/.crt
# To decrypt a capture on the ssl port with the server key, use ssldump. This only works for RSA key exchange suites (DHE sessions cannot be decrypted with the server key). If the key file is passphrase-protected add -p <passphrase>; -p takes an argument, so it must not be followed directly by the filter.
ssldump -i vl_140 -Aedn -N -k /config/ssl/ssl.key/webconnect.abc.com.key host x.x.x.x and host x.x.x.x
# To get information on wideip pool members status
3dpipe wideip cvpn.abc.com pool cvpn-pool virtual show
# Email support call to support@f5.com
# tech@f5.com, devcentral@f5.com
# Problems (tcpdumps; remember to be quick about it and capture while the problem is happening)
# tcpdump -ni <iface> -c <count> -s 1600 -X -w /var/tmp/<name>.dmp
tcpdump -ni external -c 500 -s 1600 -X -w /var/tmp/external.dmp
tcpdump -ni internal -c 500 -s 1600 -X -w /var/tmp/internal.dmp
tcpdump -ni int-server -c 500 -s 1600 -X -w /var/tmp/int-server.dmp
top -n5 -b >/var/tmp/top.dmp
qkview
# Logfiles
/var/log/bigip.log
/var/log/messages.log
/var/log/bigd.log
# Cheat commandline items
bigtop -once
b virtual
b node
b pool
qkview (to gather stats)
b ha table show # show high avail settings
# RamCache
# ram cache setting notes:
# Age Rate 0-10: Effective Age Time (in minutes) = (#mins)(2^age_rate)
#   e.g. age rate 2 after 3 minutes: (3)(2^2) = 12 minutes
# to list ram cache
b profile http all ramcache dump
b profile http http-canadatest ramcache dump
b profile http http-canadatest ramcache uri asp dump
# to clear ram cache entry
b profile http all ramcache reset
b profile http http-canadatest ramcache reset
b profile http http-canadatest ramcache uri /ca/images/find.gif host canadacert.abc.com reset
**********
HTTP/HTTPS
**********
HTTP – pool
===========
b pool xx-80 { monitor all tcp member xx:http }
HTTP – virtual
==============
b virtual vs_199.41.238.xx-80 { destination 199.41.238.xx:http snat automap ip protocol tcp profile http oneconnect tcp pool xx-80 }
HTTP to HTTPS – virtual
=======================
b virtual vs_xx-80 { destination xx:http snat automap ip protocol tcp profile http tcp pool pl_dummy-for-irule rule ir-redir_HTTP-to-HTTPS }
HTTPS – profile
=============
b profile clientssl pr-sslcli_xx.abc.com { defaults from clientssl key \"xx.abc.com.key\" cert \"xx.abc.com.crt\" }
HTTPS – virtual
===============
b virtual vs_x.x.x.x-443 { destination x.x.x.x:https snat automap ip protocol tcp profile http oneconnect pr-sslcli_xx.abc.com tcp pool pl_xx.abc.com-80 }
***
FTP
***
FTP – pool
==========
# for external
b pool pl_xx.abc.com-21 { monitor all tcp_half_open member x.x.x.x:ftp }
# for internal
b pool pl_xx.abc.com-21 { member x.x.x.x:ftp }
FTP – virtual
==========
# for external
b virtual vs_x.x.x.x-21 { destination x.x.x.x:ftp ip protocol tcp profile ftp tcp pool pl_xx.abc.com-21 rule ir-snat_abcNets }
# for internal
b virtual vs_x.x.x.x-21 { destination x.x.x.x:ftp snat automap ip protocol tcp profile ftp tcp pool pl_xx.abc.com-21 }
******
RADIUS
******
Monitor Radius (udp)
==============
# note: the monitor's password and secret are stored in bigip.conf (and in every ucs archive), so use a dedicated low-privilege test account for the monitor
b monitor udp_1645 { defaults from radius interval 30 timeout 91 debug \"no\" password \"abc123\" secret \"mybIgIp_forradius\" username \"bigip@local\" }
Pool Radius (udp)
===========
b pool pl_radius2-proxy.abc.com-1645 { monitor all udp_1645 member x.x.x.x:datametrics }
b pool pl_radius2-proxy.abc.com-1646 { monitor all udp member x.x.x.x:sa-msg-port }
Virtual Radius (udp)
==============
b virtual vs_x.x.x.x-1645 { destination x.x.x.x:datametrics ip protocol udp pool pl_radius2-proxy.abc.com-1645 }
b virtual vs_x.x.x.x-1646 { destination x.x.x.x:sa-msg-port ip protocol udp pool pl_radius2-proxy.abc.com-1646 }
Pool SMTP (tcp)
===========
b pool pl_abcsameday.abc.com-25 { monitor all tcp member x.x.x.x:25 member x.x.x.x:25 }
Virtual SMTP (tcp)
==============
b virtual vs_x.x.x.x-25 { destination x.x.x.x:25 ip protocol tcp profile tcp pool pl_abcsameday.abc.com-25 }
IRULES
======
Here is the iRule I was trying to implement.
when CLIENT_ACCEPTED {
if {[matchclass [IP::client_addr] equals $::dg_source]} {
forward
} else {
drop
}
}
Here is what I did to troubleshoot it. It basically echoes the result to
the logs. It was very helpful.
– Troubleshoot i-rule: place log local0. statements as shown below to output
information to the log.
when CLIENT_ACCEPTED {
log local0. "checking for address [IP::client_addr] in dg_source list"
if {[matchclass [IP::client_addr] equals $::dg_source]} {
log local0. "address [IP::client_addr] is being allowed through"
forward
} else {
log local0. "address [IP::client_addr] not valid, dropping connection"
drop
}
}
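Added example, my code rather than anything from the original post: once the troubleshooting rule above is logging, the usual next question is which source addresses are being dropped and how often. This script tallies the rule's own "is being allowed through" and "not valid, dropping connection" messages per client address. On a v9 unit `log local0.` messages land in /var/log/ltm; the sample lines are constructed to resemble that format (host name, tmm pid and message-id prefix are invented) and the rule name ir-acl is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the allow/drop
# messages written by the troubleshooting iRule above.

# Constructed sample log lines in the style of /var/log/ltm on a v9 unit.
# Host name, pid, message id and the rule name "ir-acl" are made up; the
# message text is exactly what the iRule above logs.
SAMPLE_LTM='Feb 15 10:01:02 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : checking for address 10.1.2.3 in dg_source list
Feb 15 10:01:02 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : address 10.1.2.3 is being allowed through
Feb 15 10:01:05 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : checking for address 192.0.2.44 in dg_source list
Feb 15 10:01:05 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : address 192.0.2.44 not valid, dropping connection
Feb 15 10:01:09 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : checking for address 192.0.2.44 in dg_source list
Feb 15 10:01:09 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : address 192.0.2.44 not valid, dropping connection
Feb 15 10:01:12 bigip1 tmm tmm[1587]: 01220002:6: Rule ir-acl : address 10.1.2.3 is being allowed through'

# irule_verdicts: read log lines on stdin and print one line per source
# address: "<allowed|dropped> <client_ip> <count>", highest count first.
# The IP is the token following the word "address" in the rule's message,
# so the "checking for address" lines are deliberately not counted.
irule_verdicts() {
    awk '
        / is being allowed through/ {
            for (i = 1; i <= NF; i++) if ($i == "address") allow[$(i+1)]++
        }
        / not valid, dropping connection/ {
            for (i = 1; i <= NF; i++) if ($i == "address") drop[$(i+1)]++
        }
        END {
            for (ip in allow) print "allowed", ip, allow[ip]
            for (ip in drop)  print "dropped", ip, drop[ip]
        }
    ' | sort -k3,3nr -k1,1
}

# dropped_sources: just the rejected addresses, one per line, e.g. to diff
# against what the dg_source data group is supposed to contain.
dropped_sources() {
    irule_verdicts | awk '$1 == "dropped" { print $2 }' | sort -u
}

# Usage on a unit:  irule_verdicts < /var/log/ltm
printf '%s\n' "$SAMPLE_LTM" | irule_verdicts
```

Leave the log statements in only while troubleshooting: every connection through the virtual writes two lines, which on a busy VIP fills /var/log quickly.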
# Sample i-rules
#
# Traffic sourced from port 8080 and 8081
# gets a new source address by way of
# Secure NAT (10.0.0.200)
#
rule i-SNAT {
when CLIENT_ACCEPTED {
if {[UDP::client_port] == 8080} {
snat 10.0.0.200
}
if {[UDP::client_port] == 8081} {
snat 10.0.0.200
}
}
}
#
# Good when you need to do troubleshooting.
# The arrows are not correct; that still needs
# some work. The arrows will all depend on where
# this i-rule is placed. Very handy when you need
# to know what i-rule traffic is hitting.
#
rule i-conns {
when CLIENT_ACCEPTED {
log local0. "Test1 - VN: [virtual name] CIP: [IP::client_addr]:[client_port]"
}
when SERVER_CONNECTED {
log local0. "Test1 - VN: [virtual name] SIP: [IP::server_addr]:[server_port] -> [client_addr]:[client_port]"
log local0. "Test2 - VN: [virtual name] CIP: [IP::client_addr]:[client_port] -> [server_addr]:[server_port]"
}
}
#
# Similar to the one above, but a Secure NAT is applied
# when the F5 receives syslog data (udp 514) from the network.
#
rule i-Syslog_515 {
when CLIENT_ACCEPTED {
if {[UDP::client_port] == 514} {
snat 10.0.1.95
}
}
when SERVER_CONNECTED {
log local0. "Test1 - VN: [virtual name] SIP: [IP::server_addr]:[server_port] -> [client_addr]:[client_port]"
log local0. "Test2 - VN: [virtual name] CIP: [IP::client_addr]:[client_port] -> [server_addr]:[server_port]"
}
}
# Scripts
#########
# to get virtual and pool information
#
b virtual pool | awk '/tas/ {print $3, $6}' | while read virt pool; do echo ===========; b virtual $virt list; b pool $pool list; done