
DIGITAL EDUCATION SERIES

JOB AID

Setting Up a Standalone BIG-IP System Using the Command Line Interface (CLI)

TABLE OF CONTENTS

Introduction
  Requirements for Initially Setting Up a Standalone BIG-IP System
  Sample Deployment Summary
Configure the Management Port
  Configure the Management Port IP Address and Netmask from the BIG-IP Console
License the BIG-IP System
  Generate Dossier and Activate License for the BIG-IP System
Provision BIG-IP Product Modules
  Provision BIG-IP Product Modules
Install a Device Certificate
  Install a Self-Signed Device Certificate and Key Pair
Confirm Platform and User Properties
  Update Administrative Credentials and Security Settings
  Configure Time Zone Settings
  Set the BIG-IP System Host Name
Configure the BIG-IP Network
  Configure the Internal (Server-Facing) Network
  Configure the External (Client-Facing) Network
  Configure the High Availability Network
  Confirm Network Configurations
Configure Device DNS Settings
  Define a DNS Lookup Server on the BIG-IP System
Configure NTP Servers
  Configure the BIG-IP to Synchronize Its Clock with an NTP Service
Configure High Availability Communication Settings
  Define the Self IP for ConfigSync Operations
  Define the Self IPs for Mirroring
  Define the Self IPs for Failover
Configure Basic Administrative Security Settings
  Update Idle Administrative Session Timeout Settings
  Disable Default Administrative User Accounts
  Configure Security Banners
  Restrict Administrative Access to the BIG-IP System
Wrap-Up

DIGITAL EDUCATION SERIES
BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM

SETTING UP A STANDALONE BIG-IP SYSTEM USING THE COMMAND LINE INTERFACE (CLI)

Introduction
This document walks you through an example of setting up a two-armed standard network configuration on a BIG-IP system, as summarized in the Sample Deployment Summary below. Although the steps were carried out on a BIG-IP appliance running software version 14.1, they are largely applicable to BIG-IP versions 11.4 and later.

Requirements for Initially Setting Up a Standalone BIG-IP System

If you are setting up a BIG-IP Virtual Edition, ensure that you have the base registration key for your BIG-IP system
available. The base registration key should be provided to you by email after you purchase the F5 product. If you
cannot locate your base registration key, please contact F5 Technical Support for assistance. If you are activating a
BIG-IP appliance or VIPRION, the base registration key is preinstalled in your system.

Sample Deployment Summary

• The management interface is configured on the 192.168/16 network, and SSH access is limited to clients on the 192.168/16 network. This document shows you how to configure the management interface using the config command from the command line. (The Setup utility version of this document shows you how to configure the management interface using the LCD panel on a BIG-IP hardware device.)


• VLAN external is client-facing, and includes hosts in the 10.10/16 network. The static self IP for this VLAN
is 10.10.2.31 and the floating self IP is 10.10.2.33.
• VLAN internal is server-facing, and includes hosts in the 172.16/16 network. The static self IP for this VLAN
is 172.16.2.31 and the floating self IP is 172.16.2.33.
• Most configuration steps in this document are performed from the command line, using the Traffic Management Shell (TMSH) and the bash shell. (The Setup utility version of this document shows you how to perform the same configuration steps using the Setup utility wizard, with references to the comparable Configuration utility pages.)

Configure the Management Port


Before you initially configure the BIG-IP system, you need to set up the management port with an IP address and netmask. In the example in this section, we configure the management port manually by connecting to the system console (the serial console of an appliance, or the virtual machine console in the hypervisor's management software for a Virtual Edition) and running the F5 Management Port Setup utility.

Configure the Management Port IP Address and Netmask from the BIG-IP
Console

1. Log in to the BIG-IP system's console as root with the default password, default. (Alternatively, connect over SSH to the default management IP address, 192.168.1.245.) On first login the system prompts you to change the root password; complete that before continuing.
2. After changing the root user’s password, start the F5 Management Port Setup utility:

[root@localhost:NO LICENSE:Standalone] config # config

3. On the Configuration Utility panel, select OK to begin the configuration process.


4. Select the appropriate IP family type for the address you will configure, either IPv4 or IPv6. In this example, we
are using an IPv4 address.

5. On the Configure IP Address panel, note the default settings for the IP address, netmask and default route.
You can configure your BIG-IP system’s management port manually or via DHCP. If connecting to the
management port at its default IP address, you may lose connectivity when performing this configuration step.
We recommend connecting to your BIG-IP system console instead. In this example, select No to configure the
management port manually.


6. Enter the appropriate IP address for the management port and select OK to continue.

7. On the Configure Netmask panel, enter the appropriate netmask value for the management port, then select
OK to continue.


8. The last step in the wizard is to confirm your settings. On the Confirm Configuration panel, select Yes to
confirm that the settings displayed are accurate.

9. Confirm that the new configuration was set correctly by listing the management IP address and mask.

[root@localhost:NO LICENSE:Standalone] config # tmsh list /sys management-ip
sys management-ip 192.168.2.31/16 {
    description configured-statically
}


10. The Management Route panel allows you to create a default route for the management port. A default route is
only required if you want to connect to the management port from another subnet. In this deployment, we are
not going to configure a default route, so select No to continue.


License the BIG-IP System


Licensing the BIG-IP system activates the software modules you have purchased. In the procedure below, you generate a dossier, submit it to the F5 license server to obtain a license, and then install the license on the BIG-IP system. (If the BIG-IP system itself can reach activate.f5.com, the SOAPLicenseClient --basekey <base-registration-key> command performs the same dossier exchange automatically.)

Generate Dossier and Activate License for the BIG-IP System

1. Open an SSH session to the new Management port IP address and log in as the root user.
2. To generate a dossier, run the command below, substituting A1234-56789-01234-12345-6789012 with your base registration key. The output appears similar to the example shown below; the sample dossier has been truncated for clarity.

[root@localhost:NO LICENSE:Standalone] config # get_dossier -b A1234-56789-01234-12345-6789012
bed67ebd2b812914f9791dcb1368ed8def454b157099b216695e447e0c810043ecffbe416
0011dc3ce1966e62f6af98459d9043d48fecc4fd6adc4ab2f212f5facc75e3af187e7bd85
5e1d6ab2ffd21335e8bdde1aee57b35c52e444d9c3480f52a4dec33fb2ce41e0cabdbfaa8
8e057a9c727243628b6d52d8ada28afe422a2197b156adf58fdede2cdc5851d16f65f19f8
0d78bf7d8fe6d508deded4f26870e821d3b4c66ae6e05d7acd2226acce6379de1356df83

3. Highlight and copy the dossier contents to your clipboard. Make sure that you copy the dossier text only and not
any part of the command you’ve just issued.
4. Open a secure browser session to the F5 Licensing Server at activate.f5.com. Follow the instructions provided
on the screen to generate and retrieve your BIG-IP license. Copy the entire license contents to your clipboard.
5. Open the /config/bigip.license file with the vi editor.

[root@localhost:NO LICENSE:Standalone] config # vi /config/bigip.license

6. Paste the license contents that you copied in the previous step and save the changes made to the file.
7. Activate the license by running the command below. When successfully activated, notice the prompt changes to
include the word Active to indicate that the license is now operational.

[root@localhost:NO LICENSE:Standalone] config # reloadlic
[root@localhost:Active:Standalone] config #


Provision BIG-IP Product Modules


Once your BIG-IP license is activated, you can select the software modules you want to run on your system and
allocate resources to them. In this example, you will provision the Local Traffic (LTM) and Application Security
(ASM) modules with Nominal resource allocations.

Provision BIG-IP Product Modules

The general command format for provisioning a software module on your BIG-IP system is shown below. Valid provisioning levels are none, minimum, nominal and dedicated; the level determines the share of CPU, memory and disk reserved for the module.

(tmos)# modify /sys provision <module> level <provisioning_level>

1. Use TMSH to provision the appropriate modules at the appropriate level. In this example, we are provisioning the Local Traffic Manager (LTM) and the Application Security Manager (ASM) modules as Nominal. Provisioning changes restart system services, so expect the BIG-IP system to be unavailable for a short time; on a production device, do this during a maintenance window.

(tmos)# modify /sys provision ltm level nominal
(tmos)# modify /sys provision asm level nominal

2. Verify that the provisioning configuration has been successfully changed by examining the current provisioning
settings. This example shows the ASM and LTM modules have been successfully provisioned.

(tmos)# list /sys provision


sys provision afm { }
sys provision am { }
sys provision apm { }
sys provision asm {
level nominal
}
sys provision avr { }
sys provision fps { }
sys provision gtm { }
sys provision ilx { }
sys provision lc { }
sys provision ltm {
level nominal
}

3. Save the running configuration to the stored configuration.

(tmos)# save /sys config


Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done


Install a Device Certificate


The BIG-IP system uses SSL device certificates and keys for inter-device communication and administrative HTTPS
connections to the Configuration utility. When creating a new BIG-IP device certificate, F5 recommends that you
specify unique and meaningful subject data in it for easy identification. Including accurate Country and Locality
information in your device certificate makes your BIG-IP certificate easy to distinguish in a BIG-IP DNS trusted
certificate store.
In this deployment, you will create a new BIG-IP x509 self-signed device certificate and key pair, and you will replace
its default attributes with relevant details.

Install a Self-Signed Device Certificate and Key Pair

The general command format for creating a new x509 BIG-IP self-signed certificate and key pair is shown below:

openssl req -x509 -nodes -days <# of days> -newkey rsa:<keysize> -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt

1. Back up the existing certificate and key first (for example, copy /config/httpd/conf/ssl.crt/server.crt and /config/httpd/conf/ssl.key/server.key to a safe location). The same device certificate anchors device trust, so on a system that already belongs to a device group, replacing it invalidates the existing trust and the trust must be re-established. At the bash prompt, enter the following command to create a new self-signed certificate and key pair:

# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt

Generating a 2048 bit RSA private key
...............................................+++++
........+++++
writing new private key to '/config/httpd/conf/ssl.key/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


2. Enter the certificate attributes (press Enter after each value):

Country Name (2 letter code) (XX): US
State or Province Name (full name) []: Washington
Locality Name (eg, city) (Default City): Seattle
Organization Name (eg, company) (Default Company Ltd): F5 Networks
Organizational Unit Name (eg, section) []: Global Services Technical Training
Common Name (eg, the name or your server's hostname): bigip2.f5trn.com
Email address: admin@f5trn.com

3. Restart the httpd daemon so that the Configuration utility presents the new certificate.

# bigstart restart httpd


Stopping httpd: [ OK ]
Starting httpd: [ OK ]

4. Confirm that the new certificate has been deployed. The sample output below has been truncated for space. Note that a certificate created this way carries the host name only in the Common Name; current browsers match the host name against the Subject Alternative Name extension, so they will report a name mismatch in addition to the untrusted-issuer warning that is expected for a self-signed certificate.

# openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12345678910111213141 (0x123a4bcd5fgh6ij7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Training, CN=bigip2.f5trn.com
        Validity
            Not Before: Dec 13 18:17:40 2016 GMT
            Not After : Dec 11 18:17:40 2026 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Training, CN=bigip2.f5trn.com
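The following script is an added example, not part of the F5 job aid. It generates the device certificate with the same subject as the procedure above but adds the subjectAltName that browsers and most TLS libraries actually match the host name against, sets a restrictive umask so the private key is created unreadable by other users, and then verifies the result the way a practitioner would after "bigstart restart httpd". It assumes OpenSSL 1.1.1 or later (for -addext); the 825-day lifetime and the scratch-directory argument are this example's choices, not F5 values.

```shell
#!/usr/bin/env bash
# Added example, not part of the F5 job aid: create the BIG-IP device
# certificate with a subjectAltName and verify it. Needs OpenSSL >= 1.1.1.
# The BIG-IP locations are /config/httpd/conf/ssl.key/server.key and
# /config/httpd/conf/ssl.crt/server.crt; the <dir> argument lets you write
# to a scratch directory first and copy the pair into place afterwards.

# make_device_cert <fqdn> <days> <dir>: write <dir>/server.key and <dir>/server.crt.
make_device_cert() {
    fqdn="$1"; days="$2"; dir="$3"
    mkdir -p "$dir"
    (   # subshell so the restrictive umask does not leak into the caller's shell
        umask 077   # the private key must not be readable by other users
        openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/C=US/ST=Washington/L=Seattle/O=F5 Networks/OU=Training/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn"
    )
}

# cert_san <crt>: print the Subject Alternative Name entries, e.g. "DNS:bigip2.f5trn.com".
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | awk '/Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# cert_outlasts <crt> <days>: exit 0 if the certificate is still valid <days> from now.
cert_outlasts() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# cert_check <crt> <fqdn>: exit 0 only if the SAN names <fqdn> and the certificate
# is valid today; run this against the installed file after restarting httpd.
cert_check() {
    case "$(cert_san "$1")" in *"DNS:$2"*) ;; *) return 1 ;; esac
    cert_outlasts "$1" 0
}

# Typical use on the BIG-IP, after backing up the existing pair:
#   make_device_cert bigip2.f5trn.com 825 /var/tmp/newcert
#   cert_check /var/tmp/newcert/server.crt bigip2.f5trn.com && \
#       cp /var/tmp/newcert/server.key /config/httpd/conf/ssl.key/server.key && \
#       cp /var/tmp/newcert/server.crt /config/httpd/conf/ssl.crt/server.crt && \
#       bigstart restart httpd
```

The 825-day lifetime is deliberately shorter than the page's 3650 days: Apple's trust policy (iOS 13 / macOS 10.15 and later) rejects TLS server certificates valid for longer than 825 days, so a ten-year certificate cannot be trusted by those clients even after it is imported into their trust store.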


Confirm Platform and User Properties


Part of managing a BIG-IP system involves configuring and maintaining a set of platform and user properties. In this
deployment, you will assign an FQDN host name to the BIG-IP, select a time zone, update the passwords for its
default system administration accounts, and restrict administrative access to the BIG-IP system to a trusted IP
address range.

Update Administrative Credentials and Security Settings

The general command format for updating the default password for the admin administrative account is:

(tmos)# modify /auth password admin

The general command format for updating the default password for the root administrative account is:

(tmos)# modify /auth password root

The general command format for restricting SSH access to the BIG-IP system is:

(tmos)# modify /sys sshd allow replace-all-with { <IP address or IP address range> }

Use replace-all-with rather than add here: the default allow list is { ALL }, and adding an entry to it leaves SSH reachable from every address.

1. Update the default passwords for the default command line (root) and Configuration utility (admin) administrative users. Choose long, unique passwords; both accounts have full control of the device.

(tmos)# modify /auth password admin
changing password for admin
new password:
confirm password:

(tmos)# modify /auth password root
changing password for root
new password:
confirm password:

2. For security reasons, configure the BIG-IP system to restrict SSH administrative access to systems on the 192.168/16 network only, then list the setting to confirm it. Note: Before applying this from an SSH session, make sure the address you are connecting from falls inside the new list. If it does not, new SSH connections from your address are refused as soon as the change takes effect, and you will need the console or the Configuration utility to recover; performing this step from the console or the Configuration utility avoids that risk altogether.

(tmos)# modify /sys sshd allow replace-all-with { 192.168.*.* }

(tmos)# list /sys sshd allow
sys sshd {
    allow { 192.168.*.* }
}


Configure Time Zone Settings

The general command format for setting the BIG-IP time zone is:

(tmos)# modify /sys ntp timezone "<region>/<time_zone>"

1. From the BIG-IP bash prompt, list the contents of the /usr/share/zoneinfo directory. The output is a list of directories matching geographical regions. Identify the region for the time zone you want to configure on the BIG-IP system; in this deployment, we use America.

# ls /usr/share/zoneinfo
Africa
America
Antarctica
Arctic
...

2. List the contents of the directory you chose in the previous step (in this case, America). The output is a list of time zone files. In this example, the closest match to the time zone we want for the BIG-IP system is Los_Angeles.

# ls /usr/share/zoneinfo/America
Adak
Anchorage
...
Los_Angeles
...

3. Use the information identified in the previous steps to set the appropriate time zone on the BIG-IP system.

(tmos)# modify /sys ntp timezone "America/Los_Angeles"


(tmos)# list /sys ntp timezone
sys ntp {
timezone America/Los_Angeles
}


Set the BIG-IP System Host Name

The general command format for assigning a host name to the BIG-IP system is:

(tmos)# modify /sys global-settings hostname <newhostname>

1. Assign an appropriate FQDN host name to the BIG-IP system.

(tmos)# modify /sys global-settings hostname bigip2.f5trn.com


(tmos)# list /sys global-settings hostname
sys global-settings {
hostname bigip2.f5trn.com
}

2. Save the running configuration to the stored configuration.

(tmos)# save /sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done


Configure the BIG-IP Network


After configuring your BIG-IP’s general and user administration properties, you will want to define the configuration
objects that allow the BIG-IP system to integrate into your application delivery network. This example uses TMSH to
create a basic two-armed deployment. Two application delivery VLANs (and their associated interfaces and self IPs)
will be created – one designed for client-facing (external) traffic and the other designed for server-facing traffic
(internal).
Even though you are currently setting up this BIG-IP system as a standalone device, you will also configure settings
that will permit future inclusion in a high availability environment, including a separate VLAN for device service
clustering (DSC) communication, and ConfigSync, failover, and mirroring settings.

The VLAN names used in these examples are identical to the VLAN names that
are created when using the Setup utility to do the same thing. With the Setup
utility, you have no control over VLAN names. With TMSH, you may name your
VLANs as desired.

The general command format for creating a VLAN and associating it with a BIG-IP interface is:

(tmos)# create /net vlan <vlan_name> interfaces add { <interface_number> { tagged | untagged } }

The general command format for creating a self IP and associating it with an existing VLAN is:

(tmos)# create /net self <self_IP_name> address <self_IP_address/netmask> vlan <vlan_name> description "<self_IP_description>" allow-service <add { ... } | all | default | none>

The general command format for creating a floating self IP and associating it with an existing VLAN is the same, with the self IP placed in a floating traffic group:

(tmos)# create /net self <floating_self_IP_name> address <floating_self_IP_address/netmask> vlan <vlan_name> description "<floating_self_IP_description>" allow-service <add { ... } | all | default | none> traffic-group <traffic-group-name>


Configure the Internal (Server-Facing) Network

1. Configure a VLAN named internal to process untagged traffic received on interface 1.2.

(tmos)# create /net vlan internal interfaces add {1.2 {untagged} }

2. Create a static (non-floating) self IP on the VLAN named internal. (You must do this before you can create a floating self IP on the same VLAN.) In this example, the self IP's port lockdown setting, allow-service default, accepts connections to the system default services. That list includes management services such as SSH, HTTPS and SNMP as well as the ports device service clustering uses, so on any VLAN where those services are not needed, prefer allow-service none or an explicit add { ... } list. By default, the self IP is associated with traffic-group-local-only, which is what makes it non-floating.

(tmos)# create /net self internal_static address 172.16.2.31/16 vlan internal description "Static self IP on VLAN internal" allow-service default

3. Create a floating self IP on the VLAN named internal. To make a self IP floating, assign it to any traffic group other than traffic-group-local-only. This example creates a floating self IP in traffic-group-1 and allows connections to it on the system default services.

(tmos)# create /net self internal_floating address 172.16.2.33/16 vlan internal description "Floating self IP on VLAN internal" allow-service default traffic-group traffic-group-1

Configure the External (Client-Facing) Network

4. Configure a VLAN named external to process untagged traffic received on interface 1.1.

(tmos)# create /net vlan external interfaces add {1.1 {untagged} }

5. Create a static (non-floating) self IP on the VLAN named external. In this example, the port lockdown setting on the self IP allows no services, which is the right choice on a client-facing VLAN.

(tmos)# create /net self external_static address 10.10.2.31/16 vlan external description "Static self IP on VLAN external" allow-service none

6. Create a floating self IP on the VLAN named external and assign it to traffic-group-1. Once again, no services are allowed on this self IP.

(tmos)# create /net self external_float address 10.10.2.33/16 vlan external description "Floating self IP on VLAN external" allow-service none traffic-group traffic-group-1


Configure the High Availability Network

7. Configure a VLAN named HA for high availability (device service clustering, DSC) communication, which will occur over the untagged 1.3 interface on this system. F5 recommends a dedicated VLAN for high availability, as in this deployment. If a dedicated VLAN is not possible, use a non-floating self IP on a VLAN that is not client-facing.

(tmos)# create /net vlan HA interfaces add { 1.3 { untagged } }

8. Create a static (non-floating) self IP on the VLAN named HA and allow the default services, which include the ports that ConfigSync, failover and mirroring use.

(tmos)# create /net self HA_static address 172.30.2.71/16 vlan HA description "Static self IP on VLAN HA" allow-service default
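Steps 1 through 8 above are one procedure, and the mistakes it invites (a "floating" self IP left in traffic-group-local-only, a floating self IP created before a static one exists on the VLAN, management services exposed through port lockdown on the client-facing VLAN, an address reused on two self IPs) only show up after the commands have been typed. The script below is an added example, not part of the F5 job aid: it takes a small plan of the network, checks it for those mistakes, and only then renders the same tmsh commands the steps above show. The plan format (one self IP per line, fields separated by "|") is this example's own convention, not an F5 format, and the plan shown is constructed from the page's addresses.

```shell
#!/usr/bin/env bash
# Added example, not part of the F5 job aid. Plan format (this example's own):
#   self IP name | VLAN | interface | address/prefix | allow-service | traffic-group

# Constructed plan reproducing the page's deployment.
NET_PLAN='internal_static|internal|1.2|172.16.2.31/16|default|traffic-group-local-only
internal_floating|internal|1.2|172.16.2.33/16|default|traffic-group-1
external_static|external|1.1|10.10.2.31/16|none|traffic-group-local-only
external_float|external|1.1|10.10.2.33/16|none|traffic-group-1
HA_static|HA|1.3|172.30.2.71/16|default|traffic-group-local-only'

# check_plan <plan>: print one line per problem; return 1 if there were any.
check_plan() {
    problems="$(printf '%s\n' "$1" | awk -F'|' '
        { name=$1; vlan=$2; addr=$4; svc=$5; tg=$6
          if (tg == "traffic-group-local-only") static[vlan]++; else floating[vlan]++
          # a self IP only floats when it is NOT in traffic-group-local-only
          if (name ~ /float/ && tg == "traffic-group-local-only")
              print name ": named as floating, but traffic-group-local-only makes it non-floating"
          # allow-service default/all opens SSH, HTTPS, SNMP and more on the client side
          if (vlan == "external" && svc != "none")
              print name ": client-facing self IP exposes services (" svc "); use allow-service none"
          if (seen[addr]++)
              print name ": address " addr " is already used by another self IP"
        }
        END { for (v in floating) if (!(v in static))
                  print v ": floating self IP without a static self IP on the same VLAN" }')"
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# render_tmsh <plan>: print the tmsh commands, each VLAN once and before its self IPs.
render_tmsh() {
    printf '%s\n' "$1" | awk -F'|' '!done[$2]++ {
        printf "create /net vlan %s interfaces add { %s { untagged } }\n", $2, $3 }'
    printf '%s\n' "$1" | awk -F'|' '{
        printf "create /net self %s address %s vlan %s allow-service %s traffic-group %s\n",
               $1, $4, $2, $5, $6 }'
}

# apply_plan <plan>: render only a plan that passes the checks. On a BIG-IP the
# output can be handed to tmsh in one go, for example:
#   tmsh -c "$(apply_plan "$NET_PLAN" | paste -sd ';' -)"
apply_plan() {
    check_plan "$1" >&2 || return 1
    render_tmsh "$1"
}
```

The checks are deliberately conservative: any self IP on the VLAN named external with a port lockdown other than none is reported, because nothing on the client side should be able to reach SSH, HTTPS or SNMP on the BIG-IP.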

Confirm Network Configurations

9. Confirm the successful creation of the VLANs and self IP addresses. (Some output has been truncated to save space.)

(tmos)# list /net self
net self external_float {
    address 10.10.2.33/16
    allow-service none
    description "Floating self IP on VLAN external"
    traffic-group traffic-group-1
    vlan external
}
net self external_static {
    address 10.10.2.31/16
    allow-service none
    description "Static self IP on VLAN external"
    traffic-group traffic-group-local-only
    vlan external
}
...

(tmos)# show /net vlan
-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name        external
Mac Address (True)    00:50:56:9f:93:f1
MTU                   1500
Tag                   4093
Customer-Tag
...


10. Save the changes to the BIG-IP stored configuration.

(tmos)# save /sys config


Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done

Configure Device DNS Settings


In this deployment, you will add a DNS lookup server to your BIG-IP configuration. This enables the BIG-IP system to use fully qualified domain names (FQDNs) to identify network objects such as nodes. As a requirement for DNS configuration, your BIG-IP system needs network access to DNS infrastructure that can resolve the hosts specified on the BIG-IP system.

Define a DNS Lookup Server on the BIG-IP System

The general command format to add DNS lookup servers to the BIG-IP system is shown below:

(tmos)# modify /sys dns name-servers add { <dns-server-ip1> [<dns-server-ip2>] }

1. Specify the IP address of the DNS lookup server that the BIG-IP system will use to resolve host names, then list the setting to confirm it was set correctly:

(tmos)# modify /sys dns name-servers add { 10.10.17.53 }


(tmos)# list /sys dns name-servers
sys dns {
name-servers { 10.10.17.53 }
}

2. Save the running configuration to the stored configuration.

(tmos)# save /sys config


Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done


Configure NTP Servers


In this section, you will set up the BIG-IP system to synchronize its clock with a Network Time Protocol (NTP) server. This is a crucial configuration for time-dependent functions such as high availability and BIG-IP DNS sync group communication, and accurate timestamps are what make the system's logs usable during an investigation. If you want to use a public NTP service, your BIG-IP system must be able to reach the Internet. Plain NTP is unauthenticated, so prefer time servers on a network you control where you can. Note that if you want to specify an NTP server by its host name, you need to configure the BIG-IP system's DNS settings first.

Configure the BIG-IP to Synchronize Its Clock with an NTP Service

The general command format for adding an NTP server to a BIG-IP system's configuration is shown below:

(tmos)# modify /sys ntp servers add { <ntp_server_hostname> }
(tmos)# modify /sys ntp servers add { <ntp_server_ip_address> }

1. Configure the BIG-IP system to synchronize its clock with an NTP server with a hostname of time.google.com.
List the setting afterward to confirm it was set correctly:

(tmos)# modify /sys ntp servers add { time.google.com }


(tmos)# list /sys ntp
sys ntp {
servers {time.google.com}
}

2. From the bash prompt, run ntpstat to verify that the system has synchronized with the NTP server. Synchronization can take a few minutes after the change; ntpstat exits 0 when synchronized, 1 when not yet synchronized and 2 when it cannot determine the state, which makes it usable from scripts as well.

# ntpstat
synchronized to NTP server (216.239.35.4) at stratum 3
time correct to within 7975 ms
polling server every 64 s

3. From TMSH, save the changes to the BIG-IP stored configuration.

(tmos)# save /sys config


Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done


Configure High Availability Communication Settings


You can optionally set up the BIG-IP system’s HA communication settings for future participation in a high availability
configuration, which include:
• Defining the IP address that will be used for synchronizing configuration data (ConfigSync)
• Specifying mirroring IP addresses to use for connection and persistence mirroring. In addition to the primary
mirroring IP address, you can optionally specify a secondary mirroring address to be used as a backup for
the primary.
• Selecting IP addresses to use for failover communication

Define the Self IP for ConfigSync Operations

The general TMSH command format for defining the local ConfigSync IP address is shown below:

(tmos)# modify /cm device <device-name> configsync-ip <ip-address>

The general TMSH command format for changing the BIG-IP system device name is shown below:

(tmos)# mv /cm device <current-device-name> <new-device-name>

The device name uniquely identifies a BIG-IP system in a high availability
configuration. When initially setting up a BIG-IP using TMSH, the default device
name for the BIG-IP system is bigip1.

1. Update the BIG-IP system’s device name to bigip2-SEA, to comply with your company’s BIG-IP naming policy:

(tmos)# mv /cm device bigip1 bigip2-SEA

2. Set the IP address the system will use for ConfigSync operations to the non-floating self IP on the VLAN named
HA. List the setting afterward to confirm it was set correctly:

(tmos)# modify /cm device bigip2-SEA configsync-ip 172.30.2.71


(tmos)# list /cm device bigip2-SEA configsync-ip
cm device bigip2-SEA {
configsync-ip 172.30.2.71
}


Define the Self IPs for Mirroring

The general command format to define primary and secondary mirror IP addresses are shown below:

(tmos)# modify /cm device <device-name> mirror-ip <ip-address>


(tmos)# modify /cm device <device-name> mirror-secondary-ip <ip-address>

3. Set the primary mirroring IP address to the IP address of the non-floating self IP on the VLAN named HA, and
list it to confirm it was set properly:

(tmos)# modify /cm device bigip2-SEA mirror-ip 172.30.2.71


(tmos)# list /cm device bigip2-SEA mirror-ip
cm device bigip2-SEA {
mirror-ip 172.30.2.71
}


Define the Self IPs for Failover

General command format to define primary and secondary unicast failover IP addresses, and a multicast failover address:

(tmos)# modify /cm device <device-name> unicast-address { { ip <primary-ip-address> } { ip <secondary-ip-address> } }
(tmos)# modify /cm device <device-name> multicast-ip <ip-address>

4. Set primary and secondary unicast IP addresses for failover and list them to confirm they were set properly. For
primary, we are using the non-floating self IP on the VLAN named HA. For secondary, we are using the
management IP address:

(tmos)# modify /cm device bigip2-SEA unicast-address { { ip 172.30.2.71 } { ip 192.168.2.31 } }
(tmos)# list /cm device bigip2-SEA unicast-address
cm device bigip2-SEA {
unicast-address {
{
effective-ip 172.30.2.71
effective-port cap
ip 172.30.2.71
port cap
}
{
effective-ip management-ip
effective-port cap
ip management-ip
port cap
}
}
}

5. Save the changes to the BIG-IP stored configuration.

(tmos)# save /sys config


Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
/config/bigip_user.conf
Saving Ethernet mapping...done


Configure Basic Administrative Security Settings


There are several tasks that you can perform to secure administrative access to the BIG-IP system. In this
deployment, you will harden your BIG-IP by configuring some basic security settings, such as specifying idle
administrative session timeout settings, disabling and replacing the default administrative accounts, and configuring
security banners to be displayed before user authentication.

Update Idle Administrative Session Timeout Settings

General TMSH command format for setting the idle timeout for administrative SSH connections to the BIG-IP system (a value of 0 disables the timeout):

(tmos)# modify /sys sshd inactivity-timeout <number of seconds>

General TMSH command format for setting the idle timeout for Configuration utility sessions:

(tmos)# modify /sys httpd auth-pam-idle-timeout <number of seconds>

General TMSH command format for setting the idle timeout for console sessions to the BIG-IP system:

(tmos)# modify /sys global-settings console-inactivity-timeout <number of seconds>

1. As a security measure, set the time that Configuration utility, SSH and console sessions to the BIG-IP system can remain idle before automatic logout to 300 seconds.

(tmos)# modify /sys sshd inactivity-timeout 300
(tmos)# modify /sys httpd auth-pam-idle-timeout 300
(tmos)# modify /sys global-settings console-inactivity-timeout 300

Disable Default Administrative User Accounts

The general TMSH command format for creating a new user account with bash shell privileges and access to all system partitions in an administrator role is shown below:

(tmos)# create /auth user <username> shell bash partition-access add { all-partitions { role admin } } prompt-for-password

The general TMSH command format for disabling the default admin user and assigning primary administrator rights to a new administrative user account is shown below:

(tmos)# modify /sys db systemauth.primaryadminuser value <new admin user username>

The general TMSH command format for disabling access for the default root account is shown below:

(tmos)# modify /sys db systemauth.disablerootlogin value true


2. Create a new BIG-IP administrative user account with bash shell privileges and full partition access. When
prompted, type and confirm the password for the new user account.

(tmos)# create /auth user jdoe shell bash partition-access add { all-partitions { role admin } } prompt-for-password
changing password for jdoe
new password:
confirm password:

Skip the next step to preserve the default admin user account.

3. Disable the default admin user by assigning primary administrator privileges to the new user account you’ve
created in the previous step. Note that executing this command will immediately disconnect any administrative
users currently connected to the BIG-IP Configuration utility.

(tmos)# modify /sys db systemauth.primaryadminuser value jdoe

4. Disable access for the default root account. This setting should not be changed until you have created at least
one administrative user with advanced shell access on the device.

(tmos)# modify /sys db systemauth.disablerootlogin value true

Configure Security Banners

The general TMSH command format for enabling and configuring a security banner to be displayed when opening an
SSH connection to the BIG-IP system is shown below:

(tmos)# modify /sys sshd banner enabled
(tmos)# modify /sys sshd banner-text "<banner message>"

The general TMSH command format for setting up a security banner to be displayed on the login screen of the
Configuration utility is shown below:

(tmos)# modify /sys global-settings gui-security-banner-text "<banner message>"


5. As a security measure, configure a custom legal warning banner to be displayed before users initiate an SSH
session to the BIG-IP system.

(tmos)# modify /sys sshd banner enabled
(tmos)# modify /sys sshd banner-text "This system is for authorized use only. The owner reserves the right to monitor use of this system at any time."

6. Configure a legal warning to be displayed on the login screen of the Configuration utility.

(tmos)# modify /sys global-settings gui-security-banner-text "This system is for authorized use only. The owner reserves the right to monitor use of this system at any time."

Restrict Administrative Access to the BIG-IP System

The general TMSH command format for restricting administrative SSH access to the BIG-IP system is shown below:

(tmos)# modify /sys sshd allow <replace-all-with|add> { <IP address or IP address range> }

The general TMSH command format for restricting administrative Configuration utility access to the BIG-IP system is
shown below:

(tmos)# modify /sys httpd allow <replace-all-with|add> { <IP address or IP address range> }

7. Configure the BIG-IP system to allow SSH administrative access from clients in the 192.168/16 network.

(tmos)# modify /sys sshd allow replace-all-with { 192.168.*.* }
(tmos)# list /sys sshd allow
sys sshd {
    allow { 192.168.*.* }
}

8. Limit Configuration utility administrative access to clients on the 192.168/16 network.

(tmos)# modify /sys httpd allow replace-all-with { 192.168.*.* }
(tmos)# list /sys httpd allow
sys httpd {
    allow { 192.168.*.* }
}


9. Save the changes to the BIG-IP stored configuration.

(tmos)# save /sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done
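
The following POSIX shell script is an added example and is not part of this job aid or of F5's own tooling. It collects the non-interactive hardening commands from steps 1 and 5 to 9 into one function that runs them through the `tmsh` command-line wrapper, and adds an audit that reads `tmsh list /sys sshd` output and reports each setting that still matches the factory default. Assumptions: `tmsh` is on PATH when the script runs on the device, and when it is absent the commands are printed as a dry run; the `"\"$BANNER\""` quoting is the assumed way to pass a multi-word string through the bash-to-tmsh boundary; the function names (`run_tmsh`, `harden_admin_access`, `check_allow`, `audit_sshd`) are the example's own; and the two `sys sshd { ... }` samples are constructed to look like `tmsh list` output, not captured from a real system.

```shell
#!/bin/sh
# Added example, not F5's own code: apply the administrative-security
# settings from this section through tmsh, and audit "tmsh list" output
# for them afterwards. Assumption: tmsh (the BIG-IP shell wrapper) is on
# PATH when run on the device; anywhere else the commands are printed
# instead of executed, so the script can be reviewed as a dry run first.

IDLE_TIMEOUT=300            # seconds, as in step 1 (0 means "never time out")
ALLOWED_NET='192.168.*.*'   # management clients, as in steps 7 and 8
BANNER='This system is for authorized use only. The owner reserves the right to monitor use of this system at any time.'

# run_tmsh: execute a tmsh command, or print it when tmsh is unavailable.
run_tmsh() {
    if command -v tmsh >/dev/null 2>&1; then
        tmsh "$@"
    else
        printf 'tmsh %s\n' "$*"
    fi
}

# harden_admin_access: the timeout, banner and access-list changes of
# steps 1 and 5 to 9. Creating the replacement admin user (step 2) is left
# interactive because tmsh prompts for its password.
harden_admin_access() {
    run_tmsh modify /sys sshd inactivity-timeout "$IDLE_TIMEOUT"
    run_tmsh modify /sys httpd auth-pam-idle-timeout "$IDLE_TIMEOUT"
    run_tmsh modify /sys global-settings console-inactivity-timeout "$IDLE_TIMEOUT"
    run_tmsh modify /sys sshd banner enabled
    run_tmsh modify /sys sshd banner-text "\"$BANNER\""   # quoting is an assumption
    run_tmsh modify /sys global-settings gui-security-banner-text "\"$BANNER\""
    run_tmsh modify /sys sshd allow replace-all-with "{ $ALLOWED_NET }"
    run_tmsh modify /sys httpd allow replace-all-with "{ $ALLOWED_NET }"
    run_tmsh save /sys config
}

# check_allow: fail if an "allow { ... }" list is missing or still contains
# ALL (the factory default). $1 = service name, $2 = captured list output.
check_allow() {
    allowed=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*allow { \(.*\) }.*/\1/p')
    case " $allowed " in
        "  "|*" ALL "*|*" all "*)
            echo "FAIL $1 allow list is '${allowed:-empty}'"; return 1 ;;
    esac
}

# audit_sshd: read "tmsh list /sys sshd" output from stdin, print one FAIL
# line per setting that differs from the hardening above, return 1 if any.
audit_sshd() {
    cfg=$(cat)
    rc=0
    check_allow sshd "$cfg" || rc=1
    timeout=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*inactivity-timeout \([0-9]*\).*/\1/p')
    if [ -z "$timeout" ] || [ "$timeout" -eq 0 ] || [ "$timeout" -gt "$IDLE_TIMEOUT" ]; then
        echo "FAIL sshd inactivity-timeout is '${timeout:-unset}', want 1-$IDLE_TIMEOUT"; rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -q '^[[:space:]]*banner enabled'; then
        echo "FAIL sshd banner is not enabled"; rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -q '^[[:space:]]*banner-text "..*"'; then
        echo "FAIL sshd banner-text is not set"; rc=1
    fi
    return $rc
}

# Constructed samples shaped like "tmsh list /sys sshd" output (not captured
# from a device): one after step 9, one with factory defaults.
HARDENED_SSHD='sys sshd {
    allow { 192.168.*.* }
    banner enabled
    banner-text "This system is for authorized use only. The owner reserves the right to monitor use of this system at any time."
    inactivity-timeout 300
}'
DEFAULT_SSHD='sys sshd {
    allow { ALL }
    banner disabled
    banner-text none
    inactivity-timeout 0
}'

harden_admin_access
printf '%s\n' "$HARDENED_SSHD" | audit_sshd && echo "sshd: compliant"
printf '%s\n' "$DEFAULT_SSHD" | audit_sshd || echo "sshd: factory defaults still in place"
```

On a device, pipe the real output into the audit (`tmsh list /sys sshd | audit_sshd`) after step 9 to confirm the saved configuration matches what was typed; the `inactivity-timeout` check treats 0 as a failure because that value disables the idle timeout entirely, which is the state the hardening is meant to leave behind.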

Wrap-Up
This completes the final step in setting up a standalone BIG-IP system. You can now move on to other follow-up
activities that may be of interest after initial setup, such as adding routes, creating a backup of your system, installing
hotfixes, or pairing this BIG-IP system with another BIG-IP system for redundancy. Or, you may just move into
configuring the system for application delivery, adding virtual servers, pools, profiles, and more.
