System settings overview¶
You can access system settings in the webUI.
System alarms and events overview¶
You can view active system alarms and events in the webUI.
Display system alarms and events from the webUI¶
The Alarms & Events screen lists alert information for system components (such as PSU, firmware, and LCD) that have currently crossed a performance or health threshold. Use this screen to identify the specific component that is affected.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > Alarm & Events.
Choose from one of these actions:
To refresh the alarms or events list, select a value from the Time filter dropdown.
To display events result by time preference, click the down arrow next to the Refresh icon and select a value from the list. The default value is one hour. For example, select five minutes to display any event that occurred in the last five minutes.
To display events by severity, select a value from the Severity list. The default value is Informational.
Here’s the text converted into a Markdown table format:
| Option | Description |
|---|---|
| Emergency | Emergency system panic messages |
| Alert | Serious errors that require administrator intervention |
| Critical | Critical errors, including hardware and file system failures |
| Error | Non-critical, but possibly important, error messages |
| Warning | Warning messages that should be logged and reviewed |
| Notice | Messages that contain useful information but might be ignored |
| Informational | Messages that contain useful information but might be ignored |
| Debug | Detailed messages used for troubleshooting |
Management Interface Overview¶
You can access management interface settings in the webUI.
Configure the management interface from the webUI.
You can view or change settings for the management interface from the webUI.
Steps to Configure Management Interface¶
Log in to the webUI using an account with admin access.
On the left, click System Settings > Management Interface.
Click edit icon on the Management IP Address card. The drawer form opens.
For DHCP, select either Enabled or Disabled.
Under IPv4 and IPv6, you can configure either one management IP address type or both types for the system:
a) For IP Address, enter IP addresses in the appropriate sections for IPv4 or IPv6, or in both sections if using both.
The supported IPv4 format is, for example,192.0.2.101. The supported IPv6 format is, for example,2001:DB80:3238:DFE1:63::FEFB.b) For Prefix Length, enter or select the prefix length.
The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.c) For Gateway, enter the gateway IP address.
d) Click Save.
Under Interface Settings, you can configure the management port:
a) Click edit icon on the Interface Settings card. The drawer form opens.
b) For State, select either Enabled or Disabled.
c) For Auto-negotiation, select either Enabled or Disabled.
If you enable auto-negotiation, port speed and duplex mode are set automatically.
d) For Port Speed, select one of these options:
SPEED_1GB,SPEED_10MB, orSPEED_100MB.e) For Duplex Mode, select FULL or HALF.
f) Click Save.
System security overview¶
You can access settings for hardening the security of your system in the webUI.
Allow list overview¶
An allow list enables you to specify either specific IPv4 or IPv6 addresses, ports, or a netmask as an accepted source that can access the system.
When the IP address is configured and saved to the system allow list, only traffic coming from that IP address and port is accepted by the system’s management interface. You can also edit or delete entries in the allow list after you have configured them.
Configure the system allow list from the webUI¶
You can configure the system allow list from the webUI. To edit an existing allow list entry, select the IP address that you want to edit. You cannot change the designated name, but you can change all other fields.
Log in to the webUI using an account with admin access.
Steps to Add an IP Address to the Allow List¶
On the left, click System Settings > System Security.
In the Allowed IP Addresses area, click Add to add an IP address to the allow list.
For Name, enter a descriptive name for the IP address.
For IPv4/IPv6, select IPv4 or IPv6.
For Address, enter the IP address to be added to the allow list.
For Prefix Length, enter or select the prefix length.
The prefix length values must be between 1 and 32 for IPv4 and between 1 and 128 for IPv6.
For Port, select a port number for the IP address. Available options are:
443 (HTTPS): Allow only HTTP with SSL traffic on this IP address.
80 (HTTP): Allow only HTTP traffic on this IP address.
8888 (RESTCONF): Allow only RESTCONF traffic on this IP address.
161 (SNMP): Allow only SNMP traffic on this IP address.
7001 (VCONSOLE): Allow only VCONSOLE traffic on this IP address.
22 (SSH): Allow only SSH traffic on this IP address.
Click Save.
Appliance Mode Overview¶
You can run the system in appliance mode. Appliance mode adds a layer of security by removing user access to Root and Bash. Enabling appliance mode disables all Root and Bash shell access for the system.
You can enable appliance mode at each of these levels:
System
Tenant
Appliance mode is disabled at all levels by default. You can enable it from the webUI or the CLI. The appliance mode option for the system is available to users with admin access under System Settings > General in the webUI. For tenants, it is available in the webUI under Tenant Management > Tenant Deployments.
These are the effects of enabling appliance mode at each of the different levels.
System-Level Appliance Mode¶
Root or Bash access is disabled on the system.
Console access: Root or Bash access is disabled on the system. Users can log in to the system CLI from the console using an admin account.
Tenant Appliance Mode¶
Root access to the tenant is disabled by all means. Bash access is disabled for users (with a terminal shell flag enabled) inside the tenant.
Users can access the tenant only through the webUI.
Configure Appliance Mode from the WebUI¶
You can enable or disable appliance mode from the webUI. Enable appliance mode to disable all root and Bash shell access.
Note: The appliance mode option for tenants is available in the webUI under Tenant Management > Tenant Deployments.
Log in to the webUI using an account with admin access.
On the left, click System Settings > System Security.
In the Shell & LCD Access card, click on the update button. The drawer form opens.
For Appliance Mode, select either Enabled or Disabled. The default value is Disabled.
Click Save.
Deny root SSH mode overview¶
With appliance mode disabled, enabling the deny root SSH option will restrict the root user from accessing the appliance through SSH. However, root users can still be able to access the appliance system using the console. This provides a maintenance window for system administrators without compromising on system security through SSH.
Note: All users excluding root users can access the appliance through SSH. If appliance mode is enabled, it overrides the deny root SSH option.
Configure deny root SSH mode from the webUI¶
You can enable or disable root SSH from the webUI. Configuring deny root SSH to enable, disables the root SSH access but allows console root access.
Log in to the webUI using an account with admin access.
On the left navigation pane, click System Setting > System Security.
In the Shell & LCD Access card, click on the update button. The drawer form opens.
For the Deny Root SSH, select either Enabled or Disabled. The default value is Disabled.
Click Save.
LCD mode overview¶
The LCD touchscreen enables you to view system status and manage the system without attaching a console or network cable. You can configure the LCD to meet security requirements by changing to a more restrictive operational mode.
The LCD touchscreen supports these modes:
| Standard | Allows access to all options. |
|---|---|
| Secure | Allows access only to management and setup options. A padlock icon displays next to limited options. |
| Disabled | Does not allow access to any options and displays only an image to indicate that the LCD touchscreen is disabled. |
Configure the LCD mode from the webUI¶
You can configure the operational mode of the touchscreen LCD from the webUI.
Log in to the webUI using an account with admin access.
On the left navigation pane, click System Setting > System Security.
In the Shell & LCD Access card, click on the update button. The drawer form opens.
For the LCD, select one of these options:
Select Disabled to not allow access to any options; displays only an image to indicate that the LCD touchscreen is disabled.
Select Secure to allow access only to management and setup options; displays a padlock icon next to limited options.
Select Standard to allow access to all options.
Click Save.
Cryptographic agility overview¶
Cryptographic agility on F5 rSeries systems enables you to replace cryptographic implementations for the httpd and sshd services. This applies to the F5OS management interface.
Configure cryptographic implementations from the webUI¶
You can configure the cryptographic implementations on the system for the httpd and sshd services from the webUI.
Log in to the webUI using an account with admin access.
On the left navigation pane, click System Setting > System Security.
Expand the Services card to view the configued values.
Click edit icon on the card. A drawer form opens.
For httpd Cipher Suites, enter the SSL cipher suites used for the httpd service.
You can specify more than one cipher suite by separating the cipher suite names with a colon.
For sshd Ciphers, enter the ciphers to use for the sshd service.
For example, aes128-cbc or aes128-ctr. The cipher string can take several additional forms. It can consist of a single cipher suite or a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. You can combine lists of cipher suites into a single cipher string by enclosing them in square brackets and delimiting them with a space.
For sshd KEX Algorithms, enter the key exchange algorithms used for the sshd service.
For example, diffie-hellman-group14-sha1 or diffie-hellman-group14-sha256. You can combine lists of KEX algorithms into a single string by enclosing them in square brackets and delimiting them with a space.
For sshd MAC Algorithms, enter the MAC algorithms used for the sshd service.
For example, hmac-sha2-512 or AEAD_AES_128_GCM. You can combine lists of MAC algorithms into a single string by enclosing them in square brackets and delimiting them with a space.
For sshd Host Key Algorithms, enter the host key algorithms used for the sshd service.
The following secure host key algorithms are supported when system is in non-FIPS mode and these are non- configurable:
| S.No | Host Key Algorithms |
|---|---|
| 1 | rsa-sha2-512 |
| 2 | rsa-sha2-256 |
| 3 | ecdsa-sha2-nistp256 |
| 4 | ssh-ed25519 |
| 5 | ecdsa-sha2-nistp256-cert-v01@openssh.com |
You can configure the following supported insecure host key algorithms:
Host key algorithms: ssh-rsa
Click Save.
Allowed SSL cipher suites for httpd service¶
When you configure ciphers for httpd, you can use multiple formats. You can specify a single cipher suite, such as RC4-SHA. You can also represent a list of cipher suites containing a certain algorithm or cipher suites of a certain type using a shortened name. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.
These are the allowed SSL cipher suites for general appliances:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA
PSK-AES128-CBC-SHA
These are the allowed SSL cipher suites for systems that have a FIPS software license applied. It does not apply to the F5 r5900-DF or r10900-DF platforms that have an embedded FIPS hardware security module (HSM).
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
Allowed SSL Cipher Suites for SSHD Service¶
When you configure ciphers for sshd, you enclose the cipher string in square brackets and include more than one by separating them with a space. These ciphers are allowed on the system.
Key Algorithms¶
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
Encryption Algorithms¶
aes128-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
aes128-cbc
aes256-cbc
Message Authentication Code (MAC) Algorithms¶
umac-64-etm@openssh.com
umac-128-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-512-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1
CLI idle timeout overview¶
For security purposes, you can configure how long management sessions can remain idle before you are logged out of the system. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.
Configure the CLI timeout from the webUI¶
You can configure how long management sessions can remain idle before you are logged out of the system from the webUI. If you are connected using an SSH connection, the system closes the SSH connection after this time expires.
Log in to the webUI using an account with admin access.
On the left navigation pane, click System Settings > System Security.
Expand the Services card to view the configued values.
Click edit icon on the card. A drawer form opens.
For CLI Idle Timeout, enter a time, in seconds, for how long management sessions can remain idle before they time out. A value of 0 (zero) sets the time to infinity, so the user is never logged out. The timeout can be a value from 0 through 8192 seconds. The default value is 1800 seconds (30 minutes).
Click Save
Software management overview¶
The Software Management screen on the webUI includes options for uploading, importing and updating Base OS software for the system. It also displays information about the images imports, cluster and firmware install status.
Manage Base OS Software Images from the WebUI¶
You can manage software images from the webUI.
Log in to the webUI using an account with admin access.
On the left navigation pane, click System Settings > Software Management.
To import a Base OS image:
a) Click Import. A drawer opens.
b) For URL, enter the URL of the remote image server.
F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate. You can opt to select the Ignore Certificate Warnings checkbox if you want to skip the certificate check.
c) For Username, type the user name for an account on the remote image server, if required.
d) For Password, type the password for the account, if required.
e) Select Ignore Certificate Warnings to skip the certificate check.
f) Click Add Image.
Note: Depending on the image file size and network availability, the import might take a few minutes. When the import is successful, the software image is listed in the webUI.
To upload a Base OS image that you have downloaded to your local workstation:
a) Click Upload.
b) Navigate to the image file and select it.
c) Click Open.To delete a Base OS image, select the image and click Delete.
Software images that are in use cannot be deleted.
You can view the following information:
View the status of image imports under Image Transfer Status, which shows information about Remote Host, File, Status, and Time.
Status of Cluster upgrade under Cluster Install Status, which includes Stage, Status, Timestamp, Version, and Description. Click Show to display the information.
Status of Firmware upgrade under Firmware Install Status, which includes Name, Installed Version, Desired Version, Configurable state, Update Status, and Restart Required. Click Show to display the information.
Update Base OS Software Images from the WebUI¶
Before you begin, you must have added or uploaded an updated software image before you can perform the update. You can update Base OS software while the system is up and running from the webUI.
Important: During a software update, there is an interruption to traffic, so F5 recommends that you perform the update during a maintenance window.
Log in to the webUI using an account with admin access.
On the left, click System Settings > Software Management.
In the Base OS Software card, click upgrade button. A drawer form opens.
To install a full F5OS-A version release, select Bundled. a) For ISO Image, select the full version release ISO image from the drop-down.
To install F5OS-A and service version releases independently, select Unbundled. a) For Base OS Version, select the F5OS version from the drop-down. b) For Service Version, select the service version release from the drop-down.
Click Save
DNS Overview¶
The DNS screen on the webUI includes options for configuring Domain Name System (DNS) lookup servers and search domains for use with the system.
Configure DNS from the WebUI¶
You can configure DNS for the system from the webUI. This is used for name resolution, such as when setting up the system.
Log in to the webUI using an account with admin access.
On the left, click System Settings > DNS.
Under DNS Lookup Servers, specify the name servers that the system uses to validate DNS lookups and resolve host names. For each name server you want to add:
a) Click Add.
b) For Lookup Server, enter the IPv4 or IPv6 IP Address of the name server that you want to add to the list.
c) Click Save.Under DNS Search Domains, specify the domains that the system searches for local domain lookups and to resolve local host names. For each domain you want to add:
a) Click Add.
b) For Search Domain, enter the Domain Name of the name server that you want to add to the list (for example,DNSsearch.com).
c) Click Save.DNS lookup servers and search domains are now specified for the system.
5.Under Host Entries, you can configure hostname for the system.
a) Click Add. b) For Hostname, enter the hostname of the host system. c) For Alias, enter the alias for the hostname. d) For the IPv4 Address or IPv6 Address, enter the adresses of the host system. e) Click Save
Log and report configuration overview¶
The webUI includes options for configuring remote log servers and the log severity level for individual software components and services.
From the webUI you can generate a system report, or QKView file, to collect configuration and diagnostic information from the rSeries system if you have any concerns about your system operation. The QKView file contains machine-readable (JSON) diagnostic data and combines the data into a single compressed tar.gz format file. You can upload the QKView file to F5 iHealth where you can get help to verify proper operation of the system and get help with troubleshooting and understanding any issues you might be having and ensure that the system is operating at its maximum efficiency.
Configure Log Settings from the WebUI¶
You can add and display information about configured remote log servers from the webUI. You can also change the log severity level for individual software components and services.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > Log Settings.
To include the hostname configured for your system in the logs, click edit icon on the Include Hostname card. A drawer form opens. a) Select True from the Include Hostname dropdown.
Note: By default, the Include Hostname dropdown value is set to true.
To add access to a Remote Log Server, click Add.
In the Server field, enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the remote server. After the remote log server is saved, you cannot modify the server address.
In the Port field, enter the port number of the remote server. The default port value is 514.
For Protocol, select UDP or TCP to choose between TCP or UDP input. When the TCP protocol is selected, the Authentication field displays.
From the Facility list, select AUTHPRIV or LOCAL0.
F5OS supports LOCAL0 and AUTHPRIV logging facility. To add more selectors, click the add button. To remove the existing selectors, select it and click the remove button.From the Severity list, select the severity level of the messages to log.
| Option | Description |
|---|---|
| Emergency | Emergency system panic messages |
| Alert | Serious errors that require administrator intervention |
| Critical | Critical errors, including hardware and file system failures |
| Error | Non-critical, but possibly important, error messages |
| Warning | Warning messages that should be logged and reviewed |
| Notice | Messages that contain useful information but might be ignored |
| Informational | Messages that contain useful information but might be ignored |
| Debug | Verbose messages used for troubleshooting |
For Authentication, select the enable or disable option from the list. The default value is Disabled. This option is visible when the TCP protocol is selected while configuring the remote log server. If the UDP protocol is selected, the authentication value is saved as N/A.
Click Save.
To delete a remote log server, select the server and click Delete.
To configure Host Log Settings, click edit icon on the Host Log Settings card. The drawer form opens.
a) For Host Log Forwarding, select the Enabled or Disabled for remote forwarding. The default value is Disabled. b) For Selectors, select the required facility and severity options from the list. To add more selectors, click the +Add. To remove existing selectors, select the selector and click Delete. C) To add the required host log files to the Selected Files panel, click on the directories to view the files and sub-directories in the respective directories and select individual files within the directory. The Selected Files option allows the host log files to be forwarded from the directory and subdirectories.
For Custom Log File, enter the log file in the text box and click Add to manually add host log file names to the Selected Files panel.
Expand the TLS Certificate & Key tile. Click edit icon on the card to open the drawer form. It displays TLS Certificate and TLS Key options. If the authentication value is set as enabled for any of the remote log servers, you cannot clear the TLS configuration fields.
For CA Bundles, click Add to enter the name and TLS CA certificate. When any of the remote server authentications are enabled, you cannot delete the CA bundle.
On the Log Settings screen, review the software component log levels for individual software components and adjust them as needed. Click Update if you made changes.
The log levels determine at what level events (and all higher levels) are logged for each service. Informational is the default, so all except debug-level events are logged.
| Component | Description |
|---|---|
| alert-service | Software component that handles alerts and events at the system level. These components use ConfD to process updates and manage the status of the Alarm LED depending on the severity of the alert. |
| dagd-service | Software component that manages the distribution of Tenant traffic. |
| fips-service | Software component for System FIPS configuration and handles system integrity check requests. |
| kubehelper | Software component triggered during tenant deployment and runs as an assistant task before tenant container is created. |
| For BIG-IP: • Convert qcow2 image to raw format for BIG-IP tenant only. • Reserves huge pages for the tenant • Creates host-net interface for host and tenant communication purposes. • Creates a tenant management interface for BIG-IP NEXT tenants and includes route integration. |
|
| lldpd | Software component for LLDP configuration. |
| rsyslog-configd | Software component for remote syslog configuration handling. |
| orchestration-agent | Software component for Tenant Orchestration which includes tenant configuration and deployments. |
| platform-monitor | The Monitoring Agent is responsible for: • Creating telemetry pipelines that query data periodically. • Applying processors to the data. • Sending the data to various destinations. |
| rsyslog-configd | Software component for remote syslog configuration handling. |
| sys-host-config | Software component responsible for: • Setting up management IP to access the device, collecting management interface stats, and enabling/disabling of management interface. • Setting up DNS configurations. • Updating required files for internal subnet changes. • Exchanging internal subnet changes to LCD server. • Updating Base MAC and MAC pool size in ConfD. • Addition/Deletion of SSH IP table rules. Additionally, it offers backend code support for various ConfD configurations such as: • Hostname • Date • Motd Banner • System Reboot • SSH idle timeout |
| utils-agent | Software component that manages file transfer operations such as import, export, delete, and download/upload. |
| api-svc-gateway | Software component that manages requests and subscriptions for Tenants on the appliance. |
| datapath-cp-proxy | Software component that manages Tenant datapath setup requests and configuration. |
| firewall-manager | Software component that enables the setting up of a whitelist for designated source IP addresses and destination ports such as HTTP, HTTPS, RESTCONF, SNMP, and vConsole. |
| l2-agent | Software component responsible for managing the setup and status of physical connections (such as interfaces and portgroups) and the configuration and status of Layer-2 components (such as VLANs, LAGs, and FDB). |
| lopd | Software component to manage communication with the LOP (AOM). |
| partition-common | The system component incorporates standard ConfD utility functions that enhance the CLI interface. |
| platform-stats | Software component responsible for capturing the various utilization stats of the CPU, drives, and memory and storing the data in TMSTAT stat tables. |
| snmp-service | Software component used to configure system SNMP configuration such as community, target, and user. |
| system-control | System component that implements configuration backup and restore. |
| vconsole | Software component for providing authenticated virtual console access to F5OS tenants. |
| appliance-orchestration-manager | Appliance Onboard Monitoring Daemon (OMD) is a service daemon that oversees the internal coordination of tasks via Kubernetes (K3S). It is responsible for setting up and controlling all required device plugins that enable communication with different hardware components. |
| diag-agent | The Diagnostic Agent is responsible for running various diagnostic profiles, gathering and exporting telemetry data, and providing system health information and producing hardware alerts. |
| http-server | Software component responsible for running the Apache HTTPD server. |
| lacpd | Daemon responsible for negotiation of LACP over system interfaces. |
| network-manager | Software component responsible for managing datapath related resources, such as MAC Addresses. It also manages datapath tables that route traffic between Tenants and Interfaces. |
| platform-diag | Software component for providing statistics reports and measurements on top of the low-level hardware. |
| platform-stats-bridge | Software components responsible for handling the platform statistics to display on user interfaces. |
| snmp-trapd | Software component that processes the system alerts/events as traps and sends it to SNMP manager. |
| tmstat-agent | Software component for providing the framework which can be used to store the statistics data in a centralized location on each host. |
| audit-service | Software component for capturing the system configuration related logs in audit log. |
| diag-data | Software component primarily tasked with collecting important information periodically from an F5OS device and sending that data back to F5 for analysis purposes. |
| ihealth-upload-service | Software component for providing a secure way of transporting support packages to F5 to different target destinations. This service offers historical track records of support package uploads with configurable data retention policy. |
| lacpd-proxy | Daemon responsible for reporting the results of LACP negotiation from lacpd. |
| nic-manager | Software component which manages the datapath network interfaces. |
| platform-fwu | Software component responsible for updating and reporting firmware. |
| qat-confd-service | Service for communicating QAT device tenant assignments to ConfD tables. |
| sshd-crypto | Service that manages all the crypto algorithms configuration for sshd. |
| tmstat-merged | Software component for providing a framework to integrate and divide statistics streams. |
| authd | Software component responsible for managing the configuration settings for various AAA (Authentication, Authorization, Accounting) mechanisms supported by the F5OS system. |
| disk-usage-statd | Software component responsible for disk usage statistics. |
| ihealthd | Software component responsible for handling ihealth configuration parameters and starting a qkview upload by sending a request to ihealth. |
| license-service | Software component responsible for system licensing installation. |
| node-agent | Software component triggered during tenant deployment and node reboots. • Creates a tenant management interface for BIG-IP NEXT tenants and includes route integration. • Adds watermarking rules for BIG-IP NEXT tenants. • In charge of allocating large pages for chassis during tenant deployments. |
| platform-hal | Software component that provides other services with access to platform/hardware data and configuration. |
| qat-plugin | Kubernetes device plugin for reporting and managing QAT device resources and resource activities related to their respective tenant assignments. |
| stpd | Software component for configuring STP L2 protocol in platform. |
| upgrade-service | Software component for processing the system image and package upgrade requests. |
| confd-key-migrationd | Software component for transferring ConfD configuration from one system to another requiring the same encryption key. This is necessary to migrate encrypted element values successfully. |
| dma-agent | Software component for Core Offload feature that functions as a buffer broker, allowing multiple tenants to share access to the FPGA while remaining isolated from one another. |
| image-agent | A software module that manages the validation of imported tenant images and displays the current status of both tenant and platform images on the user interface. |
| line-dma-agent | Software component which is a fundamental layer of tcpdump in the VELOS/rSeries family. |
| optics-mgr | Software component that is responsible for storing the tuning values for supported optics. When provided with an optic, returns the proper tuning. |
| platform-mgr | This software component displays the versions of platform components, CPUs, memory, and firmware. It also automatically initiates firmware upgrades when upgrading or installing a new ISO and rebooting. |
| qkviewd | Software component designed to create diagnostic snapshots in containerized systems, known as QKView. A QKView file is a compressed file with diagnostic info from containers, the host, and other systems. The main qkviewd service operates within a container, while qkviewd-host service collects data on the host. A peer system is another system running the qkviewd daemon. |
| sw-rbcast | Software component that is responsible for forwarding broadcast traffic received on a shared VLAN to the tenants which share that VLAN. A secondary responsibility is to forward DLF (destination look-up failures) requests to the fpgamgr component, so that they can be resolved. |
| user-manager | Software component responsible for the management and configuration of local users on the system such as user accounts, groups/roles, and passwords. |
| fpgamgr | Software component that manages the datapath FPGAs. This includes front panel interfaces, L2 functionality, and other advanced FPGA features. |
| lcd-webserver | Software component providing a webserver to operate the LCD user interface. |
| sshd-crypto | Software component for handling sshd crypto agility configurations. |
File Utilities Overview¶
You can import, export, download, or delete files asynchronously depending on which directory you select to work in. All file transfers are done using the HTTPS protocol.
File Import¶
You can import a file from an external server into the system from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
Note: If you want to import the contents of a tar file, you need to extract the contents first before you can import them onto the F5 system.
You can import files into these directories on the system:
configs/diags/sharedimages/tenantimages/import/iso/images/import/os/images/import/services
File Download¶
You can download files in these directories from the system to your local workstation from the webUI:
configsdiags/corediags/crashdiags/sharedlog/confdlog/systemlog/host
File Upload¶
You can upload files in these directories from your local workstation to the system from the webUI:
configsimages/stagingimages/tenantimages/import/iso/images/import/os/images/import/services/
File Export¶
You can export a file from the system to an external server from either the webUI or the CLI. HTTPS is the supported protocol. The remote host should be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate.
You can export files into these directories from the system:
configslog/log/confdlog/controllerlog/hostlog/systemdiags/diags/corediags/crashdiags/sharedimages/images/importimages/stagingimages/tenantimages/import/iso/images/import/os/images/import/services/
File Deletion¶
You can delete files (to which you have file permissions) on the system only from the diags/shared or configs directories from either the webUI or the CLI.
Manage Files from the webUI¶
File Utilities are available in the webUI. You can use File Utilities to upload, download, import, export, and/or delete files asynchronously depending on which directory you select to work in. All file transfers are done using HTTPS protocol.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > File Utilities.
From the Base Directory list, browse the directories and click subfolders to view their contents and the commands that are available from each one.
From a subfolder, click the left arrow next to the path to navigate back to the main folder.
To Import a File: a) Click Import.
b) In the drawer, enter the URL of the file to import.
c) Provide the Username and Password only if required by the remote host.
d) Select Ignore Certificate Warnings if you want to skip warnings when importing files (such as if the remote host does not have a valid CA-signed certificate).
e) Click Import File to begin the import.To Export a File: a) Select the file and click Export.
b) In the drawer, enter the Server URL for where to export the file.
c) Provide the Username and Password only if required by the remote host.
d) Select Ignore Certificate Warnings if you want to skip warnings when exporting files.
e) Click Export File to begin the export.To Upload or Download a File: a) For Upload, click on Upload button and make a selection from your system. For download, select the file and click Download button..
The selected file will be uploaded or downloaded.
To Delete a File, select the file and click Delete.
You can delete files only from the
diags/shareddirectory.
You can view the status of a file transfer operation to view its progress and see if it was successful. If an operation fails, hover over the warning icon to see the error that occurred.
Note: A runtime error displays in the File Transfer status area if an invalid operation is performed.
Time settings overview¶
You can configure Network Time Protocol (NTP) for the rSeries system. An NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). The system also provides authentication support for NTP, which can enhance security by ensuring that the system sends time-of-day requests only to trusted NTP servers. You can also configure the time zone and set the time and date manually, if NTP is disabled. You can use either the CLI or webUI to configure time settings.
Configure time settings from the webUI¶
After the system license is activated, you can configure Network Time Protocol (NTP) servers, including authentication support for NTP, time zone, and manual configuration of date and time, if NTP is disabled. The NTP server ensures that the system clock is synchronized with Coordinated Universal Time (UTC). You can specify a list of servers that you want the system to use when updating the time on network systems. You can configure time settings for the system from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Settings > Time Settings.
To synchronize the system clock with an NTP server, on the Settings card, click on the Update button. a) To enable the NTP service:
For NTP Service, select Enabled. By default, the NTP Service is set to Disabled.
b) To use authentication support for NTP:
For NTP Authentication, select Enabled.
By default, the NTP Authentication is set to Disabled.
c) To manually set the time and date:
Click NTP Service dropdown, and select Disabled.
Pick a date from Date calendar input, enter a value for Time, and select Time Zone from the list of options in the dropdown.
d) Click Save
For NTP Keys, click Add. The Add NTP Key drawer displays.
a) For Key ID, enter an identifier used by the client and server to designate a secret key. The client and server must use the same key ID.
d) For Key Type, select the encryption type used for the NTP authentication key. The default value is F5_NTP_AUTH_SHA256.
Select from these options:F5_NTP_AUTH_MD5
F5_NTP_AUTH_SHA1
F5_NTP_AUTH_SHA256
F5_NTP_AUTH_SHA384
F5_NTP_AUTH_SHA512
e) For Key Value, paste the text of the NTP authentication key.
f) Click Save.
To specify an NTP server:
a) Click Add. a drawer form opens. b) In the Server field, enter the IPv4 address, IPv6 address, or the Fully Qualified Domain Name (FQDN) of the NTP server.
> **Note:** If specifying an FQDN, you must configure a resolvable DNS server for the system.
c) Set iburst Mode to True if necessary. It is set to False by default. d) Select a Key ID defined on the system from the list of options. e) Click Save.
SNMP configuration overview¶
Simple Network Management Protocol (SNMP) is an industry-standard protocol that enables you to use a standard SNMP management system to remotely manage network devices. F5 rSeries systems support SNMPv1, SNMPv2c, and SNMPv3. You can configure the system from the webUI.
SNMP software support¶
SNMP support is available in different ways, depending on which F5OS software version you are using. On F5 rSeries systems, SNMP is available the webUI.
F5 recommends using the newer system snmp commands, which include support for SNMP versions 1, 2c, and 3. For more information on the older commands, see:
| F5OS-A Software Version | Older CLI (v1/v2c only) | Newer CLI (v1/v2c/v3) |
|---|---|---|
| 1.2.0 | SNMP-COMMUNITY-MIB SNMP-NOTIFICATION-MIB SNMP-TARGET-MIB SNMP-VIEW-BASED-ACM-MIB SNMPv2-MIB |
system snmp communities system snmp engine-id system snmp targets system snmp users |
Prerequisites for SNMP configuration¶
Prerequisites for SNMP Configuration¶
Before you configure SNMP access for F5 rSeries systems:
Add the SNMP manager IP address to the system allow list. For more information, see Configure the system allow list from the webUI.
Download the F5 MIB files from File Utilities in the webUI (on the left, click System Monitoring > File Utilities, and then from Base Directory, select mibs, select a
.tar.gzfile, and click Download).Configure a DNS name server if you would like to use a fully-qualified domain name (FQDN) instead of an IP address for the SNMP trap destination. For more information, see Configure DNS from the webUI.
SNMP log overview¶
You can view SNMP information in the /log/system/snmp.log file. You can download the log file to your local workstation from the File Utilities screen in the webUI (on the left, click System Monitoring > File Utilities, and then from Base Directory, select log/system, select snmp.log, and click Download). For more information about managing files from the webUI or CLI, see File utilities overview.
SNMPWALK Overview¶
SNMPWALK is an application on an SNMP management system that performs SNMP GETNEXT requests to query a network device for information. You can provide an object identifier (OID) to specify which portion of the object identifier space to search using GETNEXT requests. The SNMP management system queries all variables in the subtree below the specified OID, displays these values to the user, and stops when it returns results that are no longer inside the range of the specified OID.
These SNMP system object IDs (OIDs) are defined for each F5 rSeries system type:
1.3.6.1.4.1.12276.1.3.1.1(f5OsAppR5x00)1.3.6.1.4.1.12276.1.3.1.2(f5OsAppR10x00)1.3.6.1.4.1.12276.1.3.1.3(f5OsAppR2x00)1.3.6.1.4.1.12276.1.3.1.4(f5OsAppR4x00)
The IDs display in text format when the corresponding MIB is loaded in your SNMP management system. If the MIB is not loaded, the walk displays in OID format.
To more accurately map these system OIDs, you must download the F5-OS-SYSTEM-MIB.mib file and load it into your SNMP management system. To download the F5 MIB files, use File Utilities in the webUI (on the left, click System Monitoring > File Utilities, and then from Base Directory, select mibs, select a .tar.gz file, and click Download).
SNMP Configuration from the webUI¶
Configure SNMP Port from the webUI¶
You can configure the SNMP port from the rSeries webUI.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > SNMP.
Click edit icon on the Properties card. A drawer form displays.
For Port, enter the required value. The allowed values for the Port are either 161 or in the ranges of
[1024-7000, 7033-8887, 8889-65535]. To check whether a port is valid or not, we have inline validation.
Note: The port configured in the SNMP Configuration area is reflected on the Allow List Entry screen of the Allowed IP Addresses section under System Security in the System Settings chapter. When an allowlist is created with an SNMP port, the user is not allowed to change the SNMP Port on the SNMP Configuration area, which can cause an error. For more information, see Configure the system allow list from the webUI.
Click Save.
Configure SNMP Communities from the webUI¶
You can configure SNMP communities with either version 1, version 2c, or both security models from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > SNMP.
In the Communities area, click Add. The Add Community drawer displays.
For Community, enter a descriptive name.
For Security Model, select from these security models: v1, v2c, and v1 and v2c.
Click Save.
Configure SNMP Users from the webUI¶
You can configure SNMP version 3, which is a user-based security model, from the webUI. This model provides support for additional authentication and privacy protocols.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > SNMP.
In the Users area, click Add. The Add v3 User drawer displays.
For User, enter the user name.
For Authentication Protocol, select from these protocols: MD5, SHA, or None.
For Authentication Password, enter the password for the specified user.
For Privacy Protocol, select from these protocols: AES128, DES, or None.
Click Save.
Configure SNMP Targets from the webUI¶
Before you can add an SNMP target, you must have already configured either the SNMPv1/v2c community or SNMPv3 user.
You can configure SNMP targets from the webUI. These are required to send system-generated traps to a manager. You can choose either community (v1/v2c) or user-based (v3) security.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > SNMP.
In the Targets area, click Add. The Add Target drawer displays.
For Name, enter a descriptive name.
For Security Model, select from these security models: v1, v2c, or v3.
Select one of these options, depending on the selected security model:
If you selected v1 or v2c, for Community, select the community that you created with that security model.
If you selected v3, for User, select the user that you created.
For IPv4/IPv6, select either IPv4 or IPv6.
For Address, enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the target.
For Port, enter the port number for the target. The default value is 162, and the range is from 1024 to 65535.
Click Save.
Configure SNMP Properties from the webUI¶
You can configure the SNMP properties from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > SNMP.
Click edit icon on the Properties card. A drawer form displays.
Enter values in the required fields:
System Contact
System Location
System Name
Note: The maximum number of characters limit is 255.
Click Save.
Back up system configuration from the webUI¶
You can back up the system configuration from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Settings > Configuration Backup.
Click Create.
The Create Configuration Backup drawer opens.In the Name field, enter a name for the backup (for example,
system-12-21-21).Click Create.
The backup is created and added to the list.To delete a backup file, select the file and click Delete.
Note: System configuration backups are stored in
configs/. Backups should be stored off the system.
System licensing overview¶
You can activate a license for the rSeries system from either the CLI or webUI. There is one license per rSeries system, which is also used by any tenants.
There are two ways to license the system:
| Automatically | If your system is connected to the internet, use the Automatic method to prompt the system to contact the F5 license server and activate the license. |
|---|---|
| Manually | If your system is not connected to the internet, use a management workstation that is connected to the internet to retrieve an activation key from F5 and then transfer it to the system. |
Important: Adding or reactivating a license on an active rSeries system might impact traffic on tenants. Traffic processing will stop briefly on the tenants, and then restart automatically. This occurs when the tenant receives a new or reactivated license causing a configuration reload on the tenants. For more information, see these other references:
F5 rSeries Systems: Installation and Upgrade at Documentation - F5OS-A and F5 rSeries
For information about BIG-IP Next licensing, also see the documentation on my.f5.com and clouddocs.f5.com.
System Licensing from the webUI¶
License the system automatically from the webUI¶
You can license a system using the automatic method from the webUI, as long as the system has Internet access.
Log in to the webUI using an account with admin access.
On the left, click System Settings > Licensing.
For the Base Registration Key field, the registration key is auto-populated.
You can choose to overwrite this field with a new registration key by clicking Reactivate and overwriting the field.
For the Add-On Keys field, the associated add-on keys are auto-populated.
You can choose to change these keys by clicking Reactivate and then click + or x to add or remove additional add-on keys.
For the Activation Method, select Automatic.
Click Activate. The End User License Agreement (EULA) displays.
Click Agree to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.
License the system manually from the webUI¶
You can license a system without access to the Internet using the manual activation method from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Settings > Licensing.
For the Base Registration Key field, the registration key is auto-populated.
You can choose to overwrite this field with a new registration key by clicking Reactivate and overwriting the field.
For the Add-On Keys field, the associated add-on keys are auto-populated.
You can choose to change these keys by clicking Reactivate and then click + or x to add or remove additional add-on keys.
For the Activation Method, select Manual.
For the Device Dossier, click Get Dossier.
The system refreshes and displays the dossier.
Copy the dossier text in the Device Dossier field.
Click Click here to access F5 Licensing Server.
The Activate F5 Product page displays.
Paste the dossier in the Enter Your Dossier field.
Click Next. The license key text displays.
Copy the license key text.
Alternatively, you can use the F5 license activation portal at activate.f5.com/license.
In the License Text field, paste the license key text.
Click Activate. The End User License Agreement (EULA) displays.
Click Agree to accept the EULA.
The system is now licensed. If a base registration key or add-on key fails to activate, try re-activating the license or contact F5 Support at support.f5.com.
RAID overview¶
F5 r10000 platforms include two storage drives that support drive mirroring using a redundant array of independent disks (RAID) by default. You can manage the software RAID array from either the CLI or the webUI.
Important: If you need to swap out a faulty drive, you must first remove the drive from the software RAID array before physically removing the drive from the platform.
Configure RAID from the webUI¶
You can configure a software RAID (redundant array of independent disks) for the system from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Settings > RAID.
To remove a drive from the software RAID array:
a) Select the drive to remove.
b) Click Remove.When prompted, click OK to confirm drive removal.
To add a drive to the software RAID array:
a) Select the drive to add.
b) Click Add.When prompted, click OK to confirm drive addition.
General System Configuration Overview¶
You can configure general system settings for the rSeries system, such as system hostname, login banner, and message of the day (MOTD) banner. Depending on which setting you want to configure, you can use either the CLI or the webUI.
Configure Hostname, Login Banner, and MOTD from the webUI¶
You can configure the hostname, login banner, message of the day (MOTD) banner, and an advisory banner for the system from the webUI. When enabled and configured, the advisory banner will display at the top of the webUI after authentication.
Log in to the webUI using an account with admin access.
On the left, click System Settings > General.
Click edit icon on the Properties card. Properties drawer form displays.
For Hostname, enter a custom hostname for the system.
For Login Banner, enter any text to be shown when users log in to the system.
For MOTD Banner, enter any text to be used as a MOTD when users log in to the system.
For Advisory Banner, select Enabled or Disabled.
For Advisory Banner Color, select the color for the banner.
For Advisory Banner Text, enter the text for the banner. The maximum number of characters is 80.
Click Save.
System reboot overview¶
If you are having an issue with the system (such as unusually high CPU or memory usage or lockup), it is possible that rebooting might help to resolve the issue.
When there is a problem, the system sends alerts that you would see on the dashboard or on the Alarms & Events screen. You should rarely have to reboot the system, however, because typically if the system needs to reboot, it will do so automatically without administrator intervention. F5 recommends working with customer support if you think a system reboot is necessary.
Reboot the system from the webUI¶
You can reboot the system from the webUI.
Log in to the webUI using an account with admin access.
On the left, click System Settings > General.
Review the system status on the System Operations & Status card.
The Reboot button will not be available if the system is currently being rebooted.
If you decide that a reboot is necessary, in the System Operations & Status area, click Reboot.
A popup displays asking you to confirm the reboot operation. It takes a few minutes for the system to reboot, and you will be logged out from the webUI.
OpenTelemetry overview¶
OpenTelemetry streamlines observability in distributed systems through standardized APIs, libraries, and tools for collecting telemetry data, including traces, metrics, and logs.
F5OS OpenTelemetry enables the efficient collection of streaming metrics and logs in a structured format from the F5OS product to display in your observability platform. All the metrics and logs will be exported through a gRPC connection. The F5OS supports gRPC endpoints and each OpenTelemetry Line Protocol (OTLP) endpoint is provided with the ability to toggle instrument based filtering.
OpenTelemetry Metrics overview¶
Telemetry subsystem within the F5OS platform layer generates common attributes and different metrics to display in your observability platform.
Instrument Overview¶
An instrument is an area of metrics, which contain multiple metrics and can be enabled selectively. F5OS Resource includes instruments.
| Instrument Name | Description |
|---|---|
| all | All the logs and metrics produced by the F5OS platform layer |
| logs | All the F5OS logs file |
| platform-log | All the F5OS platform logs file |
| event-log | All the F5OS ConfD event log |
| metrics | All the F5OS metrics |
| platform | Standard platform metrics such as memory, disk, CPU, and interface |
| hardware | The low-level platform hardware sensors |
| optics | The front-panel optic DDM metrics |
| tenant | Tenant-initiated metrics such as memory, disk, CPU, and interface |
| datapath | F5OS data-path metrics such as those generated by the FPGA and DMA |
| tmstat | F5OS tmstat tables exported as metrics |
| container | Docker container metrics for F5OS services |
Note: Support for the intrument tenant is provided only for BIP-IP tenants.
This image provides a representation how the F5OS Resource includes instruments with multiple metrics:
Common Attributes¶
The table lists the set of attributes that can be applied to all metrics produced by the platform. The scope indicates which product the attribute applies to:
F5 - Applies to all metrics produced by F5
F5OS - Applies to all metrics produced by the F5OS product
| Name | Value | Type | Scope | Description |
|---|---|---|---|---|
| host.name | string | F5 | The host-name for F5OS, derived from ConfD system hostname. | |
| f5.system.id | string | F5 | A_unique_instance_ID_per product. | |
| f5.product.version | string | F5 | A version string, which represents the version of the product. | |
| f5.product.name | string | F5 | The high-level F5 product generating the metric/log: - F5OS, - BIGIP-Next, - SPK, - CNF | |
| f5.product.type | string | F5OS | The platform type. | |
| f5.platform.serial_number | string | F5OS | Serial number of an appliance, blade, or controller. | |
| f5.platform.role | string | F5OS | The appliance is straight-forward. However, for chassis products, the telemetry data can originate from multiple places. The role can help identify a location.- Blade - The data originated from a blade within a partition.- Partition - The data originated from a partition-level service.- Controller - The data originated from a system controller. | |
| f5.platform.pid | C137 | string | F5OS | The platform ID |
| f5.platform.name | string | F5OS | The platform Name | |
| f5.tenant.name | string | F5OS | The name of the tenant which acts as | |
| a tenant ID | ||||
| f5.tenant.image | string | F5OS | The tenant image version | |
| f5.tenant.type | BIG-IP, BIG-IP NEXT | string | F5OS | The tenant type name |
Platform Metrics¶
Front-Panel Interface Metrics¶
Note: These metrics are relevant to Platforms.
| Metric Name | Metric Type | Value Type | Attributes | Unit |
|---|---|---|---|---|
| f5os.interface.packCeotusnter | f5os.interface.packCeotusnter | int64 | interface.name="1.{0p"ackets} direction="receive" | packets |
| f5os.interface.packCeotusnter | f5os.interface.packCeotusnter | int64 | interface.name="1.{0p"ackets} direction="transmit" | packets |
| f5os.interface.byteCsounter | f5os.interface.byteCsounter | int64 | interface.name="1.B0y"tes direction="receive" | bytes |
| f5os.interface.byteCsounter | f5os.interface.byteCsounter | int64 | interface.name="1.B0y"tes direction="transmit" | bytes |
| f5os.interface.erroCrosunter | f5os.interface.erroCrosunter | int64 | interface.name="1.{0p"ackets} direction="receive" | packets |
| f5os.interface.erroCrosunter | f5os.interface.erroCrosunter | int64 | interface.name="1.{0p"ackets} direction="transmit" | packets |
| f5os.interface.dropCpoeudnter | f5os.interface.dropCpoeudnter | int64 | interface.name="1.{0p"ackets} direction="receive" | packets |
| f5os.interface.dropCpoeudnter | f5os.interface.dropCpoeudnter | int64 | interface.name="1.{0p"ackets} direction="transmit" | packets |
| f5os.interface.broaCdocuanstter | f5os.interface.broaCdocuanstter | int64 | interface.name="1.{0p"ackets} direction="receive" | packets |
| f5os.interface.broaCdocuanstter | f5os.interface.broaCdocuanstter | int64 | interface.name="1.{0p"ackets} direction="transmit" | packets |
| f5os.interface.multCiocuanstter | f5os.interface.multCiocuanstter | int64 | interface.name="1.{0p"ackets} direction="receive" | packets |
| f5os.interface.multCiocuanstter | f5os.interface.multCiocuanstter | int64 | interface.name="1.{0p"ackets} direction="transmit" | packets |
| f5os.interface.etheCronuenter | f5os.interface.etheCronuenter | int64 | name="1.0" {packets} direction="transmit" | packets |
Optic DDM Metrics¶
Reports the front-panel Optic DDM metrics. Common Attributes include:
**port.group**=<string>The F5OS port group name associated with the Optic.
-
**port.name**="1.0"..The front-panel port number.
**channel**=1..NFor metrics which are per-channel, identifies the individual channel number.
**direction**="transmit" | "receive"An indication of transmit or receive direction.
CPU Metrics¶
The schema of the CPU metrics is based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions.
| Metric Name | Metric Type | Value Type | Attributes | Unit |
|---|---|---|---|---|
| system.cpu | Counter | int64 | thread cou | Seconds |
| state= |
||||
| system.cpu.Gauge | float64 | pu=cpu0...cpu | {percent} | |
| thread=0..N | ||||
| state= |
Disk IO Metrics¶
The Disk IO Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions.
Memory Metrics¶
The Memory Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
File system Metrics¶
The File system Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
Uptime Metrics¶
The Uptime Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions
| Metric Name | Metric Type | Value Type | Attributes | Unit |
|---|---|---|---|---|
| system.uptime | Counter | int64 | S |
Raid Metrics¶
The Raid Metrics are based on the OpenTelemetry semantic conventions. For more information, see Metrics Semantic Conventions.
Note: Applicable for F5 r10000/12000 platforms with only two hard disks.
F5OS Data Path Metrics¶
Summarizes the metrics that are associated with each tenant as they enters and exits the platform hardware at the DMA level.
Tenant Data Path¶
Note: This metric is the sum of all internal tenant interfaces and independent of the F5 platform front-panel interface.
F5OS Tenant Metrics¶
The following tenant metrics are currently reported by the BIG-IP tenant into the F5OS platform layer. The metrics visible at the platform layer are only a limited subset of the total number of metrics available to the tenant. You can view the full tenant metrics by using the BIG-IP metric reporting capability.
Common Tenant Attributes¶
This table lists the attributes that are associated with the tenant-based metrics.
CPU Metrics¶
Memory Metrics¶
Disk IO Metrics¶
Interface Counter Metrics¶
Docker Container Metrics¶
F5OS OpenTelemetry exporter will only report the metrics that are associated with the Docker containers managed by the platform layer. For more information about the docker container metrics, see Docker stats documentation.
Common Attributes¶
| Attributes | Metric Value Type | Description |
|---|---|---|
container.name |
string |
The name of the container |
container.image.name |
string |
The container image name |
Metrics¶
Platform Hardware Sensors¶
The platform hardware sensors represent physical sensors associated with the hardware which measure: temperature, current, power, voltage, RPM and percent humidity.
Common Attributes¶
f5os.sensor.name=<sensor name>
Examples:
Temperature:
Inlet
Outlet
Central
Voltage:
12V
3.3 V BCM
Current:
12V Main
Current In
Power:
Controller Power
Total Power Supply Unit (PSU) Power In
Total Power Supply Unit (PSU) Power Out
f5os.sensor.source=<component name>
Examples:
psu-[1..N]
fantray-[1..N]
psu-controller-[1..N]
blade-[1..N]
controller-[1..2]
platform
Metrics¶
F5OS TMSTAT Metrics¶
The metric schema is heavily dependent upon the internal representation of the tmstat tables within F5OS.
Note: When you select instrument type as “all” and/or “metrics”, the instrument type “tmstat” is set to off and cannot be selected. You have to manualy enable the instrument “tmstat”. Using this instrument is more tailored to internal F5 use cases, such as deep diagnostics.
OpenTelemetry configuration from the webUI¶
Configure an exporter from the webUI¶
You can configure an exporter from the web UI.
On the left, click System Monitoring > Telemetry.
The Telemetry screen displays.
Under the Telemetry exporters area, click Add.
The Add Exporter drawer displays.
Enter Name of the Exporter (up to 20 characters).
The first character in the name cannot be a number. After that, only lowercase alphanumeric characters and hyphens are allowed.
For Endpoint:
For IP Address, enter the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN) for an exporter.
For Port, enter the port number of the Server.
For Enable, select True if you want to enable and send the telemetry data to the exporter, or False to disable it.
For Instruments, select one or more instruments for an exporter.
| Option | Description |
|----------------------------|---------------------------------------------------------------------------------------------------|
| all | Reports all logs and metrics produced by the F5OS platform layer |
| logs | Reports all F5OS logs file through the OpenTelemetry 'log' API |
| platform-log | Exports the F5OS platform log through the OpenTelemetry 'log' API |
| event-log | Exports the F5OS confd event log through the OpenTelemetry 'log' API |
| metrics | Reports all F5OS metrics through the OpenTelemetry 'metric' API |
| platform | F5OS platform metrics such as memory, disk, CPU, interface, file system, and RAID stats |
| hardware | F5OS hardware sensors such as voltage, current, temperature, power, and fan speeds |
| optics | F5OS front-panel Optic DDM metrics |
| tenant | Low-level tenant reported metrics such as memory, disk, CPU, and interface stats |
| datapath | F5OS data-path metrics such as those generated by the FPGA and DMA |
| tmstat| F5OS tmstat tables exported as metrics|
|container|F5OS Per-Container metrics such as cpu, block-io, network, memory|
For Compression, select the compression type. By default, gzip will be selected.
For Attributes, specify the attributes for the exporter.
Click Add to add another attribute. Select an attribute and click Delete to delete it. Attributes are reference data that can be associated with the exporter.For Secure, select True to enable and configure the Transport Layer Security (TLS) to secure the connections. The default option is False.
Note: Before you can enable TLS encryption, you must configure a key and certificate on the system.
You can secure connections by using one of these methods:
Server Authentication only:
For TLS CA Certificate, paste the contents of the certificate (self-signed or from a CA) for server TLS authentication.
Both Server and Client Authentication:
a. For TLS CA Certificate, paste the contents of the certificate (self-signed or from a CA) for server TLS authentication.
b. In the TLS Certificate field, paste the text of the local certificate for client TLS authentication.
c. In the TLS Key field, paste the text of the private key for client TLS authentication.
For Reload Interval, specify the duration to reload the certificate within the specified timeframe.
Note: You can only specify the duration value in nanoseconds (ns), microseconds (us or μs), milliseconds (ms), seconds, minutes, and hours.
Click Save.
Delete an Exporter from the WebUI¶
You can delete an exporter from the webUI.
On the left, click System Monitoring> Telemetry.
The Telemetry screen displays the existing exporter and associated details.
To delete an exporter, in the Telemetry exporters area, select the exporter from the list and then click Delete.
Add Attributes to All Exporters from the WebUI¶
Attributes are reference data that can be associated with the exporter. Attributes can be specified in the key:value format. Spaces must be included between each entry. You can add attributes to all the configured exporters from the webUI.
On the left, click System Monitoring > Telemetry.
The Telemetry screen displays the existing exporter and associated details.
On Telemetry Attributes, click edit icon. Attributes drawer form displays.
Click Add to add another attribute. Select an attribute and click Delete to delete it.
Click Save.
System statistics overview¶
You can monitor data and metrics related to the usage, performance, and behavior of the system from the webUI. These statistics are crucial for monitoring, managing, and optimizing the system. You can monitor the following system details:
System CPU Usage: Shows the measurement of CPU utilization by the system.
System Memory Usage: Shows the measurement of memory utilization by the system.
System Disk Usage: Shows the measurement of disk utilization by the system.
Display system statistics from the webUI¶
To monitor the system’s statistics, follow the steps below:
Log in to the webUI using an account with admin access.
On the left, click System Monitoring > System Details.
You can now see the following statistics and status of the system:System CPU Usage: Displays the vCPU’s current utilization of the system by default. However, if multiple vCPUs are available, You can monitor the usage for a limited set of vCPUs depending on the screen resolution. You can view the next set of vCPUs by clicking the right chevron icon to go to next page or you can select a specific set of vCPUs from vCPUs dropdown and change the time series to view the historical data and analyze the vCPU utilization.
System Memory Usage: Displays the current memory utilization of the system by default. However, you can change the time series to view the historical data and analyze memory utilization.
System Disk Usage: Displays the disk’s current utilization of the system by default. However, if multiple disks are available, you can select a disk, data type, and change the time series to view the historical data and analyze memory utilization.