BIG-IP and general example declarations

The following are example declarations for BIG-IP, with some general examples that could also be used with BIG-IQ and the container.

1: Standalone declaration

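The following is an example declaration that onboards a standalone BIG-IP system. See Composing a Declarative Onboarding declaration for a standalone BIG-IP for specific details on this example. The passwords and registration key shown are placeholders; substitute your own values, and keep real credentials out of declarations that are stored or shared.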

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "webhook": "https://example.com/myHook",
    "label": "my BIG-IP declaration for declarative onboarding",
    "Common": {
        "class": "Tenant",
        "mySystem": {
            "class": "System",
            "hostname": "bigip.example.com",
            "cliInactivityTimeout": 1200,
            "consoleInactivityTimeout": 1200,
            "autoPhonehome": false
        },
        "myLicense": {
            "class": "License",
            "licenseType": "regKey",
            "regKey": "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
        },
        "myDns": {
            "class": "DNS",
            "nameServers": [
                "8.8.8.8",
                "2001:4860:4860::8844"
            ],
            "search": [
                "f5.com"
            ]
        },
        "myNtp": {
            "class": "NTP",
            "servers": [
                "0.pool.ntp.org",
                "1.pool.ntp.org",
                "2.pool.ntp.org"
            ],
            "timezone": "UTC"
        },
        "root": {
            "class": "User",
            "userType": "root",
            "oldPassword": "default",
            "newPassword": "myNewPass1word"
        },
        "admin": {
            "class": "User",
            "userType": "regular",
            "password": "asdfjkl",
            "shell": "bash"
        },
        "guestUser": {
            "class": "User",
            "userType": "regular",
            "password": "guestNewPass1",
            "partitionAccess": {
                "Common": {
                    "role": "guest"
                }
            }
        },
        "anotherUser": {
            "class": "User",
            "userType": "regular",
            "password": "myPass1word",
            "shell": "none",
            "partitionAccess": {
                "all-partitions": {
                    "role": "guest"
                }
            }
        },
        "myProvisioning": {
            "class": "Provision",
            "ltm": "nominal",
            "gtm": "minimum"
        },
        "internal": {
            "class": "VLAN",
            "tag": 4093,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.2",
                    "tagged": true
                }
            ],
            "cmpHash": "dst-ip"
        },
        "internal-self": {
            "class": "SelfIp",
            "address": "10.10.0.100/24",
            "vlan": "internal",
            "allowService": "default",
            "trafficGroup": "traffic-group-local-only"
        },
        "external": {
            "class": "VLAN",
            "tag": 4094,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ],
            "cmpHash": "src-ip"
        },
        "external-self": {
            "class": "SelfIp",
            "address": "10.20.0.100/24",
            "vlan": "external",
            "allowService": "none",
            "trafficGroup": "traffic-group-local-only"
        },
        "default": {
            "class": "Route",
            "gw": "10.10.0.1",
            "network": "default",
            "mtu": 1500
        },
        "managementRoute": {
            "class": "ManagementRoute",
            "gw": "1.2.3.4",
            "network": "default",
            "mtu": 1500
        },
        "myRouteDomain": {
            "class": "RouteDomain",
            "id": 100,
            "bandWidthControllerPolicy": "bwcPol",
            "connectionLimit": 5432991,
            "flowEvictionPolicy": "default-eviction-policy",
            "ipIntelligencePolicy": "ip-intelligence",
            "enforcedFirewallPolicy": "enforcedPolicy",
            "stagedFirewallPolicy": "stagedPolicy",
            "securityNatPolicy": "securityPolicy",
            "servicePolicy": "servicePolicy",
            "strict": false,
            "routingProtocols": [
                "RIP"
            ],
            "vlans": [
                "external"
            ]
        },
        "dbvars": {
            "class": "DbVariables",
            "ui.advisory.enabled": true,
            "ui.advisory.color": "green",
            "ui.advisory.text": "/Common/hostname"
        }
    }
}



2: Clustered declaration

The following is an example declaration that onboards a clustered BIG-IP system. See Composing a Declarative Onboarding declaration for a cluster of BIG-IPs for specific details on this example.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "label": "Onboard BIG-IP into an HA Pair",
    "Common": {
        "class": "Tenant",
        "hostname": "bigip1.example.com",
        "myLicense": {
            "class": "License",
            "licenseType": "regKey",
            "regKey": "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
        },
        "myDns": {
            "class": "DNS",
            "nameServers": [
                "8.8.8.8",
                "2001:4860:4860::8844"
            ],
            "search": [
                "f5.com"
            ]
        },
        "myNtp": {
            "class": "NTP",
            "servers": [
                "0.pool.ntp.org",
                "1.pool.ntp.org",
                "2.pool.ntp.org"
            ],
            "timezone": "UTC"
        },
        "root": {
            "class": "User",
            "userType": "root",
            "oldPassword": "foo",
            "newPassword": "bar"
        },
        "admin": {
            "class": "User",
            "userType": "regular",
            "password": "asdfjkl",
            "shell": "bash"
        },
        "anotherUser": {
            "class": "User",
            "userType": "regular",
            "password": "foobar",
            "partitionAccess": {
                "Common": {
                    "role": "guest"
                }
            }
        },
        "myProvisioning": {
            "class": "Provision",
            "ltm": "nominal"
        },
        "internal": {
            "class": "VLAN",
            "tag": 4093,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.2",
                    "tagged": false
                }
            ]
        },
        "internal-self": {
            "class": "SelfIp",
            "address": "10.10.0.100/24",
            "vlan": "internal",
            "allowService": "default",
            "trafficGroup": "traffic-group-local-only"
        },
        "external": {
            "class": "VLAN",
            "tag": 4094,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": false
                }
            ]
        },
        "external-localself": {
            "class": "SelfIp",
            "address": "10.20.0.100/24",
            "vlan": "external",
            "allowService": "none",
            "trafficGroup": "traffic-group-local-only"
        },
        "external-self": {
            "class": "SelfIp",
            "address": "10.20.0.200/24",
            "vlan": "external",
            "allowService": "none",
            "trafficGroup": "traffic-group-1"
        },
        "default": {
            "class": "Route",
            "gw": "10.10.0.1",
            "network": "default",
            "mtu": 1500
        },
        "configsync": {
            "class": "ConfigSync",
            "configsyncIp": "/Common/internal-self/address"
        },
        "failoverAddress": {
            "class": "FailoverUnicast",
            "address": "/Common/internal-self/address"
        },
        "failoverGroup": {
            "class": "DeviceGroup",
            "type": "sync-failover",
            "members": [
                "bigip1.example.com",
                "bigip2.example.com"
            ],
            "owner": "/Common/failoverGroup/members/0",
            "autoSync": true,
            "saveOnAutoSync": false,
            "networkFailover": true,
            "fullLoadOnSync": false,
            "asmSync": false
        },
        "trust": {
            "class": "DeviceTrust",
            "localUsername": "admin",
            "localPassword": "pass1word",
            "remoteHost": "/Common/failoverGroup/members/0",
            "remoteUsername": "admin",
            "remotePassword": "pass2word"
        }
    }
}



3: Using JSON Pointers

The following is another example using a declaration for use in a container, but in this case, it also contains a number of examples of using JSON pointers in a declaration. For more information on JSON pointers, see JSON Pointers.

{
    "class": "DO",
    "targetHost": "1.2.3.4",
    "targetUsername": "/declaration/Credentials/1/username",
    "targetPassphrase": "/declaration/Credentials/1/password",
    "declaration": {
        "schemaVersion": "1.0.0",
        "class": "Device",
        "label": "Use App Services Gateway to license BIG-IP via BIG-IQ when BIG-IP is reachable from BIG-IQ",
        "Credentials": [
            {
                "username": "bigIqAdmin",
                "password": "foofoo"
            },
            {
                "username": "admin",
                "password": "barbar"
            }
        ],
        "Common": {
            "class": "Tenant",
            "hostname": "bigip.example.com",
            "myLicense": {
                "class": "License",
                "licenseType": "licensePool",
                "bigIqHost": "10.0.1.200",
                "bigIqUsername": "/Credentials/0/username",
                "bigIqPassword": "/Credentials/0/password",
                "licensePool": "myUtilityLicense",
                "skuKeyword1": "key1",
                "skuKeyword2": "key2",
                "unitOfMeasure": "hourly",
                "reachable": true,
                "bigIpUsername": "/Credentials/1/username",
                "bigIpPassword": "/Credentials/1/password"
            },
            "myDns": {
                "class": "DNS",
                "nameServers": [
                    "8.8.8.8",
                    "2001:4860:4860::8844"
                ],
                "search": [
                    "f5.com"
                ]
            },
            "myNtp": {
                "class": "NTP",
                "servers": [
                    "0.pool.ntp.org",
                    "1.pool.ntp.org",
                    "2.pool.ntp.org"
                ],
                "timezone": "UTC"
            },
            "root": {
                "class": "User",
                "userType": "root",
                "oldPassword": "foo",
                "newPassword": "bar"
            },
            "admin": {
                "class": "User",
                "userType": "regular",
                "password": "asdfjkl",
                "shell": "bash"
            },
            "anotherUser": {
                "class": "User",
                "userType": "regular",
                "password": "foobar",
                "partitionAccess": {
                    "Common": {
                        "role": "guest"
                    }
                }
            },
            "myProvisioning": {
                "class": "Provision",
                "ltm": "nominal"
            },
            "internal": {
                "class": "VLAN",
                "tag": 4093,
                "mtu": 1500,
                "interfaces": [
                    {
                        "name": "1.2",
                        "tagged": true
                    }
                ]
            },
            "internal-self": {
                "class": "SelfIp",
                "address": "10.10.0.100/24",
                "vlan": "internal",
                "allowService": "default",
                "trafficGroup": "traffic-group-local-only"
            },
            "external": {
                "class": "VLAN",
                "tag": 4094,
                "mtu": 1500,
                "interfaces": [
                    {
                        "name": "1.1",
                        "tagged": true
                    }
                ]
            },
            "external-self": {
                "class": "SelfIp",
                "address": "10.20.0.100/24",
                "vlan": "external",
                "allowService": "none",
                "trafficGroup": "traffic-group-local-only"
            },
            "default": {
                "class": "Route",
                "gw": "10.10.0.1",
                "network": "default",
                "mtu": 1500
            }
        }
    }
}



4: Creating an Analytics profile to enable AVR data streaming

In this example, we are licensing a new BIG-IP, provisioning AVR, and creating an Analytics profile (you must have AVR provisioned to create an Analytics profile). This allows you to stream AVR data for consumption by F5 Telemetry Streaming or similar applications.

{
    "schemaVersion": "1.5.0",
    "class": "Device",
    "label": "Adding support for AVR streaming",
    "async": true,
    "Common": {
        "class": "Tenant",
        "hostname": "avr.example.com",
        "myLicense": {
            "class": "License",
            "licenseType": "regKey",
            "regKey": "AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE"
        },
        "myProvisioning": {
            "class": "Provision",
            "ltm": "nominal",
            "avr": "nominal"
        },
        "analytics": {
            "class": "Analytics",
            "debugEnabled": true,
            "interval": 60,
            "offboxProtocol": "tcp",
            "offboxTcpAddresses": [
                "192.0.2.1"
            ],
            "offboxTcpPort": 80,
            "offboxEnabled": true
        }
    }
}



5: Adding public SSH keys to a declaration

In this example, we are adding public SSH keys to the root user and a guestUser. This can provide a higher level of security and easier automation.

Important notes about using the keys property

  • Only the root user’s primary key (noted by the Host Processor Superuser) in authorized_keys will be preserved. All other keys configured prior to running this declaration WILL BE DELETED.
  • If the keys field is left empty it will default to an empty array. This means leaving it empty will clear the authorized_keys file, except for the root’s master key.
  • For non-root users, the path to the authorized_keys is /home/{username}/.ssh/authorized_keys.
  • For root, the path is /root/.ssh/authorized_keys.
  • DO will set the non-root user’s .ssh directory permissions to 700, with the authorized_keys permissions set to 600.
{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.com",
        "root": {
            "class": "User",
            "userType": "root",
            "oldPassword": "examplePass",
            "newPassword": "examplePass",
            "keys": [
                "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwHJLJY+/U/ioAAAADAQABAAACAQCwHJLJY+z0Rb85in7Ean6JS2J9dzo1nSssm7ZyQvGgc1e7EVtztbVpHThsvw92+1hx9wlSogXN6Co5zrtqlN8/mvlQkRRQ+sp2To8PcSMeEVI+TqBOg6BWbwwNQLz9/eUJq2o4vBfSpsn7GSDIf6C3F9EahRPGCR/z0kw5GZob3Q== test2",
                "ssh-rsa AAAAB3NzaC1yc2EAu2Gr14xRiVLnG8KxNp2fO1/U/ioAz0Rb85in7Ean6JS2J9dzo1nSssm7ZyQvGgc1e7EVtztbVpHThsvw92+/mvlQkRRQ+sp2To8PcSMeEVI+TqBOg6BWbwwNQLzu2Gr14xRiVLnG8KxNp2fO19/eUJq2o4vBfSpsn7GSDIf6C3F9EahRPGCR/z0kw5GZob3Q== test"
            ]
        },
        "guestUser": {
            "class": "User",
            "userType": "regular",
            "password": "guestNewPass1",
            "partitionAccess": {
                "Common": {
                    "role": "guest"
                }
            },
            "keys": [
                "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwHJLJY+/U/ioAAAADAQABAAACAQCwHJLJY+z0Rb85in7Ean6JS2J9dzo1nSssm7ZyQvGgc1e7EVtztbVpHThsvw92+1hx9wlSogXN6Co5zrtqlN8/mvlQkRRQ+sp2To8PcSMeEVI+TqBOg6BWbwwNQLz9/eUJq2o4vBfSpsn7GSDIf6C3F9EahRPGCR/z0kw5GZob3Q== test2",
                "ssh-rsa AAAAB3NzaC1yc2EAu2Gr14xRiVLnG8KxNp2fO1/U/ioAz0Rb85in7Ean6JS2J9dzo1nSssm7ZyQvGgc1e7EVtztbVpHThsvw92+/mvlQkRRQ+sp2To8PcSMeEVI+TqBOg6BWbwwNQLzu2Gr14xRiVLnG8KxNp2fO19/eUJq2o4vBfSpsn7GSDIf6C3F9EahRPGCR/z0kw5GZob3Q== test"
            ]
        }
    }
}



6: Adding Route Domains to a declaration

In this example, we show how to use a Route Domain in a declaration. A route domain is a configuration object that isolates network traffic for a particular application on the network. For more information on Route Domains, see Route Domain documentation.

In the following declaration, we include a VLAN to show how to reference a VLAN that is being created. The SelfIp and the Route both show using the RouteDomain with %100, which is the id of the RouteDomain.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.com",
        "newVlan": {
            "class": "VLAN",
            "tag": 100,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ]
        },
        "Route": {
            "class": "Route",
            "gw": "10.1.0.1",
            "network": "192.168.0.0%100/16"
        },
        "newSelfIp": {
            "class": "SelfIp",
            "address": "10.1.0.20%100/0",
            "vlan": "newVlan"
        },
        "theRouteDomain": {
            "class": "RouteDomain",
            "id": 100,
            "bandWidthControllerPolicy": "bwcPol",
            "connectionLimit": 5432991,
            "flowEvictionPolicy": "default-eviction-policy",
            "ipIntelligencePolicy": "ip-intelligence",
            "enforcedFirewallPolicy": "enforcedPolicy",
            "stagedFirewallPolicy": "stagedPolicy",
            "securityNatPolicy": "securityPolicy",
            "servicePolicy": "servicePolicy",
            "strict": false,
            "routingProtocols": [
                "BGP"
            ],
            "vlans": [
                "newVlan"
            ]
        }
    }
}



7: Setting the DAG IPv6 prefix length

In this example, we show how to use the DagGlobals class to set or modify the DAG global IPv6 prefix length. DAG Globals contain the global disaggregation settings; see the Disaggregation DAG modes documentation for more information.

In the following declaration snippet, we show only the DagGlobals class. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": false,
    "Common": {
        "class": "Tenant",
        "dagGlobals": {
            "class": "DagGlobals",
            "icmpHash": "ipicmp",
            "ipv6PrefixLength": 101,
            "roundRobinMode": "local"
        }
    }
}



8: Configuring SNMP in a declaration

In this example, we show how to configure SNMP in a Declarative Onboarding declaration. You can use DO to configure SNMP agents, users, communities, trap events, and trap destinations. See Monitoring BIG-IP System Traffic with SNMP in the BIG-IP documentation for specific information.

In the following declaration snippet we show only the classes related to SNMP. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "class": "Device",
    "label": "Configuring SNMP",
    "async": true,
    "Common": {
        "class": "Tenant",
        "mySnmpAgent": {
            "class": "SnmpAgent",
            "contact": "Op Center <ops@example.com>",
            "location": "Seattle, WA",
            "allowList": [
                "10.30.100.0/23",
                "10.40.100.0/23",
                "10.8.100.0/32",
                "10.30.10.100",
                "10.30.10.200"
            ]
        },
        "snmpUser1": {
            "class": "SnmpUser",
            "authentication": {
                "protocol": "sha",
                "password": "pass1W0rd!"
            },
            "privacy": {
                "protocol": "aes",
                "password": "P@ssW0rd"
            },
            "oid": ".1",
            "access": "rw"
        },
        "public": {
            "class": "SnmpCommunity",
            "ipv6": false,
            "source": "all",
            "oid": ".1",
            "access": "ro"
        },
        "snmpCommunityWithSpecialChar": {
            "class": "SnmpCommunity",
            "name": "special!community",
            "ipv6": false,
            "source": "all",
            "oid": ".1",
            "access": "ro"
        },
        "myTraps": {
            "class": "SnmpTrapEvents",
            "agentStartStop": true,
            "authentication": true,
            "device": true
        },
        "myV2SnmpDestination": {
            "class": "SnmpTrapDestination",
            "version": "2c",
            "community": "my_snmp_community",
            "destination": "10.0.10.100",
            "port": 80,
            "network": "other"
        },
        "myV3SnmpDestination": {
            "class": "SnmpTrapDestination",
            "version": "3",
            "destination": "10.0.10.1",
            "port": 80,
            "network": "other",
            "securityName": "someSnmpUser",
            "authentication": {
                "protocol": "sha",
                "password": "P@ssW0rd"
            },
            "privacy": {
                "protocol": "aes",
                "password": "P@ssW0rd"
            },
            "engineId": "0x80001f8880c6b6067fdacfb558"
        }
    }
}



9: Configuring BIG-IP authentication methods

In this example, we show how to configure RADIUS, LDAP, and TACACS authentication in a Declarative Onboarding declaration using the Authentication class. The Authentication class can (but does not have to) contain multiple authentication method subclasses, but only one can be enabled at a time, using the enabledSourceType property (which matches the BIG-IP UI behavior).

This example declaration contains all three authentication methods with the enabledSourceType property set to radius. It also includes the SSL options for LDAP introduced in DO 1.13.

For more information on options and DO usage, see Authentication and the subsequent entries in the Schema Reference.

In the following declaration snippet we show only the classes related to authentication. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "async": true,
    "class": "Device",
    "label": "LDAP, RADIUS, and TACACS auth",
    "Common": {
        "class": "Tenant",
        "myAuth": {
            "class": "Authentication",
            "enabledSourceType": "radius",
            "fallback": true,
            "remoteUsersDefaults": {
                "partitionAccess": "all",
                "terminalAccess": "tmsh",
                "role": "resource-admin"
            },
            "radius": {
                "serviceType": "call-check",
                "servers": {
                    "primary": {
                        "server": "1.2.3.4",
                        "port": 1811,
                        "secret": "mySecret"
                    },
                    "secondary": {
                        "server": "my.second.server",
                        "secret": "anotherSecret",
                        "port": 1888
                    }
                }
            },
            "ldap": {
                "bindDn": "searchingName",
                "bindPassword": "pass1w0rd",
                "bindTimeout": 40,
                "checkBindPassword": true,
                "checkRemoteRole": true,
                "filter": "filter",
                "groupDn": "groupName",
                "groupMemberAttribute": "attribute",
                "idleTimeout": 20,
                "ignoreAuthInfoUnavailable": true,
                "ignoreUnknownUser": true,
                "loginAttribute": "attributeToLogin",
                "port": 654,
                "searchScope": "base",
                "searchBaseDn": "searchName",
                "searchTimeout": 687,
                "servers": [
                    "my.host.com",
                    "1.2.3.4",
                    "FE80:0000:0000:0000:0202:B3FF:FE1E:8329"
                ],
                "ssl": "enabled",
                "sslCheckPeer": true,
                "sslCiphers": [
                    "ECDHE-RSA-AES128-GCM-SHA256",
                    "ECDHE-RSA-AES128-CBC-SHA",
                    "ECDHE-RSA-AES128-SHA256"
                ],
                "userTemplate": "uid=%s,ou=people,dc=siterequest,dc=com",
                "version": 2
            },
            "tacacs": {
                "accounting": "send-to-first-server",
                "authentication": "use-first-server",
                "debug": false,
                "encryption": true,
                "protocol": "ip",
                "secret": "aSecret1",
                "servers": [
                    "my.host.com",
                    "1.2.3.4",
                    "FE80:0000:0000:0000:0202:B3FF:FE1E:8329"
                ],
                "service": "ppp"
            }
        }
    }
}



10: Configuring Remote Roles for authentication

In this example, we show how to configure a remote role for authentication using the RemoteAuthRole class. See RemoteAuthRole Class in the Schema reference for a description of each of the parameters for this class.

Important: The BIG-IP only allows one role per user for each partition/tenant. Because some remote servers allow multiple user roles, the BIG-IP uses the lineOrder parameter to choose one of the conflicting roles for the user at login time. In these cases, the system chooses the role with the lowest line-order number. See Line Order in the BIG-IP documentation for more information and examples.

In the following declaration snippet we show only the classes related to remote auth roles. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "TEAM1": {
            "class": "RemoteAuthRole",
            "attribute": "memberOF=CN=Team-1,add-ldap-path",
            "console": "tmsh",
            "lineOrder": 925,
            "role": "admin",
            "remoteAccess": false,
            "userPartition": "all"
        },
        "TEAM2": {
            "class": "RemoteAuthRole",
            "attribute": "memberOF=CN=Team-2,add-ldap-path",
            "console": "tmsh",
            "lineOrder": 940,
            "role": "guest",
            "remoteAccess": true,
            "userPartition": "all"
        }
    }
}



11: Configuring Traffic Control properties

In this example, we show how you can configure BIG-IP LTM global traffic control settings (ltm global-settings traffic-control) using a Declarative Onboarding declaration. For descriptions and usage details on these properties, see TrafficControl Class in the Schema Reference.

In the following declaration snippet we show only the classes related to Traffic Control. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "class": "Device",
    "label": "Configuring traffic control",
    "async": true,
    "Common": {
        "class": "Tenant",
        "myglobals": {
            "class": "TrafficControl",
            "acceptIpOptions": true,
            "acceptIpSourceRoute": true,
            "allowIpSourceRoute": true,
            "continueMatching": true,
            "maxIcmpRate": 867,
            "maxPortFindLinear": 867,
            "maxPortFindRandom": 867,
            "maxRejectRate": 867,
            "maxRejectRateTimeout": 200,
            "minPathMtu": 867,
            "pathMtuDiscovery": false,
            "portFindThresholdWarning": false,
            "portFindThresholdTrigger": 10,
            "portFindThresholdTimeout": 200,
            "rejectUnmatched": false
        }
    }
}



12: Configuring a System Log (syslog) Destination in declaration

In this example, we show how to configure a syslog destination using the SyslogRemoteServer class. For information on syslog destinations, see External Monitoring and the Configuring remote logging Knowledge Base article. Also see SyslogRemoteServer Class in the Schema reference for usage options.

Important: The remote syslog server must be accessible from your BIG-IP system on the default route domain (Domain 0) or management network, and conversely, your BIG-IP system must be accessible from the remote syslog server.

In the following declaration snippet we show only the SyslogRemoteServer class. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "LocalDCSyslog": {
            "class": "SyslogRemoteServer",
            "host": "local-ip",
            "localIp": "172.28.68.42",
            "remotePort": 514
        },
        "DRDCSyslog": {
            "class": "SyslogRemoteServer",
            "host": "dr-ip",
            "localIp": "172.28.68.42",
            "remotePort": 514
        }
    }
}



13: Using the CMP Hash property in a VLAN

Starting in 1.7.0, you have the option of using the cmp-hash property on a VLAN. The CMP Hash setting allows all connections from a client system to use the same set of TMMs, improving system performance. For more information, see Additional VLAN Configuration Options in the BIG-IP documentation. You can also see VLAN Class in the Schema Reference for usage options.

In the following declaration snippet we show only the VLAN class with cmp-hash using Source Address as the traffic disaggregation method. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.7.0",
    "class": "Device",
    "async": true,
    "webhook": "https://example.com/myHook",
    "Common": {
        "class": "Tenant",
        "external": {
            "class": "VLAN",
            "tag": 4094,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ],
            "cmpHash": "src-ip"
        }
    }
}



14: Configuring SSHD settings in a declaration

In this example, we show how you can configure SSHD (SSH daemon) settings in a Declarative Onboarding declaration. For usage and options, see SSHD in the Schema Reference.

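In the following declaration, we show only the SSHD class. You can use this class as a part of a larger Declarative Onboarding declaration. The values are illustrative only: the example sets protocol to 1 and lists the hmac-md5 and hmac-sha1 MACs, which are legacy SSH options, so choose values that match your own SSH hardening policy.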

New in DO 1.15
Declarative Onboarding v1.15 and later includes the ability to set the source IP addresses that are allowed to log into the system, using the new allow property. You can allow all addresses by using the all value, or disallow all addresses using the none value; otherwise, you can specify an array of IP addresses as shown in the updated example.

Important

If you attempt to use the following declaration on a version prior to 1.15, it will fail. To use the example on a previous version, delete the allow property and IP addresses (the highlighted lines).

    {
    "schemaVersion": "1.8.0",
    "class": "Device",
    "async": false,
    "label": "Configuring SSHD settings",
    "Common": {
        "class": "Tenant",
        "sshSettings": {
            "class": "SSHD",
            "allow": [
                "10.0.0.1",
                "10.0.1.0/28",
                "192.168.1.*"
            ],
            "banner": "Banner to display",
            "inactivityTimeout": 123,
            "ciphers": [
                "aes128-ctr",
                "aes192-ctr",
                "aes256-ctr"
            ],
            "loginGraceTime": 100,
            "MACS": [
                "hmac-sha1",
                "hmac-ripemd160",
                "hmac-md5"
            ],
            "maxAuthTries": 10,
            "maxStartups": "5",
            "protocol": 1
        }
    }
}



15: Configuring HTTPD settings in a declaration

In this example, we show how you can configure HTTPD (HTTP daemon) settings in a Declarative Onboarding declaration. For usage and options, see HTTPD in the Schema Reference.

Note

If you use the BIG-IP Configuration utility, we recommend you exit the utility before changes are made to the system using the HTTPD component. Making changes to the system using this component causes a restart of the httpd daemon, and restarting the httpd daemon requires a restart of the Configuration utility.

In the following declaration, we show only the HTTPD class. You can use this class as a part of a larger Declarative Onboarding declaration.

{
    "schemaVersion": "1.8.0",
    "class": "Device",
    "async": false,
    "Common": {
        "class": "Tenant",
        "httpdSettings": {
            "class": "HTTPD",
            "allow": [
                "10.10.0.0/24",
                "10.11.1.2"
            ],
            "authPamIdleTimeout": 86400,
            "maxClients": 10,
            "sslCiphersuite": [
                "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-SHA",
                "ECDHE-RSA-AES128-SHA256",
                "ECDHE-RSA-AES256-SHA384",
                "ECDHE-ECDSA-AES128-GCM-SHA256",
                "ECDHE-ECDSA-AES256-GCM-SHA384",
                "ECDHE-ECDSA-AES128-SHA",
                "ECDHE-ECDSA-AES256-SHA",
                "ECDHE-ECDSA-AES128-SHA256",
                "ECDHE-ECDSA-AES256-SHA384",
                "AES128-GCM-SHA256",
                "AES256-GCM-SHA384",
                "AES128-SHA",
                "AES256-SHA",
                "AES128-SHA256"
            ],
            "sslProtocol": "all -SSLv2 -SSLv3 -TLSv1"
        }
    }
}



16: Configuring System settings in a declaration

In this example, we show how you can configure some System settings in a Declarative Onboarding declaration. This enables you to set auto-timeout values for serial console (CLI) and TMSH interactive mode sessions, as well as set a hostname, if you have not set one in the Common class.

Important

If you set a hostname in the Common class, you cannot use the hostname property in the System class; they are mutually exclusive.

For usage and options, see System in the Schema Reference.

DO 1.13 introduced the ability to disable the automatic update check feature. The autoCheck property controls whether the BIG-IP checks for and recommends software updates. See K15000 for more information.

In the following declaration, we show only the System class (including autoCheck introduced in 1.13). You can use this class as a part of a larger Declarative Onboarding declaration.

Important: If you try to use this declaration with a DO version prior to 1.13, it will fail. Either upgrade to 1.13, or remove the autoCheck line.

{
    "schemaVersion": "1.13.0",
    "class": "Device",
    "label": "Configuring System",
    "async": true,
    "Common": {
        "class": "Tenant",
        "mySystem": {
            "class": "System",
            "hostname": "my.bigip.com",
            "cliInactivityTimeout": 1200,
            "consoleInactivityTimeout": 1200,
            "autoCheck": false,
            "autoPhonehome": true
        }
    }
}



17: Clustered declaration with IP addresses for Device Group owner and members

The following is an example declaration that onboards a clustered BIG-IP system and shows how you can use IP addresses for the Device Group members and owner.

See Device Group class for more information.

{
    "class": "Device",
    "schemaVersion": "1.0.0",
    "async": true,
    "label": "BIG-IP declaration for declarative onboarding",
    "Common": {
        "class": "Tenant",
        "hostname": "do.example.1",
        "configSync": {
            "class": "ConfigSync",
            "configsyncIp": "10.0.0.1"
        },
        "failoverAddress": {
            "class": "FailoverUnicast",
            "address": "10.0.0.1"
        },
        "trust": {
            "class": "DeviceTrust",
            "localUsername": "exampleUsername",
            "localPassword": "examplePassword",
            "remoteHost": "10.0.0.1",
            "remoteUsername": "exampleUsername",
            "remotePassword": "examplePassword"
        },
        "failoverGroup": {
            "class": "DeviceGroup",
            "type": "sync-failover",
            "members": [
                "10.0.0.1",
                "10.0.0.2"
            ],
            "owner": "/Common/failoverGroup/members/0",
            "autoSync": true,
            "saveOnAutoSync": false,
            "networkFailover": false,
            "fullLoadOnSync": false,
            "asmSync": false
        }
    }
}



18: Updating the TLS/SSL Device Certificate in a declaration

This example declaration shows how you can create/upload a device certificate in a Declarative Onboarding declaration. The BIG-IP system uses the device certificate to authenticate access to the Configuration utility and to accommodate device-to-device communication processes, such as configuration synchronization.

For more information and how this process works manually, see the KB article Updating a self-signed SSL device certificate on a BIG-IP system.

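Because the declaration carries the device private key, store and transmit the declaration as you would any other secret. A couple of other things to note when including certificates and keys in a declaration: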

  • DO always writes to /config/httpd/conf/ssl.crt/server.crt and ssl.key/server.key
  • If the device certificate is updated (that is, if the certificate in the declaration does not match the certificate in those directories), DO reboots the BIG-IP device in order to include the updated certificate
  • DO makes backups of the certificates and keys in those directories before overwriting the existing certificate and key
  • Like other settings in DO, if a subsequent declaration is posted without the certificate, DO will restore the certificate that was there when it first ran.

See DeviceCertificate in the schema reference for more information and usage.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.com",
        "deviceCertificate": {
            "class": "DeviceCertificate",
            "certificate": {
                "base64": "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"
            },
            "privateKey": {
                "base64": "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"
            }
        }
    }
}



19: Using the userAgent Controls property

In this example, we show how you can use the userAgent property in the new Controls class. The userAgent property allows you to set a unique identifier in usage data.

This declaration includes the Controls class with userAgent set to BIG-IQ/7.1 Configured by API.

See Device_Controls in the Schema Reference for more information.

{
    "schemaVersion": "1.12.0",
    "class": "Device",
    "label": "Configuring System",
    "async": true,
    "controls": {
        "class": "Controls",
        "userAgent": "BIG-IQ/7.1 Configured by API"
    },
    "Common": {
        "class": "Tenant",
        "mySystem": {
            "class": "System",
            "hostname": "my.bigip.com",
            "cliInactivityTimeout": 1200,
            "consoleInactivityTimeout": 1200,
            "autoPhonehome": true
        }
    }
}



20: Configuring Audit Logging in a declaration

In this example, we show how you can configure audit logging in the System class of a Declarative Onboarding declaration. This allows audit logging to start as early as possible.

See System in the Schema Reference for DO usage and options. For detailed information about audit logging on the BIG-IP, see the Audit Logging documentation.

Important

guiAuditLog is only available on TMOS v14.0 and later

{
    "schemaVersion": "1.13.0",
    "class": "Device",
    "async": false,
    "Common": {
        "class": "Tenant",
        "mySys": {
            "class": "System",
            "tmshAuditLog": true,
            "guiAuditLog": true,
            "mcpAuditLog": "enable"
        }
    }
}



21: Configuring MAC Masquerading on Traffic Groups

In this example, we show how you can configure MAC Masquerading on Traffic Groups. This is a part of the new MAC_Masquerade class.

For detailed information about Mac Masquerade on the BIG-IP, see K13502: Configuring MAC masquerade.

See Mac_Masquerade in the Schema Reference for DO usage and options.

{
    "schemaVersion": "1.13.0",
    "class": "Device",
    "async": false,
    "Common": {
        "class": "Tenant",
        "myMac": {
            "class": "MAC_Masquerade",
            "source": {
                "interface": "1.1"
            },
            "trafficGroup": "traffic-group-1"
        }
    }
}



22: Configuring VLAN Failsafe

In this example, we show how you can configure VLAN Failsafe settings in a Declarative Onboarding declaration. This is a part of the VLAN Class, and includes the new properties failsafeEnabled, failsafeAction, and failsafeTimeout.

For detailed information about VLAN Failsafe on the BIG-IP, see K13297: Overview of VLAN failsafe.

See VLAN Class in the Schema Reference for DO usage and options.

{
    "schemaVersion": "1.14.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "external": {
            "class": "VLAN",
            "tag": 4094,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ],
            "failsafeEnabled": true,
            "failsafeAction": "reboot",
            "failsafeTimeout": 300
        }
    }
}



23: Configuring a DNS Resolver

In this example, we show how you create a DNS Resolver in a Declarative Onboarding declaration using the DNS_Resolver class introduced in DO 1.14. The DNS Resolver is the internal DNS resolver the BIG-IP system uses to fetch the internal proxy response.

See DNS_Resolver in the Schema Reference for DO usage and options.

For detailed information about the DNS Resolver, see BIG-IP DNS documentation on AskF5.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": false,
    "Common": {
        "class": "Tenant",
        "myResolver": {
            "class": "DNS_Resolver",
            "answerDefaultZones": false,
            "cacheSize": 5767168,
            "randomizeQueryNameCase": true,
            "routeDomain": "0",
            "forwardZones": [
                {
                    "name": "forward.net",
                    "nameservers": [
                        "10.10.10.10:53",
                        "10.10.10.11:53"
                    ]
                }
            ],
            "useIpv4": true,
            "useIpv6": true,
            "useTcp": true,
            "useUdp": true
        }
    }
}

24: Configuring a TCP Forward Tunnel

In this example, we show how you create a TCP Forward Network Tunnel in a Declarative Onboarding declaration using the Tunnel class introduced in DO 1.14.

Currently, tcp-forward is the only profile (tunnelType) Declarative Onboarding supports. The tcp-forward profile specifies a tunnel used for forward proxy connections.

See Tunnel in the Schema Reference for DO usage and options.

{
    "class": "Device",
    "schemaVersion": "1.14.0",
    "async": true,
    "Common": {
        "class": "Tenant",
        "newTcpForwardTunnel": {
            "class": "Tunnel",
            "tunnelType": "tcp-forward",
            "mtu": 2000,
            "usePmtu": false,
            "typeOfService": 123,
            "autoLastHop": "default"
        }
    }
}



25: Configuring Traffic Groups

This example shows how to create Traffic Groups using Declarative Onboarding 1.14 and later. A traffic group is a group of configuration objects on a BIG-IP which is able to float to another device in a device group in case of failure. For more information, see Traffic Group class on the Clustering page, and BIG-IP Device Service Clustering: Administration.

See TrafficGroup in the Schema Reference for DO usage and options.

Important

The HA Score failover method is not currently supported. DO uses the HA Order failover method.

Because DO uses HA Order for failover, the declaration must include a hostname, located inside of a deviceGroup. In the following example, the declaration defines a Device Group with a host name. See Device Group class for information on Device Groups.

{
    "schemaVersion": "1.14.0",
    "class": "Device",
    "label": "Configuring System",
    "async": false,
    "Common": {
        "class": "Tenant",
        "hostname": "do.example.com",
        "failoverGroup": {
            "class": "DeviceGroup",
            "type": "sync-failover",
            "members": [
                "do.example.com"
            ],
            "owner": "do.example.com",
            "autoSync": true,
            "saveOnAutoSync": false,
            "networkFailover": true,
            "fullLoadOnSync": false,
            "asmSync": false
        },
        "testTrafficGroup": {
            "class": "TrafficGroup",
            "autoFailbackEnabled": false,
            "autoFailbackTime": 50,
            "failoverMethod": "ha-order",
            "haLoadFactor": 1,
            "haOrder": [
                "do.example.com"
            ]
        }
    }
}



26: Configuring multiple failover unicast addresses

This example shows how to specify multiple failover unicast addresses using Declarative Onboarding 1.15 and later. The unicast addresses you specify are the main addresses that other devices in the device group use to communicate continually with the local device to assess the health of that device. For more information on failover on the BIG-IP, see Failover documentation.

For additional information, see Failover Unicast class on the Clustering page. See FailoverUnicast in the Schema Reference for DO usage and options.

To use this feature:

  • The failover unicast addresses must be pointing at IP addresses on the BIG-IP system (Self IP addresses)
  • Self IPs require a VLAN. Some systems, such as 1 NIC BIG-IP systems, are not able to have multiple VLANs. Check the device on which you are deploying a declaration using this feature.

In the following example, the declaration creates a VLAN that is then used by two external Self IP addresses, and then updates the device with two Failover Unicast addresses.

{
    "schemaVersion": "1.15.0",
    "class": "Device",
    "label": "Configuring System",
    "Common": {
        "class": "Tenant",
        "failoverUnicastMgmt": {
            "class": "FailoverUnicast",
            "addressPorts": [
                {
                    "address": "10.0.0.0",
                    "port": 356
                },
                {
                    "address": "10.1.1.0"
                }
            ]
        },
        "external": {
            "class": "VLAN",
            "tag": 4094,
            "mtu": 1500,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ],
            "cmpHash": "src-ip"
        },
        "external-self": {
            "class": "SelfIp",
            "address": "10.0.0.0/24",
            "vlan": "external",
            "allowService": "none",
            "trafficGroup": "traffic-group-local-only"
        },
        "external-self2": {
            "class": "SelfIp",
            "address": "10.1.1.0/24",
            "vlan": "external",
            "allowService": "none",
            "trafficGroup": "traffic-group-local-only"
        }
    }
}



27: Enabling traces in DO responses

In this example, we show how you can use the trace and traceResponse properties to enable more visibility into what DO is configuring. These properties are included in the Device_Controls class.

Warning

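Trace files, and responses returned with traceResponse enabled, may contain sensitive configuration data. Restrict access to them, and set trace and traceResponse back to false once you have finished your analysis.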

When trace is set to true (the default is false), DO creates a detailed trace of the configuration process for subsequent analysis. This information is written to files in the /tmp directory where DO is running.
The files are:

  • /tmp/DO_current.json
  • /tmp/DO_desired.json
  • /tmp/DO_diff.json

When traceResponse is set to true (the default is false), the response (or response to a subsequent GET request in the case of asynchronous requests) contains the same information that would be found in the trace files.

This example shows both the declaration and the response from DO.

{
    "schemaVersion": "1.15.0",
    "class": "Device",
    "async": true,
    "webhook": "https://example.com/myHook",
    "label": "my BIG-IP declaration for declarative onboarding",
    "controls": {
        "trace": true,
        "traceResponse": true
    },
    "Common": {
        "class": "Tenant",
        "mySystem": {
            "class": "System",
            "hostname": "bigip.example.com",
            "cliInactivityTimeout": 1200,
            "consoleInactivityTimeout": 1200,
            "autoPhonehome": false
        }
    }
}

Example Response
Here is the response returned by DO from the declaration, showing the trace for the tenant (your output will vary based on the configuration of your device).

{
   "id": "e34cd96e-a1dc-4432-9efa-ff687e09117f",
   "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/e34cd96e-a1dc-4432-9efa-ff687e09117f",
   "result": {
      "class": "Result",
      "code": 200,
      "status": "OK",
      "message": "success"
   },
   "declaration": {
      "schemaVersion": "1.15.0",
      "class": "Device",
      "async": true,
      "webhook": "https://example.com/myHook",
      "label": "my BIG-IP declaration for declarative onboarding",
      "controls": {
            "trace": true,
            "traceResponse": true
      },
      "Common": {
            "class": "Tenant",
            "mySystem": {
               "class": "System",
               "hostname": "bigip.example.com",
               "cliInactivityTimeout": 1200,
               "consoleInactivityTimeout": 1200,
               "autoPhonehome": false
            }
      }
   },
   "traces": {
      "desired": {
            "Common": {
               "System": {
                  "hostname": "bigip.example.com",
                  "cliInactivityTimeout": 1200,
                  "consoleInactivityTimeout": 1200,
                  "autoPhonehome": false
               },
               "DNS": {
                  "nameServers": [
                        "172.27.1.1"
                  ],
                  "search": [
                        "localhost"
                  ]
               },
               "NTP": {
                  "timezone": "America/Los_Angeles"
               },
               "Provision": {
                  "afm": "none",
                  "am": "none",
                  "apm": "none",
                  "asm": "none",
                  "avr": "none",
                  "cgnat": "none",
                  "dos": "none",
                  "fps": "none",
                  "gtm": "none",
                  "ilx": "none",
                  "lc": "none",
                  "ltm": "nominal",
                  "pem": "none",
                  "sslo": "none",
                  "swg": "none",
                  "urldb": "none"
               },
               "VLAN": {},
               "DNS_Resolver": {
                  "f5-aws-dns": {
                        "name": "f5-aws-dns",
                        "answerDefaultZones": false,
                        "cacheSize": 5767168,
                        "randomizeQueryNameCase": true,
                        "routeDomain": "0",
                        "useIpv4": true,
                        "useIpv6": true,
                        "useTcp": true,
                        "useUdp": true,
                        "forwardZones": [
                           {
                              "name": "amazonaws.com",
                              "nameservers": [
                                    {
                                       "name": "8.8.8.8:53"
                                    }
                              ]
                           },
                           {
                              "name": "idservice.net",
                              "nameservers": [
                                    {
                                       "name": "8.8.8.8:53"
                                    }
                              ]
                           }
                        ]
                  }
               },
               "Trunk": {},
               "SelfIp": {},
               "Route": {},
               "ConfigSync": {
                  "configsyncIp": "none"
               },
               "FailoverUnicast": {
                  "unicastAddress": "none"
               },
               "ManagementRoute": {
                  "default": {
                        "name": "default",
                        "mtu": 0,
                        "network": "default",
                        "gw": "10.145.127.254"
                  }
               },
               "RouteDomain": {
                  "0": {
                        "name": "0",
                        "connectionLimit": 0,
                        "id": 0,
                        "strict": true,
                        "vlans": [
                           "/Common/http-tunnel",
                           "/Common/socks-tunnel",
                           "/Common/external",
                           "/Common/internal"
                        ]
                  }
               },
               "Authentication": {
                  "fallback": false,
                  "enabledSourceType": "local",
                  "remoteUsersDefaults": {
                        "role": "no-access",
                        "partitionAccess": "all",
                        "terminalAccess": "disabled"
                  }
               },
               "RemoteAuthRole": {},
               "SnmpAgent": {
                  "contact": "Customer Name <admin@customer.com>",
                  "location": "Network Closet 1",
                  "allowList": [
                        "127.0.0.0/8"
                  ]
               },
               "SnmpTrapEvents": {
                  "device": true,
                  "authentication": false,
                  "agentStartStop": true
               },
               "SnmpUser": {},
               "SnmpCommunity": {
                  "comm-public": {
                        "name": "public",
                        "access": "ro",
                        "ipv6": false,
                        "source": "default"
                  }
               },
               "SnmpTrapDestination": {},
               "DagGlobals": {
                  "icmpHash": "icmp",
                  "roundRobinMode": "global",
                  "ipv6PrefixLength": 128
               },
               "TrafficControl": {
                  "acceptIpOptions": false,
                  "acceptIpSourceRoute": false,
                  "allowIpSourceRoute": false,
                  "continueMatching": false,
                  "maxIcmpRate": 100,
                  "maxRejectRate": 250,
                  "maxRejectRateTimeout": 30,
                  "minPathMtu": 296,
                  "pathMtuDiscovery": true,
                  "portFindThresholdTimeout": 30,
                  "portFindThresholdTrigger": 8,
                  "portFindThresholdWarning": true,
                  "rejectUnmatched": true,
                  "maxPortFindLinear": 16,
                  "maxPortFindRandom": 16
               },
               "HTTPD": {
                  "allow": [
                        "All"
                  ],
                  "authPamIdleTimeout": 1200,
                  "maxClients": 10,
                  "sslCiphersuite": [
                        "ECDHE-RSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-RSA-AES128-SHA",
                        "ECDHE-RSA-AES256-SHA",
                        "ECDHE-RSA-AES128-SHA256",
                        "ECDHE-RSA-AES256-SHA384",
                        "ECDHE-ECDSA-AES128-GCM-SHA256",
                        "ECDHE-ECDSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-AES128-SHA",
                        "ECDHE-ECDSA-AES256-SHA",
                        "ECDHE-ECDSA-AES128-SHA256",
                        "ECDHE-ECDSA-AES256-SHA384",
                        "AES128-GCM-SHA256",
                        "AES256-GCM-SHA384",
                        "AES128-SHA",
                        "AES256-SHA",
                        "AES128-SHA256",
                        "AES256-SHA256"
                  ],
                  "sslProtocol": "all -SSLv2 -SSLv3 -TLSv1"
               },
               "SSHD": {
                  "inactivityTimeout": 0
               },
               "Tunnel": {
                  "http-tunnel": {
                        "name": "http-tunnel",
                        "mtu": 0,
                        "usePmtu": true,
                        "autoLastHop": "default",
                        "tunnelType": "tcp-forward",
                        "typeOfService": "preserve"
                  },
                  "socks-tunnel": {
                        "name": "socks-tunnel",
                        "mtu": 0,
                        "usePmtu": true,
                        "autoLastHop": "default",
                        "tunnelType": "tcp-forward",
                        "typeOfService": "preserve"
                  }
               },
               "TrafficGroup": {
                  "traffic-group-1": {
                        "name": "traffic-group-1",
                        "autoFailbackEnabled": "false",
                        "autoFailbackTime": 60,
                        "failoverMethod": "ha-order",
                        "haLoadFactor": 1
                  },
                  "traffic-group-local-only": {
                        "name": "traffic-group-local-only",
                        "autoFailbackEnabled": "false",
                        "autoFailbackTime": 60,
                        "failoverMethod": "ha-order",
                        "haLoadFactor": 1
                  }
               }
            },
            "parsed": true
      },
      "current": {
            "parsed": true,
            "Common": {
               "System": {
                  "consoleInactivityTimeout": 1200,
                  "hostname": "bigip.example.com",
                  "guiAuditLog": false,
                  "cliInactivityTimeout": 1200,
                  "tmshAuditLog": true,
                  "autoCheck": true,
                  "autoPhonehome": false
               },
               "Provision": {
                  "afm": "none",
                  "am": "none",
                  "apm": "none",
                  "asm": "none",
                  "avr": "none",
                  "cgnat": "none",
                  "dos": "none",
                  "fps": "none",
                  "gtm": "none",
                  "ilx": "none",
                  "lc": "none",
                  "ltm": "nominal",
                  "pem": "none",
                  "sslo": "none",
                  "swg": "none",
                  "urldb": "none"
               },
               "NTP": {
                  "timezone": "America/Los_Angeles"
               },
               "DNS": {
                  "nameServers": [
                        "172.27.1.1"
                  ],
                  "search": [
                        "localhost"
                  ]
               },
               "DNS_Resolver": {
                  "f5-aws-dns": {
                        "name": "f5-aws-dns",
                        "answerDefaultZones": false,
                        "cacheSize": 5767168,
                        "randomizeQueryNameCase": true,
                        "routeDomain": "0",
                        "useIpv4": true,
                        "useIpv6": true,
                        "useTcp": true,
                        "useUdp": true,
                        "forwardZones": [
                           {
                              "name": "amazonaws.com",
                              "nameservers": [
                                    {
                                       "name": "8.8.8.8:53"
                                    }
                              ]
                           },
                           {
                              "name": "idservice.net",
                              "nameservers": [
                                    {
                                       "name": "8.8.8.8:53"
                                    }
                              ]
                           }
                        ]
                  }
               },
               "Trunk": {},
               "VLAN": {
                  "external": {
                        "name": "external",
                        "cmpHash": "default",
                        "failsafeAction": "failover-restart-tm",
                        "failsafeTimeout": 90,
                        "mtu": 1500,
                        "tag": 4094,
                        "failsafeEnabled": false,
                        "interfaces": [
                           {
                              "name": "1.1",
                              "tagged": false
                           }
                        ]
                  },
                  "internal": {
                        "name": "internal",
                        "cmpHash": "default",
                        "failsafeAction": "failover-restart-tm",
                        "failsafeTimeout": 90,
                        "mtu": 1500,
                        "tag": 4093,
                        "failsafeEnabled": false,
                        "interfaces": [
                           {
                              "name": "1.2",
                              "tagged": false
                           }
                        ]
                  }
               },
               "SelfIp": {
                  "external-self": {
                        "name": "external-self",
                        "address": "10.20.0.100/24",
                        "trafficGroup": "traffic-group-local-only",
                        "vlan": "external",
                        "allowService": "none"
                  },
                  "internal-self": {
                        "name": "internal-self",
                        "address": "10.10.0.100/24",
                        "trafficGroup": "traffic-group-local-only",
                        "vlan": "internal",
                        "allowService": "default"
                  }
               },
               "Route": {},
               "ConfigSync": {
                  "configsyncIp": "none"
               },
               "FailoverUnicast": {
                  "addressPorts": "none"
               },
               "TrafficGroup": {
                  "traffic-group-1": {
                        "name": "traffic-group-1",
                        "autoFailbackEnabled": "false",
                        "autoFailbackTime": 60,
                        "failoverMethod": "ha-order",
                        "haLoadFactor": 1
                  },
                  "traffic-group-local-only": {
                        "name": "traffic-group-local-only",
                        "autoFailbackEnabled": "false",
                        "autoFailbackTime": 60,
                        "failoverMethod": "ha-order",
                        "haLoadFactor": 1
                  }
               },
               "MAC_Masquerade": {
                  "traffic-group-1": {
                        "mac": "none",
                        "trafficGroup": "traffic-group-1"
                  },
                  "traffic-group-local-only": {
                        "mac": "none",
                        "trafficGroup": "traffic-group-local-only"
                  }
               },
               "ManagementRoute": {
                  "default": {
                        "name": "default",
                        "mtu": 0,
                        "network": "default",
                        "gw": "10.145.127.254"
                  }
               },
               "SyslogRemoteServer": {},
               "Authentication": {
                  "fallback": false,
                  "enabledSourceType": "local",
                  "remoteUsersDefaults": {
                        "role": "no-access",
                        "partitionAccess": "all",
                        "terminalAccess": "disabled"
                  }
               },
               "RouteDomain": {
                  "0": {
                        "name": "0",
                        "connectionLimit": 0,
                        "id": 0,
                        "strict": true,
                        "vlans": [
                           "/Common/http-tunnel",
                           "/Common/socks-tunnel",
                           "/Common/external",
                           "/Common/internal"
                        ]
                  }
               },
               "RemoteAuthRole": {},
               "SnmpTrapEvents": {
                  "device": true,
                  "authentication": false,
                  "agentStartStop": true
               },
               "SnmpTrapDestination": {},
               "SnmpAgent": {
                  "contact": "Customer Name <admin@customer.com>",
                  "location": "Network Closet 1",
                  "allowList": [
                        "127.0.0.0/8"
                  ]
               },
               "SnmpUser": {},
               "SnmpCommunity": {
                  "comm-public": {
                        "name": "public",
                        "access": "ro",
                        "ipv6": false,
                        "source": "default"
                  }
               },
               "DagGlobals": {
                  "icmpHash": "icmp",
                  "roundRobinMode": "global",
                  "ipv6PrefixLength": 128
               },
               "HTTPD": {
                  "allow": [
                        "All"
                  ],
                  "authPamIdleTimeout": 1200,
                  "maxClients": 10,
                  "sslCiphersuite": [
                        "ECDHE-RSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-RSA-AES128-SHA",
                        "ECDHE-RSA-AES256-SHA",
                        "ECDHE-RSA-AES128-SHA256",
                        "ECDHE-RSA-AES256-SHA384",
                        "ECDHE-ECDSA-AES128-GCM-SHA256",
                        "ECDHE-ECDSA-AES256-GCM-SHA384",
                        "ECDHE-ECDSA-AES128-SHA",
                        "ECDHE-ECDSA-AES256-SHA",
                        "ECDHE-ECDSA-AES128-SHA256",
                        "ECDHE-ECDSA-AES256-SHA384",
                        "AES128-GCM-SHA256",
                        "AES256-GCM-SHA384",
                        "AES128-SHA",
                        "AES256-SHA",
                        "AES128-SHA256",
                        "AES256-SHA256"
                  ],
                  "sslProtocol": "all -SSLv2 -SSLv3 -TLSv1"
               },
               "TrafficControl": {
                  "acceptIpOptions": false,
                  "acceptIpSourceRoute": false,
                  "allowIpSourceRoute": false,
                  "continueMatching": false,
                  "maxIcmpRate": 100,
                  "maxRejectRate": 250,
                  "maxRejectRateTimeout": 30,
                  "minPathMtu": 296,
                  "pathMtuDiscovery": true,
                  "portFindThresholdTimeout": 30,
                  "portFindThresholdTrigger": 8,
                  "portFindThresholdWarning": true,
                  "rejectUnmatched": true,
                  "maxPortFindLinear": 16,
                  "maxPortFindRandom": 16
               },
               "SSHD": {
                  "allow": [
                        "ALL"
                  ],
                  "inactivityTimeout": 0
               },
               "Tunnel": {
                  "http-tunnel": {
                        "name": "http-tunnel",
                        "mtu": 0,
                        "usePmtu": true,
                        "autoLastHop": "default",
                        "tunnelType": "tcp-forward",
                        "typeOfService": "preserve"
                  },
                  "socks-tunnel": {
                        "name": "socks-tunnel",
                        "mtu": 0,
                        "usePmtu": true,
                        "autoLastHop": "default",
                        "tunnelType": "tcp-forward",
                        "typeOfService": "preserve"
                  }
               },
               "Disk": {
                  "applicationData": 26128384
               }
            }
      },
      "diff": [
            {
               "kind": "D",
               "path": [
                  "Common",
                  "System",
                  "guiAuditLog"
               ],
               "lhs": false
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "System",
                  "tmshAuditLog"
               ],
               "lhs": true
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "System",
                  "autoCheck"
               ],
               "lhs": true
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "VLAN",
                  "external"
               ],
               "lhs": {
                  "name": "external",
                  "cmpHash": "default",
                  "failsafeAction": "failover-restart-tm",
                  "failsafeTimeout": 90,
                  "mtu": 1500,
                  "tag": 4094,
                  "failsafeEnabled": false,
                  "interfaces": [
                        {
                           "name": "1.1",
                           "tagged": false
                        }
                  ]
               }
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "VLAN",
                  "internal"
               ],
               "lhs": {
                  "name": "internal",
                  "cmpHash": "default",
                  "failsafeAction": "failover-restart-tm",
                  "failsafeTimeout": 90,
                  "mtu": 1500,
                  "tag": 4093,
                  "failsafeEnabled": false,
                  "interfaces": [
                        {
                           "name": "1.2",
                           "tagged": false
                        }
                  ]
               }
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "SelfIp",
                  "external-self"
               ],
               "lhs": {
                  "name": "external-self",
                  "address": "10.20.0.100/24",
                  "trafficGroup": "traffic-group-local-only",
                  "vlan": "external",
                  "allowService": "none"
               }
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "SelfIp",
                  "internal-self"
               ],
               "lhs": {
                  "name": "internal-self",
                  "address": "10.10.0.100/24",
                  "trafficGroup": "traffic-group-local-only",
                  "vlan": "internal",
                  "allowService": "default"
               }
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "FailoverUnicast",
                  "addressPorts"
               ],
               "lhs": "none"
            },
            {
               "kind": "N",
               "path": [
                  "Common",
                  "FailoverUnicast",
                  "unicastAddress"
               ],
               "rhs": "none"
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "SSHD",
                  "allow"
               ],
               "lhs": [
                  "ALL"
               ]
            },
            {
               "kind": "D",
               "path": [
                  "Common",
                  "Disk"
               ],
               "lhs": {
                  "applicationData": 26128384
               }
            }
      ]
   },
   "lastUpdate": "2020-08-24T16:44:41.140Z"
}



28: Creating Routes in the LOCAL_ONLY partition

This example shows how to create a route in a special LOCAL_ONLY partition/tenant using the new localOnly property in the Route class. When using this feature, if this partition doesn’t exist, Declarative Onboarding creates it.

This partition is required to configure an Amazon Web Services (AWS) Across Network cluster.

See Route in the Schema Reference for DO usage and options.

Important notes:
  • While DO can create the LOCAL_ONLY partition if it does not exist, it cannot currently delete it, and the partition will remain even if you delete the DO configuration.
  • A Route cannot be directly swapped from one partition to another. If you attempt to swap the value of localOnly, the declaration will fail. As a workaround, change the network of the Route to another IP and set localOnly to what you want it to be. Submit that using DO. Once that is complete, you can change the network to the desired value.
{
    "schemaVersion": "1.15.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.com",
        "newVlan": {
            "class": "VLAN",
            "tag": 100,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ]
        },
        "localRoute": {
            "class": "Route",
            "target": "newVlan",
            "network": "10.1.0.244/32",
            "localOnly": true
        },
        "newSelfIp": {
            "class": "SelfIp",
            "address": "10.1.0.20/32",
            "vlan": "newVlan"
        }
    }
}



29: Configuring connection and persistence mirroring

This example shows how you can include connection and persistence mirroring information in a Declarative Onboarding declaration.

The connection and persistence mirroring feature allows you to configure BIG-IP systems in a high availability (HA) configuration to duplicate connection and persistence information to peer members of the BIG-IP device group. This feature provides higher reliability but may affect system performance. For more information, see the Overview of connection and persistence mirroring article on AskF5.

See MirrorIp in the Schema Reference for DO usage and options. Also see MirrorIp class on the Clustering page.

{
    "schemaVersion": "1.16.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.com",
        "newVlan": {
            "class": "VLAN",
            "tag": 100,
            "interfaces": [
                {
                    "name": "1.1",
                    "tagged": true
                }
            ]
        },
        "newSelfIp": {
            "class": "SelfIp",
            "address": "10.1.0.20/0",
            "vlan": "newVlan"
        },
        "myMirror": {
            "class": "MirrorIp",
            "primaryIp": "10.1.0.20",
            "secondaryIp": "any6"
        }
    }
}



30: Warning users the BIG-IP is under AS3 automation

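This example shows how you can use Declarative Onboarding to discourage unintended configuration changes to a device that is managed by AS3. This example configures an advisory banner using the DbVariables class. The banner only warns users; it does not itself prevent changes, so access to the device still has to be restricted through user roles and permissions.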

{
    "class": "DO",
    "declaration": {
        "schemaVersion": "1.11.0",
        "class": "Device",
        "async": true,
        "Common": {
            "class": "Tenant",
            "myDbVariables": {
                "class": "DbVariables",
                "ui.advisory.enabled": "true",
                "ui.advisory.color": "red",
                "ui.advisory.text": "Configuration deployed with AS3. Do not make any change directly on the BIG-IP or those changes may be lost."
            }
        }
    }
}



31: Increasing the memory allocated to the restjavad daemon

This example shows how you can use Declarative Onboarding to increase the amount of memory allocated to restjavad, using the DbVariables class.

See Why is my BIG-IP experiencing occasional high CPU usage and slower performance? for reasons you may want to increase this memory allocation.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": "true",
    "Common": {
        "class": "Tenant",
        "dbvars": {
            "class": "DbVariables",
            "provision.extramb": 1000,
            "restjavad.useextramb": true
        }
    }
}
