Appendix A: Schema Reference

This page is a reference for the objects you can use in your Declarations for Declarative Onboarding. For more information on BIG-IP objects and terminology, see the BIG-IP documentation at https://support.f5.com/csp/home.

Analytics

Global analytics properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“Analytics” Indicates that this property contains global analytics configuration
debugEnabled (boolean) false true, false Enable debug mode. If debug mode is disabled, internal statistics are collected only if interval is set to the default value (300 seconds)
interval (integer) 300 [20, 300] Analytics data collection interval in seconds. If this interval is different from the default value (300 seconds), internal statistics are not collected unless debugEnabled is set to true. Minimum interval is 20 seconds, maximum interval is 300 seconds.
offboxEnabled (boolean) false true, false Enables all communication with the offbox application on the global level
offboxProtocol (string)
“https”, “tcp” Protocol for communication with offbox analytics application
offboxTcpAddresses (array<string>)
Server IP addresses used only if the ‘tcp/https’ protocol is chosen
offboxTcpPort (number)
Server TCP port for the server IP addresses used only if the ‘tcp’ protocol is chosen
sourceId (string)
Unique value to signify the source of data
tenantId (string)
Unique id for the tenant using the analytics backend system

Authentication

Authentication properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“Authentication” Indicates that this property contains authentication configuration.
enabledSourceType (string) “local” “radius”, “local”, “tacacs”, “ldap”, “activeDirectory” Type of remote authentication source to enable for the system.
fallback (boolean) false true, false Specifies that the system uses the Local authentication method if the remote authentication method is not available.
ldap (Authentication_ldap)
Remote LDAP authentication info
radius (Authentication_radius)
Remote RADIUS authentication info.
remoteUsersDefaults (Authentication_remoteUsersDefaults)
The default values that the BIG-IP system applies to any user account that is not part of a remotely-stored user group.
tacacs (Authentication_tacacs)
TACACS+ authentication info

Authentication_ldap

Authentication ldap possible properties

Properties:

Name (Type) Default Values Description
bindDn (string)
Distinguished name of the server account. If the server is a Microsoft Windows Active Directory server, the name must be an email address
bindPassword (string)
Password for the server account
bindTimeout (integer) 30 [0, 4294967295] Timeout limit in seconds to bind to remote authentication server
checkBindPassword (boolean) false true, false Confirms the password for the server account
checkRemoteRole (boolean) false true, false Verifies a user’s group membership based on the remote-role definition, formatted as *member*of=”group-dn”
filter (string)
Filter used for authorizing client traffic
groupDn (string)
Group distinguished name for authorizing client traffic
groupMemberAttribute (string)
Group member attribute for authorizing client traffic
idleTimeout (integer) 3600 [0, 4294967295] Connection timeout limit in seconds
ignoreAuthInfoUnavailable (boolean) false true, false Ignores authentication information if not available
ignoreUnknownUser (boolean) false true, false Ignores a user that is unknown
loginAttribute (string)
Logon attribute. If the server is a Microsoft Windows Active Directory server, the value must be the account name “samaccountname”
port (integer) 389 [0, 65535] Port number for the LDAP service
referrals (boolean) true true, false Specifies whether automatic referral chasing should be enabled. This is for BIG-IP 15.1+
searchBaseDn (string)
Search base distinguished name
searchScope (string) “sub” “base”, “one”, “sub” Level of remote server’s directory to search for user authentication, either base object, one level, or subtree
searchTimeout (integer) 30 [0, 4294967295] Search timeout limit in seconds
servers (array<string>)
IP addresses or hostnames of the remote authentication servers.
ssl (string) “disabled” “enabled”, “disabled”, “start-tls” Enables SSL
sslCaCert (reference | reference)
SSL certificate issued by a certificate authority
sslCheckPeer (boolean) false true, false Specifies whether the system checks an SSL peer
sslCiphers (array<string>)   “ECDHE-RSA-AES128-GCM-SHA256”, “ECDHE-RSA-AES128-CBC-SHA”, “ECDHE-RSA-AES128-SHA256”, “ECDHE-RSA-AES256-GCM-SHA384”, “ECDHE-RSA-AES256-CBC-SHA”, “ECDHE-RSA-AES256-SHA384”, “ECDHE-RSA-CHACHA20-POLY1305-SHA256”, “ECDH-RSA-AES128-GCM-SHA256”, “ECDH-RSA-AES128-SHA256”, “ECDH-RSA-AES128-SHA”, “ECDH-RSA-AES256-GCM-SHA384”, “ECDH-RSA-AES256-SHA384”, “ECDH-RSA-AES256-SHA”, “AES128-GCM-SHA256”, “AES128-SHA”, “AES128-SHA256”, “AES256-GCM-SHA384”, “AES256-SHA”, “AES256-SHA256”, “CAMELLIA128-SHA”, “CAMELLIA256-SHA”, “ECDHE-ECDSA-AES128-GCM-SHA256”, “ECDHE-ECDSA-AES128-SHA”, “ECDHE-ECDSA-AES128-SHA256”, “ECDHE-ECDSA-AES256-GCM-SHA384”, “ECDHE-ECDSA-AES256-SHA”, “ECDHE-ECDSA-AES256-SHA384”, “ECDHE-ECDSA-CHACHA20-POLY1305-SHA256”, “ECDH-ECDSA-AES128-GCM-SHA256”, “ECDH-ECDSA-AES128-SHA”, “ECDH-ECDSA-AES128-SHA256”, “ECDH-ECDSA-AES256-GCM-SHA384”, “ECDH-ECDSA-AES256-SHA”, “ECDH-ECDSA-AES256-SHA384”, “DHE-RSA-AES128-GCM-SHA256”, “DHE-RSA-AES128-SHA”, “DHE-RSA-AES128-SHA256”, “DHE-RSA-AES256-GCM-SHA384”, “DHE-RSA-AES256-SHA”, “DHE-RSA-AES256-SHA256”, “DHE-RSA-CAMELLIA128-SHA”, “DHE-RSA-CAMELLIA256-SHA”, “DHE-DSS-AES128-GCM-SHA256”, “DHE-DSS-AES128-SHA”, “DHE-DSS-AES128-SHA256”, “DHE-DSS-AES256-GCM-SHA384”, “DHE-DSS-AES256-SHA”, “DHE-DSS-AES256-SHA256”, “DHE-DSS-CAMELLIA128-SHA”, “DHE-DSS-CAMELLIA256-SHA”, “ADH-AES128-GCM-SHA256”, “ADH-AES128-SHA”, “ADH-AES256-GCM-SHA384”, “ADH-AES256-SHA”, “ECDHE-RSA-DES-CBC3-SHA”, “ECDH-RSA-DES-CBC3-SHA”, “DES-CBC3-SHA”, “ECDHE-ECDSA-DES-CBC3-SHA”, “ECDH-ECDSA-DES-CBC3-SHA”, “DHE-RSA-DES-CBC3-SHA”, “ADH-DES-CBC3-SHA”, “DHE-RSA-DES-CBC-SHA”, “DES-CBC-SHA”, “ADH-DES-CBC-SHA”, “RC4-SHA”, “RC4-MD5”, “ADH-RC4-MD5”, “EXP1024-DES-CBC-SHA”, “EXP1024-RC4-SHA”, “EXP-RC4-MD5”, “EXP-DES-CBC-SHA”, “TLS13-AES128-GCM-SHA256”, “TLS13-AES256-GCM-SHA384”, “TLS13-CHACHA20-POLY1305-SHA256”, “NULL-SHA”, “NULL-MD5” Specifies SSL ciphers
userTemplate (string)
Specifies a user template for the LDAP application to use for authentication.
version (integer) 3 [2, 3] Specifies the version number of the LDAP application.

Authentication_radius

Authentication radius possible properties

Properties:

Name (Type) Default Values Description
servers (reference)
RADIUS servers settings
serviceType (string) “default” “administrative”, “authenticate-only”, “call-check”, “callback-administrative”, “callback-framed”, “callback-login”, “callback-nas-prompt”, “default”, “framed”, “login”, “nas-prompt”, “outbound” Type of service used for the RADIUS server.

Authentication_remoteUsersDefaults

Authentication remoteUsersDefaults possible properties

Properties:

Name (Type) Default Values Description
partitionAccess (string) “all” “Common”, “all” Default accessible partitions for remote users.
role (string) “no-access” “acceleration-policy-editor”, “admin”, “application-editor”, “auditor”, “certificate-manager”, “firewall-manager”, “fraud-protection-manager”, “guest”, “irule-manager”, “manager”, “no-access”, “operator”, “resource-admin”, “user-manager”, “web-application-security-administrator”, “web-application-security-editor” Role for the remote users.
terminalAccess (string) “disabled” “tmsh”, “disabled” Default terminal access for remote users.

Authentication_tacacs

Authentication tacacs possible properties

Properties:

Name (Type) Default Values Description
accounting (string) “send-to-first-server” “send-to-all-servers”, “send-to-first-server” Specifies how the system returns accounting information, such as which services users access and how much network resources they consume, to the TACACS+ server. The default setting is Send to first available server.
authentication (string) “use-first-server” “use-all-servers”, “use-first-server” Specifies the process the system employs when sending authentication requests. The default is Authenticate to first server.
debug (boolean) false true, false Specifies whether to log Syslog debugging information at the LOG_DEBUG level. We do not recommend enabling this setting for normal use. The default is Disabled.
encryption (boolean) true true, false Specifies whether to use encryption of TACACS+ packets. The default is Enabled.
protocol (string)
“lcp”, “ip”, “ipx”, “atalk”, “vines”, “lat”, “xremote”, “tn3270”, “telnet”, “rlogin”, “pad”, “vpdn”, “ftp”, “http”, “deccp”, “osicp”, “unknown” Specifies the protocol associated with the value specified in Service Name, which is a subset of the associated service being used for client authorization or system accounting. You can use the following values: lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown. Note that the majority of TACACS+ implementations are of protocol type ip, so try that first.
secret (string)
Type the secret key used to encrypt and decrypt packets sent or received from the server. Do not use the pound sign ( # ) in the secret for TACACS+ servers.
servers (array<string>)
Specifies a list of the IPv4 addresses for servers using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol with which the system communicates to obtain authorization data. For each address, an alternate TCP port number may optionally be specified by entering the address in the format address:port. If no port number is specified, the default port 49 is used.
service (string)
“slip”, “ppp”, “arap”, “shell”, “tty-daemon”, “connection”, “system”, “firewall” Specifies the name of the service that the user is requesting to be authorized to use. Identifying what the user is asking to be authorized for enables the TACACS+ server to behave differently for different types of authorization requests. You can use the following values: slip, ppp, arap, shell, tty-daemon, connection, system, and firewall. Specifying this setting is required. Note that the majority of TACACS+ implementations are of service type ppp, so try that first.

ConfigSync

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“ConfigSync” Indicates that this property contains config sync IP configuration.
configsyncIp (string)
ConfigSync IP

DagGlobals

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“DagGlobals” Indicates that this property contains DAG Globals configuration.
icmpHash (string) “icmp” “icmp”, “ipicmp” Specifies ICMP hash for ICMP echo request and ICMP echo reply in SW DAG.
ipv6PrefixLength (integer) 128 [0, 128] Specifies whether SPDAG or IPv6 prefix DAG should be used to disaggregate IPv6 traffic when vlan cmp hash is set to src-ip or dst-ip.
roundRobinMode (string) “global” “global”, “local” Specifies whether the round robin disaggregator (DAG) on a blade can disaggregate packets to all the TMMs in the system or only to the TMMs local to the blade.

DbVariables

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“DbVariables” Indicates that this property contains global db variable configuration.

Device

Top level schema for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
$schema (string)
format: uri URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example)
async (boolean) false true, false Tells the API to return a 202 HTTP status before processing is complete. User must then poll for status.
class (string)
“Device” Indicates this JSON document is a Device declaration
Common (Device_Common) {“class”:”Tenant”}
Special tenant Common holds objects other tenants can share
controls (Device_controls)
Options to control configuration process
Credentials (array<Device_Credentials>)
-, - Credentials which can be referenced from other parts of the declaration or the remote wrapper.
label (string)
result (Device_result)
Status of current request. This is set by the system.
schemaVersion (string)
“1.43.0”, “1.42.0”, “1.41.0”, “1.40.0”, “1.39.0”, “1.38.0”, “1.37.0”, “1.36.0”, “1.35.0”, “1.34.0”, “1.33.0”, “1.32.0”, “1.31.0”, “1.30.0”, “1.29.0”, “1.28.0”, “1.27.0”, “1.26.0”, “1.25.0”, “1.24.0”, “1.23.0”, “1.22.0”, “1.21.0”, “1.20.0”, “1.19.0”, “1.18.0”, “1.17.0”, “1.16.0”, “1.15.0”, “1.14.0”, “1.13.0”, “1.12.0”, “1.11.1”, “1.11.0”, “1.10.0”, “1.9.0”, “1.8.0”, “1.7.0”, “1.6.1”, “1.6.0”, “1.5.1”, “1.5.0”, “1.4.1”, “1.4.0”, “1.3.0”, “1.2.0”, “1.1.0”, “1.0.0” Version of BIG-IP Declarative Onboarding schema this declaration uses.
webhook (string)
format: uri URL to post results to

Device_Common

Device Common possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Tenant”
hostname (string)
format: hostname Hostname to set for the device. Note: If you set the hostname as part of the System class, you CANNOT set a hostname in the Common class (they are mutually exclusive).

Device_controls

Device controls possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Controls”
dryRun (boolean) false true, false Boolean that indicates if this declaration will be run as a dry-run. If true, the declaration will NOT make any changes to the system, but will respond with whether or not it would.
trace (boolean) false true, false If true, create a detailed trace of the configuration process for subsequent analysis (default false). Warning: trace files may contain sensitive configuration data.
traceResponse (boolean) false true, false If true, the response will contain the trace files.
userAgent (string)
User Agent information to include in TEEM report.

Device_Credentials

Device Credentials possible properties when object type

Properties:

Name (Type) Default Values Description
password (string)
regex: ^.{0,254}$ Password for username account. This is generally not required to configure ‘localhost’ and is not required when you populate tokens
tokens (Device_Credentials_tokens)
One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the device management service as authentication/authorization tokens
username (string)
regex: ^[^:]{0,254}$ Username of principal authorized to modify configuration of device (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of DO. It is also not required for any host if you populate tokens
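The Authentication_ldap, Authentication_tacacs, Device_controls and Device_Credentials tables above each carry a constraint or caveat a reviewer would want checked before a declaration is posted. The linter below is an added example, not code from the Declarative Onboarding project; it assumes the usual layout of a Device declaration (System and Authentication objects under Common) and uses a constructed sample declaration with placeholder values.

```python
"""Added example (not part of the DO project or this reference): a small linter
that walks a Declarative Onboarding declaration and flags settings this
appendix documents as risky or invalid. The sample declaration is constructed
for illustration; class and property names come from the schema reference.
"""
import re

USERNAME_RE = re.compile(r"^[^:]{0,254}$")   # Credentials.username (schema regex)
PASSWORD_RE = re.compile(r"^.{0,254}$")      # Credentials.password (schema regex)


def lint_declaration(decl):
    """Return a list of (path, message) findings for a Device declaration."""
    findings = []
    common = decl.get("Common", {})

    # System.hostname and Common.hostname are mutually exclusive.
    system_hostname = any(
        isinstance(obj, dict) and obj.get("class") == "System" and "hostname" in obj
        for obj in common.values()
    )
    if system_hostname and "hostname" in common:
        findings.append(("Common.hostname", "hostname set in both System and Common"))

    # Device_controls: trace files may contain sensitive configuration data.
    controls = decl.get("controls", {})
    if controls.get("trace"):
        findings.append(("controls.trace", "trace enabled; trace files may hold sensitive config"))

    # Device_Credentials: enforce the schema's username/password constraints.
    for i, cred in enumerate(decl.get("Credentials", [])):
        path = f"Credentials[{i}]"
        if "username" in cred and not USERNAME_RE.match(cred["username"]):
            findings.append((path + ".username", "must not contain ':' and must be <= 254 chars"))
        if "password" in cred and not PASSWORD_RE.match(cred["password"]):
            findings.append((path + ".password", "must be <= 254 chars"))

    # Authentication objects (assumed to live under Common, as in a DO declaration).
    for name, obj in common.items():
        if not isinstance(obj, dict) or obj.get("class") != "Authentication":
            continue
        ldap = obj.get("ldap", {})
        if ldap:
            ssl = ldap.get("ssl", "disabled")            # schema default is "disabled"
            if ssl == "disabled":
                findings.append((f"Common.{name}.ldap.ssl",
                                 "LDAP bind without TLS sends credentials in the clear"))
            elif not ldap.get("sslCheckPeer", False):    # schema default is false
                findings.append((f"Common.{name}.ldap.sslCheckPeer",
                                 "TLS enabled but the server certificate is not verified"))
        tacacs = obj.get("tacacs", {})
        if tacacs:
            if not tacacs.get("encryption", True):       # schema default is true
                findings.append((f"Common.{name}.tacacs.encryption",
                                 "TACACS+ packet encryption disabled"))
            if tacacs.get("debug", False):
                findings.append((f"Common.{name}.tacacs.debug",
                                 "debug logging enabled; not recommended for normal use"))
            if "#" in tacacs.get("secret", ""):
                findings.append((f"Common.{name}.tacacs.secret", "secret must not contain '#'"))
    return findings


# Constructed sample declaration; every value is an illustrative placeholder.
SAMPLE_DECLARATION = {
    "schemaVersion": "1.43.0",
    "class": "Device",
    "controls": {"class": "Controls", "trace": True},
    "Credentials": [{"username": "admin:ops", "password": "placeholder"}],
    "Common": {
        "class": "Tenant",
        "hostname": "bigip.example.test",
        "mySystem": {"class": "System", "hostname": "other.example.test"},
        "myAuth": {
            "class": "Authentication",
            "enabledSourceType": "ldap",
            "ldap": {"servers": ["ldap.example.test"], "ssl": "enabled"},
            "tacacs": {"servers": ["192.0.2.10"], "secret": "bad#secret", "encryption": False},
        },
    },
}

if __name__ == "__main__":
    for path, msg in lint_declaration(SAMPLE_DECLARATION):
        print(f"{path}: {msg}")
```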

Device_result

Device result possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Result”
code (string)
“OK”, “ERROR” Status code.
message (string)
Further detail about the status.

DeviceCertificate

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
certificate (DeviceCertificate_certificate)
X.509 public-key certificate
class (string)
“DeviceCertificate” Indicates that this property contains device certificate information
privateKey (DeviceCertificate_privateKey)
Private key matching certificate’s public key (optional)
updateTrustCerts (boolean) false true, false Specifies whether or not to update the device trust certificates with the new device certificate.

DeviceCertificate_certificate

DeviceCertificate certificate possible properties

Properties:

Name (Type) Default Values Description
base64 (string)
format: f5base64 Base64-encoded value (in JSON string)
url (string)
format: uri The URL for a required resource

DeviceCertificate_privateKey

DeviceCertificate privateKey possible properties

Properties:

Name (Type) Default Values Description
base64 (string)
format: f5base64 Base64-encoded value (in JSON string)
url (string)
format: uri The URL for a required resource

DeviceGroup

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
asmSync (boolean) false true, false Whether or not the device group should sync ASM properties
autoSync (boolean) false true, false Whether or not the device group should auto sync
class (string)
“DeviceGroup” Indicates that this property contains device group configuration.
fullLoadOnSync (boolean) false true, false Whether or not the device group should do a full load on sync
members (array<string>)
Members to add to the device group if they are already in the trust domain
networkFailover (boolean) false true, false Whether or not the device group supports network failover
owner (string)
Owning device. Config will be pushed from this device. If this is present, device group will only be created if the current device is the owner. If not present, device group will be created if it does not exist
saveOnAutoSync (boolean) false true, false Whether or not the device group should save on auto sync
type (string)
“sync-failover”, “sync-only” Type of the device group

DeviceTrust

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“DeviceTrust” Indicates that this property contains device trust configuration.
localPassword (string)
The password for the localUsername
localUsername (string)
The username for the local device
remoteHost (string)
The remote hostname or IP address
remotePassword (string)
Password for the remote user in remoteUsername
remoteUsername (string)
An admin user on the remote host

Disk

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
applicationData (integer)
[0, infinity] Specifies the size in kilobytes for the application data. This size should be less than the current size. This API is experimental and subject to change.
class (string)
“Disk” Indicates this contains Disk configuration. This API is experimental and subject to change.

DNS

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“DNS” Indicates that this property contains DNS configuration.
nameServers (array<string>)
IP addresses of name servers to use for DNS.
search (array<string>)
format: hostname Search domain to use for DNS.

DNS_Resolver

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
answerDefaultZones (boolean) false true, false Specifies whether the resolver answers queries for default zones: localhost, reverse 127.0.0.1, ::1, and AS112 zones.
cacheSize (integer) 5767168 [10, 9437184] Specifies the maximum cache size in bytes of the DNS Resolver object
class (string)
“DNS_Resolver” Indicates that this property contains DNS Resolver configuration.
forwardZones (array<DNS_Resolver_forwardZones>)
Forward zones on a DNS Resolver. A given zone name should only use the symbols allowed for a fully qualified domain name (FQDN), namely ASCII letters a through z, digits 0 through 9, hyphen, and period. For example, site.example.com would be a valid zone name. A DNS Resolver configured with a forward zone will forward any queries that resulted in a cache miss and which also match a configured zone name to the nameserver specified on the zone.
randomizeQueryNameCase (boolean) true true, false Specifies whether the resolver randomizes the case of query names.
routeDomain (string) “0”
Specifies the name of the route domain the resolver uses for outbound traffic.
useIpv4 (boolean) true true, false Specifies whether the resolver sends DNS queries to IPv4
useIpv6 (boolean) true true, false Specifies whether the resolver sends DNS queries to IPv6
useTcp (boolean) true true, false Specifies whether the resolver sends DNS queries over TCP
useUdp (boolean) true true, false Specifies whether the resolver sends DNS queries over UDP

DNS_Resolver_forwardZones

DNS_Resolver forwardZones possible properties when object type

Properties:

Name (Type) Default Values Description
name (string)
Name of a forward zone.
nameservers (array<string>)
Specifies the IP address and service port of a recursive nameserver that answers DNS queries when the response cannot be found in the internal DNS resolver cache. Enter each address in the format address:port (IPv4) or address.port (IPv6). The port is usually 53.
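The address-and-port forms documented for Authentication_tacacs servers (IPv4 address, optional :port, default 49) and for forwardZones nameservers (IPv4 address:port, IPv6 address.port, port required) are easy to get wrong by hand. The parser below is an added example, not code from the DO project; it validates both forms with Python's standard ipaddress module, and the sample inputs are constructed.

```python
"""Added example, not code from the DO project: parse the address-and-port
forms this appendix documents, i.e. TACACS+ 'servers' (IPv4 address[:port],
default port 49) and DNS_Resolver forwardZones 'nameservers' (IPv4 address:port,
IPv6 address.port). Sample inputs are constructed.
"""
import ipaddress

TACACS_DEFAULT_PORT = 49   # from the Authentication_tacacs servers description


def parse_server(value, default_port=None):
    """Return (ip_address, port) for 'a.b.c.d', 'a.b.c.d:port' or 'v6addr.port'.

    Raises ValueError for anything that is not a valid address/port pair.
    A missing port is filled from default_port; if that is None, it is an error.
    """
    value = value.strip()
    address, port_text = value, None
    if value.count(":") == 1:                      # IPv4 address:port
        address, port_text = value.split(":")
    elif value.count(":") > 1:                     # IPv6; a port, if any, follows the last '.'
        head, sep, tail = value.rpartition(".")
        if sep and tail.isdigit():
            try:
                ipaddress.IPv6Address(head)        # only a port if the head is a full IPv6 address
                address, port_text = head, tail
            except ValueError:
                pass                               # e.g. ::ffff:192.0.2.1 carries no port
    ip = ipaddress.ip_address(address)             # raises ValueError on hostnames or garbage
    if port_text is None:
        if default_port is None:
            raise ValueError(f"no port in {value!r} and no default port")
        port = default_port
    else:
        port = int(port_text)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range in {value!r}")
    return ip, port


def parse_tacacs_servers(values):
    """TACACS+ 'servers' entries are IPv4 only; the port defaults to 49."""
    result = []
    for v in values:
        ip, port = parse_server(v, TACACS_DEFAULT_PORT)
        if ip.version != 4:
            raise ValueError(f"TACACS+ server must be an IPv4 address: {v!r}")
        result.append((str(ip), port))
    return result


def parse_nameservers(values):
    """forwardZones 'nameservers' entries must carry an explicit port."""
    return [(str(ip), port) for ip, port in (parse_server(v) for v in values)]


if __name__ == "__main__":
    print(parse_tacacs_servers(["192.0.2.10", "192.0.2.11:4949"]))
    print(parse_nameservers(["10.0.0.53:53", "2001:db8::53.5353"]))
```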

DO

Schema for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
$schema (string)
format: uri URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example)
bigIqSettings (DO_bigIqSettings)
Settings for the management of a BIG-IP which is onboarded via a BIG-IQ.
class (string)
“DO” Indicates that this is a BIG-IP Declarative Onboarding request
declaration (DO_declaration)
Declaration to deploy to targetHost
targetHost (string) “localhost”
Hostname or IP address of ADC to which request applies (default localhost)
targetPassphrase (string)
Passphrase for targetUsername account. This is generally not required to configure ‘localhost’ and is not required when you populate targetTokens
targetPort (integer) 0 [0, 65535] TCP port number of management service on targetHost; default 0 means try common ports
targetSshKey (DO_targetSshKey)
Private key for use in ssh operations. Corresponding public key must be in the targetUsername’s ~/.ssh/authorized_keys file on the targetHost. This is only used to do initial account creation in environments where that is necessary. If this value is present, BIG-IP DO will look in the declaration for a user matching targetUsername and set its password via ssh.
targetTimeout (integer) 900 [1, 900] Maximum delay allowed while communicating with targetHost device (seconds, default 900)
targetTokens (string | DO_targetTokens)
One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the targetHost management service as authentication/authorization tokens
targetUsername (string)
Username of principal authorized to modify configuration of targetHost (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of BIG-IP DO. It is also not required for any targetHost if you populate targetTokens

DO_bigIqSettings

DO bigIqSettings possible properties

Properties:

Name (Type) Default Values Description
accessModuleProperties (DO_bigIqSettings_accessModuleProperties)
Key/value properties for importing the access module. If the apm module is not listed in the provision section of the current declaration, BIG-IQ will only discover/import the ltm module.
clusterName (string)
Cluster display name on BIG-IQ.
conflictPolicy (string)
“NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” Conflict policy for shared objects. For Access, a shared import will Accept/USE_BIGIP for all shared and device-specific objects.
deployWhenDscChangesPending (boolean)
true, false Deploy when there are pending DSC changes on BIG-IP.
deviceConflictPolicy (string)
“NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” Conflict policy for device-specific objects. For Access, a device-specific import will Accept/USE_BIGIP for all device-specific objects. If value not provided the value will be the same as conflictPolicy.
failImportOnConflict (boolean) false true, false Whether or not to fail import task on conflicts.
snapshotWorkingConfig (boolean) false true, false Whether or not to snapshot the working configuration for current device before the import.
statsConfig (DO_bigIqSettings_statsConfig)
Options for configuring http analytics/avr on BIG-IQ.
useBigiqSync (boolean)
true, false Instead of using the BIG-IP cluster sync to synchronize the cluster devices' configuration, use BIG-IQ to push changes to cluster devices during deployment.
versionedConflictPolicy (string)
“NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” Conflict policy for version-specific objects. This is used for all the devices for which device specific versionedConflictPolicy is not specified. If value not provided the value will be the same as conflictPolicy.

DO_bigIqSettings_statsConfig

DO_bigIqSettings statsConfig possible properties

Properties:

Name (Type) Default Values Description
enabled (boolean) false true, false Whether or not to enable collecting statistics for this device
zone (string) “default”
User-defined names that associate BIG-IP devices with one or more data collection device (DCD) systems to provide optimal routing for statistics traffic.

DO_declaration

DO declaration possible properties

Properties:

Name (Type) Default Values Description
$schema (string)
format: uri URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example)
async (boolean) false true, false Tells the API to return a 202 HTTP status before processing is complete. User must then poll for status.
class (string)
“Device” Indicates this JSON document is a Device declaration
Common (DO_declaration_Common) {“class”:”Tenant”}
Special tenant Common holds objects other tenants can share
controls (DO_declaration_controls)
Options to control configuration process
Credentials (array<DO_declaration_Credentials>)
-, - Credentials which can be referenced from other parts of the declaration or the remote wrapper.
label (string)
result (DO_declaration_result)
Status of current request. This is set by the system.
schemaVersion (string)
“1.43.0”, “1.42.0”, “1.41.0”, “1.40.0”, “1.39.0”, “1.38.0”, “1.37.0”, “1.36.0”, “1.35.0”, “1.34.0”, “1.33.0”, “1.32.0”, “1.31.0”, “1.30.0”, “1.29.0”, “1.28.0”, “1.27.0”, “1.26.0”, “1.25.0”, “1.24.0”, “1.23.0”, “1.22.0”, “1.21.0”, “1.20.0”, “1.19.0”, “1.18.0”, “1.17.0”, “1.16.0”, “1.15.0”, “1.14.0”, “1.13.0”, “1.12.0”, “1.11.1”, “1.11.0”, “1.10.0”, “1.9.0”, “1.8.0”, “1.7.0”, “1.6.1”, “1.6.0”, “1.5.1”, “1.5.0”, “1.4.1”, “1.4.0”, “1.3.0”, “1.2.0”, “1.1.0”, “1.0.0” Version of BIG-IP Declarative Onboarding schema this declaration uses.
webhook (string)
format: uri URL to post results to

DO_declaration_Common

DO_declaration Common possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Tenant”
hostname (string)
format: hostname Hostname to set for the device. Note: If you set the hostname as part of the System class, you CANNOT set a hostname in the Common class (they are mutually exclusive).

DO_declaration_controls

DO_declaration controls possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Controls”
dryRun (boolean) false true, false Boolean that indicates if this declaration will be run as a dry-run. If true, the declaration will NOT make any changes to the system, but will respond with whether or not it would.
trace (boolean) false true, false If true, create a detailed trace of the configuration process for subsequent analysis (default false). Warning: trace files may contain sensitive configuration data.
traceResponse (boolean) false true, false If true, the response will contain the trace files.
userAgent (string)
User Agent information to include in TEEM report.

DO_declaration_Credentials

DO_declaration Credentials possible properties when object type

Properties:

Name (Type) Default Values Description
password (string)
regex: ^.{0,254}$ Password for username account. This is generally not required to configure ‘localhost’ and is not required when you populate tokens
tokens (DO_declaration_Credentials_tokens)
One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the device management service as authentication/authorization tokens
username (string)
regex: ^[^:]{0,254}$ Username of principal authorized to modify configuration of device (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of DO. It is also not required for any host if you populate tokens

DO_declaration_result

DO_declaration result possible properties

Properties:

Name (Type) Default Values Description
class (string)
“Result”
code (string)
“OK”, “ERROR” Status code.
message (string)
Further detail about the status.

DO_targetSshKey

DO targetSshKey possible properties

Properties:

Name (Type) Default Values Description
path (string)
Full path to private ssh key. File must be owned by restnoded.

FailoverMulticast

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
address (string) “any6”
IP address to listen on for multicast failover. This address cannot have a CIDR.
class (string)
“FailoverMulticast” Indicates that this property contains multicast failover configuration.
interface (string) “none”
Specifies the interface name used for the failover multicast IP address. Specifying ‘none’ (the default) here disables Failover Multicast on the BIG-IP.
port (number) 0
Port to listen on for failover heartbeats.

FailoverUnicast

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
address (string)
IP address to listen on for failover heartbeats
addressPorts (array<FailoverUnicast_addressPorts>)
An array of address and port objects that will create multiple failover unicast objects on the BIG-IP device. This array is mutually exclusive with the other address and port properties. Available in BIG-IP DO 1.15 and later.
class (string)
“FailoverUnicast” Indicates that this property contains failover unicast address configuration.
port (number)
Port to listen on for failover heartbeats. The default is 1026.

FailoverUnicast_addressPorts

FailoverUnicast addressPorts possible properties when object type

Properties:

Name (Type) Default Values Description
address (string)
IP address to listen on for failover heartbeats
port (number) 1026
Port to listen on for failover heartbeats

FirewallAddressList

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
addresses (array<string>)
A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation.
class (string)
“FirewallAddressList”
fqdns (array<string>)
format: hostname A list of fully qualified domain names.
geo (array<string>)
A list of geographic locations (for example, US:Washington).
label (string)
remark (string)

FirewallPolicy

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“FirewallPolicy” Indicates that this property contains firewall policy configuration
label (string)
remark (string)
rules (array<FirewallPolicy_rules>)
Specifies the list of firewall policy rules

FirewallPolicy_rules

FirewallPolicy rules possible properties when object type

Properties:

Name (Type) Default Values Description
action (string)
“accept”, “drop”, “accept-decisively”, “reject” Specifies the action that the firewall rule will take on matching packets
destination (FirewallPolicy_rules_destination)
Configures the packet destination to which the network firewall rule applies
label (string)
loggingEnabled (boolean) false true, false Specifies whether the system enables or disables logging for the firewall rule
name (string)
Specifies the name of the firewall rule
protocol (string) “any” “any”, “tcp”, “udp” Specifies the protocol to which the firewall rule applies
remark (string)
source (FirewallPolicy_rules_source)
Configures the packet sources to which the network firewall rule applies

FirewallPolicy_rules_destination

Properties of the FirewallPolicy_rules destination object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addressLists (array<string>) | | | Specifies a list of address lists against which the packet is compared. |
| portLists (array<string>) | | | Specifies a list of port lists against which the packet is compared. |

FirewallPolicy_rules_source

Properties of the FirewallPolicy_rules source object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addressLists (array<string>) | | | Specifies a list of address lists against which the packet is compared. |
| portLists (array<string>) | | | Specifies a list of port lists against which the packet is compared. |

FirewallPortList

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “FirewallPortList” | |
| label (string) | | | |
| ports (array<integer \| string>) | | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). |
| remark (string) | | | |

GSLBDataCenter

GSLB properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “GSLBDataCenter” | |
| contact (string) | | | Specifies the name of the administrator or the name of the department that manages the data center |
| enabled (boolean) | true | true, false | Specifies whether the data center is enabled or disabled |
| location (string) | | | Specifies the location of the data center |
| proberFallback (string) | “any-available” | “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available |
| proberPool (string) | | | Specifies a prober pool to monitor servers defined in the data center when proberPreferred or proberFallback has the value pool. |
| proberPreferred (string) | “inside-datacenter” | “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-datacenter. Note: Prober pools are not used by the bigip monitor |
| remark (string) | | | |

GSLBGlobals

GSLB properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “GSLBGlobals” | Indicates that this property contains GSLB global settings configuration. |
| general (GSLBGlobals_general) | | | GSLB general global settings. |

GSLBGlobals_general

Properties of the GSLBGlobals general object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| synchronizationEnabled (boolean) | false | true, false | Specifies whether the system is a member of a synchronization group. |
| synchronizationGroupName (string) | “default” | | Specifies the name of the synchronization group that the system belongs to. |
| synchronizationTimeout (integer) | 180 | [0, 4294967295] | Specifies the number of seconds that the system attempts to sync the GSLB configuration with a sync group member. |
| synchronizationTimeTolerance (integer) | 10 | [0, 600] | Specifies the number of seconds that one system can be out of sync with another in the synchronization group. A value of 0 turns time synchronization off. The values 1-4 are not allowed. |

GSLBMonitor

GSLB properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| ciphers (string) | “DEFAULT” | | Ciphersuite selection string |
| class (string) | | “GSLBMonitor” | |
| clientCertificate (string) | | | Pointer to client Certificate declaration, for TLS authentication (optional) |
| debugEnabled (boolean) | false | true, false | When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled) |
| ignoreDownResponseEnabled (boolean) | false | true, false | Specifies whether the monitor immediately marks an object down when it receives a down response. If enabled, the monitor ignores the down response for the duration of timeout. The default is false (disabled) |
| interval (integer) | 30 | [0, 86399] | Specifies, in seconds, the frequency at which the system issues the monitor check when either the resource is down or the status of the resource is unknown |
| label (string) | | | |
| monitorType (string) | | “http”, “https”, “gateway-icmp”, “tcp”, “udp” | Specifies the type of monitor |
| probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
| probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
| probeTimeout (integer) | 5 | [0, 86400] | Specifies the number of seconds after which the system times out the probe request to the system |
| receive (string) | “HTTP/1.” | | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only |
| remark (string) | | | |
| reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
| send (string) | “HEAD / HTTP/1.0\r\n\r\n” | | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only |
| target (string) | *:* | | Specifies the IP address and service port of the resource that is the destination of this monitor. Format is ip:port |
| timeout (integer) | 120 | [0, 86400] | Specifies the number of seconds the target has in which to respond to the monitor request |
| transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |

GSLBProberPool

GSLB properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “GSLBProberPool” | Indicates that this property contains GSLB Prober Pool configuration |
| enabled (boolean) | true | true, false | Specifies whether this pool is available for conducting probes |
| label (string) | | | |
| lbMode (string) | “global-availability” | “global-availability”, “round-robin” | Specifies the load balancing mode that the system uses to select the members of this pool |
| members (array<GSLBProberPool_members>) | | | Specifies the members of the prober pool |
| remark (string) | | | |

GSLBProberPool_members

Properties of each object in the GSLBProberPool members array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| enabled (boolean) | true | true, false | Specifies whether the server can be used as a member of a prober pool |
| label (string) | | | |
| remark (string) | | | |
| server (string) | | | Specifies the GSLB Server name of the pool member |

GSLBServer

GSLB properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| bpsLimit (integer) | 0 | [0, infinity] | Specifies the maximum allowable data throughput rate, in bits per second, for the virtual servers on the server. If the network traffic volume exceeds this limit, the system marks the server as unavailable |
| bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for the virtual servers on the server. The default value is false (disabled) |
| class (string) | | “GSLBServer” | Indicates that this property contains GSLB server configuration |
| connectionsLimit (integer) | 0 | [0, infinity] | Specifies the number of current connections allowed for the virtual servers on the server. If the current connections exceed this value, the system marks the server as unavailable |
| connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for the virtual servers on the server. The default value is false (disabled) |
| cpuUsageLimit (integer) | 0 | [0, infinity] | Specifies the percent of CPU usage. If percent of CPU usage goes above the limit, the system marks the server as unavailable |
| cpuUsageLimitEnabled (boolean) | false | true, false | Enables or disables the CPU Usage limit option for this pool. The default value is false (disabled) |
| dataCenter (string) | | | Specifies the GSLB data center to which the server belongs |
| devices (array<GSLBServer_devices>) | | | Specifies the actual device(s) that are represented by this server object |
| enabled (boolean) | true | true, false | Specifies whether the server is enabled or disabled |
| exposeRouteDomainsEnabled (boolean) | false | true, false | Allows virtual servers from all route domains to be auto-discovered. The default setting is false |
| label (string) | | | |
| memoryLimit (integer) | 0 | [0, infinity] | Specifies the available memory in kilobytes required by the virtual servers on the server. If available memory falls below this limit, the system marks the server as unavailable |
| memoryLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
| monitors (array<string>) | | | Specifies the path and name of the health monitors that the system uses to determine whether it can use this server for load balancing |
| pathProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device is used to conduct a path probe before traffic is delegated to it. The default value is true (enabled) |
| ppsLimit (integer) | 0 | [0, infinity] | Specifies the maximum allowable data transfer rate, in packets per second, for the virtual servers on the server. If the network traffic volume exceeds this value, the system marks the server as unavailable |
| ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for the virtual servers on the server. The default value is false (disabled) |
| proberFallback (string) | “inherit” | “inherit”, “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is inherit |
| proberPool (string) | | | Specifies the name of a prober pool to use to monitor this server’s resources when either the proberPreferred or proberFallback value is pool |
| proberPreferred (string) | “inherit” | “inherit”, “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inherit. Note: Prober pools are not used by the bigip monitor |
| remark (string) | | | |
| serverType (string) | “bigip” | “bigip”, “generic-host” | Specifies the server type. The server type determines the metrics that the system can collect from the server |
| serviceCheckProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device is used to conduct a service check probe before traffic is delegated to it. The default value is true (enabled) |
| snmpProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device is used to conduct an SNMP probe before traffic is delegated to it. The default value is true (enabled) |
| virtualServerDiscoveryMode (string) | “disabled” | “disabled”, “enabled”, “enabled-no-delete” | Specifies virtual server auto-discovery settings. Use ‘enabled’ (add, modify, delete), ‘enabled-no-delete’ (add, modify) or the default ‘disabled’ (manual configuration) |
| virtualServers (array<GSLBServer_virtualServers>) | | | Specifies the virtual server(s) that are resources on this server object |

GSLBServer_devices

Properties of each object in the GSLBServer devices array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| address (string) | | format: f5ip | Specifies an external (public) address for the device. If BIG-IP DNS configuration synchronization is enabled and all existing addresses for a device are being replaced, new addresses should be added and synchronized before old addresses are removed; otherwise the changes may fail to synchronize. Alternatively, the address configuration changes can be performed on each BIG-IP DNS system |
| addressTranslation (string) | | format: f5ip | Specifies the internal (private) address that corresponds to the external address |
| label (string) | | | |
| remark (string) | | | |

GSLBServer_virtualServers

Properties of each object in the GSLBServer virtualServers array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| address (string) | | format: f5ip | Specifies the IP address for the virtual server |
| addressTranslation (string) | | format: f5ip | Specifies the public address that this virtual server translates into when the GSLB provider communicates between the network and the Internet |
| addressTranslationPort (integer) | 0 | [0, 65535] | Specifies the translation port number for the virtual server |
| enabled (boolean) | true | true, false | Specifies whether the virtual server is enabled or disabled |
| label (string) | | | |
| monitors (array<string>) | | | Specifies the health monitors that the system uses to determine whether it can use this linked virtual server for load balancing |
| name (string) | | | Specifies the name of the virtual server |
| port (integer) | 0 | [0, 65535] | Specifies the L4 port for the service (like 443 for HTTPS) |
| remark (string) | | | |

HTTPD

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| allow (string \| array<string>) | “all” | “all”, “none” | Configures IP addresses for the HTTP clients from which the httpd daemon accepts requests. |
| authPamIdleTimeout (integer) | 1200 | [120, 2147483647] | Specifies the number of seconds of inactivity that can elapse before the GUI session is automatically logged out. |
| class (string) | | “HTTPD” | Configures the HTTP daemon for the system. Important: F5 Networks recommends that users of the Configuration utility exit the utility before changes are made to the system using the httpd component. This is because making changes to the system using this component causes a restart of the httpd daemon. Additionally, restarting the httpd daemon creates the necessity for a restart of the Configuration utility. |
| maxClients (integer) | 10 | [10, 256] | Maximum number of clients allowed to be simultaneously connected. |
| sslCiphersuite (array<string>) | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256 | regex: ^[0-9A-Za-z!:-+.~@$%^&*()_=[]\|]+$ | Specifies the ciphers that the system uses. |
| sslProtocol (string) | “all -SSLv2 -SSLv3 -TLSv1” | | The list of SSL protocols to accept on the management console. A space-separated list of tokens in the format accepted by the Apache mod_ssl SSLProtocol directive. |
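The sslProtocol value is a mod_ssl token string, so what the management console actually offers is only clear after the tokens are applied in order. The following added example (not Declarative Onboarding project code) resolves that string to the enabled protocol set and reviews an HTTPD object against it; the protocol names that "all" expands to, the "legacy" list and the forward-secrecy judgement are assumptions stated in the code, and the HTTPD object under test is constructed.

```python
"""Audit the HTTPD object of a Declarative Onboarding declaration.

Added example, not part of the Declarative Onboarding project. It parses the
sslProtocol string in the Apache mod_ssl SSLProtocol token syntax the table
above refers to ("all", or protocol names with an optional "+"/"-" prefix,
applied left to right) and reports the management-console settings a reviewer
would question. ASSUMPTIONS: the protocol set that "all" expands to depends on
the Apache/OpenSSL build on the BIG-IP, so the list below is the documented
mod_ssl set; the "legacy" and "no forward secrecy" judgements are editorial,
not DO rules; the HTTPD object under test is constructed here.
"""
from __future__ import annotations

# Names mod_ssl accepts for SSLProtocol; "all" expands to this set (assumed).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# Editorial judgement: protocols a management interface should not offer.
LEGACY_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})

# Defaults copied from the HTTPD table above.
DEFAULT_SSL_PROTOCOL = "all -SSLv2 -SSLv3 -TLSv1"
DEFAULT_SSL_CIPHERSUITE = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA", "AES256-SHA",
    "AES128-SHA256", "AES256-SHA256",
]


def parse_ssl_protocol(value: str) -> set[str]:
    """Return the set of protocols enabled by an SSLProtocol token string.

    Tokens are processed left to right: "+name" or a bare "name" enables,
    "-name" disables, and "all" stands for every protocol in ALL_PROTOCOLS.
    """
    enabled: set[str] = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif name.lower() in _CANONICAL:
            names = {_CANONICAL[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_httpd(httpd: dict) -> list[str]:
    """Return review findings for an HTTPD object (empty list means none)."""
    findings: list[str] = []

    enabled = parse_ssl_protocol(httpd.get("sslProtocol", DEFAULT_SSL_PROTOCOL))
    for proto in sorted(enabled & LEGACY_PROTOCOLS):
        findings.append(f"sslProtocol enables legacy protocol {proto}")

    # Cipher names without an ECDHE key exchange use static RSA: no forward secrecy.
    for cipher in httpd.get("sslCiphersuite", DEFAULT_SSL_CIPHERSUITE):
        if not cipher.startswith("ECDHE-"):
            findings.append(f"sslCiphersuite includes {cipher} (no forward secrecy)")

    # allow "all" exposes the GUI/REST listener to every client address.
    allow = httpd.get("allow", "all")
    if allow == "all" or allow == ["all"]:
        findings.append("allow is 'all': httpd accepts requests from any client address")

    return findings


# Constructed HTTPD object: restricts the protocol set and keeps only ECDHE
# suites, but leaves the default allow list, so exactly one finding is expected.
SAMPLE_HTTPD = {
    "class": "HTTPD",
    "sslProtocol": "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
    "sslCiphersuite": [c for c in DEFAULT_SSL_CIPHERSUITE if c.startswith("ECDHE-")],
    "authPamIdleTimeout": 600,
}

if __name__ == "__main__":
    for line in audit_httpd({"class": "HTTPD"}):  # schema defaults only
        print("default:", line)
    for line in audit_httpd(SAMPLE_HTTPD):
        print("sample: ", line)
```

Run against an HTTPD object that uses only the schema defaults, the audit reports TLSv1.1, the six static-RSA suites and the open allow list.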

License

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addOnKeys (array<string>) | | regex: ^[A-Z]{7}-[A-Z]{7}$ | Add-on keys. |
| bigIpPassword (string) | | | Password for the user in bigIpUsername. Used by BIG-IQ to log in to BIG-IP if ‘reachable’ is true. |
| bigIpUsername (string) | | | An admin user on the BIG-IP. Used by BIG-IQ to log in to BIG-IP if ‘reachable’ is true. |
| bigIqAuthProvider (string) | | | Name of auth provider on BIG-IQ. Default is to use TMOS. |
| bigIqHost (string) | | | The BIG-IQ hostname or IP address. |
| bigIqPassword (string) | | | Password for the user in bigIqUsername. |
| bigIqPasswordUri (string) | | format: uri | URI which will return the password for the user in bigIqUsername. |
| bigIqUsername (string) | | | An admin user on the BIG-IQ. |
| chargebackTag (string) | | | An optional text string which can be used as a chargeback tag. |
| class (string) | | “License” | Indicates that this property contains licensing information. |
| hypervisor (string) | | | Hypervisor which is running the BIG-IP. Required by BIG-IQ if ‘reachable’ is false. |
| licensePool (string) | | | Name of the BIG-IQ license pool from which to get a new license. |
| licenseType (string) | | “regKey” | The type of license |
| overwrite (boolean) | false | true, false | Whether or not to overwrite the current license if the device is already licensed. |
| reachable (reference) | | | |
| regKey (string) | | regex: ^([A-Z]{5}-[A-Z]{5}-[A-Z]{5}-[A-Z]{5}-[A-Z]{7})\|([A-Z][0-9]{4}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{7})$ | Registration key. |
| revokeCurrent (boolean) | false | true, false | Whether or not to revoke the current license if the device is already licensed. |
| revokeFrom (string \| License_revokeFrom) | | | Current license should be revoked from the pool specified. Either just the name of the pool (if the old license is on the same BIG-IQ as in the main License section) or full licensePoolInfo (if the old license is on a different BIG-IQ) |
| skuKeyword1 (string) | | | skuKeyword1 parameter for subscription licensing. |
| skuKeyword2 (string) | | | skuKeyword2 parameter for subscription licensing. |
| tenant (string) | | | An optional description for the license. Can be useful in a clustered environment. Requires that reachable is set to false. |
| unitOfMeasure (string) | | “yearly”, “monthly”, “daily”, “hourly” | unitOfMeasure parameter for subscription licensing. |

License_revokeFrom

Properties of the License revokeFrom object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| bigIqAuthProvider (string) | | | Name of auth provider on BIG-IQ. Default is to use TMOS. |
| bigIqHost (string) | | | The BIG-IQ hostname or IP address. |
| bigIqPassword (string) | | | Password for the user in bigIqUsername. |
| bigIqPasswordUri (string) | | format: uri | URI which will return the password for the user in bigIqUsername. |
| bigIqUsername (string) | | | An admin user on the BIG-IQ. |
| licensePool (string) | | | Name of the BIG-IQ license pool. |
| reachable (boolean) | true | true, false | Whether or not BIG-IQ has a route to the BIG-IP device. |

MAC_Masquerade

Clustering properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “MAC_Masquerade” | Indicates that this property contains MAC masquerade configuration. |
| source (MAC_Masquerade_source) | | | MAC address source to use for masquerading. |
| trafficGroup (string) | “traffic-group-1” | “traffic-group-local-only”, “traffic-group-1” | Traffic group to apply the MAC masquerade to. |

MAC_Masquerade_source

Properties of the MAC_Masquerade source object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| interface (string) | | | Generate a MAC address from an interface |

ManagementIp

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| address (string) | | format: ipWithRequiredPrefix | IP address. |
| class (string) | | “ManagementIp” | Indicates this property contains management IP configuration. Note that if you set this you will have to poll for status on the new address. |
| remark (string) | | | |

ManagementIpFirewall

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “ManagementIpFirewall” | Indicates this property contains management IP firewall configuration. |
| label (string) | | | |
| remark (string) | | | |
| rules (array<ManagementIpFirewall_rules>) | | | Specifies the list of firewall rules |

ManagementIpFirewall_rules

Properties of each object in the ManagementIpFirewall rules array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| action (string) | | “accept”, “drop”, “accept-decisively”, “reject” | Specifies the action that the firewall rule takes on matching packets |
| destination (ManagementIpFirewall_rules_destination) | | | Configures the packet destination to which the network firewall rule applies |
| label (string) | | | |
| loggingEnabled (boolean) | false | true, false | Specifies whether the system enables or disables logging for the firewall rule |
| name (string) | | | Specifies the name of the firewall rule |
| protocol (string) | “any” | “any”, “tcp”, “udp” | Specifies the protocol to which the firewall rule applies |
| remark (string) | | | |
| source (ManagementIpFirewall_rules_source) | | | Configures the packet sources to which the network firewall rule applies |

ManagementIpFirewall_rules_destination

Properties of the ManagementIpFirewall_rules destination object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addressLists (array<string>) | | | Specifies a list of address lists against which the packet is compared. |
| portLists (array<string>) | | | Specifies a list of port lists against which the packet is compared. |

ManagementIpFirewall_rules_source

Properties of the ManagementIpFirewall_rules source object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addressLists (array<string>) | | | Specifies a list of address lists against which the packet is compared. |
| portLists (array<string>) | | | Specifies a list of port lists against which the packet is compared. |
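A ManagementIpFirewall (or FirewallPolicy) rule only means something once its addressLists and portLists resolve to FirewallAddressList and FirewallPortList objects, and the tables above give those lists' formats without showing how the pieces fit. The added example below (not Declarative Onboarding project code) builds a constructed management-plane declaration from those three object types and checks it for the consistency problems a declaration can carry: dangling list references, invalid action/protocol values and malformed addresses, ranges or ports. It assumes list references are plain object names within the Common tenant, uses the "class": "Device" envelope with a placeholder schemaVersion, and bounds ports to 0-65535 even though the schema leaves that range open.

```python
"""Pre-flight consistency check for a Declarative Onboarding management-plane
firewall declaration.

Added example, not Declarative Onboarding project code. It checks what the
FirewallAddressList, FirewallPortList and ManagementIpFirewall tables state:
rule action and protocol enumerations, ports as integers or "low-high" strings,
addresses as single addresses, "low-high" ranges or CIDR networks, and
addressLists/portLists entries naming list objects. FirewallPolicy rules share
the same shape and are checked too. ASSUMPTIONS: list references are plain
object names within the same tenant; ports are bounded to 0-65535 here although
the schema leaves the range open; the "class": "Device" envelope carries a
placeholder schemaVersion; every name, address and port is a constructed sample.
"""
from __future__ import annotations

import copy
import ipaddress

RULE_ACTIONS = {"accept", "drop", "accept-decisively", "reject"}
RULE_PROTOCOLS = {"any", "tcp", "udp"}
LIST_CLASSES = {"addressLists": "FirewallAddressList", "portLists": "FirewallPortList"}

# Constructed sample: admit two management networks to the GUI/REST ports,
# log and drop everything else that reaches the management address.
DECLARATION = {
    "schemaVersion": "X.Y.Z",  # placeholder: set to the version your DO supports
    "class": "Device",
    "Common": {
        "class": "Tenant",
        "adminNets": {
            "class": "FirewallAddressList",
            "addresses": ["10.10.0.0/24", "192.0.2.10-192.0.2.20", "2001:db8::/48"],
        },
        "mgmtPorts": {"class": "FirewallPortList", "ports": [22, 443, "8443-8444"]},
        "mgmtFirewall": {
            "class": "ManagementIpFirewall",
            "rules": [
                {"name": "allowAdmins", "action": "accept", "protocol": "tcp",
                 "loggingEnabled": True,
                 "source": {"addressLists": ["adminNets"]},
                 "destination": {"portLists": ["mgmtPorts"]}},
                {"name": "dropRest", "action": "drop", "protocol": "any",
                 "loggingEnabled": True},
            ],
        },
    },
}


def check_address(addr: str) -> str | None:
    """Accept an address, a low-high range or a CIDR network; else describe the error."""
    try:
        if "-" in addr:
            lo, hi = (ipaddress.ip_address(p) for p in addr.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return f"bad address range {addr!r}"
        elif "/" in addr:
            ipaddress.ip_network(addr, strict=False)
        else:
            ipaddress.ip_address(addr)
    except ValueError:
        return f"bad address {addr!r}"
    return None


def check_port(port) -> str | None:
    """Accept an integer port or a "low-high" string; else describe the error."""
    if isinstance(port, bool) or not isinstance(port, (int, str)):
        return f"bad port {port!r}"
    if isinstance(port, int):
        return None if 0 <= port <= 65535 else f"port {port} out of range"
    lo, sep, hi = port.partition("-")
    if sep and lo.isdigit() and hi.isdigit() and 0 <= int(lo) <= int(hi) <= 65535:
        return None
    return f"bad port range {port!r}"


def validate(declaration: dict, tenant: str = "Common") -> list[str]:
    """Return every problem found; an empty list means the declaration is consistent."""
    objs = {n: o for n, o in declaration.get(tenant, {}).items() if isinstance(o, dict)}
    lists = {c: {n for n, o in objs.items() if o.get("class") == c} for c in LIST_CLASSES.values()}
    errors: list[str] = []
    for name, obj in objs.items():
        cls = obj.get("class")
        if cls == "FirewallAddressList":
            errors += [f"{name}: {e}" for e in map(check_address, obj.get("addresses", [])) if e]
        elif cls == "FirewallPortList":
            errors += [f"{name}: {e}" for e in map(check_port, obj.get("ports", [])) if e]
        elif cls in ("ManagementIpFirewall", "FirewallPolicy"):
            seen: set[str] = set()
            for rule in obj.get("rules", []):
                rname = rule.get("name", "<unnamed>")
                if rname in seen:
                    errors.append(f"{name}: duplicate rule name {rname!r}")
                seen.add(rname)
                if rule.get("action") not in RULE_ACTIONS:
                    errors.append(f"{name}/{rname}: invalid action {rule.get('action')!r}")
                if rule.get("protocol", "any") not in RULE_PROTOCOLS:
                    errors.append(f"{name}/{rname}: invalid protocol {rule.get('protocol')!r}")
                for side in ("source", "destination"):
                    for key, list_cls in LIST_CLASSES.items():
                        for ref in rule.get(side, {}).get(key, []):
                            if ref not in lists[list_cls]:
                                errors.append(f"{name}/{rname}: {side}.{key} names unknown {list_cls} {ref!r}")
    return errors


def broken_declaration() -> dict:
    """Copy of DECLARATION with three deliberate mistakes, to show what validate() reports."""
    bad = copy.deepcopy(DECLARATION)
    rules = bad["Common"]["mgmtFirewall"]["rules"]
    rules[0]["source"]["addressLists"].append("noSuchList")  # dangling reference
    rules[1]["action"] = "allow"                               # not in the action enum
    bad["Common"]["mgmtPorts"]["ports"].append("443-80")       # inverted range
    return bad


if __name__ == "__main__":
    print("sample:", validate(DECLARATION) or "consistent")
    for err in validate(broken_declaration()):
        print("broken:", err)
```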

ManagementRoute

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “ManagementRoute” | Indicates this property contains management route configuration |
| gw (string) | | | Gateway for the management route. |
| mtu (integer) | 0 | [0, 65535] | MTU for the management route. |
| network (string) | “default” | | IP address/netmask for the management route |
| remark (string) | | | |
| type (string) | | “interface”, “blackhole” | Type of the management route |

MirrorIp

Clustering properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “MirrorIp” | Indicates IP addresses to use for connection and persistence mirroring. |
| primaryIp (string) | “any6” | | IP of primary mirror. Specify ‘any6’ to disable. |
| secondaryIp (string) | “any6” | | IP of secondary mirror. Specify ‘any6’ to disable. |

NetAddressList

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addresses (array<string>) | | | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. |
| class (string) | | “NetAddressList” | |
| remark (string) | | | |

NetPortList

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “NetPortList” | |
| ports (array<integer \| string>) | | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). |
| remark (string) | | | |

NTP

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “NTP” | Indicates that this property contains NTP configuration. |
| servers (array<string>) | | | IP addresses of servers to use for NTP. |
| timezone (string) | “UTC” | | The timezone to set. |

PasswordPolicy

Authentication properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “PasswordPolicy” | Indicates that this property contains password policy configuration. |
| expirationWarningDays (integer) | 7 | [1, 255] | Specifies the number of days prior to password expiration that the system sends a warning message to users. |
| lockoutDurationSeconds (integer) | 0 | [0, 999999] | Specifies the number of seconds after which locked-out users are automatically reinstated. 0 means users must be manually reinstated. This is for BIG-IP 15.1+ |
| maxDurationDays (integer) | 99999 | [0, 99999] | Specifies the maximum number of days a password is valid. |
| maxLoginFailures (integer) | 0 | [0, 65535] | Specifies the number of consecutive unsuccessful login attempts that the system allows before locking out the user. 0 means disabled. |
| minDurationDays (integer) | 0 | [0, 255] | Specifies the minimum number of days a password is valid. |
| minLength (integer) | 6 | [6, 255] | Specifies the minimum number of characters in a valid password. |
| passwordMemory (integer) | 0 | [0, 127] | Specifies the number of former passwords that the BIG-IP system retains to prevent the user from reusing a recent password. |
| policyEnforcementEnabled (boolean) | true | true, false | Enables or disables the password policy. |
| requiredLowercase (integer) | 0 | [0, 127] | Specifies the number of lowercase alpha characters that must be present in a password for the password to be valid. |
| requiredNumeric (integer) | 0 | [0, 127] | Specifies the number of numeric characters that must be present in a password for the password to be valid. |
| requiredSpecial (integer) | 0 | [0, 127] | Specifies the number of special characters that must be present in a password for the password to be valid. |
| requiredUppercase (integer) | 0 | [0, 127] | Specifies the number of uppercase alpha characters that must be present in a password for the password to be valid. |
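The PasswordPolicy properties interact (a zero in maxLoginFailures disables lockout, a zero in lockoutDurationSeconds means manual reinstatement, passwordMemory only looks back a fixed number of passwords), which a row-by-row table does not make obvious. The added example below (not Declarative Onboarding project code) applies a constructed PasswordPolicy object to candidate passwords, a login-failure count and a password age, using the defaults from the table; it assumes "special" means any printable non-alphanumeric character and, to keep the passwordMemory comparison visible, takes former passwords as plaintext even though BIG-IP stores hashes.

```python
"""Apply a Declarative Onboarding PasswordPolicy object to a candidate password,
a login-failure history and a password age.

Added example, not Declarative Onboarding project code. It implements the rules
the PasswordPolicy table above states: minLength, the four required* character
counts, passwordMemory, policyEnforcementEnabled, maxLoginFailures with
lockoutDurationSeconds (0 = manual reinstatement), and maxDurationDays with
expirationWarningDays. ASSUMPTIONS: a "special" character is any printable
non-alphanumeric character; former passwords are passed in plaintext, most
recent first, only to show the passwordMemory comparison (BIG-IP stores hashes);
all sample policies and passwords are constructed.
"""
from __future__ import annotations

# Defaults copied from the PasswordPolicy table.
POLICY_DEFAULTS = {
    "policyEnforcementEnabled": True,
    "minLength": 6,
    "requiredLowercase": 0,
    "requiredUppercase": 0,
    "requiredNumeric": 0,
    "requiredSpecial": 0,
    "passwordMemory": 0,
    "maxLoginFailures": 0,
    "lockoutDurationSeconds": 0,
    "maxDurationDays": 99999,
    "expirationWarningDays": 7,
}


def check_password(candidate: str, policy: dict,
                   history: tuple[str, ...] | list[str] = ()) -> list[str]:
    """Return the policy rules the candidate violates (empty list: accepted)."""
    p = {**POLICY_DEFAULTS, **policy}
    if not p["policyEnforcementEnabled"]:
        return []
    failures: list[str] = []
    if len(candidate) < p["minLength"]:
        failures.append(f"minLength: need {p['minLength']}, have {len(candidate)}")
    counts = {
        "requiredLowercase": sum(c.islower() for c in candidate),
        "requiredUppercase": sum(c.isupper() for c in candidate),
        "requiredNumeric": sum(c.isdigit() for c in candidate),
        "requiredSpecial": sum(c.isprintable() and not c.isalnum() for c in candidate),
    }
    for rule, have in counts.items():
        if have < p[rule]:
            failures.append(f"{rule}: need {p[rule]}, have {have}")
    # passwordMemory: only the most recent N former passwords are remembered.
    if p["passwordMemory"] and candidate in list(history)[: p["passwordMemory"]]:
        failures.append(f"passwordMemory: matches one of the last {p['passwordMemory']} passwords")
    return failures


def is_locked_out(consecutive_failures: int, seconds_since_last_failure: float,
                  policy: dict) -> bool:
    """maxLoginFailures 0 disables lockout; lockoutDurationSeconds 0 means manual reinstatement."""
    p = {**POLICY_DEFAULTS, **policy}
    if p["maxLoginFailures"] == 0 or consecutive_failures < p["maxLoginFailures"]:
        return False
    if p["lockoutDurationSeconds"] == 0:
        return True  # stays locked until an administrator reinstates the user
    return seconds_since_last_failure < p["lockoutDurationSeconds"]


def password_status(age_days: int, policy: dict) -> str:
    """'valid', 'warning' (within expirationWarningDays of expiry) or 'expired'."""
    p = {**POLICY_DEFAULTS, **policy}
    if age_days >= p["maxDurationDays"]:
        return "expired"
    if p["maxDurationDays"] - age_days <= p["expirationWarningDays"]:
        return "warning"
    return "valid"


# Constructed policy for the demonstration; every value is within the table's ranges.
SAMPLE_POLICY = {
    "class": "PasswordPolicy",
    "minLength": 12,
    "requiredLowercase": 1, "requiredUppercase": 1,
    "requiredNumeric": 1, "requiredSpecial": 1,
    "passwordMemory": 3,
    "maxLoginFailures": 3, "lockoutDurationSeconds": 600,
    "maxDurationDays": 90,
}

if __name__ == "__main__":
    print(check_password("password", SAMPLE_POLICY))
    print(check_password("Tr0ub4dor&3x", SAMPLE_POLICY, ["Tr0ub4dor&3x"]))
    print(is_locked_out(3, 100, SAMPLE_POLICY), is_locked_out(3, 700, SAMPLE_POLICY))
    print(password_status(85, SAMPLE_POLICY))
```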

Provision

System properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “Provision” | Indicates that this property contains module provisioning configuration. |

RemoteAuthRole

Authentication properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| attribute (string) | | | Specifies an attribute-value pair that an authentication server supplies to the BIG-IP system to match against entries in /config/bigip/auth/remoterole. The specified pair typically identifies users with access rights in common. This option is required. |
| class (string) | | “RemoteAuthRole” | Indicates that this property contains RemoteAuthRole configuration. |
| console (string \| string) | “disabled” | “disabled”, “tmsh”, regex: ^%.+ | Specifies whether the remotely-authenticated users have tmsh console access or not. Accepted values are ‘disabled’ and ‘tmsh’. |
| lineOrder (integer) | | [0, 4294967295] | The BIG-IP only allows one role per user for each partition/tenant. Because some remote servers allow multiple user roles, the BIG-IP uses the lineOrder parameter to choose one of the conflicting roles for the user at login time. In these cases, the system chooses the role with the lowest line-order number. See line order in the BIG-IP documentation for more information and examples. |
| remoteAccess (boolean) | false | true, false | Enables remote access for the specified group of remotely-authenticated users. |
| role (string \| string) | “no-access” | “admin”, “application-editor”, “auditor”, “certificate-manager”, “firewall-manager”, “fraud-protection-manager”, “guest”, “irule-manager”, “manager”, “no-access”, “operator”, “resource-admin”, “user-manager”, “web-application-security-administrator”, “web-application-security-editor”, regex: ^%.+ | Specifies the role that you want to grant to the specified group of remotely-authenticated users. |
| userPartition (string \| string) | “Common” | | Specifies the BIG-IP partition to which you are assigning access for the specified group of remotely-authenticated users. The default value is Common. This option is required. |

Route

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “Route” | Indicates that this property contains Route configuration. |
| gw (string) | | format: f5ip | Gateway for the route. |
| localOnly (boolean) | false | true, false | A boolean to indicate if the Route should be added to the LOCAL_ONLY partition. ‘Across Network’ clusters in AWS require this partition to be configured. |
| mtu (integer) | | [0, 9198] | MTU for the route. |
| network (string) | “default” | | IP address/netmask for route |
| target (string) | | | The VLAN or Tunnel for the Route. |

RouteDomain

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| bandWidthControllerPolicy (string) | | | Specifies the bandwidth controller policy for the route domain. |
| class (string) | | “RouteDomain” | Indicates that this property contains Route Domain configuration. |
| connectionLimit (integer) | 0 | [0, 4294967295] | The connection limit for the route domain. |
| enforcedFirewallPolicy (string) | | | Specifies an enforced firewall policy on the route domain. |
| flowEvictionPolicy (string) | | | Specifies a flow eviction policy for the route domain to use. |
| id (integer) | | [0, 65534] | Specifies a unique numeric identifier for the route domain. |
| ipIntelligencePolicy (string) | | | Specifies an IP intelligence policy for the route domain to use. |
| parent (string) | | | Specifies the route domain the system searches when it cannot find a route in the configured domain. |
| routingProtocols (array<string>) | | “BFD”, “BGP”, “IS-IS”, “OSPFv2”, “OSPFv3”, “PIM”, “RIP”, “RIPng” | Specifies routing protocols for the system to use in the route domain. |
| securityNatPolicy (string) | | | Specifies the security NAT policy for the route domain. |
| servicePolicy (string) | | | Specifies the service policy for the route domain. |
| stagedFirewallPolicy (string) | | | Specifies a staged firewall policy on the route domain. |
| strict (boolean) | true | true, false | Determines whether a connection can span route domains. |
| vlans (array<string>) | | | Specifies VLANs for the system to use in the route domain. |

RouteMap

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “RouteMap” | Indicates that this property contains route map configuration. |
| entries (array<RouteMap_entries>) | | | An array that holds the action to take when the corresponding entries are matched. |
| routeDomain (string) | “0” | | Specifies the name of the route domain used by the route map |

RouteMap_entries

Properties of each object in the RouteMap entries array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| action (string) | | “permit”, “deny” | An action to take |
| match (RouteMap_entries_match) | {"ipv4":{"address":{},"nextHop":{}},"ipv6":{"address":{},"nextHop":{}}} | | AS path and addresses to match |
| name (integer) | | [-infinity, infinity] | Name of the entity |

RouteMap_entries_match

Properties of the RouteMap_entries match object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| asPath (string) | | | RoutingAsPath to match. Defines a BGP AS path access list. |
| ipv4 (RouteMap_entries_match_ipv4) | {"address":{},"nextHop":{}} | | IPv4 to match |
| ipv6 (RouteMap_entries_match_ipv6) | {"address":{},"nextHop":{}} | | IPv6 to match |

RouteMap_entries_match_ipv4

Properties of the RouteMap_entries_match ipv4 object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| address (RouteMap_entries_match_ipv4_address) | {} | | IPv4 addresses to match |
| nextHop (RouteMap_entries_match_ipv4_nextHop) | {} | | IPv4 next hops to match |

RouteMap_entries_match_ipv4_address

Properties of the RouteMap_entries_match_ipv4 address object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| prefixList (string) | | | RoutingPrefixList to match |

RouteMap_entries_match_ipv4_nextHop

Properties of the RouteMap_entries_match_ipv4 nextHop object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| prefixList (string) | | | RoutingPrefixList to match |

RouteMap_entries_match_ipv6

Properties of the RouteMap_entries_match ipv6 object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| address (RouteMap_entries_match_ipv6_address) | {} | | IPv6 addresses to match |
| nextHop (RouteMap_entries_match_ipv6_nextHop) | {} | | IPv6 next hops to match |

RouteMap_entries_match_ipv6_address

Properties of the RouteMap_entries_match_ipv6 address object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| prefixList (string) | | | RoutingPrefixList to match |

RouteMap_entries_match_ipv6_nextHop

Properties of the RouteMap_entries_match_ipv6 nextHop object.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| prefixList (string) | | | RoutingPrefixList to match |

RoutingAccessList

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “RoutingAccessList” | Indicates that this property contains routing access list configuration. |
| entries (array<RoutingAccessList_entries>) | | | An array that holds sources and destinations. |
| label (string) | | | |
| remark (string) | | | |

RoutingAccessList_entries

Properties of each object in the RoutingAccessList entries array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| action (string) | | “permit”, “deny” | Permit or deny access |
| destination (string) | “::” | format: ipWithOptionalPrefix | IPv4 or IPv6 address or address range. Specify either [address] or [address/prefixlength]. |
| exactMatchEnabled (boolean) | false | true, false | Perform exact matching. A single entry with exactMatchEnabled true disallows any entry from having a non-default destination. |
| name (integer) | | [-infinity, infinity] | Name of the entity, identified as an integer |
| source (string) | “::” | format: ipWithOptionalPrefix | IPv4 or IPv6 address or address range. Specify either [address] or [address/prefixlength]. |

RoutingAsPath

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| class (string) | | “RoutingAsPath” | Indicates that this property contains routing AS path configuration. |
| entries (array<RoutingAsPath_entries>) | | | An array that holds action and regex objects |

RoutingAsPath_entries

Properties of each object in the RoutingAsPath entries array.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| name (integer) | | [-infinity, infinity] | Name of the entity |
| regex (string) | | | A regex string |

RoutingBGP

Network properties for onboarding a BIG-IP.

Properties:

| Name (Type) | Default | Values | Description |
| --- | --- | --- | --- |
| addressFamilies (array<RoutingBGP_addressFamilies>) | | | Address family |
| class (string) | | “RoutingBGP” | Indicates that this property contains Border Gateway Protocol configuration. |
| gracefulRestart (RoutingBGP_gracefulRestart) | {} | | Graceful restart |
| holdTime (integer) | 90 | [0, 65535] | Globally set or reset the hold time for all of the neighbors. The holdTime must be either 0 or at least 3 times keepAlive. |
| keepAlive (integer) | 30 | [0, 65535] | Globally set or reset the keep alive for all of the neighbors |
| localAS (integer) | | [1, 4294967295] | Local Autonomous System. After the RoutingBGP has been created this value cannot be modified. |
| neighbors (array<RoutingBGP_neighbors>) | | | Neighbors |
| peerGroups (array<RoutingBGP_peerGroups>) | | | Peer group |
| routeDomain (string) | “0” | | Specifies the name of the route domain used by the routing BGP |
| routerId (string) | “any6” | | Manually override current router identifier (peers will reset) |

RoutingBGP_addressFamilies

RoutingBGP addressFamilies possible properties when object type

Properties:

Name (Type) Default Values Description
internetProtocol (string)
“ipv4”, “ipv6”, “all” Address family. The value ‘all’ sets both ‘ipv4’ and ‘ipv6’ to the ‘all’ values.
redistributionList (array<RoutingBGP_addressFamilies_redistributionList>)
Redistribution list

RoutingBGP_addressFamilies_redistributionList

RoutingBGP_addressFamilies redistributionList possible properties when object type

Properties:

Name (Type) Default Values Description
routeMap (string)
Route map
routingProtocol (string)
“connected”, “isis”, “kernel”, “ospf”, “rip”, “static” Routing protocol

RoutingBGP_gracefulRestart

RoutingBGP gracefulRestart possible properties

Properties:

Name (Type) Default Values Description
gracefulResetEnabled (boolean) false true, false Graceful reset capability
restartTime (integer) 0 [0, 3600] Maximum time needed for neighbor(s) to restart (seconds)
stalePathTime (integer) 0 [0, 3600] Maximum time to retain stale paths from restarting neighbor(s) (seconds)

RoutingBGP_neighbors

RoutingBGP neighbors possible properties when object type

Properties:

Name (Type) Default Values Description
address (string)
format: f5ip Name
addressFamilies (array<RoutingBGP_neighbors_addressFamilies>)
Address family
ebgpMultihop (integer) 1 [1, 255] Allow external BGP members not on directly connected networks
peerGroup (string)
Peer group

RoutingBGP_neighbors_addressFamilies

RoutingBGP_neighbors addressFamilies possible properties when object type

Properties:

Name (Type) Default Values Description
asOverrideEnabled (boolean) false true, false Enables override AS path.
internetProtocol (string)
“ipv4”, “ipv6”, “all” Address family. The value ‘all’ sets both ‘ipv4’ and ‘ipv6’ to the ‘all’ values.

RoutingBGP_peerGroups

RoutingBGP peerGroups possible properties when object type

Properties:

Name (Type) Default Values Description
addressFamilies (array<RoutingBGP_peerGroups_addressFamilies>)
Address family
name (string)
Name
remoteAS (integer) 0 [-infinity, infinity] Remote Autonomous System

RoutingBGP_peerGroups_addressFamilies

RoutingBGP_peerGroups addressFamilies possible properties when object type

Properties:

Name (Type) Default Values Description
internetProtocol (string)
“ipv4”, “ipv6” Address family
routeMap (RoutingBGP_peerGroups_addressFamilies_routeMap) {}
Route maps
softReconfigurationInboundEnabled (boolean) false true, false Soft reconfiguration inbound enabled

RoutingBGP_peerGroups_addressFamilies_routeMap

RoutingBGP_peerGroups_addressFamilies routeMap possible properties

Properties:

Name (Type) Default Values Description
in (string)
Incoming route map
out (string)
Outgoing route map
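The RoutingBGP tables above carry constraints that a declaration can violate without any obvious error: holdTime must be 0 or at least three times keepAlive, localAS has a fixed range and cannot be changed later, ebgpMultihop is limited to [1, 255], and a neighbor's peerGroup must name a peer group defined in the same object. The Python below is an added example, not code from the Declarative Onboarding project: it assembles a RoutingBGP object from the property names in the tables and lints it before the declaration is posted. The helper names, the sample addresses and AS numbers, the RouteMap names referenced from the peer group, and the gracefulRestart values are assumptions made for the example.

```python
import json
from typing import Dict, List


def build_routing_bgp(local_as: int, router_id: str, peers: List[dict],
                      hold_time: int = 90, keep_alive: int = 30) -> dict:
    """Assemble a RoutingBGP object from the property names in the tables above.

    ``peers`` items look like {"address": "192.0.2.1", "peerGroup": "upstream",
    "remoteAS": 64500}; one RoutingBGP_peerGroups entry is emitted per distinct
    peerGroup name, with an inbound and an outbound route map (names assumed).
    """
    groups: Dict[str, dict] = {}
    for p in peers:
        groups.setdefault(p["peerGroup"], {
            "name": p["peerGroup"],
            "remoteAS": p["remoteAS"],
            "addressFamilies": [{
                "internetProtocol": "ipv4",
                # Filter what each peer may send and receive. The RouteMap
                # objects these names refer to are assumed to exist elsewhere
                # in the same declaration.
                "routeMap": {"in": "rm-in-" + p["peerGroup"],
                             "out": "rm-out-" + p["peerGroup"]},
                "softReconfigurationInboundEnabled": True,
            }],
        })
    return {
        "class": "RoutingBGP",
        "localAS": local_as,
        "routerId": router_id,
        "holdTime": hold_time,
        "keepAlive": keep_alive,
        # Assumed values, chosen inside the documented [0, 3600] range.
        "gracefulRestart": {"gracefulResetEnabled": True,
                            "restartTime": 120, "stalePathTime": 360},
        "neighbors": [{"address": p["address"],
                       "peerGroup": p["peerGroup"],
                       "ebgpMultihop": p.get("ebgpMultihop", 1)} for p in peers],
        "peerGroups": list(groups.values()),
    }


def lint_routing_bgp(bgp: dict) -> List[str]:
    """Return the documented constraints that ``bgp`` violates (empty list = clean)."""
    problems: List[str] = []
    hold = bgp.get("holdTime", 90)
    keep = bgp.get("keepAlive", 30)
    if not (0 <= hold <= 65535 and 0 <= keep <= 65535):
        problems.append("holdTime and keepAlive must be in [0, 65535]")
    elif hold != 0 and hold < 3 * keep:
        problems.append(f"holdTime {hold} must be 0 or at least 3 * keepAlive = {3 * keep}")
    local_as = bgp.get("localAS")
    if not isinstance(local_as, int) or not 1 <= local_as <= 4294967295:
        problems.append("localAS must be an integer in [1, 4294967295]")
    defined_groups = {g["name"] for g in bgp.get("peerGroups", [])}
    for n in bgp.get("neighbors", []):
        group = n.get("peerGroup")
        if group and group not in defined_groups:
            problems.append(f"neighbor {n['address']} references undefined peerGroup {group!r}")
        hops = n.get("ebgpMultihop", 1)
        if not 1 <= hops <= 255:
            problems.append(f"neighbor {n['address']} ebgpMultihop {hops} outside [1, 255]")
    return problems


# Constructed sample peers: documentation addresses and private AS numbers.
SAMPLE_PEERS = [
    {"address": "192.0.2.1", "peerGroup": "upstream", "remoteAS": 64500},
    {"address": "192.0.2.2", "peerGroup": "upstream", "remoteAS": 64500, "ebgpMultihop": 2},
]

if __name__ == "__main__":
    bgp = build_routing_bgp(65001, "198.51.100.1", SAMPLE_PEERS)
    print(json.dumps(bgp, indent=2))
    print("problems:", lint_routing_bgp(bgp))
    # 60 < 3 * 30, so the documented hold-time rule rejects this variant.
    print("problems:", lint_routing_bgp(dict(bgp, holdTime=60)))
```

Because localAS cannot be modified once the RoutingBGP object exists, running the lint before the first POST is the cheap moment to catch a wrong AS; afterwards the object has to be removed and recreated.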

RoutingPrefixList

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“RoutingPrefixList” Indicates that this property contains routing prefix list configuration.
entries (array<RoutingPrefixList_entries>)  
An array that holds action, prefix, and prefixLengthRange.
routeDomain (string) “0”
Specifies the name of the route domain used

RoutingPrefixList_entries

RoutingPrefixList entries possible properties when object type

Properties:

Name (Type) Default Values Description
action (string)
“permit”, “deny” An action to take
name (integer)
[-infinity, infinity] Name of the entity
prefix (string) “::/0” format: ipWithRequiredPrefix Address with prefix length [address/prefix length]
prefixLengthRange (string) “0” regex: ^\d*:?\d*$ Prefix length range. Examples: Specify ‘1:32’ for greater than or equal to 1 and less than or equal to 32. Specify ‘1:’ for greater than or equal to 1. Specify ‘:32’ for less than or equal to 32. Specify ‘32’ for equal to 32. Must be ‘0’ (no range) or a range whose bounds are greater than the prefix length given in the prefix property.
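The prefixLengthRange row above packs four spellings and one cross-field rule (every bound must exceed the length of the prefix itself) into one string, which is easy to get wrong and turns a filter that was meant to accept customer /9 to /24 routes into one that accepts nothing, or everything. The following Python is an added example and not code from the Declarative Onboarding project: it parses the range with the regex from the table (backslashes restored), checks each RoutingPrefixList_entries object against the documented rules, and flags duplicate entry names. The function names and the sample prefix list are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The regex from the prefixLengthRange row above, with its backslashes restored.
RANGE_RE = re.compile(r"^\d*:?\d*$")


def parse_prefix_length_range(value: str) -> Tuple[Optional[int], Optional[int]]:
    """Map the four documented spellings to (lower, upper); None means unbounded.

    '1:32' -> (1, 32)   '1:' -> (1, None)   ':32' -> (None, 32)   '32' -> (32, 32)
    """
    if not RANGE_RE.match(value) or value in ("", ":"):
        raise ValueError(f"prefixLengthRange {value!r} is not of the form lo:hi, lo:, :hi or n")
    if ":" in value:
        lo, hi = value.split(":", 1)
        return (int(lo) if lo else None, int(hi) if hi else None)
    return (int(value), int(value))


def lint_prefix_list_entry(entry: dict) -> List[str]:
    """Check one RoutingPrefixList_entries object against the rules in the table above."""
    problems: List[str] = []
    if entry.get("action") not in ("permit", "deny"):
        problems.append("action must be 'permit' or 'deny'")
    try:
        net = ipaddress.ip_network(entry.get("prefix", "::/0"), strict=False)
    except ValueError as exc:
        problems.append(f"prefix: {exc}")
        return problems
    try:
        lo, hi = parse_prefix_length_range(str(entry.get("prefixLengthRange", "0")))
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if (lo, hi) == (0, 0):
        return problems                  # '0' means: match the prefix length exactly
    # Every bound that is given must exceed the prefix length and fit the address family.
    for label, bound in (("lower", lo), ("upper", hi)):
        if bound is None:
            continue
        if bound <= net.prefixlen:
            problems.append(f"{label} bound {bound} must be greater than the prefix length {net.prefixlen}")
        if bound > net.max_prefixlen:
            problems.append(f"{label} bound {bound} exceeds the maximum prefix length {net.max_prefixlen}")
    if lo is not None and hi is not None and lo > hi:
        problems.append(f"lower bound {lo} is greater than upper bound {hi}")
    return problems


def lint_prefix_list(prefix_list: dict) -> List[str]:
    """Lint a whole RoutingPrefixList object; also rejects duplicate entry names."""
    problems: List[str] = []
    seen = set()
    for entry in prefix_list.get("entries", []):
        name = entry.get("name")
        if name in seen:
            problems.append(f"entry {name}: duplicate name")
        seen.add(name)
        problems.extend(f"entry {name}: {p}" for p in lint_prefix_list_entry(entry))
    return problems


# Constructed sample: accept routes inside 10.0.0.0/8 between /9 and /24 and
# reject every other prefix of length 1 or more.
SAMPLE_PREFIX_LIST = {
    "class": "RoutingPrefixList",
    "routeDomain": "0",
    "entries": [
        {"name": 10, "action": "permit", "prefix": "10.0.0.0/8", "prefixLengthRange": "9:24"},
        {"name": 20, "action": "deny", "prefix": "0.0.0.0/0", "prefixLengthRange": "1:"},
    ],
}

if __name__ == "__main__":
    print(lint_prefix_list(SAMPLE_PREFIX_LIST))
```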

SecurityAnalytics

Security properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
aclRules (SecurityAnalytics_aclRules)
Firewall (ACL) security statistics collection options.
class (string)
“SecurityAnalytics” Indicates that this property contains SecurityAnalytics configuration.
collectAllDosStatsEnabled (boolean) false true, false Specifies whether to enable or disable the collection of all DoS statistics.
collectDnsStatsEnabled (boolean) true true, false Specifies whether to enable or disable DNS statistics collection.
collectDosL3StatsEnabled (boolean) true true, false Specifies whether to enable or disable the collection of DoS L3 statistics.
collectedStatsExternalLoggingEnabled (boolean) false true, false Specifies whether to enable or disable external logging of collected statistics.
collectedStatsInternalLoggingEnabled (boolean) false true, false Specifies whether to enable or disable internal logging of collected statistics.
collectFirewallAclStatsEnabled (boolean) true true, false Specifies whether to enable or disable the collection of firewall ACL statistics.
collectFirewallDropsStatsEnabled (boolean) true true, false Specifies whether to enable or disable the collection of firewall drops statistics.
collectIpReputationStatsEnabled (boolean) true true, false Specifies whether to enable or disable the collection of IP reputation statistics.
collectSipStatsEnabled (boolean) true true, false Specifies whether to enable or disable the collection of SIP statistics.
collectStaleRulesEnabled (boolean) false true, false Specifies whether statistics about all firewall rules should be collected in order to present information regarding rule staleness.
dns (SecurityAnalytics_dns)
DNS security statistics collection options.
dosL2L4 (SecurityAnalytics_dosL2L4)
Network DoS statistics collection options.
l3L4Errors (SecurityAnalytics_l3L4Errors)
Firewall errors statistics collection options.
publisher (string)
Specifies the external logging publisher used to send statistical data to one or more destinations.
smtpConfig (string)
Specifies the default SMTP configuration used for exporting CSV or PDF security analytics reports.

SecurityAnalytics_aclRules

SecurityAnalytics aclRules possible properties

Properties:

Name (Type) Default Values Description
collectClientIpEnabled (boolean) true true, false Specifies whether source/client IP address should be collected for ACL rule matching.
collectClientPortEnabled (boolean) false true, false Specifies whether source/client port should be collected for ACL rule matching.
collectDestinationIpEnabled (boolean) true true, false Specifies whether the destination IP address should be collected for ACL rule matching.
collectDestinationPortEnabled (boolean) true true, false Specifies whether the destination port should be collected for ACL rule matching.
collectServerSideStatsEnabled (boolean) false true, false Specifies whether server side statistics (source address translation information, self IP address and pool member address) should be collected for ACL rule matching.

SecurityAnalytics_dns

SecurityAnalytics dns possible properties

Properties:

Name (Type) Default Values Description
collectClientIpEnabled (boolean) true true, false Specifies whether source/client IP address should be collected for DNS security.
collectDestinationIpEnabled (boolean) true true, false Specifies whether the destination IP address should be collected for DNS security.

SecurityAnalytics_dosL2L4

SecurityAnalytics dosL2L4 possible properties

Properties:

Name (Type) Default Values Description
collectClientIpEnabled (boolean) true true, false Specifies whether source/client IP address should be collected for network layer’s DoS security.
collectDestinationGeoEnabled (boolean) true true, false Specifies whether the destination geo should be collected for network layer’s DoS security.

SecurityAnalytics_l3L4Errors

SecurityAnalytics l3L4Errors possible properties

Properties:

Name (Type) Default Values Description
collectClientIpEnabled (boolean) true true, false Specifies whether source/client IP address should be collected for firewall errors.
collectDestinationIpEnabled (boolean) true true, false Specifies whether the destination IP address should be collected for firewall errors.

SecurityWaf

Security properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
advancedSettings (array<SecurityWaf_advancedSettings | object>)
Specifies WAF advanced settings.
antiVirusProtection (SecurityWaf_antiVirusProtection)
Specifies anti virus protection options.
class (string)
“SecurityWaf” Indicates that this property contains SecurityWaf configuration.

SecurityWaf_advancedSettings

SecurityWaf advancedSettings possible properties when object type

Properties:

Name (Type) Default Values Description
name (string)
“ecard_regexp_decimal”, “ecard_regexp_email”, “ecard_regexp_phone”, “icap_uri”, “virus_header_name”, “WhiteHatIP1”, “WhiteHatIP2”, “WhiteHatIP3”, “WhiteHatIP4” Specifies the name of the setting.
value (string)
Specifies the desired value for the setting.

SecurityWaf_antiVirusProtection

SecurityWaf antiVirusProtection possible properties

Properties:

Name (Type) Default Values Description
guaranteeEnforcementEnabled (boolean) true true, false Specifies whether the system should perform virus checking even if this may slow down the web application.
hostname (string)
format: hostname Specifies the server hostname.
port (integer) 1344 [1, 65535] Specifies the server port.

SelfIp

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
address (string)
format: f5ip IP address.
allowService (string | array<string>) “none” “all”, “none”, “default”, regex: (\w+:\d+|default) Which services (ports) to allow on the self IP. Value should be ‘all’, ‘none’, ‘default’, or an array of ‘<service:port>’ strings (for example ‘tcp:443’). NOTE: ‘default’ opens the built-in set of management services and is not recommended; use ‘none’, or an explicit array of only the required services, wherever possible.
class (string)
“SelfIp” Indicates that this property contains Self IP configuration.
enforcedFirewallPolicy (string)
Specifies an enforced firewall policy on the self IP.
stagedFirewallPolicy (string)
Specifies a staged firewall policy on the self IP.
trafficGroup (string) “traffic-group-local-only” “traffic-group-local-only”, “traffic-group-1” Traffic group for the Self IP.
vlan (string)
VLAN or Tunnel for the self IP.
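The allowService row is the port-lockdown control for a self IP, and it is the one place in this table where the default a declaration author reaches for (‘default’, or worse ‘all’) directly widens the management attack surface of the data-plane interfaces. The Python below is an added example and not code from the Declarative Onboarding project: it grades an allowService value using the regex from the table (backslashes restored), refuses to emit a SelfIp whose allow list is malformed, and places a hardened HA self IP beside the weak version. The helper names, the tcp/udp protocol set and the two HA ports in the sample are assumptions made for the example.

```python
import re
from typing import List, Tuple, Union

# Regex from the allowService row above, with its backslashes restored.
SERVICE_RE = re.compile(r"^(\w+:\d+|default)$")

# Assumed: protocols the example accepts in '<service:port>' entries.
KNOWN_PROTOCOLS = {"tcp", "udp"}

Finding = Tuple[str, str]   # (severity, message)


def lint_allow_service(value: Union[str, List[str]]) -> List[Finding]:
    """Grade a SelfIp.allowService value: 'none' is the goal, 'all' is never acceptable."""
    findings: List[Finding] = []
    if value == "none":
        return findings
    if value == "all":
        return [("error", "allowService 'all' exposes every listening service on this self IP")]
    if value == "default":
        return [("warn", "allowService 'default' opens the built-in management service set; "
                         "the schema note recommends 'none' or an explicit list")]
    if isinstance(value, str):
        return [("error", f"allowService {value!r} is not 'all', 'none', 'default' or a list")]
    for item in value:
        if not SERVICE_RE.match(item):
            findings.append(("error", f"{item!r} does not match (\\w+:\\d+|default)"))
            continue
        if item == "default":
            findings.append(("warn", "'default' inside the list reopens the built-in service set"))
            continue
        proto, port = item.split(":")
        if proto not in KNOWN_PROTOCOLS:
            findings.append(("warn", f"{item!r}: protocol {proto!r} is not tcp or udp"))
        if not 1 <= int(port) <= 65535:
            findings.append(("error", f"{item!r}: port out of range"))
    return findings


def self_ip(vlan: str, address: str, services: List[str], floating: bool = False) -> dict:
    """Build a SelfIp object whose allowService is an explicit list, never 'all' or 'default'."""
    errors = [msg for severity, msg in lint_allow_service(services) if severity == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "class": "SelfIp",
        "address": address,
        "vlan": vlan,
        "allowService": services or "none",
        "trafficGroup": "traffic-group-1" if floating else "traffic-group-local-only",
    }


# Constructed sample: a non-floating HA self IP that accepts only the two
# failover/config-sync ports (assumed example ports), beside the weak version.
HA_SELF_IP = self_ip("ha", "10.10.10.11/24", ["tcp:4353", "udp:1026"])
WEAK_SELF_IP = {"class": "SelfIp", "address": "10.10.10.11/24", "vlan": "ha", "allowService": "all"}

if __name__ == "__main__":
    print(HA_SELF_IP)
    print(lint_allow_service(WEAK_SELF_IP["allowService"]))
```

An empty service list is emitted as ‘none’ rather than as ‘[]’, so a self IP that carries only routed traffic ends up with the value the schema note asks for.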

SnmpAgent

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
allowList (array<string>)
format: f5ip Allowed client IP addresses.
class (string)
“SnmpAgent” Indicates that this property contains basic SNMP agent configuration.
contact (string)
The name of the person who administers the SNMP service for this system.
location (string)
The description of this system’s physical location.
snmpV1 (boolean) true true, false Enables snmpd daemon support of snmpV1 queries.
snmpV2c (boolean) true true, false Enables snmpd daemon support of snmpV2c queries.

SnmpCommunity

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
access (string) “ro” “ro”, “rw” Access level of the community to the MIB: ‘ro’ (read-only) or ‘rw’ (read-write).
class (string)
“SnmpCommunity” Indicates that this property contains SNMP v1 or v2c community configuration.
ipv6 (boolean) false true, false Specifies whether the record applies to IPv6 addresses.
name (string)
Overrides using the object name as the community name. Use this if you want special characters in the community name.
oid (string)
Specifies the current object identifier (OID) for the record.
source (string)
Specifies the source address for access to the MIB.

SnmpTrapDestination

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
authentication (SnmpTrapDestination_authentication)
Specifies the user’s authentication method and password.
class (string)
“SnmpTrapDestination” Indicates that this property contains SNMP trap configuration.
community (string)
Specifies the community name for the trap destination. — Note: This property is available only when version is NOT ‘3’
destination (string)
  Specifies the address for the trap destination.
engineId (string)
Specifies the unique identifier (snmpEngineID) of the remote SNMP protocol engine.
network (string) “management” “management”, “other” Specifies the trap network. The system sends the SNMP trap out the specified network. ‘management’ specifies that the system sends the trap out of the management IP address. ‘other’ specifies that the system sends the trap out of the interface based on the routing tables.
port (integer) 162 [0, 65535] Specifies the port for the trap destination.
privacy (SnmpTrapDestination_privacy)
Specifies the privacy (encryption) protocol and password used to protect the traps sent for this user.
securityName (string)
Specifies the user name the system uses to handle SNMP v3 traps.
version (string) “2c” “1”, “2c”, “3” Specifies to which Simple Network Management Protocol (SNMP) version the trap destination applies.

SnmpTrapDestination_authentication

SnmpTrapDestination authentication possible properties

Properties:

Name (Type) Default Values Description
password (string)
Specifies the password for the user.
protocol (string)
“sha”, “md5” Authentication protocol.

SnmpTrapDestination_privacy

SnmpTrapDestination privacy possible properties

Properties:

Name (Type) Default Values Description
password (string)
Specifies the password for the user.
protocol (string)
“aes”, “des” Specifies the encryption protocol.

SnmpTrapEvents

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
agentStartStop (boolean) true true, false Indicates whether to send a trap when the SNMP agent starts/stops.
authentication (boolean) false true, false Indicates whether to send authentication warning traps.
class (string)
“SnmpTrapEvents” Indicates that this property contains SNMP trap configuration.
device (boolean) true true, false Indicates whether to send device warning traps.

SnmpUser

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
access (string) “ro” “ro”, “rw” Access level of the user to the MIB: ‘ro’ (read-only) or ‘rw’ (read-write).
authentication (SnmpUser_authentication)
Specifies the user’s authentication method and password.
class (string)
“SnmpUser” Indicates that this property contains SNMP v3 user configuration.
name (string)
Overrides using the object name as the username. Use this if you want special characters in the username.
oid (string) “.1”
Specifies the current object identifier (OID) for the record.
privacy (SnmpUser_privacy)
Specifies the privacy (encryption) protocol and password used to protect SNMP v3 messages for this user.

SnmpUser_authentication

SnmpUser authentication possible properties

Properties:

Name (Type) Default Values Description
password (string)
Specifies the password for the user.
protocol (string) “sha” “sha”, “sha256”, “sha512”, “md5” Authentication protocol. Values other than ‘sha’ or ‘md5’ require BIGIP version 15.1 or above.

SnmpUser_privacy

SnmpUser privacy possible properties

Properties:

Name (Type) Default Values Description
password (string)
Specifies the password for the user.
protocol (string) “aes” “aes”, “aes192”, “aes192c”, “aes256”, “aes256c”, “des” Specifies the encryption protocol. Values ‘aes192’, ‘aes192c’, ‘aes256’, and ‘aes256c’ require BIGIP version 15.1 or above.
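Read together, the SnmpAgent, SnmpCommunity and SnmpUser tables describe a management-plane exposure that is easy to ship by accident: snmpV1 and snmpV2c are on by default, allowList is empty by default, a community named ‘public’ with ‘rw’ access is a valid declaration, and an SNMP v3 user can be created with md5 authentication and no privacy at all. The Python below is an added example and not code from the Declarative Onboarding project. Its lint walks a declaration and reports those conditions, and its builder emits the SNMPv3-only configuration a hardened build wants, using the sha256 and aes256 values the tables mark as requiring BIG-IP 15.1 or later. The object names, the contact and location strings, the poller address and the password placeholders are assumptions.

```python
import os
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]          # (severity, object name, message)

# Algorithms the tables above allow but that a hardened build should avoid.
WEAK_AUTH = {"md5"}                     # sha256/sha512 need BIG-IP 15.1+ per the table
WEAK_PRIV = {"des"}                     # aes192/aes256 variants, likewise
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def lint_snmp(declaration: Dict[str, dict]) -> List[Finding]:
    """Walk a DO declaration and report SNMP settings that expose the management plane.

    'error' marks settings that grant access or write capability to anyone;
    'warn' marks settings that are merely weaker than what the schema offers.
    """
    findings: List[Finding] = []
    for name, obj in declaration.items():
        if not isinstance(obj, dict):
            continue
        cls = obj.get("class")
        if cls == "SnmpAgent":
            # Both version flags default to true in the SnmpAgent table.
            if obj.get("snmpV1", True):
                findings.append(("warn", name, "snmpV1 enabled (default): plaintext community string, no integrity"))
            if obj.get("snmpV2c", True):
                findings.append(("warn", name, "snmpV2c enabled (default): the community string is the only secret"))
            if not obj.get("allowList"):
                findings.append(("error", name, "no allowList: any source address may query the agent"))
        elif cls == "SnmpCommunity":
            if obj.get("access", "ro") == "rw":
                findings.append(("error", name, "rw community: write access to the MIB"))
            if obj.get("name", name) in WELL_KNOWN_COMMUNITIES:   # object name is the community by default
                findings.append(("error", name, "well-known community string"))
            if not obj.get("source"):
                findings.append(("warn", name, "no source restriction"))
        elif cls == "SnmpUser":
            auth = obj.get("authentication") or {}
            priv = obj.get("privacy") or {}
            if not auth:
                findings.append(("error", name, "SNMPv3 user without authentication (noAuthNoPriv)"))
            elif auth.get("protocol", "sha") in WEAK_AUTH:
                findings.append(("warn", name, f"authentication {auth['protocol']}: prefer sha256 or sha512"))
            if auth and not priv:
                findings.append(("warn", name, "authNoPriv: queries are authenticated but sent in clear"))
            elif priv.get("protocol", "aes") in WEAK_PRIV:
                findings.append(("warn", name, f"privacy {priv['protocol']}: prefer aes256"))
            if obj.get("access", "ro") == "rw":
                findings.append(("error", name, "rw user: write access to the MIB"))
    return findings


def hardened_snmp(pollers: List[str], auth_pass: str, priv_pass: str) -> Dict[str, dict]:
    """SNMPv3-only: v1/v2c off, agent reachable from the pollers only, one read-only
    user with sha256/aes256 (values the tables mark as BIG-IP 15.1+)."""
    return {
        "snmpAgent": {
            "class": "SnmpAgent",
            "allowList": pollers,
            "snmpV1": False,
            "snmpV2c": False,
            "contact": "noc@example.com",      # assumed
            "location": "rack 12",             # assumed
        },
        "monitor": {
            "class": "SnmpUser",
            "access": "ro",
            "authentication": {"protocol": "sha256", "password": auth_pass},
            "privacy": {"protocol": "aes256", "password": priv_pass},
        },
    }


# Constructed weak sample: agent at its defaults, a rw 'public' community,
# and a v3 user with md5 authentication and no privacy.
WEAK = {
    "snmpAgent": {"class": "SnmpAgent", "contact": "noc"},
    "public": {"class": "SnmpCommunity", "access": "rw"},
    "legacy": {"class": "SnmpUser", "authentication": {"protocol": "md5", "password": "x"}},
}

if __name__ == "__main__":
    for severity, obj, msg in lint_snmp(WEAK):
        print(f"{severity:5} {obj}: {msg}")
    # Placeholders only: take real passphrases from the environment, never from source.
    good = hardened_snmp(["192.0.2.10"],
                         os.environ.get("SNMP_AUTH_PASS", "replace-me"),
                         os.environ.get("SNMP_PRIV_PASS", "replace-me"))
    print("hardened findings:", lint_snmp(good))
```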

SSHD

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
allow (string | array<string>)
“all”, “none” Specifies the list of IP addresses that are allowed to log in to the system. Allow all addresses by using the ‘all’ value or disallow all addresses using the ‘none’ value.
banner (string)
Enables or disables the display of the banner text when a user logs in.
ciphers (array<string>)
“3des-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-gcm@openssh.com”, “aes256-gcm@openssh.com”, “arcfour”, “arcfour128”, “arcfour256”, “blowfish-cbc”, “cast128-cbc”, “chacha20-poly1305@openssh.com” Specifies the ciphers to be included.
class (string)
“SSHD” Indicates this contains SSH configuration.
inactivityTimeout (integer) 0 [0, 2147483647] Specifies the number of seconds before inactivity causes an SSH session to log out.
kexAlgorithms (array<string>)
“diffie-hellman-group1-sha1”, “diffie-hellman-group14-sha1”, “diffie-hellman-group14-sha256”, “diffie-hellman-group16-sha512”, “diffie-hellman-group18-sha512”, “diffie-hellman-group-exchange-sha1”, “diffie-hellman-group-exchange-sha256”, “ecdh-sha2-nistp256”, “ecdh-sha2-nistp384”, “ecdh-sha2-nistp521”, “curve25519-sha256”, “curve25519-sha256@libssh.org”, “gss-gex-sha1-”, “gss-group1-sha1-”, “gss-group14-sha1-” Specifies the KexAlgorithms that will be included.
loginGraceTime (integer)
[-infinity, infinity] Specifies the login grace period that will be included. This is in the number of seconds.
MACS (array<string>)
“hmac-sha1”, “hmac-ripemd160”, “hmac-md5”, “hmac-md5-96”, “hmac-sha1-96”, “hmac-sha2-256”, “hmac-sha2-512”, “hmac-md5-etm@openssh.com”, “hmac-md5-96-etm@openssh.com”, “hmac-ripemd160-etm@openssh.com”, “hmac-sha1-etm@openssh.com”, “hmac-sha1-96-etm@openssh.com”, “hmac-sha2-256-etm@openssh.com”, “hmac-sha2-512-etm@openssh.com”, “umac-64@openssh.com”, “umac-128@openssh.com”, “umac-64-etm@openssh.com”, “umac-128-etm@openssh.com” Specifies the MACs that will be included.
maxAuthTries (integer)
[-infinity, infinity] Specifies the max auth tries to be included.
maxStartups (string)
Specifies the max startups to include.
protocol (integer)
[1, 2] Specifies the protocol to be included.
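The SSHD table enumerates every cipher, key-exchange method and MAC the schema accepts, including ones nobody should still negotiate on a management interface (CBC modes, RC4, Blowfish, CAST, MD5 and SHA-1 based MACs, group1 and SHA-1 Diffie-Hellman, the GSSAPI variants), and it leaves allow, inactivityTimeout and maxAuthTries at values that keep SSH open to every address with no idle logout. The Python below is an added example and not code from the Declarative Onboarding project: it splits the table's value lists into a kept set and a dropped set, lints an SSHD object against that split and the remaining settings, and emits a hardened SSHD object. The lint's thresholds for maxAuthTries and inactivityTimeout, the form of the allow list entries (the table only says "IP addresses"), the maxStartups string and the OpenSSH default of 6 authentication attempts are assumptions made for the example.

```python
from typing import Dict, List

# Every value the SSHD table above enumerates, split into the subset a hardened
# build keeps and the subset it drops. Together they cover the table exactly.
ALLOWED: Dict[str, List[str]] = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "kexAlgorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                      "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
                      "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group14-sha256"],
    "MACS": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
             "umac-128@openssh.com"],
}
DROPPED: Dict[str, List[str]] = {
    "ciphers": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"],
    "kexAlgorithms": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1", "gss-gex-sha1-",
                      "gss-group1-sha1-", "gss-group14-sha1-"],
    "MACS": ["hmac-sha1", "hmac-ripemd160", "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
             "hmac-ripemd160-etm@openssh.com", "hmac-sha1-etm@openssh.com",
             "hmac-sha1-96-etm@openssh.com", "umac-64@openssh.com",
             "umac-64-etm@openssh.com"],
}


def lint_sshd(sshd: dict) -> List[str]:
    """Report SSHD settings that weaken the management plane (empty list = clean)."""
    problems: List[str] = []
    for key in ("ciphers", "kexAlgorithms", "MACS"):
        for alg in sshd.get(key, []):
            if alg in DROPPED[key]:
                problems.append(f"{key}: {alg} is deprecated")
            elif alg not in ALLOWED[key]:
                problems.append(f"{key}: {alg} is not in the schema's value list")
    if sshd.get("protocol", 2) != 2:
        problems.append("protocol must be 2")
    if sshd.get("allow", "all") == "all":
        problems.append("allow 'all': restrict SSH to management hosts")
    if sshd.get("inactivityTimeout", 0) == 0:      # 0 is the documented default
        problems.append("inactivityTimeout 0: idle sessions never log out")
    if sshd.get("maxAuthTries", 6) > 4:             # 6 is the OpenSSH default, assumed here
        problems.append("maxAuthTries above 4 invites password guessing")
    return problems


def hardened_sshd(admin_hosts: List[str]) -> dict:
    """Build an SSHD object restricted to modern algorithms and the given hosts."""
    sshd = {
        "class": "SSHD",
        "allow": admin_hosts,              # assumed: a list of management host addresses
        "protocol": 2,
        "inactivityTimeout": 600,
        "loginGraceTime": 30,
        "maxAuthTries": 3,
        "maxStartups": "10:30:60",         # OpenSSH start:rate:full form, assumed to pass through
    }
    sshd.update({key: list(values) for key, values in ALLOWED.items()})
    return sshd


# Constructed sample of a legacy configuration that still negotiates 3DES,
# MD5 and group1 and is reachable from anywhere.
LEGACY_SSHD = {
    "class": "SSHD", "allow": "all", "protocol": 2,
    "ciphers": ["aes256-ctr", "3des-cbc"],
    "kexAlgorithms": ["diffie-hellman-group1-sha1"],
    "MACS": ["hmac-md5", "hmac-sha2-256"],
}

if __name__ == "__main__":
    for problem in lint_sshd(LEGACY_SSHD):
        print("legacy:", problem)
    print("hardened:", lint_sshd(hardened_sshd(["192.0.2.10", "192.0.2.11"])))
```

Listing the dropped algorithms explicitly, rather than only the kept ones, is deliberate: it lets the lint distinguish a deprecated value from a typo, and a typo in one of these arrays is otherwise only discovered when the declaration is rejected or, worse, when the sshd config silently falls back to its built-in list.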

SyslogRemoteServer

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“SyslogRemoteServer” Indicates that this property contains Syslog Remote Server Information
host (string)
Specifies the IP address of a remote server to which syslog sends messages.
localIp (string)
Specifies the IP address of the interface syslog binds with in order to log messages to a remote host.
remotePort (integer) 514 [0, 65535] Specifies the port to which the syslog sends messages.

System

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
autoCheck (boolean) true true, false Enables the BIG-IP system to check for and recommend software updates.
autoPhonehome (boolean) true true, false Enables the BIG-IP system to send non-confidential, high-level device information to F5 in order to help determine product usage to optimize product development.
class (string)
“System” Indicates this property contains global system settings
cliInactivityTimeout (integer) 0 [0, 128849018820] Configure automatic logout for idle users in TMSH interactive mode. A setting other than 0 automatically logs a user out after a specified number of seconds, which must be entered in multiples of 60. The default value 0 means that no timeout is set.
consoleInactivityTimeout (integer) 0 [0, 2147483647] Configure automatic logout for idle serial console sessions (command line sessions) in seconds. The default value 0 means that no timeout is set.
guiAuditLog (boolean) false true, false Enables audit logging for the GUI. Only available on TMOS v14+
guiSecurityBanner (boolean) true true, false Specifies whether the system presents on the login screen the text you specify in guiSecurityBannerText. If you disable this option, the system presents an empty frame in the right portion of the login screen.
guiSecurityBannerText (string) “Welcome to the BIG-IP Configuration Utility.\n\nLog in with your username and password using the fields on the left.”
Specifies the text to present on the login screen when the guiSecurityBanner is enabled.
hostname (string) “bigip1” format: hostname Hostname to set for the device. Note: If you set the hostname as part of the Common class, you CANNOT set a hostname in the System class (they are mutually exclusive).
mcpAuditLog (string) “enable” “disable”, “enable”, “verbose”, “all” Enables audit logging for MCP.
mgmtDhcpEnabled (boolean)
true, false Determines if Management DHCP is enabled or not.
passwordPrompt (string) “Password”
Specifies the text to present above the password field on the system’s login screen.
preserveOrigDhcpRoutes (boolean) false true, false Determines if DHCP ManagementRoute objects are preserved.
tmshAuditLog (boolean) true true, false Enables audit logging for tmsh.
usernamePrompt (string) “Username”
Specifies the text to present above the user name field on the system’s login screen.

TrafficControl

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
acceptIpOptions (boolean) false true, false Specifies whether the system accepts IPv4 packets with IP Options.
acceptIpSourceRoute (boolean) false true, false Specifies whether the system accepts IPv4 packets with IP source route options that are destined for TMM. To enable this option, you must also enable the acceptIpOptions option.
allowIpSourceRoute (boolean) false true, false Specifies whether the system allows IPv4 packets with IP source route options enabled to be routed through TMM. To enable this option, you must also enable the acceptIpOptions option.
class (string)
“TrafficControl” Indicates this property contains traffic control configuration
continueMatching (boolean) false true, false Specifies whether the system matches against a less-specific virtual server when the more-specific one is disabled or rejects / drops the packets depending on the value of rejectUnmatched.
maxIcmpRate (integer) 100 [0, 2147483647] Specifies the maximum rate per second at which the system issues ICMP errors.
maxPortFindLinear (integer) 16 [0, 61439] Specifies the maximum number of ports to search linearly for an unused outbound port.
maxPortFindRandom (integer) 16 [0, 1024] Specifies the maximum number of ports to search randomly for an unused outbound port.
maxRejectRate (integer) 250 [1, 1000] Specifies the maximum rate per second at which the system issues reject packets (TCP RST or ICMP port unreach).
maxRejectRateTimeout (integer) 30 [0, 300] Specifies the time in seconds which the system ignores ICMP port unreach and TCP RST ratelimits on becoming active after a failover.
minPathMtu (integer) 296 [68, 1500] Specifies the minimum packet size that can traverse the path without suffering fragmentation
pathMtuDiscovery (boolean) true true, false Specifies that the system discovers the MTU that it can send over a path without fragmenting TCP packets
portFindThresholdTimeout (integer) 30 [0, 300] Specifies the timeout, in seconds, for the port-exhaustion threshold warning: if a tuple does not hit the trigger value again within this many seconds of its last hit, the system stops tracking it.
portFindThresholdTrigger (integer) 8 [1, 12] Specifies the threshold warning’s trigger which is the value of random port attempts when attempting to find an unused outbound port for a connection.
portFindThresholdWarning (boolean) true true, false Specifies if the ephemeral port-exhaustion threshold warning is to be monitored.
rejectUnmatched (boolean) true true, false Specifies, when enabled, that the system returns a TCP RST or ICMP port unreach packet if no virtual servers on the system match the destination address of the incoming packet. When disabled, the system silently drops the unmatched packet.

TrafficGroup

Clustering properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
autoFailbackEnabled (boolean) false true, false Specifies whether the traffic group fails back to the default device.
autoFailbackTime (integer) 60 [0, 300] Specifies the time required to fail back.
class (string)
“TrafficGroup” Indicates that this property contains Traffic Group configuration.
failoverMethod (string) “ha-order” “ha-order” Specifies the method used to decide if the current device needs to fail over the traffic group to another device. If the failover method is set to ha-order, a list of devices and their respective HA load is used to decide the next one to take over if the current device fails.
haLoadFactor (integer) 1 [1, 1000] Specifies a number for this traffic group that represents the load this traffic group presents to the system relative to other traffic groups. This allows the failover daemon to load balance the active traffic groups amongst the devices.
haOrder (array<string>)
This list of devices specifies the order in which the devices will become active for the traffic group when a failure occurs. This list may contain zero, one, or more entries up to the number of devices in the failover device group.

Trunk

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“Trunk” Indicates that this property contains Trunk configuration.
distributionHash (string) “dst-mac” “dst-mac”, “src-dst-ipport”, “src-dst-mac” Specifies the basis for the hash that the system uses as the frame distribution algorithm. Choices are ‘dst-mac’ (use the destination MAC address), ‘src-dst-mac’ (use the source and destination MAC addresses), or ‘src-dst-ipport’ (use the source and destination IP addresses and ports).
interfaces (array<string>)  
Interfaces for the Trunk. The number of interfaces used is recommended to be a power of 2 (for example 2, 4, or 8). Interfaces must be untagged.
lacpEnabled (boolean) false true, false Specifies, when true, that the system supports the link aggregation control protocol (LACP), which monitors the trunk by exchanging control packets over the member links to determine the health of the links.
lacpMode (string) “active” “active”, “passive” Specifies the operation mode for LACP if the lacp option is enabled for the trunk. The values are ‘active’ (specifies the system periodically transmits LACP packets, regardless of the control value of the peer system) and ‘passive’ (specifies the system periodically transmits LACP packets, unless the control value of the peer system is active).
lacpTimeout (string) “long” “long”, “short” Specifies the rate at which the system sends the LACP control packets.
linkSelectPolicy (string) “auto” “auto”, “maximum-bandwidth” Sets the LACP policy that the trunk uses to determine which member link (interface) can handle new traffic.
qinqEthertype (string) “0x8100” regex: ^0x[a-fA-F0-9]{4}$ Specifies the ether-type value used for the packets handled on this trunk when it is a member in a QinQ vlan.
spanningTreeEnabled (boolean) true true, false Enables the spanning tree protocols (STP).

Tunnel

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
autoLastHop (string) “default” “default”, “enabled”, “disabled” Specifies that packets are returned to the MAC address from which they were sent when enabled. The default setting specifies that the system uses the default route to send back the request.
class (string)
“Tunnel” Indicates that this property contains Tunnel configuration.
defaultsFrom (string) “vxlan”
Specifies the existing profile from which the system imports settings for the new profile. Default value is vxlan. Can NOT default from itself.
encapsulationType (string) “vxlan” “vxlan”, “vxlan-gpe” Specifies whether the VXLAN header is formatted according to RFC 7348 (vxlan) or with the Generic Protocol Extension (vxlan-gpe). The default is vxlan.
floodingType (string) “multicast” “none”, “multicast”, “multipoint”, “replicator” Specifies the flooding type to use to transmit multicast, broadcast, and unknown destination frames. The default is multicast.
key (integer) 0 [0, infinity] When applied to a GRE tunnel, this value specifies an optional field in the GRE header, used to authenticate the source of the packet. When applied to a VXLAN or Geneve tunnel, this value specifies the Virtual Network Identifier (VNI). When applied to an NVGRE tunnel, this value specifies the Virtual Subnet Identifier (VSID).
localAddress (string) “any6”
Specifies the IP address of the local endpoint of the tunnel.
mode (string) “bidirectional” “bidirectional”, “inbound”, “outbound” Specifies how the tunnel carries traffic.
mtu (integer) 0 [0, 65535] Specifies the maximum transmission unit of the Tunnel.
port (integer) 4789 [0, 65535] Specifies the local port for receiving VXLAN packets. The default is 4789.
remark (string)
remoteAddress (string) “any6”
Specifies the IP address of the remote endpoint of the tunnel.
secondaryAddress (string) “any6”
Specifies a non-floating IP address for the tunnel, to be used with host-initiated traffic.
trafficGroup (string) “none”
Specifies the traffic group to associate with the tunnel.
transparent (boolean) false true, false Specifies that the tunnel operates in transparent mode. When enabled, you can inspect and manipulate the encapsulated traffic flowing through the BIG-IP system.
tunnelType (string)
“geneve”, “gre”, “tcp-forward”, “vxlan” Specifies the profile that you want to associate with the Tunnel. Note: As of 1.36.0, when creating a VXLAN Tunnel, accept-ip-options in traffic controls will no longer default to true. Instead it will remain the same or be set to the value in the declaration.
typeOfService (string | integer) “preserve” “preserve”, [0, 255] Specifies a value for insertion into the Type of Service octet within the IP header of the encapsulating header of transmitted packets.
usePmtu (boolean) true true, false Enable or disable the Tunnel to use Path MTU information provided by ICMP NeedFrag error messages.

User

System properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
class (string)
“User” Indicates that this property contains user configuration. — Note: This property is available only when userType is NOT ‘root’
forceInitialPasswordChange (boolean) true true, false Determines if a password change will be required on the first user login. — Note: This property is available only when userType is NOT ‘root’
keys (array<string>)
An array of public keys for the user. These will overwrite the /home/username/.ssh/authorized_keys if not root. — Note: This property is available only when userType is NOT ‘root’
newPassword (string)
Password to set for the root user.
oldPassword (string)
Old password for the root user.
partitionAccess (User_partitionAccess)
Access control configuration. — Note: This property is available only when userType is NOT ‘root’
password (string)
Password for the user. — Note: This property is available only when userType is NOT ‘root’
shell (string) “tmsh” “bash”, “tmsh”, “none” Shell for the user. — Note: This property is available only when userType is NOT ‘root’
userType (string)
“regular” The type of user. — Note: This property is available only when userType is NOT ‘root’

User_partitionAccess

User partitionAccess possible properties

Properties:

Name (Type) Default Values Description
all-partitions (User_partitionAccess_all-partitions)
The partition - either ‘Common’ or ‘all-partitions’.
Common (User_partitionAccess_Common)
The partition - either ‘Common’ or ‘all-partitions’.

User_partitionAccess_all-partitions

User_partitionAccess all-partitions possible properties

Properties:

Name (Type) Default Values Description
role (string)
“admin”, “auditor”, “guest”, “manager”, “operator”, “user-manager”, “application-editor”, “certificate-manager”, “irule-manager”, “no-access”, “resource-admin” Role for the user.

User_partitionAccess_Common

User_partitionAccess Common possible properties

Properties:

Name (Type) Default Values Description
role (string)
“admin”, “auditor”, “guest”, “manager”, “operator”, “user-manager”, “application-editor”, “certificate-manager”, “irule-manager”, “no-access”, “resource-admin” Role for the user.

VLAN

Network properties for onboarding a BIG-IP.

Properties:

Name (Type) Default Values Description
autoLastHop (string) “default” “default”, “enabled”, “disabled” When enabled, allows the system to send return traffic to the MAC address that transmitted the request, even if the routing table points to a different network or interface. As a result, the system can send return traffic to clients even when there is no matching route. Settings are default (inherited global setting), enabled, and disabled.
class (string)
“VLAN” Indicates that this property contains VLAN configuration.
cmpHash (string) “default” “default”, “dst-ip”, “src-ip” Specifies how the traffic on the VLAN will be disaggregated.
failsafeAction (string) “failover-restart-tm” “failover”, “failover-restart-tm”, “reboot”, “restart-all” Specifies the action for the system to take when the fail-safe mechanism is triggered.
failsafeEnabled (boolean) false true, false Enables a fail-safe mechanism that causes the active cluster to fail over to a redundant cluster when loss of traffic is detected on a VLAN.
failsafeTimeout (integer) 90 [10, 3600] Specifies the number of seconds that an active unit can run without detecting network traffic on this VLAN before starting a failover.
interfaces (array<VLAN_interfaces>)
Interfaces for the VLAN.
mtu (integer) 1500 [576, 9198] MTU for the VLAN.
tag (integer)
[1, 4094] Tag for the VLAN.

VLAN_interfaces

VLAN interfaces possible properties when an interface is given as an object.

Properties:

Name (Type) Default Values Description
name (string)
Name of the interface.
tagged (boolean)
true, false Whether or not the interface is tagged. Default is true if a VLAN tag is provided, otherwise false.
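As an added example (not part of this reference and not F5's own code), the following Python lints the User, User_partitionAccess and VLAN objects of a declaration against the value sets and ranges listed above, and separately flags settings that are valid but widen access (a bash shell, forceInitialPasswordChange disabled, an admin or resource-admin role on all-partitions). The declaration is constructed here, the Tenant-under-Common nesting and the "warn" classifications are the editor's assumptions, and the tagged default rule is taken from the VLAN_interfaces entry.

```python
ROLES = {"admin", "auditor", "guest", "manager", "operator", "user-manager", "application-editor",
         "certificate-manager", "irule-manager", "no-access", "resource-admin"}
SHELLS = {"bash", "tmsh", "none"}
VLAN_RANGES = {"tag": (1, 4094), "mtu": (576, 9198), "failsafeTimeout": (10, 3600)}

# Constructed sample declaration; not taken from the page or any real device.
SAMPLE = {"Common": {"class": "Tenant",
    "ops": {"class": "User", "userType": "regular", "shell": "bash",
            "password": "PLACEHOLDER", "forceInitialPasswordChange": False,
            "partitionAccess": {"all-partitions": {"role": "admin"}}},
    "reviewer": {"class": "User", "password": "PLACEHOLDER",
                 "partitionAccess": {"Common": {"role": "auditor"}}},
    "external": {"class": "VLAN", "tag": 5000, "mtu": 1500,
                 "interfaces": [{"name": "1.1"}, {"name": "1.2", "tagged": False}]}}}

def effective_tagged(vlan, iface):
    """'tagged' defaults to true when the VLAN carries a tag, otherwise false."""
    return iface.get("tagged", "tag" in vlan)

def check_user(name, user):
    """'error' = value outside the schema; 'warn' = allowed but widens access."""
    out = []
    if user.get("userType", "regular") == "root":
        return out  # root takes only newPassword/oldPassword
    shell = user.get("shell", "tmsh")
    if shell not in SHELLS:
        out.append(("error", f"{name}: shell {shell!r} not in {sorted(SHELLS)}"))
    elif shell == "bash":
        out.append(("warn", f"{name}: bash shell gives OS-level shell access"))
    if not user.get("forceInitialPasswordChange", True):
        out.append(("warn", f"{name}: forceInitialPasswordChange is disabled"))
    for scope, access in user.get("partitionAccess", {}).items():
        role = access.get("role")
        if scope not in ("Common", "all-partitions") or role not in ROLES:
            out.append(("error", f"{name}: invalid partitionAccess {scope}={role}"))
        elif scope == "all-partitions" and role in ("admin", "resource-admin"):
            out.append(("warn", f"{name}: {role} role on all-partitions"))
    return out

def check_vlan(name, vlan):
    # Range checks for the integer VLAN properties listed in the reference.
    return [("error", f"{name}: {k}={vlan[k]} outside [{lo}, {hi}]")
            for k, (lo, hi) in VLAN_RANGES.items()
            if k in vlan and not lo <= vlan[k] <= hi]

def lint(declaration):
    """Walk every Tenant and lint each User and VLAN object it contains."""
    checks = {"User": check_user, "VLAN": check_vlan}
    return [f for tenant in declaration.values()
            if isinstance(tenant, dict) and tenant.get("class") == "Tenant"
            for key, obj in tenant.items() if isinstance(obj, dict)
            for f in checks.get(obj.get("class"), lambda n, o: [])(key, obj)]
```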
