Appendix A: Schema Reference
This page is a reference for the objects you can use in your Declarations for Declarative Onboarding. For more information on BIG-IP objects and terminology, see the BIG-IP documentation at https://support.f5.com/csp/home.
Analytics
Global analytics properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Analytics” | Indicates that this property contains global analytics configuration | |
debugEnabled (boolean) | false | true, false | Enable debug mode. If debug mode is disabled, internal statistics are collected only if interval is set to the default value (300 seconds) |
interval (integer) | 300 | [20, 300] | Analytics data collection interval in seconds. If this interval is different from the default value (300 seconds), internal statistics are not collected unless debugEnabled is set to true. Minimum interval is 20 seconds, maximum interval is 300 seconds. |
offboxEnabled (boolean) | false | true, false | Enables all communication with the offbox application on the global level |
offboxProtocol (string) | “https”, “tcp” | Protocol for communication with offbox analytics application | |
offboxTcpAddresses (array<string>) | Server IP addresses used only if the ‘tcp/https’ protocol is chosen | ||
offboxTcpPort (number) | Server TCP port for the server IP addresses used only if the ‘tcp’ protocol is chosen | ||
sourceId (string) | Unique value to signify the source of data | ||
tenantId (string) | Unique id for the tenant using the analytics backend system |
Authentication
Authentication properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Authentication” | Indicates that this property contains authentication configuration. | |
enabledSourceType (string) | “local” | “radius”, “local”, “tacacs”, “ldap”, “activeDirectory” | Type of remote authentication source to enable for the system. |
fallback (boolean) | false | true, false | Specifies that the system uses the Local authentication method if the remote authentication method is not available. |
ldap (Authentication_ldap) | Remote LDAP authentication info | ||
radius (Authentication_radius) | Remote RADIUS authentication info. | ||
remoteUsersDefaults (Authentication_remoteUsersDefaults) | The default values that the BIG-IP system applies to any user account that is not part of a remotely-stored user group. | ||
tacacs (Authentication_tacacs) | TACACS+ authentication info |
Authentication_ldap
Authentication ldap possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bindDn (string) | Distinguished name of the server account. If server is a Microsoft Windows Active Directory server, the name must be an email address | ||
bindPassword (string) | Password for the server account | ||
bindTimeout (integer) | 30 | [0, 4294967295] | Timeout limit in seconds to bind to remote authentication server |
checkBindPassword (boolean) | false | true, false | Confirms the password for the server account |
checkRemoteRole (boolean) | false | true, false | Verifies a user’s group membership based on the remote-role definition, formatted as *member*of=”group-dn” |
filter (string) | Filter used for authorizing client traffic | ||
groupDn (string) | Group distinguished name for authorizing client traffic | ||
groupMemberAttribute (string) | Group member attribute for authorizing client traffic | ||
idleTimeout (integer) | 3600 | [0, 4294967295] | Connection timeout limit in seconds |
ignoreAuthInfoUnavailable (boolean) | false | true, false | Ignores authentication information if not available |
ignoreUnknownUser (boolean) | false | true, false | Ignores a user that is unknown |
loginAttribute (string) | Logon attribute. If server is a Microsoft Windows Active Directory server, the value must be the account name “samaccountname” | ||
port (integer) | 389 | [0, 65535] | Port number for the LDAP service |
referrals (boolean) | true | true, false | Specifies whether automatic referral chasing should be enabled. This is for BIG-IP 15.1+ |
searchBaseDn (string) | Search base distinguished name | ||
searchScope (string) | “sub” | “base”, “one”, “sub” | Level of remote server’s directory to search for user authentication, either base object, one level, or subtree |
searchTimeout (integer) | 30 | [0, 4294967295] | Search timeout limit in seconds |
servers (array<string>) | IP addresses or hostnames of the remote authentication servers. | ||
ssl (string) | “disabled” | “enabled”, “disabled”, “start-tls” | Enables SSL |
sslCaCert (reference | reference) | SSL certificate issued by a certificate authority | ||
sslCheckPeer (boolean) | false | true, false | Specifies whether the system checks an SSL peer |
sslCiphers (array<string>) | “ECDHE-RSA-AES128-GCM-SHA256”, “ECDHE-RSA-AES128-CBC-SHA”, “ECDHE-RSA-AES128-SHA256”, “ECDHE-RSA-AES256-GCM-SHA384”, “ECDHE-RSA-AES256-CBC-SHA”, “ECDHE-RSA-AES256-SHA384”, “ECDHE-RSA-CHACHA20-POLY1305-SHA256”, “ECDH-RSA-AES128-GCM-SHA256”, “ECDH-RSA-AES128-SHA256”, “ECDH-RSA-AES128-SHA”, “ECDH-RSA-AES256-GCM-SHA384”, “ECDH-RSA-AES256-SHA384”, “ECDH-RSA-AES256-SHA”, “AES128-GCM-SHA256”, “AES128-SHA”, “AES128-SHA256”, “AES256-GCM-SHA384”, “AES256-SHA”, “AES256-SHA256”, “CAMELLIA128-SHA”, “CAMELLIA256-SHA”, “ECDHE-ECDSA-AES128-GCM-SHA256”, “ECDHE-ECDSA-AES128-SHA”, “ECDHE-ECDSA-AES128-SHA256”, “ECDHE-ECDSA-AES256-GCM-SHA384”, “ECDHE-ECDSA-AES256-SHA”, “ECDHE-ECDSA-AES256-SHA384”, “ECDHE-ECDSA-CHACHA20-POLY1305-SHA256”, “ECDH-ECDSA-AES128-GCM-SHA256”, “ECDH-ECDSA-AES128-SHA”, “ECDH-ECDSA-AES128-SHA256”, “ECDH-ECDSA-AES256-GCM-SHA384”, “ECDH-ECDSA-AES256-SHA”, “ECDH-ECDSA-AES256-SHA384”, “DHE-RSA-AES128-GCM-SHA256”, “DHE-RSA-AES128-SHA”, “DHE-RSA-AES128-SHA256”, “DHE-RSA-AES256-GCM-SHA384”, “DHE-RSA-AES256-SHA”, “DHE-RSA-AES256-SHA256”, “DHE-RSA-CAMELLIA128-SHA”, “DHE-RSA-CAMELLIA256-SHA”, “DHE-DSS-AES128-GCM-SHA256”, “DHE-DSS-AES128-SHA”, “DHE-DSS-AES128-SHA256”, “DHE-DSS-AES256-GCM-SHA384”, “DHE-DSS-AES256-SHA”, “DHE-DSS-AES256-SHA256”, “DHE-DSS-CAMELLIA128-SHA”, “DHE-DSS-CAMELLIA256-SHA”, “ADH-AES128-GCM-SHA256”, “ADH-AES128-SHA”, “ADH-AES256-GCM-SHA384”, “ADH-AES256-SHA”, “ECDHE-RSA-DES-CBC3-SHA”, “ECDH-RSA-DES-CBC3-SHA”, “DES-CBC3-SHA”, “ECDHE-ECDSA-DES-CBC3-SHA”, “ECDH-ECDSA-DES-CBC3-SHA”, “DHE-RSA-DES-CBC3-SHA”, “ADH-DES-CBC3-SHA”, “DHE-RSA-DES-CBC-SHA”, “DES-CBC-SHA”, “ADH-DES-CBC-SHA”, “RC4-SHA”, “RC4-MD5”, “ADH-RC4-MD5”, “EXP1024-DES-CBC-SHA”, “EXP1024-RC4-SHA”, “EXP-RC4-MD5”, “EXP-DES-CBC-SHA”, “TLS13-AES128-GCM-SHA256”, “TLS13-AES256-GCM-SHA384”, “TLS13-CHACHA20-POLY1305-SHA256”, “NULL-SHA”, “NULL-MD5” | Specifies SSL ciphers | |
userTemplate (string) | Specifies a user template for the LDAP application to use for authentication. | ||
version (integer) | 3 | [2, 3] | Specifies the version number of the LDAP application. |
Authentication_radius
Authentication radius possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
servers (reference) | RADIUS servers settings | ||
serviceType (string) | “default” | “administrative”, “authenticate-only”, “call-check”, “callback-administrative”, “callback-framed”, “callback-login”, “callback-nas-prompt”, “default”, “framed”, “login”, “nas-prompt”, “outbound” | Type of service used for the RADIUS server. |
Authentication_remoteUsersDefaults
Authentication remoteUsersDefaults possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
partitionAccess (string) | “all” | “Common”, “all” | Default accessible partitions for remote users. |
role (string) | “no-access” | “acceleration-policy-editor”, “admin”, “application-editor”, “auditor”, “certificate-manager”, “firewall-manager”, “fraud-protection-manager”, “guest”, “irule-manager”, “manager”, “no-access”, “operator”, “resource-admin”, “user-manager”, “web-application-security-administrator”, “web-application-security-editor” | Role for the remote users. |
terminalAccess (string) | “disabled” | “tmsh”, “disabled” | Default terminal access for remote users. |
Authentication_tacacs
Authentication tacacs possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accounting (string) | “send-to-first-server” | “send-to-all-servers”, “send-to-first-server” | Specifies how the system returns accounting information, such as which services users access and how much network resources they consume, to the TACACS+ server. The default setting is Send to first available server. |
authentication (string) | “use-first-server” | “use-all-servers”, “use-first-server” | Specifies the process the system employs when sending authentication requests. The default is Authenticate to first server. |
debug (boolean) | false | true, false | Specifies whether to log Syslog debugging information at the LOG_DEBUG level. We do not recommend enabling this setting for normal use. The default is Disabled. |
encryption (boolean) | true | true, false | Specifies whether to use encryption of TACACS+ packets. The default is Enabled. |
protocol (string) | “lcp”, “ip”, “ipx”, “atalk”, “vines”, “lat”, “xremote”, “tn3270”, “telnet”, “rlogin”, “pad”, “vpdn”, “ftp”, “http”, “deccp”, “osicp”, “unknown” | Specifies the protocol associated with the value specified in Service Name, which is a subset of the associated service being used for client authorization or system accounting. You can use the following values: lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown. Note that the majority of TACACS+ implementations are of protocol type ip, so try that first. | |
secret (string) | Type the secret key used to encrypt and decrypt packets sent or received from the server. Do not use the pound sign ( # ) in the secret for TACACS+ servers. | ||
servers (array<string>) | Specifies a list of the IPv4 addresses for servers using the Terminal Access Controller Access System (TACACS)+ protocol with which the system communicates to obtain authorization data. For each address, an alternate TCP port number may be optionally specified by entering the address in the format address:port. If no port number is specified, the default port 49 is used. | ||
service (string) | “slip”, “ppp”, “arap”, “shell”, “tty-daemon”, “connection”, “system”, “firewall” | Specifies the name of the service that the user is requesting to be authorized to use. Identifying what the user is asking to be authorized for enables the TACACS+ server to behave differently for different types of authorization requests. You can use the following values: slip, ppp, arap, shell, tty-daemon, connection, system, and firewall. Specifying this setting is required. Note that the majority of TACACS+ implementations are of service type ppp, so try that first. |
ConfigSync
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “ConfigSync” | Indicates that this property contains config sync IP configuration. | |
configsyncIp (string) | ConfigSync IP |
DagGlobals
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DagGlobals” | Indicates that this property contains DAG Globals configuration. | |
icmpHash (string) | “icmp” | “icmp”, “ipicmp” | Specifies ICMP hash for ICMP echo request and ICMP echo reply in SW DAG. |
ipv6PrefixLength (integer) | 128 | [0, 128] | Specifies whether SPDAG or IPv6 prefix DAG should be used to disaggregate IPv6 traffic when vlan cmp hash is set to src-ip or dst-ip. |
roundRobinMode (string) | “global” | “global”, “local” | Specifies whether the round robin disaggregator (DAG) on a blade can disaggregate packets to all the TMMs in the system or only to the TMMs local to the blade. |
DbVariables
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DbVariables” | Indicates that this property contains global db variable configuration. |
Device
Top level schema for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
$schema (string) | format: uri | URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example) | |
async (boolean) | false | true, false | Tells the API to return a 202 HTTP status before processing is complete. User must then poll for status. |
class (string) | “Device” | Indicates this JSON document is a Device declaration | |
Common (Device_Common) | {“class”:“Tenant”} | Special tenant Common holds objects other tenants can share | |
controls (Device_controls) | Options to control configuration process | ||
Credentials (array<Device_Credentials>) | -, - | Credentials which can be referenced from other parts of the declaration or the remote wrapper. | |
label (string) | |||
result (Device_result) | Status of current request. This is set by the system. | ||
schemaVersion (string) | “1.45.0”, “1.44.0”, “1.43.0”, “1.42.0”, “1.41.0”, “1.40.0”, “1.39.0”, “1.38.0”, “1.37.0”, “1.36.0”, “1.35.0”, “1.34.0”, “1.33.0”, “1.32.0”, “1.31.0”, “1.30.0”, “1.29.0”, “1.28.0”, “1.27.0”, “1.26.0”, “1.25.0”, “1.24.0”, “1.23.0”, “1.22.0”, “1.21.0”, “1.20.0”, “1.19.0”, “1.18.0”, “1.17.0”, “1.16.0”, “1.15.0”, “1.14.0”, “1.13.0”, “1.12.0”, “1.11.1”, “1.11.0”, “1.10.0”, “1.9.0”, “1.8.0”, “1.7.0”, “1.6.1”, “1.6.0”, “1.5.1”, “1.5.0”, “1.4.1”, “1.4.0”, “1.3.0”, “1.2.0”, “1.1.0”, “1.0.0” | Version of BIG-IP Declarative Onboarding schema this declaration uses. | |
webhook (string) | format: uri | URL to post results to |
Device_Common
Device Common possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Tenant” | ||
hostname (string) | format: hostname | Hostname to set for the device. Note: If you set the hostname as part of the System class, you CANNOT set a hostname in the Common class (they are mutually exclusive). |
Device_controls
Device controls possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Controls” | ||
dryRun (boolean) | false | true, false | Boolean that indicates if this declaration will be run as a dry-run. If true, the declaration will NOT make any changes to the system, but will respond with whether or not it would. |
trace (boolean) | false | true, false | If true, create a detailed trace of the configuration process for subsequent analysis (default false). Warning: trace files may contain sensitive configuration data. |
traceResponse (boolean) | false | true, false | If true, the response will contain the trace files. |
userAgent (string) | User Agent information to include in TEEM report. |
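A lint pass over a declaration that ties together the security-relevant properties in the Authentication_ldap, Authentication_tacacs, Authentication_remoteUsersDefaults and Device_controls tables above. This is an added example, not F5 code: the object name myAuth, the sample declaration, and the weak-cipher and broad-role lists are assumptions of the example. Absent keys are evaluated with the schema defaults listed in the tables.

```python
import json

# Substrings marking cipher names this example treats as weak: no encryption,
# export-grade, anonymous DH, RC4, DES/3DES. The selection is an assumption.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "ADH", "RC4", "DES")
# Roles this example treats as too broad for a remote-user default (assumption).
BROAD_DEFAULT_ROLES = {"admin", "resource-admin"}


def walk(node, path=""):
    """Yield (path, obj) for every JSON object that carries a "class" key."""
    if isinstance(node, dict):
        if "class" in node:
            yield path or "/", node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")


def check_authentication(path, auth):
    findings = []
    ldap = auth.get("ldap")
    if isinstance(ldap, dict):
        if ldap.get("ssl", "disabled") == "disabled":      # schema default
            findings.append((f"{path}/ldap/ssl",
                             "LDAP traffic, including the bind password, is not protected by TLS"))
        elif not ldap.get("sslCheckPeer", False):          # schema default
            findings.append((f"{path}/ldap/sslCheckPeer",
                             "SSL is enabled but the SSL peer is not checked"))
        for cipher in ldap.get("sslCiphers", []):
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append((f"{path}/ldap/sslCiphers", f"weak cipher allowed: {cipher}"))
    tacacs = auth.get("tacacs")
    if isinstance(tacacs, dict):
        if tacacs.get("encryption", True) is False:        # schema default is true
            findings.append((f"{path}/tacacs/encryption", "TACACS+ packets are not encrypted"))
        if tacacs.get("debug", False):
            findings.append((f"{path}/tacacs/debug",
                             "LOG_DEBUG logging is not recommended for normal use"))
    defaults = auth.get("remoteUsersDefaults")
    if isinstance(defaults, dict):
        role = defaults.get("role", "no-access")           # schema default
        if role in BROAD_DEFAULT_ROLES:
            findings.append((f"{path}/remoteUsersDefaults/role",
                             f"remote users outside any group default to role {role}"))
        if defaults.get("terminalAccess", "disabled") == "tmsh":
            findings.append((f"{path}/remoteUsersDefaults/terminalAccess",
                             "remote users get tmsh terminal access by default"))
    return findings


def check_controls(path, controls):
    findings = []
    if controls.get("trace", False):
        findings.append((f"{path}/trace", "trace files may contain sensitive configuration data"))
    if controls.get("traceResponse", False):
        findings.append((f"{path}/traceResponse", "trace files are returned in the API response"))
    return findings


CHECKS = {"Authentication": check_authentication, "Controls": check_controls}


def lint(declaration):
    """Return a list of (JSON path, message) findings for a parsed declaration."""
    findings = []
    for path, obj in walk(declaration):
        cls = obj.get("class")
        check = CHECKS.get(cls) if isinstance(cls, str) else None
        if check:
            findings.extend(check(path, obj))
    return findings


# Constructed sample declaration; hostnames, addresses and the secret are placeholders.
SAMPLE = json.loads("""
{
  "schemaVersion": "1.45.0",
  "class": "Device",
  "controls": {"class": "Controls", "trace": true, "traceResponse": true},
  "Common": {
    "class": "Tenant",
    "myAuth": {
      "class": "Authentication",
      "enabledSourceType": "ldap",
      "ldap": {
        "servers": ["ldap.example.test"],
        "ssl": "enabled",
        "sslCiphers": ["ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA", "NULL-MD5"]
      },
      "tacacs": {"servers": ["192.0.2.10"], "secret": "placeholder",
                 "service": "ppp", "encryption": false},
      "remoteUsersDefaults": {"role": "admin", "partitionAccess": "all",
                              "terminalAccess": "tmsh"}
    }
  }
}
""")

if __name__ == "__main__":
    for path, message in lint(SAMPLE):
        print(f"{path}: {message}")
```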
Device_Credentials
Device Credentials possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | regex: ^.{0,254}$ | Password for username account. This is generally not required to configure ‘localhost’ and is not required when you populate tokens | |
tokens (Device_Credentials_tokens) | One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the device management service as authentication/authorization tokens | ||
username (string) | regex: ^[^:]{0,254}$ | Username of principal authorized to modify configuration of device (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of DO. It is also not required for any host if you populate tokens |
Device_result
Device result possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Result” | ||
code (string) | “OK”, “ERROR” | Status code. | |
message (string) | Further detail about the status. |
DeviceCertificate
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
certificate (DeviceCertificate_certificate) | X.509 public-key certificate | ||
class (string) | “DeviceCertificate” | Indicates that this property contains device certificate information | |
privateKey (DeviceCertificate_privateKey) | Private key matching certificate’s public key (optional) | ||
skipDeviceCertificates (boolean) | false | true, false | Specifies whether or not to compare certificate in the declaration against the certificates in the directories. |
updateTrustCerts (boolean) | false | true, false | Specifies whether or not to update the device trust certificates with the new device certificate. |
DeviceCertificate_certificate
DeviceCertificate certificate possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (string) | format: f5base64 | Base64-encoded value (in JSON string) | |
url (string) | format: uri | The URL for a required resource |
DeviceCertificate_privateKey
DeviceCertificate privateKey possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
base64 (string) | format: f5base64 | Base64-encoded value (in JSON string) | |
url (string) | format: uri | The URL for a required resource |
DeviceGroup
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
asmSync (boolean) | false | true, false | Whether or not the device group should sync ASM properties |
autoSync (boolean) | false | true, false | Whether or not the device group should auto sync |
class (string) | “DeviceGroup” | Indicates that this property contains device group configuration. | |
fullLoadOnSync (boolean) | false | true, false | Whether or not the device group should do a full load on sync |
members (array<string>) | Members to add to the device group if they are already in the trust domain | ||
networkFailover (boolean) | false | true, false | Whether or not the device group supports network failover |
owner (string) | Owning device. Config will be pushed from this device. If this is present, device group will only be created if the current device is the owner. If not present, device group will be created if it does not exist | ||
saveOnAutoSync (boolean) | false | true, false | Whether or not the device group should save on auto sync |
type (string) | “sync-failover”, “sync-only” | Type of the device group |
DeviceTrust
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DeviceTrust” | Indicates that this property contains device trust configuration. | |
localPassword (string) | The password for the localUsername | ||
localUsername (string) | The username for the local device | ||
remoteHost (string) | The remote hostname or IP address | ||
remotePassword (string) | Password for the remote user in remoteUsername | ||
remoteUsername (string) | An admin user on the remote host |
Disk
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
applicationData (integer) | [0, infinity] | Specifies the size in kilobytes for the application data. This size should be less than the current size. This API is experimental and subject to change. | |
class (string) | “Disk” | Indicates this contains Disk configuration. This API is experimental and subject to change. |
DNS
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “DNS” | Indicates that this property contains DNS configuration. | |
nameServers (array<string>) | IP addresses of name servers to use for DNS. | ||
search (array<string>) | format: hostname | Search domain to use for DNS. |
DNS_Resolver
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
answerDefaultZones (boolean) | false | true, false | Specifies whether the resolver answers queries for default zones: localhost, reverse 127.0.0.1, ::1, and AS112 zones. |
cacheSize (integer) | 5767168 | [10, 9437184] | Specifies the maximum cache size in bytes of the DNS Resolver object |
class (string) | “DNS_Resolver” | Indicates that this property contains DNS Resolver configuration. | |
forwardZones (array<DNS_Resolver_forwardZones>) | Forward zones on a DNS Resolver. A given zone name should only use the symbols allowed for a fully qualified domain name (FQDN), namely ASCII letters a through z, digits 0 through 9, hyphen, and period. For example site.example.com would be a valid zone name. A DNS Resolver configured with a forward zone will forward any queries that resulted in a cache-miss and which also match a configured zone name, to the nameserver specified on the zone. | ||
randomizeQueryNameCase (boolean) | true | true, false | Specifies whether the resolver randomizes the case of query names. |
routeDomain (string) | “0” | Specifies the name of the route domain the resolver uses for outbound traffic. | |
useIpv4 (boolean) | true | true, false | Specifies whether the resolver sends DNS queries to IPv4 |
useIpv6 (boolean) | true | true, false | Specifies whether the resolver sends DNS queries to IPv6 |
useTcp (boolean) | true | true, false | Specifies whether the resolver sends DNS queries over TCP |
useUdp (boolean) | true | true, false | Specifies whether the resolver sends DNS queries over UDP |
DNS_Resolver_forwardZones
DNS_Resolver forwardZones possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of a forward zone. | ||
nameservers (array<string>) | Specifies the IP address and service port of a recursive nameserver that answers DNS queries when the response cannot be found in the internal DNS resolver cache. Enter each address in the format address:port (IPv4) or address.port (IPv6). The port is usually 53. |
DO
Schema for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
$schema (string) | format: uri | URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example) | |
bigIqSettings (DO_bigIqSettings) | Settings for the management of a BIG-IP which is onboarded via a BIG-IQ. | ||
class (string) | “DO” | Indicates that this is a BIG-IP Declarative Onboarding request | |
declaration (DO_declaration) | Declaration to deploy to targetHost | ||
targetHost (string) | “localhost” | Hostname or IP address of ADC to which request applies (default localhost) | |
targetPassphrase (string) | Passphrase for targetUsername account. This is generally not required to configure ‘localhost’ and is not required when you populate targetTokens | ||
targetPort (integer) | 0 | [0, 65535] | TCP port number of management service on targetHost; default 0 means try common ports |
targetSshKey (DO_targetSshKey) | Private key for use in ssh operations. Corresponding public key must be in the targetUsername’s ~/.ssh/authorized_keys file on the targetHost. This is only used to do initial account creation in environments where that is necessary. If this value is present, BIG-IP DO will look in the declaration for a user matching targetUsername and set its password via ssh. | ||
targetTimeout (integer) | 900 | [1, 900] | Maximum delay allowed while communicating with targetHost device (seconds, default 900) |
targetTokens (string | DO_targetTokens) | One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the targetHost management service as authentication/authorization tokens | ||
targetUsername (string) | Username of principal authorized to modify configuration of targetHost (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of BIG-IP DO. It is also not required for any targetHost if you populate targetTokens |
DO_bigIqSettings
DO bigIqSettings possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
accessModuleProperties (DO_bigIqSettings_accessModuleProperties) | Key/value properties for importing access module. If apm module is not listed in provision section of current declaration, BIG-IQ will only discover/import ltm module. | ||
clusterName (string) | Cluster display name on BIG-IQ. | ||
conflictPolicy (string) | “NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” | Conflict policy for shared objects. For Access, a shared import will Accept/USE_BIGIP for all shared and device-specific objects. | |
deployWhenDscChangesPending (boolean) | true, false | Deploy when there are pending DSC changes on BIG-IP. | |
deviceConflictPolicy (string) | “NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” | Conflict policy for device-specific objects. For Access, a device-specific import will Accept/USE_BIGIP for all device-specific objects. If value not provided the value will be the same as conflictPolicy. | |
failImportOnConflict (boolean) | false | true, false | Whether or not to fail import task on conflicts. |
snapshotWorkingConfig (boolean) | false | true, false | Whether or not to snapshot the working configuration for current device before the import. |
statsConfig (DO_bigIqSettings_statsConfig) | Options for configuring http analytics/avr on BIG-IQ. | ||
useBigiqSync (boolean) | true, false | Instead of using the BIG-IP cluster sync to synchronize cluster devices configuration, use BIG-IQ to push changes to cluster devices during deployment. | |
versionedConflictPolicy (string) | “NONE”, “USE_BIGIP”, “USE_BIGIQ”, “KEEP_VERSION” | Conflict policy for version-specific objects. This is used for all the devices for which device specific versionedConflictPolicy is not specified. If value not provided the value will be the same as conflictPolicy. |
DO_bigIqSettings_statsConfig
DO_bigIqSettings statsConfig possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | false | true, false | Whether or not to enable collecting statistics for this device |
zone (string) | “default” | User-defined names that associate BIG-IP devices with one or more data collection device (DCD) systems to provide optimal routing for statistics traffic. |
DO_declaration
DO declaration possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
$schema (string) | format: uri | URL of schema against which to validate. Used by validation in your local environment only (via Visual Studio Code, for example) | |
async (boolean) | false | true, false | Tells the API to return a 202 HTTP status before processing is complete. User must then poll for status. |
class (string) | “Device” | Indicates this JSON document is a Device declaration | |
Common (DO_declaration_Common) | {“class”:“Tenant”} | Special tenant Common holds objects other tenants can share | |
controls (DO_declaration_controls) | Options to control configuration process | ||
Credentials (array<DO_declaration_Credentials>) | -, - | Credentials which can be referenced from other parts of the declaration or the remote wrapper. | |
label (string) | |||
result (DO_declaration_result) | Status of current request. This is set by the system. | ||
schemaVersion (string) | “1.45.0”, “1.44.0”, “1.43.0”, “1.42.0”, “1.41.0”, “1.40.0”, “1.39.0”, “1.38.0”, “1.37.0”, “1.36.0”, “1.35.0”, “1.34.0”, “1.33.0”, “1.32.0”, “1.31.0”, “1.30.0”, “1.29.0”, “1.28.0”, “1.27.0”, “1.26.0”, “1.25.0”, “1.24.0”, “1.23.0”, “1.22.0”, “1.21.0”, “1.20.0”, “1.19.0”, “1.18.0”, “1.17.0”, “1.16.0”, “1.15.0”, “1.14.0”, “1.13.0”, “1.12.0”, “1.11.1”, “1.11.0”, “1.10.0”, “1.9.0”, “1.8.0”, “1.7.0”, “1.6.1”, “1.6.0”, “1.5.1”, “1.5.0”, “1.4.1”, “1.4.0”, “1.3.0”, “1.2.0”, “1.1.0”, “1.0.0” | Version of BIG-IP Declarative Onboarding schema this declaration uses. | |
webhook (string) | format: uri | URL to post results to |
DO_declaration_Common
DO_declaration Common possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Tenant” | ||
hostname (string) | format: hostname | Hostname to set for the device. Note: If you set the hostname as part of the System class, you CANNOT set a hostname in the Common class (they are mutually exclusive). |
DO_declaration_controls
DO_declaration controls possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Controls” | ||
dryRun (boolean) | false | true, false | Boolean that indicates if this declaration will be run as a dry-run. If true, the declaration will NOT make any changes to the system, but will respond with whether or not it would. |
trace (boolean) | false | true, false | If true, create a detailed trace of the configuration process for subsequent analysis (default false). Warning: trace files may contain sensitive configuration data. |
traceResponse (boolean) | false | true, false | If true, the response will contain the trace files. |
userAgent (string) | User Agent information to include in TEEM report. |
DO_declaration_Credentials
DO_declaration Credentials possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | regex: ^.{0,254}$ | Password for username account. This is generally not required to configure ‘localhost’ and is not required when you populate tokens | |
tokens (DO_declaration_Credentials_tokens) | One or more HTTP headers (each a property, like ‘X-F5-Auth-Token’: ‘ABCABC’) you want to send with queries to the device management service as authentication/authorization tokens | ||
username (string) | regex: ^[^:]{0,254}$ | Username of principal authorized to modify configuration of device (may not include the character ‘:’). NOTE: this is generally not required to configure ‘localhost’ because client authentication and authorization precede invocation of DO. It is also not required for any host if you populate tokens |
DO_declaration_result
DO_declaration result possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Result” | ||
code (string) | “OK”, “ERROR” | Status code. | |
message (string) | Further detail about the status. |
DO_targetSshKey
DO targetSshKey possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
path (string) | Full path to private ssh key. File must be owned by restnoded. |
FailoverMulticast
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | “any6” | IP address to listen on for multicast failover. This address cannot have a CIDR. | |
class (string) | “FailoverMulticast” | Indicates that this property contains multicast failover configuration. | |
interface (string) | “none” | Specifies the interface name used for the failover multicast IP address. Specifying ‘none’ (the default) here disables Failover Multicast on the BIG-IP. | |
port (number) | 0 | Port to listen on for failover heartbeats. |
FailoverUnicast
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | IP address to listen on for failover heartbeats | ||
addressPorts (array<FailoverUnicast_addressPorts>) | An array of address and port objects, that will create multiple failover unicast objects in the BIG-IP device. This array is mutually exclusive from using the other address and port features. Available in BIG-IP DO 1.15 and later. | ||
class (string) | “FailoverUnicast” | Indicates that this property contains failover unicast address configuration. | |
port (number) | Port to listen on for failover heartbeats. The default is 1026. |
FailoverUnicast_addressPorts¶
FailoverUnicast addressPorts possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | IP address to listen on for failover heartbeats | ||
port (number) | 1026 | Port to listen on for failover heartbeats |
FirewallAddressList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
class (string) | “FirewallAddressList” | ||
fqdns (array<string>) | format: hostname | A list of fully qualified domain names. | |
geo (array<string>) | A list of geographic locations (for example, US:Washington). | ||
label (string) | |||
remark (string) |
FirewallPolicy¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “FirewallPolicy” | Indicates that this property contains firewall policy configuration | |
label (string) | |||
remark (string) | |||
rules (array<FirewallPolicy_rules>) | Specifies the list of firewall policy rules |
FirewallPolicy_rules¶
FirewallPolicy rules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “accept”, “drop”, “accept-decisively”, “reject” | Specifies the action that the firewall rule will take on matching packets | |
destination (FirewallPolicy_rules_destination) | Configures the packet destination to which the network firewall rule applies | ||
label (string) | |||
loggingEnabled (boolean) | false | true, false | Specifies whether the system enables or disables logging for the firewall rule |
name (string) | Specifies the name of the firewall rule | ||
protocol (string) | “any” | “any”, “tcp”, “udp” | Specifies the protocol to which the firewall rule applies |
remark (string) | |||
source (FirewallPolicy_rules_source) | Configures the packet sources to which the network firewall rule applies |
FirewallPolicy_rules_destination¶
FirewallPolicy_rules destination possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<string>) | Specifies a list of address lists against which the packet will be compared. | ||
portLists (array<string>) | Specifies a list of port lists against which the packet will be compared. |
FirewallPolicy_rules_source¶
FirewallPolicy_rules source possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<string>) | Specifies a list of address lists against which the packet will be compared. | ||
portLists (array<string>) | Specifies a list of port lists against which the packet will be compared. |
FirewallPortList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “FirewallPortList” | ||
label (string) | |||
ports (array<integer | string>) | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). | |
remark (string) |
GSLBDataCenter¶
GSLB properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLBDataCenter” | ||
contact (string) | Specifies the name of the administrator or the name of the department that manages the data center | ||
enabled (boolean) | true | true, false | Specifies whether the data center is enabled or disabled |
location (string) | Specifies the location of the data center | ||
proberFallback (string) | “any-available” | “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is any-available |
proberPool (string) | Specifies a prober pool to monitor servers defined in the data center when proberPreferred or proberFallback are a value of pool. | ||
proberPreferred (string) | “inside-datacenter” | “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inside-datacenter. Note: Prober pools are not used by the bigip monitor |
remark (string) |
GSLBGlobals¶
GSLB properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLBGlobals” | Indicates that this property contains gslb global settings configuration. | |
general (GSLBGlobals_general) | GSLB general global settings. |
GSLBGlobals_general¶
GSLBGlobals general possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
synchronizationEnabled (boolean) | false | true, false | Specifies if the system is a member of a synchronization group. |
synchronizationGroupName (string) | “default” | Specifies the name of the synchronization group that the system belongs to. | |
synchronizationTimeout (integer) | 180 | [0, 4294967295] | Specifies the number of seconds that the system attempts to sync the GSLB configuration with a sync group member. |
synchronizationTimeTolerance (integer) | 10 | [0, 600] | Specifies the number of seconds that one system can be out of sync with another in the synchronization group. A value of 0 turns time synchronization off. The values 1-4 are not allowed. |
GSLBMonitor¶
GSLB properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
ciphers (string) | “DEFAULT” | Ciphersuite selection string | |
class (string) | “GSLBMonitor” | ||
clientCertificate (string) | Pointer to client Certificate declaration, for TLS authentication (optional) | ||
debugEnabled (boolean) | false | true, false | When enabled, the monitor sends error messages and additional information to a log file created and labeled specifically for this monitor. The default is false (disabled) |
ignoreDownResponseEnabled (boolean) | false | true, false | Specifies whether the monitor immediately marks an object down when it receives a down response. If enabled, the monitor ignores the down response for the duration of timeout. The default is false (disabled) |
interval (integer) | 30 | [0, 86399] | Specifies, in seconds, the frequency at which the system issues the monitor check when either the resource is down or the status of the resource is unknown |
label (string) | |||
monitorType (string) | “http”, “https”, “gateway-icmp”, “tcp”, “udp” | Specifies the type of monitor | |
probeAttempts (integer) | 3 | [0, infinity] | Specifies the number of times the BIG-IP system attempts to probe the host server, after which the BIG-IP system considers the host server down or unavailable |
probeInterval (integer) | 1 | [0, infinity] | Specifies the frequency at which the BIG-IP system probes the host server |
probeTimeout (integer) | 5 | [0, 86400] | Specifies the number of seconds after which the system times out the probe request to the system |
receive (string) | “HTTP/1.” | Specifies the text string that the monitor looks for in the returned resource. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
remark (string) | |||
reverseEnabled (boolean) | false | true, false | When enabled, a successful check marks the monitored object down instead of up. You can use the Reverse mode only if you configure both the send and receive options |
send (string) | “HEAD / HTTP/1.0\r\n\r\n” | Specifies the text string that the monitor sends to the target object. If you do not specify a value for both the send and receive options, the monitor performs a simple service check and connect only | |
target (string) | “:” | Specifies the IP address and service port of the resource that is the destination of this monitor. Format is ip:port | |
timeout (integer) | 120 | [0, 86400] | Specifies the number of seconds the target has in which to respond to the monitor request |
transparent (boolean) | false | true, false | Enables monitoring of pool members through firewalls. The default value is false (disabled) |
GSLBProberPool¶
GSLB properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “GSLBProberPool” | Indicates that this property contains GSLB Prober Pool configuration | |
enabled (boolean) | true | true, false | Specifies whether this pool is available for conducting probes |
label (string) | |||
lbMode (string) | “global-availability” | “global-availability”, “round-robin” | Specifies the load balancing mode that the system uses to select the members of this pool |
members (array<GSLBProberPool_members>) | Specifies the members of the prober pool | ||
remark (string) |
GSLBProberPool_members¶
GSLBProberPool members possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
enabled (boolean) | true | true, false | Specifies whether the server can be used as a member of a prober pool |
label (string) | |||
remark (string) | |||
server (string) | Specifies the GSLB Server name of the pool member |
GSLBServer¶
GSLB properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bpsLimit (integer) | 0 | [0, infinity] | Specifies the maximum allowable data throughput rate, in bits per second, for the virtual servers on the server. If the network traffic volume exceeds this limit, the system marks the server as unavailable |
bpsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for the virtual servers on the server. The default value is false (disabled) |
class (string) | “GSLBServer” | Indicates that this property contains GSLB server configuration | |
connectionsLimit (integer) | 0 | [0, infinity] | Specifies the number of current connections allowed for the virtual servers on the server. If the current connections exceed this value, the system marks the server as unavailable |
connectionsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum current connections option for the virtual servers on the server. The default value is false (disabled) |
cpuUsageLimit (integer) | 0 | [0, infinity] | Specifies the percent of CPU usage. If percent of CPU usage goes above the limit, the system marks the server as unavailable |
cpuUsageLimitEnabled (boolean) | false | true, false | Enables or disables the CPU Usage limit option for this pool. The default value is false (disabled) |
dataCenter (string) | Specifies the GSLB data center to which the server belongs | ||
devices (array<GSLBServer_devices>) | Specifies the actual device(s) that are represented by this server object | ||
enabled (boolean) | true | true, false | Specifies whether the server is enabled or disabled |
exposeRouteDomainsEnabled (boolean) | false | true, false | Allows virtual servers from all route domains to be auto-discovered. The default setting is false |
label (string) | |||
memoryLimit (integer) | 0 | [0, infinity] | Specifies the available memory in kilobytes required by the virtual servers on the server. If available memory falls below this limit, the system marks the server as unavailable |
memoryLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Bits Per Second (BPS) option for this pool. The default value is false (disabled) |
monitors (array<string>) | Specifies the path and name of the health monitors that the system uses to determine whether it can use this server for load balancing | ||
pathProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device will be used to conduct a path probe before traffic will be delegated to it. The default value is true (enabled) |
ppsLimit (integer) | 0 | [0, infinity] | Specifies the maximum allowable data transfer rate, in packets per second, for the virtual servers on the server. If the network traffic volume exceeds this value, the system marks the server as unavailable |
ppsLimitEnabled (boolean) | false | true, false | Enables or disables the maximum Packets Per Second (PPS) option for the virtual servers on the server. The default value is false (disabled) |
proberFallback (string) | “inherit” | “inherit”, “any-available”, “inside-datacenter”, “none”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center when the preferred type is not available. The default value is inherit |
proberPool (string) | Specifies the name of a prober pool to use to monitor this server’s resources when either the proberPreferred or proberFallback value is pool | ||
proberPreferred (string) | “inherit” | “inherit”, “inside-datacenter”, “outside-datacenter”, “pool” | Specifies the type of prober to use to monitor servers defined in this data center. The default value is inherit. Note: Prober pools are not used by the bigip monitor |
remark (string) | |||
serverType (string) | “bigip” | “bigip”, “generic-host” | Specifies the server type. The server type determines the metrics that the system can collect from the server |
serviceCheckProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device will be used to conduct a service check probe before traffic will be delegated to it. The default value is true (enabled) |
snmpProbeEnabled (boolean) | true | true, false | Specifies whether this BIG-IP device will be used to conduct an SNMP probe before traffic will be delegated to it. The default value is true (enabled) |
virtualServerDiscoveryMode (string) | “disabled” | “disabled”, “enabled”, “enabled-no-delete” | Specifies virtual server auto-discovery settings. Use ‘enabled’ (add, modify, delete), ‘enabled-no-delete’ (add, modify) or the default ‘disabled’ (manual configuration) |
virtualServers (array<GSLBServer_virtualServers>) | Specifies the virtual server(s) that are resources on this server object |
GSLBServer_devices¶
GSLBServer devices possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Specifies an external (public) address for the device. If BIG-IP DNS configuration synchronization is enabled and all existing addresses for a device are being replaced, new addresses should be added and synchronized before old addresses are removed, otherwise the changes may fail to synchronize. Alternatively, the address configuration changes can be performed on each BIG-IP DNS system | |
addressTranslation (string) | format: f5ip | Specifies the internal (private) address that corresponds to the external address | |
label (string) | |||
remark (string) |
GSLBServer_virtualServers¶
GSLBServer virtualServers possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Specifies the IP address for the virtual server | |
addressTranslation (string) | format: f5ip | Specifies the public address that this virtual server translates into when the GSLB provider communicates between the network and the Internet | |
addressTranslationPort (integer) | 0 | [0, 65535] | Specifies the translation port number for the virtual server |
enabled (boolean) | true | true, false | Specifies whether the virtual server is enabled or disabled |
label (string) | |||
monitors (array<string>) | Specifies the health monitors that the system uses to determine whether it can use this linked virtual server for load balancing | ||
name (string) | Specifies the name of the virtual server | ||
port (integer) | 0 | [0, 65535] | Specifies the L4 port for the service (like 443 for HTTPS) |
remark (string) |
HTTPD¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allow (string | array<string>) | “all” | “all”, “none” | Configures IP addresses for the HTTP clients from which the httpd daemon accepts requests. |
authPamIdleTimeout (integer) | 1200 | [120, 2147483647] | Specifies the number of seconds of inactivity that can elapse before the GUI session is automatically logged out. |
class (string) | “HTTPD” | Configures the HTTP daemon for the system. Important: F5 Networks recommends that users of the Configuration utility exit the utility before changes are made to the system using the httpd component. This is because making changes to the system using this component causes a restart of the httpd daemon. Additionally, restarting the httpd daemon creates the necessity for a restart of the Configuration utility. | |
maxClients (integer) | 10 | [10, 256] | Maximum number of clients allowed to be simultaneously connected. |
sslCiphersuite (array<string>) | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256 | regex: ^[0-9A-Za-z!:-+.~@$%^&*()_=[]|]+$ | Specifies the ciphers that the system uses. |
sslProtocol (string) | “all -SSLv2 -SSLv3 -TLSv1” | The list of SSL protocols to accept on the management console. A space-separated list of tokens in the format accepted by the Apache mod_ssl SSLProtocol directive. |
License¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addOnKeys (array<string>) | regex: ^[A-Z]{7}-[A-Z]{7}$ | Add on keys. | |
bigIpPassword (string) | Password for the user in bigIpUsername. Used by BIG-IQ to login to BIG-IP if ‘reachable’ is true. | ||
bigIpUsername (string) | An admin user on the BIG-IP. Used by BIG-IQ to login to BIG-IP if ‘reachable’ is true. | ||
bigIqAuthProvider (string) | Name of auth provider on BIG-IQ. Default is to use TMOS. | ||
bigIqHost (string) | The BIG-IQ hostname or IP address. | ||
bigIqPassword (string) | Password for the user in bigIqUsername. | ||
bigIqPasswordUri (string) | format: uri | URI which will return the password for the user in bigIqUsername. | |
bigIqUsername (string) | An admin user on the BIG-IQ. | ||
chargebackTag (string) | An optional text string which can be used as a charge back tag. | ||
class (string) | “License” | Indicates that this property contains licensing information. | |
hypervisor (string) | Hypervisor which is running the BIG-IP. Required by BIG-IQ if ‘reachable’ is false. | ||
licensePool (string) | Name of the BIG-IQ license pool from which to get a new license. | ||
licenseType (string) | “regKey” | The type of license | |
overwrite (boolean) | false | true, false | Whether or not to overwrite the current license if the device is already licensed. |
reachable (reference) | |||
regKey (string) | regex: ^([A-Z]{5}-[A-Z]{5}-[A-Z]{5}-[A-Z]{5}-[A-Z]{7})|([A-Z][0-9]{4}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{7})$ | Registration key. | |
revokeCurrent (boolean) | false | true, false | Whether or not to revoke the current license if the device is already licensed. |
revokeFrom (string | License_revokeFrom) | Current license should be revoked from the pool specified. Either just the name of the pool (if old license is on the same BIG-IQ as in the main License section) or full licensePoolInfo (if old license is on a different BIG-IQ) | ||
skuKeyword1 (string) | skuKeyword1 parameter for subscription licensing. | ||
skuKeyword2 (string) | skuKeyword2 parameter for subscription licensing. | ||
tenant (string) | An optional description for the license. Can be useful in a clustered environment. Requires that reachable is set to false. | ||
unitOfMeasure (string) | “yearly”, “monthly”, “daily”, “hourly” | unitOfMeasure parameter for subscription licensing. |
License_revokeFrom¶
License revokeFrom possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bigIqAuthProvider (string) | Name of auth provider on BIG-IQ. Default is to use TMOS. | ||
bigIqHost (string) | The BIG-IQ hostname or IP address. | ||
bigIqPassword (string) | Password for the user in bigIqUsername. | ||
bigIqPasswordUri (string) | format: uri | URI which will return the password for the user in bigIqUsername. | |
bigIqUsername (string) | An admin user on the BIG-IQ. | ||
licensePool (string) | Name of the BIG-IQ license pool. | ||
reachable (boolean) | true | true, false | Whether or not BIG-IQ has a route to the BIG-IP device. |
MAC_Masquerade¶
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “MAC_Masquerade” | Indicates that this property contains MAC masquerade configuration. | |
source (MAC_Masquerade_source) | MAC address source to use for masquerading. | ||
trafficGroup (string) | “traffic-group-1” | “traffic-group-local-only”, “traffic-group-1” | Traffic group to apply the MAC masquerade to. |
MAC_Masquerade_source¶
MAC_Masquerade source possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
interface (string) | Generate a MAC address from an interface |
ManagementIp¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: ipWithRequiredPrefix | IP address. | |
class (string) | “ManagementIp” | Indicates this property contains management IP configuration. Note that if you set this you will have to poll for status on the new address. | |
remark (string) |
ManagementIpFirewall¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “ManagementIpFirewall” | Indicates this property contains management IP firewall configuration. | |
label (string) | |||
remark (string) | |||
rules (array<ManagementIpFirewall_rules>) | Specifies the list of firewall rules |
ManagementIpFirewall_rules¶
ManagementIpFirewall rules possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “accept”, “drop”, “accept-decisively”, “reject” | Specifies the action that the firewall rule will take on matching packets | |
destination (ManagementIpFirewall_rules_destination) | Configures the packet destination to which the network firewall rule applies | ||
label (string) | |||
loggingEnabled (boolean) | false | true, false | Specifies whether the system enables or disables logging for the firewall rule |
name (string) | Specifies the name of the firewall rule | ||
protocol (string) | “any” | “any”, “tcp”, “udp” | Specifies the protocol to which the firewall rule applies |
remark (string) | |||
source (ManagementIpFirewall_rules_source) | Configures the packet sources to which the network firewall rule applies |
ManagementIpFirewall_rules_destination¶
ManagementIpFirewall_rules destination possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<string>) | Specifies a list of address lists against which the packet will be compared. | ||
portLists (array<string>) | Specifies a list of port lists against which the packet will be compared. |
ManagementIpFirewall_rules_source¶
ManagementIpFirewall_rules source possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressLists (array<string>) | Specifies a list of address lists against which the packet will be compared. | ||
portLists (array<string>) | Specifies a list of port lists against which the packet will be compared. |
ManagementRoute¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “ManagementRoute” | Indicates this property contains management route configuration | |
gw (string) | Gateway for the management route. | ||
mtu (integer) | 0 | [0, 65535] | MTU for the management route. |
network (string) | “default” | IP address/netmask for the management route | |
remark (string) | |||
type (string) | “interface”, “blackhole” | Type of the management route |
MirrorIp¶
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “MirrorIp” | Indicates IP addresses to use for connection and persistence mirroring. | |
primaryIp (string) | “any6” | IP of primary mirror. Specify ‘any6’ to disable. | |
secondaryIp (string) | “any6” | IP of secondary mirror. Specify ‘any6’ to disable. |
NetAddressList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addresses (array<string>) | A list of IPv4 and IPv6 addresses and address ranges. You can specify a network with CIDR slash notation. | ||
class (string) | “NetAddressList” | ||
remark (string) |
NetPortList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “NetPortList” | ||
ports (array<integer | string>) | [-infinity, infinity] | A list of ports and port ranges (for example, 80, “8080-8090”). | |
remark (string) |
NTP¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “NTP” | Indicates that this property contains NTP configuration. | |
servers (array<string>) | IP addresses of servers to use for NTP. | ||
timezone (string) | “UTC” | The timezone to set. |
PasswordPolicy¶
Authentication properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “PasswordPolicy” | Indicates that this property contains password policy configuration. | |
expirationWarningDays (integer) | 7 | [1, 255] | Specifies the number of days prior to password expiration that the system sends a warning message to users. |
lockoutDurationSeconds (integer) | 0 | [0, 999999] | Specifies the number of seconds after which locked-out users are automatically reinstated. 0 means users must be manually reinstated. This is for BIG-IP 15.1+ |
maxDurationDays (integer) | 99999 | [0, 99999] | Specifies the maximum number of days a password is valid. |
maxLoginFailures (integer) | 0 | [0, 65535] | Specifies the number of consecutive unsuccessful login attempts that the system allows before locking out the user. 0 means disabled. |
minDurationDays (integer) | 0 | [0, 255] | Specifies the minimum number of days a password is valid. |
minLength (integer) | 6 | [6, 255] | Specifies the minimum number of characters in a valid password. |
passwordMemory (integer) | 0 | [0, 127] | Specifies the number of former passwords that the BIG-IP system retains to prevent the user from reusing a recent password. |
policyEnforcementEnabled (boolean) | true | true, false | Enables or disables the password policy. |
requiredLowercase (integer) | 0 | [0, 127] | Specifies the number of lowercase alpha characters that must be present in a password for the password to be valid. |
requiredNumeric (integer) | 0 | [0, 127] | Specifies the number of numeric characters that must be present in a password for the password to be valid. |
requiredSpecial (integer) | 0 | [0, 127] | Specifies the number of special characters that must be present in a password for the password to be valid. |
requiredUppercase (integer) | 0 | [0, 127] | Specifies the number of uppercase alpha characters that must be present in a password for the password to be valid. |
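The HTTPD and PasswordPolicy tables above leave several security-relevant settings permissive by default (for example `maxLoginFailures` 0, `minLength` 6, `allow` “all”). The following Python audit is an added example, not part of the F5 documentation or the DO code base: it walks a declaration, checks the integer ranges listed in those two tables, and reports settings that fall below a local hardening baseline. The function names, `MIN_LENGTH_POLICY`, `WEAK_PROTOCOLS`, the expansion of `all` in `ALL_PROTOCOLS`, and the sample declaration (including its Device/Tenant envelope) are assumptions of this example.

```python
"""Audit HTTPD and PasswordPolicy objects found anywhere in a DO declaration."""

# (minimum, maximum, default) copied from the schema tables on this page.
RANGES = {
    "PasswordPolicy": {
        "expirationWarningDays": (1, 255, 7),
        "lockoutDurationSeconds": (0, 999999, 0),
        "maxDurationDays": (0, 99999, 99999),
        "maxLoginFailures": (0, 65535, 0),
        "minDurationDays": (0, 255, 0),
        "minLength": (6, 255, 6),
        "passwordMemory": (0, 127, 0),
        "requiredLowercase": (0, 127, 0),
        "requiredNumeric": (0, 127, 0),
        "requiredSpecial": (0, 127, 0),
        "requiredUppercase": (0, 127, 0),
    },
    "HTTPD": {"authPamIdleTimeout": (120, 2147483647, 1200), "maxClients": (10, 256, 10)},
}
DEFAULT_SSL_PROTOCOL = "all -SSLv2 -SSLv3 -TLSv1"
DEFAULT_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA "
    "ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 "
    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA "
    "ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 "
    "AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA AES128-SHA256 AES256-SHA256"
).split()

# Assumptions of this example (local policy, not values from the page):
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # what "all" expands to
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
MIN_LENGTH_POLICY = 12


def enabled_protocols(spec):
    """Evaluate a mod_ssl SSLProtocol-style token list left to right."""
    enabled = set()
    for token in spec.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name.lower()}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:  # a bare token replaces whatever was selected before it
            enabled = set(members)
    return enabled


def find_objects(node, path="declaration"):
    """Yield (path, object) for every nested dict whose class is audited here."""
    if isinstance(node, dict):
        if isinstance(node.get("class"), str) and node["class"] in RANGES:
            yield path, node
        for key, value in node.items():
            yield from find_objects(value, f"{path}.{key}")


def audit(declaration):
    """Return a list of (path, property, message) findings."""
    findings = []
    for path, obj in find_objects(declaration):
        cls, val = obj["class"], {}
        for name, (low, high, default) in RANGES[cls].items():
            v = obj.get(name, default)  # absent properties take the schema default
            ok = isinstance(v, int) and not isinstance(v, bool) and low <= v <= high
            val[name] = v if ok else None
            if not ok:
                findings.append((path, name, f"schema: {v!r} is not an integer in [{low}, {high}]"))
        if cls == "PasswordPolicy":
            if not obj.get("policyEnforcementEnabled", True):
                findings.append((path, "policyEnforcementEnabled", "password policy is disabled"))
            if val["maxLoginFailures"] == 0:
                findings.append((path, "maxLoginFailures", "0 disables lockout after failed logins"))
            if val["passwordMemory"] == 0:
                findings.append((path, "passwordMemory", "0 allows immediate password reuse"))
            if val["minLength"] is not None and val["minLength"] < MIN_LENGTH_POLICY:
                findings.append((path, "minLength", f"{val['minLength']} is below {MIN_LENGTH_POLICY}"))
        else:  # HTTPD
            if obj.get("allow", "all") in ("all", ["all"]):
                findings.append((path, "allow", "httpd accepts requests from any client address"))
            weak = enabled_protocols(obj.get("sslProtocol", DEFAULT_SSL_PROTOCOL)) & WEAK_PROTOCOLS
            if weak:
                findings.append((path, "sslProtocol", "legacy protocols enabled: " + ", ".join(sorted(weak))))
            # Heuristic on OpenSSL-style names: no (EC)DHE prefix means static RSA key exchange.
            ciphers = obj.get("sslCiphersuite", DEFAULT_CIPHERS)
            no_fs = [c for c in ciphers if not c.startswith(("ECDHE", "DHE", "TLS_", "!", "-"))]
            if no_fs:
                findings.append((path, "sslCiphersuite", "no forward secrecy: " + ", ".join(no_fs)))
    return findings


SAMPLE = {  # constructed declaration for illustration
    "schemaVersion": "1.15.0",
    "class": "Device",
    "Common": {
        "class": "Tenant",
        "myHttpd": {"class": "HTTPD", "allow": ["192.0.2.10"], "maxClients": 512,
                    "sslProtocol": "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
                    "sslCiphersuite": ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]},
        "myPolicy": {"class": "PasswordPolicy", "minLength": 8, "maxLoginFailures": 5,
                     "passwordMemory": 10},
    },
}

if __name__ == "__main__":
    for path, prop, message in audit(SAMPLE):
        print(f"{path}.{prop}: {message}")
```

Running the audit on an object that sets only `class` shows what the schema defaults alone leave open.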
Provision¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Provision” | Indicates that this property contains module provisioning configuration. |
RemoteAuthRole¶
Authentication properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
attribute (string) | Specifies an attribute-value pair that an authentication server supplies to the BIG-IP system to match against entries in /config/bigip/auth/remoterole. The specified pair typically identifies users with access rights in common. This option is required. | ||
class (string) | “RemoteAuthRole” | Indicates that this property contains RemoteAuthRole configuration. | |
console (string | string) | “disabled” | “disabled”, “tmsh”, regex: ^%.+ | Specifies if the remotely-authenticated users have tmsh console access or not. Accepted values are ‘disabled’ and ‘tmsh’. |
lineOrder (integer) | [0, 4294967295] | The BIG-IP only allows one role per user for each partition/tenant. Because some remote servers allow multiple user roles, the BIG-IP uses the lineOrder parameter to choose one of the conflicting roles for the user at login time. In these cases, the system chooses the role with the lowest line-order number. See line order in the BIG-IP documentation for more information and examples. | |
remoteAccess (boolean) | false | true, false | Enables remote access for the specified group of remotely-authenticated users. |
role (string | string) | “no-access” | “admin”, “application-editor”, “auditor”, “certificate-manager”, “firewall-manager”, “fraud-protection-manager”, “guest”, “irule-manager”, “manager”, “no-access”, “operator”, “resource-admin”, “user-manager”, “web-application-security-administrator”, “web-application-security-editor”, regex: ^%.+ | Specifies the role that you want to grant to the specified group of remotely-authenticated users. |
userPartition (string | string) | “Common” | Specifies the BIG-IP partition to which you are assigning access to the specified group of remotely-authenticated users. The default value is Common. This option is required. |
Route¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Route” | Indicates that this property contains Route configuration. | |
gw (string) | format: f5ip | Gateway for the route. | |
localOnly (boolean) | false | true, false | A boolean to indicate if the Route should be added to the LOCAL_ONLY partition. ‘Across Network’ clusters in AWS require this partition to be configured. |
mtu (integer) | [0, 9198] | MTU for the route. | |
network (string) | “default” | IP address/netmask for route | |
target (string) | The VLAN or Tunnel for the Route. |
RouteDomain¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
bandWidthControllerPolicy (string) | Specifies the bandwidth controller policy for the route domain. | ||
class (string) | “RouteDomain” | Indicates that this property contains Route Domain configuration. | |
connectionLimit (integer) | 0 | [0, 4294967295] | The connection limit for the route domain. |
enforcedFirewallPolicy (string) | Specifies an enforced firewall policy on the route domain. | ||
flowEvictionPolicy (string) | Specifies a flow eviction policy for the route domain to use. | ||
id (integer) | [0, 65534] | Specifies a unique numeric identifier for the route domain. | |
ipIntelligencePolicy (string) | Specifies an IP intelligence policy for the route domain to use. | ||
parent (string) | Specifies the route domain the system searches when it cannot find a route in the configured domain. | ||
routingProtocols (array<string>) | “BFD”, “BGP”, “IS-IS”, “OSPFv2”, “OSPFv3”, “PIM”, “RIP”, “RIPng” | Specifies routing protocols for the system to use in the route domain. | |
securityNatPolicy (string) | Specifies the security NAT policy for the route domain. | ||
servicePolicy (string) | Specifies the service policy for the route domain. | ||
stagedFirewallPolicy (string) | Specifies a staged firewall policy on the route domain. | ||
strict (boolean) | true | true, false | Determines whether a connection can span route domains. |
vlans (array<string>) | Specifies VLANs for the system to use in the route domain. |
RouteMap¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “RouteMap” | Indicates that this property contains route map configuration. | |
entries (array<RouteMap_entries>) | An array that holds action to take when corresponding entries are matched. | ||
routeDomain (string) | “0” | Specifies the name of the route domain used by the route map |
RouteMap_entries¶
RouteMap entries possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “permit”, “deny” | An action to take | |
match (RouteMap_entries_match) | {“ipv4”:{“address”:{},“nextHop”:{}},“ipv6”:{“address”:{},“nextHop”:{}}} | AS path and addresses to match | |
name (integer) | [-infinity, infinity] | Name of the entity |
RouteMap_entries_match¶
RouteMap_entries match possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
asPath (string) | RoutingAsPath to match. Defines a BGP AS path access list. | ||
ipv4 (RouteMap_entries_match_ipv4) | {“address”:{},“nextHop”:{}} | IPv4 to match | |
ipv6 (RouteMap_entries_match_ipv6) | {“address”:{},“nextHop”:{}} | IPv6 to match |
RouteMap_entries_match_ipv4¶
RouteMap_entries_match ipv4 possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (RouteMap_entries_match_ipv4_address) | {} | IPv4 addresses to match | |
nextHop (RouteMap_entries_match_ipv4_nextHop) | {} | IPv4 next hops to match |
RouteMap_entries_match_ipv4_address¶
RouteMap_entries_match_ipv4 address possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
prefixList (string) | RoutingPrefixList to match |
RouteMap_entries_match_ipv4_nextHop¶
RouteMap_entries_match_ipv4 nextHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
prefixList (string) | RoutingPrefixList to match |
RouteMap_entries_match_ipv6¶
RouteMap_entries_match ipv6 possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (RouteMap_entries_match_ipv6_address) | {} | IPv6 addresses to match | |
nextHop (RouteMap_entries_match_ipv6_nextHop) | {} | IPv6 next hops to match |
RouteMap_entries_match_ipv6_address¶
RouteMap_entries_match_ipv6 address possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
prefixList (string) | RoutingPrefixList to match |
RouteMap_entries_match_ipv6_nextHop¶
RouteMap_entries_match_ipv6 nextHop possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
prefixList (string) | RoutingPrefixList to match |
RoutingAccessList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “RoutingAccessList” | Indicates that this property contains routing access list configuration. | |
entries (array<RoutingAccessList_entries>) | An array that holds sources and destinations. | ||
label (string) | |||
remark (string) |
RoutingAccessList_entries¶
RoutingAccessList entries possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “permit”, “deny” | Permit or deny access | |
destination (string) | “::” | format: ipWithOptionalPrefix | IPv4 or IPv6 address or address range. Specify either [address] or [address/prefixlength]. |
exactMatchEnabled (boolean) | false | true, false | Perform exact matching. A single entry with exactMatchEnabled true disallows any entry to have a non-default destination. |
name (integer) | [-infinity, infinity] | Name of the entity identified as an integer | |
source (string) | “::” | format: ipWithOptionalPrefix | IPv4 or IPv6 address or address range. Specify either [address] or [address/prefixlength]. |
RoutingAsPath¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “RoutingAsPath” | Indicates that this property contains routing AS path configuration. | |
entries (array<RoutingAsPath_entries>) | An array that holds action and regex objects |
RoutingAsPath_entries¶
RoutingAsPath entries possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (integer) | [-infinity, infinity] | Name of the entity | |
regex (string) | A regex string |
RoutingBGP¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressFamilies (array<RoutingBGP_addressFamilies>) | Address family | ||
class (string) | “RoutingBGP” | Indicates that this property contains Border Gateway Protocol configuration. | |
gracefulRestart (RoutingBGP_gracefulRestart) | {} | Graceful restart | |
holdTime (integer) | 90 | [0, 65535] | Globally set or reset the hold time for all of the neighbors. The holdTime must be either 0 or at least 3 times keepAlive. |
keepAlive (integer) | 30 | [0, 65535] | Globally set or reset the keep alive for all of the neighbors |
localAS (integer) | [1, 4294967295] | Local Autonomous System. After the RoutingBGP has been created this value cannot be modified. | |
neighbors (array<RoutingBGP_neighbors>) | Neighbors | ||
peerGroups (array<RoutingBGP_peerGroups>) | Peer group | ||
routeDomain (string) | “0” | Specifies the name of the route domain used by the routing bgp | |
routerId (string) | “any6” | Manually override current router identifier (peers will reset) |
RoutingBGP_addressFamilies¶
RoutingBGP addressFamilies possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
internetProtocol (string) | “ipv4”, “ipv6”, “all” | Address family. The value ‘all’ sets both ‘ipv4’ and ‘ipv6’ to the ‘all’ values. | |
redistributionList (array<RoutingBGP_addressFamilies_redistributionList>) | Redistribution list |
RoutingBGP_addressFamilies_redistributionList¶
RoutingBGP_addressFamilies redistributionList possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
routeMap (string) | Route map | ||
routingProtocol (string) | “connected”, “isis”, “kernel”, “ospf”, “rip”, “static” | Routing protocol |
RoutingBGP_gracefulRestart¶
RoutingBGP gracefulRestart possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
gracefulResetEnabled (boolean) | false | true, false | Graceful reset capability |
restartTime (integer) | 0 | [0, 3600] | Maximum time needed for neighbor(s) to restart (seconds) |
stalePathTime (integer) | 0 | [0, 3600] | Maximum time to retain stale paths from restarting neighbor(s) (seconds) |
RoutingBGP_neighbors¶
RoutingBGP neighbors possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | Name | |
addressFamilies (array<RoutingBGP_neighbors_addressFamilies>) | Address family | ||
ebgpMultihop (integer) | 1 | [1, 255] | Allow external BGP members not on directly connected networks |
peerGroup (string) | Peer group |
RoutingBGP_neighbors_addressFamilies¶
RoutingBGP_neighbors addressFamilies possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
asOverrideEnabled (boolean) | false | true, false | Enables override AS path. |
internetProtocol (string) | “ipv4”, “ipv6”, “all” | Address family. The value ‘all’ sets both ‘ipv4’ and ‘ipv6’ to the ‘all’ values. |
RoutingBGP_peerGroups¶
RoutingBGP peerGroups possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
addressFamilies (array<RoutingBGP_peerGroups_addressFamilies>) | Address family | ||
name (string) | Name | ||
remoteAS (integer) | 0 | [-infinity, infinity] | Remote Autonomous System |
RoutingBGP_peerGroups_addressFamilies¶
RoutingBGP_peerGroups addressFamilies possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
internetProtocol (string) | “ipv4”, “ipv6” | Address family | |
routeMap (RoutingBGP_peerGroups_addressFamilies_routeMap) | {} | Route maps | |
softReconfigurationInboundEnabled (boolean) | false | true, false | Soft reconfiguration inbound enabled |
RoutingBGP_peerGroups_addressFamilies_routeMap¶
RoutingBGP_peerGroups_addressFamilies routeMap possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
in (string) | Incoming route map | ||
out (string) | Outgoing route map |
RoutingPrefixList¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “RoutingPrefixList” | Indicates that this property contains routing prefix list configuration. | |
entries (array<RoutingPrefixList_entries>) | An array that holds action, prefix, and prefixLengthRange. | ||
routeDomain (string) | “0” | Specifies the name of the route domain used |
RoutingPrefixList_entries¶
RoutingPrefixList entries possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
action (string) | “permit”, “deny” | An action to take | |
name (integer) | [-infinity, infinity] | Name of the entity | |
prefix (string) | “::/0” | format: ipWithRequiredPrefix | Address with prefix length [address/prefix length] |
prefixLengthRange (string) | “0” | regex: ^\d*:?\d*$ | Prefix length range. Examples: Specify ‘1:32’ for greater than or equal to 1 and less than or equal to 32. Specify ‘1:’ for greater than or equal to 1. Specify ‘:32’ for less than or equal to 32. Specify ‘32’ for equal to 32. Must be 0 or greater than the length on the prefix property. |
SecurityAnalytics¶
Security properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
aclRules (SecurityAnalytics_aclRules) | Firewall (ACL) security statistics collection options. | ||
class (string) | “SecurityAnalytics” | Indicates that this property contains SecurityAnalytics configuration. | |
collectAllDosStatsEnabled (boolean) | false | true, false | Specifies whether to enable or disable the collection of all DoS statistics. |
collectDnsStatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable DNS statistics collection. |
collectDosL3StatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable the collection of DoS L3 statistics. |
collectedStatsExternalLoggingEnabled (boolean) | false | true, false | Specifies whether to enable or disable external logging of collected statistics. |
collectedStatsInternalLoggingEnabled (boolean) | false | true, false | Specifies whether to enable or disable internal logging of collected statistics. |
collectFirewallAclStatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable the collection of firewall ACL statistics. |
collectFirewallDropsStatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable the collection of firewall drops statistics. |
collectIpReputationStatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable the collection of IP reputation statistics. |
collectSipStatsEnabled (boolean) | true | true, false | Specifies whether to enable or disable the collection of SIP statistics. |
collectStaleRulesEnabled (boolean) | false | true, false | Specifies whether statistics about all firewall rules should be collected in order to present information regarding rule staleness. |
dns (SecurityAnalytics_dns) | DNS security statistics collection options. | ||
dosL2L4 (SecurityAnalytics_dosL2L4) | Network DoS statistics collection options. | ||
l3L4Errors (SecurityAnalytics_l3L4Errors) | Firewall errors statistics collection options. | ||
publisher (string) | Specifies the external logging publisher used to send statistical data to one or more destinations. | ||
smtpConfig (string) | Specifies the default SMTP configuration used for exporting CSV or PDF security analytics reports. |
SecurityAnalytics_aclRules¶
SecurityAnalytics aclRules possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
collectClientIpEnabled (boolean) | true | true, false | Specifies whether source/client IP address should be collected for ACL rule matching. |
collectClientPortEnabled (boolean) | false | true, false | Specifies whether source/client port should be collected for ACL rule matching. |
collectDestinationIpEnabled (boolean) | true | true, false | Specifies whether the destination IP address should be collected for ACL rule matching. |
collectDestinationPortEnabled (boolean) | true | true, false | Specifies whether the destination port should be collected for ACL rule matching. |
collectServerSideStatsEnabled (boolean) | false | true, false | Specifies whether server side statistics (source address translation information, self IP address and pool member address) should be collected for ACL rule matching. |
SecurityAnalytics_dns¶
SecurityAnalytics dns possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
collectClientIpEnabled (boolean) | true | true, false | Specifies whether source/client IP address should be collected for DNS security. |
collectDestinationIpEnabled (boolean) | true | true, false | Specifies whether the destination IP address should be collected for DNS security. |
SecurityAnalytics_dosL2L4¶
SecurityAnalytics dosL2L4 possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
collectClientIpEnabled (boolean) | true | true, false | Specifies whether source/client IP address should be collected for network layer’s DoS security. |
collectDestinationGeoEnabled (boolean) | true | true, false | Specifies whether the destination geo should be collected for network layer’s DoS security. |
SecurityAnalytics_l3L4Errors¶
SecurityAnalytics l3L4Errors possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
collectClientIpEnabled (boolean) | true | true, false | Specifies whether source/client IP address should be collected for firewall errors. |
collectDestinationIpEnabled (boolean) | true | true, false | Specifies whether the destination IP address should be collected for firewall errors. |
SecurityWaf¶
Security properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
advancedSettings (array<SecurityWaf_advancedSettings | object>) | Specifies WAF advanced settings. | ||
antiVirusProtection (SecurityWaf_antiVirusProtection) | Specifies anti virus protection options. | ||
class (string) | “SecurityWaf” | Indicates that this property contains SecurityWaf configuration. |
SecurityWaf_advancedSettings¶
SecurityWaf advancedSettings possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | “ecard_regexp_decimal”, “ecard_regexp_email”, “ecard_regexp_phone”, “icap_uri”, “virus_header_name”, “WhiteHatIP1”, “WhiteHatIP2”, “WhiteHatIP3”, “WhiteHatIP4” | Specifies the name of the setting. | |
value (string) | Specifies the desired value for the setting. |
SecurityWaf_antiVirusProtection¶
SecurityWaf antiVirusProtection possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
guaranteeEnforcementEnabled (boolean) | true | true, false | Specifies whether the system should perform virus checking even if this may slow down the web application. |
hostname (string) | format: hostname | Specifies the server hostname. | |
port (integer) | 1344 | [1, 65535] | Specifies the server port. |
SelfIp¶
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
address (string) | format: f5ip | IP address. | |
allowService (string | array<string>) | “none” | “all”, “none”, “default”, regex: (\w+:\d+|default) | Which services (ports) to allow on the self IP. Value should be ‘all’, ‘none’, ‘default’, or array of ‘<service:port>’. NOTE: The default value is not recommended and a value of ‘none’ should be used if possible. |
class (string) | “SelfIp” | Indicates that this property contains Self IP configuration. | |
enforcedFirewallPolicy (string) | Specifies an enforced firewall policy on the self IP. | ||
stagedFirewallPolicy (string) | Specifies a staged firewall policy on the self IP. | ||
trafficGroup (string) | “traffic-group-local-only” | “traffic-group-local-only”, “traffic-group-1” | Traffic group for the Self IP. |
vlan (string) | VLAN or Tunnel for the self IP. |
SnmpAgent¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allowList (array<string>) | format: f5ip | Allowed client IP addresses. | |
class (string) | “SnmpAgent” | Indicates that this property contains basic SNMP agent configuration. | |
contact (string) | The name of the person who administers the SNMP service for this system. | ||
location (string) | The description of this system’s physical location. | ||
snmpV1 (boolean) | true | true, false | Enables snmpd daemon support of snmpV1 queries. |
snmpV2c (boolean) | true | true, false | Enables snmpd daemon support of snmpV2c queries. |
SnmpCommunity¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
access (string) | “ro” | “ro”, “rw” | Whether the user’s access level to the MIB is readOnly. |
class (string) | “SnmpCommunity” | Indicates that this property contains SNMP v1 or v2c community configuration. | |
ipv6 (boolean) | false | true, false | Specifies whether the record applies to IPv6 addresses. |
name (string) | Overrides using the object name as the community name. Use this if you want special characters in the community name. | ||
oid (string) | Specifies the current object identifier (OID) for the record. | ||
source (string) | Specifies the source address for access to the MIB. |
SnmpTrapDestination¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
authentication (SnmpTrapDestination_authentication) | Specifies the user’s authentication method and password. | ||
class (string) | “SnmpTrapDestination” | Indicates that this property contains SNMP trap configuration. | |
community (string) | Specifies the community name for the trap destination. — Note: This property is available only when version is NOT ‘3’ — | ||
destination (string) | Specifies the address for the trap destination. | ||
engineId (string) | Specifies the unique identifier (snmpEngineID) of the remote SNMP protocol engine. | ||
network (string) | “management” | “management”, “other” | Specifies the trap network. The system sends the SNMP trap out the specified network. ‘management’ specifies that the system sends the trap out of the management IP address. ‘other’ specifies that the system sends the trap out of the interface based on the routing tables. |
port (integer) | 162 | [0, 65535] | Specifies the port for the trap destination. |
privacy (SnmpTrapDestination_privacy) | Specifies the privacy protocol to use to deliver authentication information for this user. | ||
securityName (string) | Specifies the user name the system uses to handle SNMP v3 traps. | ||
version (string) | “2c” | “1”, “2c”, “3” | Specifies to which Simple Network Management Protocol (SNMP) version the trap destination applies. |
SnmpTrapDestination_authentication¶
SnmpTrapDestination authentication possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | Specifies the password for the user. | ||
protocol (string) | “sha”, “md5”, “sha256” | Authentication protocol. |
SnmpTrapDestination_privacy¶
SnmpTrapDestination privacy possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | Specifies the password for the user. | ||
protocol (string) | “aes”, “des”, “aes256” | Specifies the encryption protocol. |
SnmpTrapEvents¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
agentStartStop (boolean) | true | true, false | Indicates whether to send a trap when the SNMP agent starts/stops. |
authentication (boolean) | false | true, false | Indicates whether to send authentication warning traps. |
class (string) | “SnmpTrapEvents” | Indicates that this property contains SNMP trap configuration. | |
device (boolean) | true | true, false | Indicates whether to send device warning traps. |
SnmpUser¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
access (string) | “ro” | “ro”, “rw” | Whether the user’s access level to the MIB is readOnly. |
authentication (SnmpUser_authentication) | Specifies the user’s authentication method and password. | ||
class (string) | “SnmpUser” | Indicates that this property contains SNMP v3 user configuration. | |
name (string) | Overrides using the object name as the username. Use this if you want special characters in the username. | ||
oid (string) | “.1” | Specifies the current object identifier (OID) for the record. | |
privacy (SnmpUser_privacy) | Specifies the privacy protocol to use to deliver authentication information for this user. |
SnmpUser_authentication¶
SnmpUser authentication possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | Specifies the password for the user. | ||
protocol (string) | “sha” | “sha”, “sha256”, “sha512”, “md5” | Authentication protocol. Values other than ‘sha’ or ‘md5’ require BIGIP version 15.1 or above. |
SnmpUser_privacy¶
SnmpUser privacy possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
password (string) | Specifies the password for the user. | ||
protocol (string) | “aes” | “aes”, “aes192”, “aes192c”, “aes256”, “aes256c”, “des” | Specifies the encryption protocol. Values ‘aes192’, ‘aes192c’, ‘aes256’, and ‘aes256c’ require BIGIP version 15.1 or above. |
SSHD¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
allow (string | array<string>) | “all”, “none” | Specifies the list of IP addresses that are allowed to log in to the system. Allow all addresses by using the ‘all’ value or disallow all addresses using the ‘none’ value. | |
banner (string) | Enables or disables the display of the banner text field when a user logs in. | ||
ciphers (array<string>) | “3des-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-gcm@openssh.com”, “aes256-gcm@openssh.com”, “arcfour”, “arcfour128”, “arcfour256”, “blowfish-cbc”, “cast128-cbc”, “chacha20-poly1305@openssh.com” | Specifies the ciphers to be included. | |
class (string) | “SSHD” | Indicates this contains SSH configuration. | |
inactivityTimeout (integer) | 0 | [0, 2147483647] | Specifies the number of seconds before inactivity causes an SSH session to log out. |
kexAlgorithms (array<string>) | “diffie-hellman-group1-sha1”, “diffie-hellman-group14-sha1”, “diffie-hellman-group14-sha256”, “diffie-hellman-group16-sha512”, “diffie-hellman-group18-sha512”, “diffie-hellman-group-exchange-sha1”, “diffie-hellman-group-exchange-sha256”, “ecdh-sha2-nistp256”, “ecdh-sha2-nistp384”, “ecdh-sha2-nistp521”, “curve25519-sha256”, “curve25519-sha256@libssh.org”, “gss-gex-sha1-”, “gss-group1-sha1-”, “gss-group14-sha1-” | Specifies the KexAlgorithms that will be included. | |
loginGraceTime (integer) | [-infinity, infinity] | Specifies the login grace period that will be included. This is in the number of seconds. | |
MACS (array<string>) | “hmac-sha1”, “hmac-ripemd160”, “hmac-md5”, “hmac-md5-96”, “hmac-sha1-96”, “hmac-sha2-256”, “hmac-sha2-512”, “hmac-md5-etm@openssh.com”, “hmac-md5-96-etm@openssh.com”, “hmac-ripemd160-etm@openssh.com”, “hmac-sha1-etm@openssh.com”, “hmac-sha1-96-etm@openssh.com”, “hmac-sha2-256-etm@openssh.com”, “hmac-sha2-512-etm@openssh.com”, “umac-64@openssh.com”, “umac-128@openssh.com”, “umac-64-etm@openssh.com”, “umac-128-etm@openssh.com” | Specifies the MACs that will be included. | |
maxAuthTries (integer) | [-infinity, infinity] | Specifies the max auth tries to be included. | |
maxStartups (string) | Specifies the max startups to include. | ||
protocol (integer) | [1, 2] | Specifies the protocol to be included. |
SyslogRemoteServer¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “SyslogRemoteServer” | Indicates that this property contains Syslog Remote Server Information | |
host (string) | Specifies the IP address of a remote server to which syslog sends messages. | ||
localIp (string) | Specifies the IP address of the interface syslog binds with in order to log messages to a remote host. | ||
remotePort (integer) | 514 | [0, 65535] | Specifies the port to which the syslog sends messages. |
System¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoCheck (boolean) | true | true, false | Enables the BIG-IP system to check for and recommend software updates. |
autoPhonehome (boolean) | true | true, false | Enables the BIG-IP system to send non-confidential, high-level device information to F5 in order to help determine product usage to optimize product development. |
class (string) | “System” | Indicates this property contains global system settings | |
cliInactivityTimeout (integer) | 0 | [0, 128849018820] | Configure automatic logout for idle users in TMSH interactive mode. A setting other than 0 automatically logs a user out after a specified number of seconds, which must be entered in multiples of 60. The default value 0 means that no timeout is set. |
consoleInactivityTimeout (integer) | 0 | [0, 2147483647] | Configure automatic logout for idle serial console sessions (command line sessions) in seconds. The default value 0 means that no timeout is set. |
guiAuditLog (boolean) | false | true, false | Enables audit logging for the GUI. Only available on TMOS v14+ |
guiSecurityBanner (boolean) | true | true, false | Specifies whether the system presents on the login screen the text you specify in guiSecurityBannerText. If you disable this option, the system presents an empty frame in the right portion of the login screen. |
guiSecurityBannerText (string) | “Welcome to the BIG-IP Configuration Utility.\n\nLog in with your username and password using the fields on the left.” | Specifies the text to present on the login screen when the guiSecurityBanner is enabled. | |
hostname (string) | “bigip1” | format: hostname | Hostname to set for the device. Note: If you set the hostname as part of the Common class, you CANNOT set a hostname in the System class (they are mutually exclusive). |
mcpAuditLog (string) | “enable” | “disable”, “enable”, “verbose”, “all” | Enables audit logging for MCP. |
mgmtDhcpEnabled (boolean) | true, false | Determines if Management DHCP is enabled or not. | |
passwordPrompt (string) | “Password” | Specifies the text to present above the password field on the system’s login screen. | |
preserveOrigDhcpRoutes (boolean) | false | true, false | Determines if DHCP ManagementRoute objects are preserved. |
tmshAuditLog (boolean) | true | true, false | Enables audit logging for tmsh. |
usernamePrompt (string) | “Username” | Specifies the text to present above the user name field on the system’s login screen. |
TrafficControl¶
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
acceptIpOptions (boolean) | false | true, false | Specifies whether the system accepts IPv4 packets with IP Options. |
acceptIpSourceRoute (boolean) | false | true, false | Specifies whether the system accepts IPv4 packets with IP source route options that are destined for TMM. To enable this option, you must also enable the acceptIpOptions option. |
allowIpSourceRoute (boolean) | false | true, false | Specifies whether the system allows IPv4 packets with IP source route options enabled to be routed through TMM. To enable this option, you must also enable the acceptIpOptions option. |
class (string) | “TrafficControl” | Indicates this property contains traffic control configuration | |
continueMatching (boolean) | false | true, false | Specifies whether the system matches against a less-specific virtual server when the more-specific one is disabled or rejects / drops the packets depending on the value of rejectUnmatched. |
maxIcmpRate (integer) | 100 | [0, 2147483647] | Specifies the maximum rate per second at which the system issues ICMP errors. |
maxPortFindLinear (integer) | 16 | [0, 61439] | Specifies the maximum number of ports to linearly search for outbound connections |
maxPortFindRandom (integer) | 16 | [0, 1024] | Specifies the maximum number of ports to randomly search for outbound connections |
maxRejectRate (integer) | 250 | [1, 1000] | Specifies the maximum rate per second at which the system issues reject packets (TCP RST or ICMP port unreach). |
maxRejectRateTimeout (integer) | 30 | [0, 300] | Specifies the time in seconds which the system ignores ICMP port unreach and TCP RST ratelimits on becoming active after a failover. |
minPathMtu (integer) | 296 | [68, 1500] | Specifies the minimum packet size that can traverse the path without suffering fragmentation |
pathMtuDiscovery (boolean) | true | true, false | Specifies that the system discovers the MTU that it can send over a path without fragmenting TCP packets |
portFindThresholdTimeout (integer) | 30 | [0, 300] | Specifies the threshold warning’s timeout which is the time in seconds since the last trigger value was hit and will drop the tuple if not hit. |
portFindThresholdTrigger (integer) | 8 | [1, 12] | Specifies the threshold warning’s trigger which is the value of random port attempts when attempting to find an unused outbound port for a connection. |
portFindThresholdWarning (boolean) | true | true, false | Specifies if the ephemeral port-exhaustion threshold warning is to be monitored. |
rejectUnmatched (boolean) | true | true, false | Specifies, when enabled, that the system returns a TCP RST or ICMP port unreach packet if no virtual servers on the system match the destination address of the incoming packet. When disabled, the system silently drops the unmatched packet. |
TrafficGroup¶
Clustering properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoFailbackEnabled (boolean) | false | true, false | Specifies whether the traffic group fails back to the default device. |
autoFailbackTime (integer) | 60 | [0, 300] | Specifies the time required to fail back. |
class (string) | “TrafficGroup” | Indicates that this property contains Traffic Group configuration. | |
failoverMethod (string) | “ha-order” | “ha-order” | Specifies the method used to decide if the current device needs to failover the traffic-group to another device. If the failover-method is set to ha-order, a list of devices and their respective HA load is used to decide the next one to take over if the current device fails. |
haLoadFactor (integer) | 1 | [1, 1000] | Specifies a number for this traffic group that represents the load this traffic group presents to the system relative to other traffic groups. This allows the failover daemon to load balance the active traffic groups amongst the devices. |
haOrder (array<string>) | This list of devices specifies the order in which the devices will become active for the traffic group when a failure occurs. This list may contain zero, one, or more entries up to the number of devices in the failover device group. |
Trunk
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “Trunk” | Indicates that this property contains Trunk configuration. | |
distributionHash (string) | “dst-mac” | “dst-mac”, “src-dst-ipport”, “src-dst-mac” | Specifies the basis for the hash that the system uses as the frame distribution algorithm. Choices are ‘dst-mac’ (use the destination MAC addresses), ‘src-dst-mac’ (use the source and destination MAC addresses), or ‘src-dst-ipport’ (use the source and destination IP addresses and ports). |
interfaces (array<string>) | Interfaces for the Trunk. The number of interfaces used is recommended to be a power of 2 (for example 2, 4, or 8). Interfaces must be untagged. | ||
lacpEnabled (boolean) | false | true, false | Specifies, when true, that the system supports the link aggregation control protocol (LACP), which monitors the trunk by exchanging control packets over the member links to determine the health of the links. |
lacpMode (string) | “active” | “active”, “passive” | Specifies the operation mode for LACP if the lacp option is enabled for the trunk. The values are ‘active’ (specifies the system periodically transmits LACP packets, regardless of the control value of the peer system) and ‘passive’ (specifies the system periodically transmits LACP packets, unless the control value of the peer system is active). |
lacpTimeout (string) | “long” | “long”, “short” | Specifies the rate at which the system sends the LACP control packets. |
linkSelectPolicy (string) | “auto” | “auto”, “maximum-bandwidth” | Sets the LACP policy that the trunk uses to determine which member link (interface) can handle new traffic. |
qinqEthertype (string) | “0x8100” | regex: ^0x[a-fA-F0-9]{4}$ | Specifies the ether-type value used for the packets handled on this trunk when it is a member in a QinQ vlan. |
spanningTreeEnabled (boolean) | true | true, false | Enables the spanning tree protocols (STP). |
Tunnel
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoLastHop (string) | “default” | “default”, “enabled”, “disabled” | Specifies that packets are returned to the MAC address from which they were sent when enabled. The default setting specifies that the system uses the default route to send back the request. |
class (string) | “Tunnel” | Indicates that this property contains Tunnel configuration. | |
defaultsFrom (string) | “vxlan” | Specifies the existing profile from which the system imports settings for the new profile. Default value is vxlan. Can NOT default from itself. | |
encapsulationType (string) | “vxlan” | “vxlan”, “vxlan-gpe” | Specifies whether the VXLAN header is formatted according to RFC 7348 (vxlan) or with the Generic Protocol Extension (vxlan-gpe). The default is vxlan. |
floodingType (string) | “multicast” | “none”, “multicast”, “multipoint”, “replicator” | Specifies the flooding type to use to transmit multicast, broadcast, and unknown destination frames. The default is multicast. |
key (integer) | 0 | [0, infinity] | When applied to a GRE tunnel, this value specifies an optional field in the GRE header, used to authenticate the source of the packet. When applied to a VXLAN or Geneve tunnel, this value specifies the Virtual Network Identifier (VNI). When applied to an NVGRE tunnel, this value specifies the Virtual Subnet Identifier (VSID). |
localAddress (string) | “any6” | Specifies the IP address of the local endpoint of the tunnel. | |
mode (string) | “bidirectional” | “bidirectional”, “inbound”, “outbound” | Specifies how the tunnel carries traffic. |
mtu (integer) | 0 | [0, 65535] | Specifies the maximum transmission unit of the Tunnel. |
port (integer) | 4789 | [0, 65535] | Specifies the local port for receiving VXLAN packets. The default is 4789. |
remark (string) | |||
remoteAddress (string) | “any6” | Specifies the IP address of the remote endpoint of the tunnel. | |
secondaryAddress (string) | “any6” | Specifies a non-floating IP address for the tunnel, to be used with host-initiated traffic. | |
trafficGroup (string) | “none” | Specifies the traffic group to associate with the tunnel. | |
transparent (boolean) | false | true, false | Specifies that the tunnel operates in transparent mode. When enabled, you can inspect and manipulate the encapsulated traffic flowing through the BIG-IP system. |
tunnelType (string) | “geneve”, “gre”, “tcp-forward”, “vxlan” | Specifies the profile that you want to associate with the Tunnel. Note: As of 1.36.0, when creating a VXLAN Tunnel, accept-ip-options in traffic controls will no longer default to true. Instead it will remain the same or be set to the value in the declaration. | |
typeOfService (string | integer) | “preserve” | “preserve”, [0, 255] | Specifies a value for insertion into the Type of Service octet within the IP header of the encapsulating header of transmitted packets. |
usePmtu (boolean) | true | true, false | Enable or disable the Tunnel to use Path MTU information provided by ICMP NeedFrag error messages. |
User
System properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
class (string) | “User” | Indicates that this property contains user configuration. — Note: This property is available only when userType is NOT ‘root’ — | |
forceInitialPasswordChange (boolean) | true | true, false | Determines if a password change will be required on the first user login. — Note: This property is available only when userType is NOT ‘root’ — |
keys (array<string>) | An array of public keys for the user. These will overwrite the /home/username/.ssh/authorized_keys if not root. — Note: This property is available only when userType is NOT ‘root’ — | ||
newPassword (string) | Password to set for the root user. | ||
oldPassword (string) | Old password for the root user. | ||
partitionAccess (User_partitionAccess) | Access control configuration. — Note: This property is available only when userType is NOT ‘root’ — | ||
password (string) | Password for the user. — Note: This property is available only when userType is NOT ‘root’ — | ||
shell (string) | “tmsh” | “bash”, “tmsh”, “none” | Shell for the user. — Note: This property is available only when userType is NOT ‘root’ — |
userType (string) | “regular” | The type of user. — Note: This property is available only when userType is NOT ‘root’ — |
User_partitionAccess
User partitionAccess possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
all-partitions (User_partitionAccess_all-partitions) | The partition - either ‘Common’ or ‘all-partitions’. | ||
Common (User_partitionAccess_Common) | The partition - either ‘Common’ or ‘all-partitions’. |
User_partitionAccess_all-partitions
User_partitionAccess all-partitions possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
role (string) | “admin”, “auditor”, “guest”, “manager”, “operator”, “user-manager”, “application-editor”, “certificate-manager”, “irule-manager”, “no-access”, “resource-admin” | Role for the user. |
User_partitionAccess_Common
User_partitionAccess Common possible properties
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
role (string) | “admin”, “auditor”, “guest”, “manager”, “operator”, “user-manager”, “application-editor”, “certificate-manager”, “irule-manager”, “no-access”, “resource-admin” | Role for the user. |
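The User, User_partitionAccess and role tables above are enough to lint the accounts in a declaration before it is posted. The following is an added example, not F5 code: it finds every object with class “User” and checks it against the documented values. The policy rules (flagging the bash shell, a disabled forced password change, and admin or resource-admin on all-partitions) and the sample declaration are assumptions of this example.

```python
# Values copied from the User and User_partitionAccess tables above.
SHELLS = {"bash", "tmsh", "none"}
ROLES = {"admin", "auditor", "guest", "manager", "operator", "user-manager",
         "application-editor", "certificate-manager", "irule-manager",
         "no-access", "resource-admin"}
# Assumption of this example (site policy, not part of the schema).
PRIVILEGED_ROLES = {"admin", "resource-admin"}

def find_users(node, path=""):
    """Yield (path, obj) for every nested object whose class is "User"."""
    if isinstance(node, dict):
        if node.get("class") == "User":
            yield path, node
        for key, value in node.items():
            yield from find_users(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_users(value, f"{path}/{i}")

def audit_user(user):
    """Return a list of findings for one User object."""
    if user.get("userType") == "root":
        return []  # the properties checked below apply only to non-root users
    findings = []
    shell = user.get("shell", "tmsh")  # documented default
    if shell not in SHELLS:
        findings.append(f"invalid shell {shell!r}")
    elif shell == "bash":
        findings.append("bash shell instead of the tmsh default")
    if "password" in user and user.get("forceInitialPasswordChange", True) is False:
        findings.append("password set but forceInitialPasswordChange is false")
    for partition, access in user.get("partitionAccess", {}).items():
        role = access.get("role")
        if role not in ROLES:
            findings.append(f"invalid role {role!r} on {partition}")
        elif partition == "all-partitions" and role in PRIVILEGED_ROLES:
            findings.append(f"{role} role on all-partitions")
    return findings

def audit_declaration(declaration):
    """Map the path of each flagged User object to its findings."""
    results = {path: audit_user(user) for path, user in find_users(declaration)}
    return {path: found for path, found in results.items() if found}

# Constructed sample: the wrapper key and user names are placeholders.
SAMPLE = {"example": {
    "opsUser": {"class": "User", "userType": "regular", "password": "<placeholder>",
                "shell": "bash", "forceInitialPasswordChange": False,
                "partitionAccess": {"all-partitions": {"role": "admin"}}},
    "auditUser": {"class": "User", "userType": "regular",
                  "partitionAccess": {"Common": {"role": "auditor"}}},
    "typoUser": {"class": "User", "userType": "regular",
                 "partitionAccess": {"Common": {"role": "administrator"}}}}}
```

Calling `audit_declaration(SAMPLE)` flags opsUser and typoUser and leaves auditUser out of the result.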
VLAN
Network properties for onboarding a BIG-IP.
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
autoLastHop (string) | “default” | “default”, “enabled”, “disabled” | When enabled, allows the system to send return traffic to the MAC address that transmitted the request, even if the routing table points to a different network or interface. As a result, the system can send return traffic to clients even when there is no matching route. Settings are default (inherited global setting), enabled, and disabled. |
class (string) | “VLAN” | Indicates that this property contains VLAN configuration. | |
cmpHash (string) | “default” | “default”, “dst-ip”, “src-ip” | Specifies how the traffic on the VLAN will be disaggregated. |
failsafeAction (string) | “failover-restart-tm” | “failover”, “failover-restart-tm”, “reboot”, “restart-all” | Specifies the action for the system to take when the fail-safe mechanism is triggered |
failsafeEnabled (boolean) | false | true, false | Enables a fail-safe mechanism that causes the active cluster to fail over to a redundant cluster when loss of traffic is detected on a VLAN |
failsafeTimeout (integer) | 90 | [10, 3600] | Specifies the number of seconds that an active unit can run without detecting network traffic on this VLAN before starting a failover |
interfaces (array<VLAN_interfaces>) | Interfaces for the VLAN. | ||
mtu (integer) | 1500 | [576, 9198] | MTU for the VLAN. |
tag (integer) | [1, 4094] | Tag for the VLAN. |
VLAN_interfaces
VLAN interfaces possible properties when object type
Properties:
Name (Type) | Default | Values | Description |
---|---|---|---|
name (string) | Name of the interface. | ||
tagged (boolean) | true, false | Whether or not the interface is tagged. Default is true if a VLAN tag is provided, otherwise false. |