Manage licensing in disconnected (air-gapped) environments

This guide describes how to manage F5 Insight licensing in disconnected (air-gapped) environments where the system cannot directly access F5 licensing servers.

Overview

In disconnected mode, licensing requires coordination between two separate systems:

  1. F5 Insight (disconnected mode) - Your air-gapped F5 Insight system
  1. Generates telemetry reports through the UI
  2. Verifies license manifests through the UI
  3. No direct internet access
  1. Internet-connected machine - A separate system with internet access
  1. Submits reports to the F5 API using curl
  2. Receives license manifests from F5
  3. Acts as an intermediary between F5 Insight and F5 licensing servers

File transfer moves data between these two systems using approved air-gap methods.

F5 Insight UI - license setup / onboarding activation

In License Setup > Disconnected

  1. Add JWT Token
  1. Paste the JWT token in JWT Token field
  2. click on Generate License Report
  1. Download and Submit Report

  1. Click on Download License Report to download the report

    Intermediary steps to complete:

    1. Transfer report to internet-connected machine
    2. Submit report and get manifest (acknowledgment)
    3. Transfer manifest back to F5 Insight
  1. Upload signed acknowledgement
  1. Choose the transferred Manifest file
  2. Click on Validate and Activate License to complete License setup

F5 Insight UI menu options

In Settings > Licensing, select the more options menu (⋮) to access:

  1. Download Report - Downloads a telemetry report for submission to F5
  2. Verify Report - Uploads a manifest to complete license activation, deactivation, or telemetry

Note

Additional options may vary by version.

Disconnected licensing workflow

  1. Download the telemetry report

    Complete these steps on the F5 Insight (disconnected mode) system:

    1. Log in to the F5 Insight UI.
    2. Go to Settings > Licensing.
    3. Select the more options menu (⋮).
    4. Select Download Report.
    5. Save the file as telemetry-report.json.

    The report contains usage data and system metrics for the observation period.

  2. Transfer the report to an internet-connected machine

    Transfer telemetry-report.json to a separate machine with internet access using one of the following methods:

    • USB drive
    • Secure file transfer
    • Approved air-gap transfer method

  3. Submit the report and get the manifest

    Complete these steps on the internet-connected machine.

    Submit the telemetry report to the F5 API and receive the license manifest:

    curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <JWT_LICENSE_TOKEN>" \
-d @telemetry-report.json \
-o license-manifest.json \
"https://product.apis.f5.com/ee/v1/entitlements/telemetry"

    Parameters:

    • <JWT_LICENSE_TOKEN> — Your F5 license token (JWT format received from F5)
    • @telemetry-report.json — The report downloaded from the F5 Insight UI
    • license-manifest.json — The output file containing the license acknowledgment

    Response format:

    {
"manifest": "<LICENSE_MANIFEST_JWT>"
}

  4. Transfer the manifest back to F5 Insight

    Transfer license-manifest.json back to the F5 Insight system (disconnected mode) using the same air-gap transfer method.

  5. Verify the report by uploading the manifest

    Complete these steps on the F5 Insight (disconnected mode) system:

    1. Log in to the F5 Insight UI.
    2. Go to Settings > Licensing.
    3. Select the more options menu (⋮).
    4. Select Verify Report.
    5. Upload license-manifest.json.

    This completes the license activation, deactivation, or telemetry process. The system validates the manifest and displays:

    • License compliance status
    • Expiration date
    • Licensed features and limits

Complete example

Initial setup

Complete these steps on the F5 Insight (disconnected mode) system:

  1. Go to Settings > Licensing.

  2. Select the more options menu (⋮).

  3. Select Download Report.

  4. Save the file as telemetry-report.json.

  5. Transfer the file to an internet-connected machine.

    Complete these steps on the internet-connected machine:

    # Submit the telemetry report and get the license manifest
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <JWT_LICENSE_TOKEN>" \
-d @telemetry-report.json \
-o license-manifest.json \
"https://product.apis.f5.com/ee/v1/entitlements/telemetry"

# Verify the manifest was received
cat license-manifest.json | jq .

    Complete these steps on the F5 Insight (disconnected mode) system:

  1. Transfer license-manifest.json back to the F5 Insight system.
  2. Go to Settings > Licensing.
  3. Select the more options menu (⋮).
  4. Select Verify Report.
  5. Upload license-manifest.json.
  6. Verify the license status and expiration date.

Periodic renewal (every 30 days)

Repeat the full cycle:

  1. F5 Insight: Select the more options menu > Download Report.
  2. Transfer: Move the report to an internet-connected machine.
  3. Internet-connected machine: Submit the report with curl and save the manifest.
  4. Transfer: Move the manifest back to the F5 Insight system.
  5. F5 Insight: Select the more options menu > Verify Report and upload the manifest.

File descriptions

telemetry-report.json

Generated by: F5 Insight UI (Download Report)
Contains: Usage telemetry data for compliance validation
  • Asset usage statistics
  • Feature consumption metrics
  • Observation time window
  • System metadata
  • JWT format with HMAC-SHA256 signature

license-manifest.json

Received from: F5 API (curl response)
Contains: License acknowledgment and entitlements
  • Expiration date
  • Licensed features and limits
  • Compliance status
  • Telemetry frequency
  • Grace period settings
  • JWT format with RSA-512 signature

curl command fails

Symptoms:

curl: (60) SSL certificate problem
curl: (7) Failed to connect to product.apis.f5.com

Resolution:

  1. Verify internet connectivity on the internet-connected machine.
  2. Check that the firewall allows HTTPS traffic to product.apis.f5.com.
  3. Verify that the license token has not expired.
  4. Use the -v flag for verbose output: curl -v ...

Important notes

  • Timing: Submit telemetry reports before the license expires.
  • Token security: Keep license tokens secure. Do not commit them to version control.
  • File integrity: Verify file checksums after transfers.
  • Grace period: Most licenses have zero days of grace for disconnected mode.
  • Automation: Consider scripting file transfers and curl commands.

License API reference

Endpoint

POST https://product.apis.f5.com/ee/v1/entitlements/telemetry

Headers

  • Content-Type: application/json
  • Authorization: Bearer <JWT_LICENSE_TOKEN>

Request body

{
  "report": "<TELEMETRY_REPORT_JWT>"
}

Or use file input:

curl -d @telemetry-report.json

Response

{
  "manifest": "<LICENSE_MANIFEST_JWT>"
}

Status codes

Code Description
200 OK Success, manifest returned
401 Unauthorized Invalid or expired license token
400 Bad Request Invalid telemetry report format
500 Internal Server Error F5 API error

Example command

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT_LICENSE_TOKEN>" \
  -d @telemetry-report.json \
  -o license-manifest.json \
  "https://product.apis.f5.com/ee/v1/entitlements/telemetry"