Last updated on: 2024-04-16 20:55:12.

Securing / Hardening F5OS on VELOS

F5OS tenants follow the standard hardening/security best practices that are outlined in the following solution article:

K53108777: Hardening your F5 system

This section will focus on how to harden/secure the F5OS layer of the VELOS chassis.

F5OS Platform Layer Isolation

When looking at management of the VELOS platform, it is important to separate in-band (data plane) networking from out-of-band (management) networking. Management of the F5OS platform layer is completely isolated from in-band data-plane traffic, networking, and VLANs; it is purposely reachable only via the out-of-band management network. No in-band (data-plane) IP addresses are assigned to the F5OS layer; only tenants have in-band (data-plane) IP addresses and access. Tenants also have out-of-band connectivity so they can be managed via the out-of-band network.

This allows customers to run a secure/locked-down out-of-band management network where access is tightly restricted. The diagram below shows the out-of-band management access entering the VELOS chassis through management ports on the system controllers (1/mgmt0 and 2/mgmt0). The external management ports are bridged to an internal out-of-band network that connects to all tenants, chassis partitions and blades within the VELOS chassis.

_images/image140.png

Allow List for F5OS Management

F5OS only allows management access via the out-of-band management interfaces on VELOS; there is no in-band access to the F5OS management layer. Within VELOS there are two F5OS layers: the system controller layer and the chassis partition layer. Each layer has its own management IP addresses and its own access control, which can restrict access over the out-of-band network.

Each of the two system controllers has a static IP address assigned, and a floating IP address follows the active system controller and should be used to access it. Each chassis partition, when deployed, is also assigned a single management IP address. Access to these F5OS management interfaces can be restricted to specific IP addresses (both IPv4 and IPv6) or subnets (via a prefix length), per protocol: 443 (HTTPS), 80 (HTTP), 8888 (RESTCONF), 161 (SNMP), 7001 (VCONSOLE), and, as of F5OS-C 1.6.0, 22 (SSH). An administrator can add one or more Allow List entries via the CLI, API, or webUI (webUI support was added in F5OS-C 1.7.0) at both the system controller layer and the chassis partition layer to lock down access to specific endpoints.

By default, every port except 161 (SNMP) is reachable, meaning ports 80, 443, 8888, 7001, and 22 are open. Port 80 is open only to redirect to port 443 if someone tries to reach the webUI over HTTP; the webUI itself is not served over port 80. Port 161 is generally considered insecure and is therefore not reachable until an Allow List entry is created for the endpoint that needs to send SNMP queries to F5OS. Use SNMPv3 to add authentication and privacy to an otherwise insecure protocol. VCONSOLE access to tenants over port 7001 also must be explicitly configured before it is possible.

To further lock down access, add an Allow List entry, consisting of an IP address and an optional prefix length, for each of the protocols listed above. For example, to restrict webUI access to a particular IP address or subnet, add an Allow List entry for that IP or subnet (using the prefix length) and specify port 443; access to that port from every other IP endpoint is then denied (add a second entry with port 8888 to restrict the API the same way). Because the first entry for a port denies all other sources on that port, make sure the host or subnet you are managing the system from is included before you commit, or you will lock yourself out of that protocol.

The examples below can be applied at the system controller layer (log in to, or send API calls to, the floating system controller IP address) or at any chassis partition (log in to, or send API calls to, its management IP address).

Adding Allow List Entries via CLI

To lock one of the protocols down to a single IP address or subnet, use the system allowed-ips command, and be sure to commit the change. The prefix-length parameter is optional: omit it to match a single IP endpoint, or supply it to match an entire subnet. The example below permits SNMP queries from any host in 10.255.0.0/24.

syscon-2-active(config)# system allowed-ips allowed-ip snmp config ipv4 address 10.255.0.0 prefix-length 24 port 161
syscon-2-active(config-allowed-ip-snmp)# commit
Commit complete.
syscon-2-active(config-allowed-ip-snmp)#

Each allowed-ip name holds exactly one IP address/port pair, with an optional prefix length to cover a CIDR block containing multiple addresses. To permit additional non-contiguous IP addresses or subnets, add each one under its own name, as seen below.

syscon-2-active(config)# system allowed-ips allowed-ip SNMP-144 config ipv4 address 10.255.0.144 port 161
syscon-2-active(config-allowed-ip-SNMP-144)# commit
Commit complete.
syscon-2-active(config-allowed-ip-SNMP-144)#


syscon-2-active(config)# system allowed-ips allowed-ip SNMP-145 config ipv4 address 10.255.2.145 port 161
syscon-2-active(config-allowed-ip-SNMP-145)# commit
Commit complete.
syscon-2-active(config-allowed-ip-SNMP-145)#

Adding Allow List Entries via API

Below is an example of allowing multiple SNMP endpoints (port 161) to query SNMP on the F5OS platform layer.

POST https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips

Within the body of the API call, specific IP address/port, and optional prefix-length combinations can be added under a given name. In the current releases, you are limited to one IP address/port/prefix per name.

{
    "allowed-ip": [
        {
            "name": "SNMP-142",
            "config": {
                "ipv4": {
                    "address": "10.255.0.142",
                    "prefix-length": "32",
                    "port": 161
                }
            }
        },
        {
            "name": "SNMP-143",
            "config": {
                "ipv4": {
                    "address": "10.255.0.143",
                    "prefix-length": "32",
                    "port": 161
                }
            }
        },
        {
            "name": "SNMP-144",
            "config": {
                "ipv4": {
                    "address": "10.255.0.144",
                    "prefix-length": "32",
                    "port": 161
                }
            }
        }
    ]
}

To view the allowed IPs in the API, use the following call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips

The output will show the previously configured allowed-ips.

{
    "f5-allowed-ips:allowed-ips": {
        "allowed-ip": [
            {
                "name": "SNMP-142",
                "config": {
                    "ipv4": {
                        "address": "10.255.0.142",
                        "prefix-length": "32",
                        "port": 161
                    }
                }
            },
            {
                "name": "SNMP-143",
                "config": {
                    "ipv4": {
                        "address": "10.255.0.143",
                        "prefix-length": "32",
                        "port": 161
                    }
                }
            },
            {
                "name": "SNMP-144",
                "config": {
                    "ipv4": {
                        "address": "10.255.0.144",
                        "prefix-length": "32",
                        "port": 161
                    }
                }
            }
        ]
    }
}
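The CLI and API procedures above reduce to the same data: one name per address/port pair, with an optional prefix length. The following Python script, added here as an example and not code from the page or from F5, builds that payload for the POST shown above, validates the addresses, and, before anything is sent, checks that the host you are managing from is still permitted on every port the entries restrict, since the first entry for a port denies every other source on it. The host name, the X-Auth-Token header and the application/yang-data+json content type in the optional sender are assumptions about the F5OS API, as is the choice of 443, 8888 and 22 as the ports worth guarding against lockout.

```python
"""Build and sanity-check an F5OS allow-list payload before POSTing it.

Added example, not F5 code. Run stand-alone to print the JSON body.
"""
import ipaddress
import json
import ssl
import urllib.request

# RESTCONF path from the page. The host is an assumption for the sender below.
ALLOWED_IPS_PATH = "/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips"

# Management ports the allow list can restrict, as listed on the page.
KNOWN_PORTS = {22: "ssh", 80: "http", 161: "snmp", 443: "https",
               7001: "vconsole", 8888: "restconf"}


def allowed_ip_entry(name, address, port, prefix_length=None):
    """One allowed-ip object in the shape the API expects.

    Each name carries a single address/port pair; prefix_length widens the
    match to a subnet. Without it the entry matches only that host, which
    is what the page's explicit /32 entries express.
    """
    ip = ipaddress.ip_address(address)
    if port not in KNOWN_PORTS:
        raise ValueError(f"port {port} is not an F5OS management port")
    family = "ipv4" if ip.version == 4 else "ipv6"
    if prefix_length is None:
        prefix_length = ip.max_prefixlen  # 32 for IPv4, 128 for IPv6
    ipaddress.ip_network(f"{ip}/{prefix_length}", strict=False)  # range check
    return {"name": name,
            "config": {family: {"address": str(ip),
                                "prefix-length": str(prefix_length),
                                "port": port}}}


def allow_list_payload(entries):
    """Body of the POST shown on the page."""
    return {"allowed-ip": entries}


def _networks(entries, port):
    """Yield the networks that the entries permit on a given port."""
    for entry in entries:
        for cfg in entry["config"].values():
            if cfg["port"] == port:
                yield ipaddress.ip_network(
                    f"{cfg['address']}/{cfg['prefix-length']}", strict=False)


def covers(entries, client_ip, port):
    """True if some entry permits client_ip on port."""
    client = ipaddress.ip_address(client_ip)
    return any(net.version == client.version and client in net
               for net in _networks(entries, port))


def lockout_check(entries, my_ip, ports=(443, 8888, 22)):
    """Ports in `ports` that the entries restrict without permitting my_ip.

    Once any entry exists for a port, every other source is denied on that
    port, so a non-empty result means committing these entries would lock
    the operator out of that protocol.
    """
    restricted = {cfg["port"] for e in entries for cfg in e["config"].values()}
    return [p for p in ports if p in restricted and not covers(entries, my_ip, p)]


def post_allow_list(host, token, entries, cafile=None):
    """Send the POST from the page (not run in this example).

    X-Auth-Token and the RESTCONF content type are assumptions about the
    F5OS API; cafile pins the management certificate so the token is only
    presented to the real system controller.
    """
    body = json.dumps(allow_list_payload(entries)).encode()
    req = urllib.request.Request(
        f"https://{host}:8888{ALLOWED_IPS_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/yang-data+json",
                 "X-Auth-Token": token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: SNMP from two hosts, webUI only from the NOC subnet.
    entries = [allowed_ip_entry("SNMP-144", "10.255.0.144", 161),
               allowed_ip_entry("SNMP-145", "10.255.2.145", 161),
               allowed_ip_entry("HTTPS-noc", "10.255.0.0", 443, 24)]
    blocked = lockout_check(entries, "10.255.0.10")  # the operator's host
    if blocked:
        raise SystemExit(f"refusing to apply: operator would lose ports {blocked}")
    print(json.dumps(allow_list_payload(entries), indent=4))
```

Run the lockout check against the address you actually connect from; if it returns a non-empty list, add an entry for your own host or subnet on that port before calling post_allow_list.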

Adding Allow List Entries via webUI (F5OS-C 1.7.0)

You can configure the Allow List in the webUI starting with version F5OS-C 1.7.0 under the System Settings section.

_images/image227.png

Below is an example of allowing any SNMP endpoint in 10.255.0.0/24 (prefix length 24) to query the F5OS layer on port 161.

_images/image323.png

Setting F5OS Primary Key

The F5 VELOS system uses a primary key to encrypt highly sensitive passwords/passphrases in the configuration database, such as:

  • Tenant unit keys used for TMOS Secure Vault
  • The F5OS API Service Gateway TLS key
  • Stored iHealth credentials
  • Stored AAA server credentials

The primary key is randomly generated by F5OS during initial installation. You should set the primary key to a known value prior to performing a configuration backup. If you restore a configuration backup on a different VELOS device, e.g. during an RMA replacement, you must first set the primary key passphrase and salt on the destination device to the same value as the source device. If this is not done correctly, the F5OS configuration restoration may appear to succeed but produce failures later when the system attempts to decrypt and use the secured parameters.

You should periodically change the primary key for additional security. If doing so, please note that a configuration backup is tied to the primary key at the time it was generated. If you change the primary key, you cannot restore older configuration backups without first setting the primary key to the previous value, if it is known. More details are provided in the solution article below.

K50135154: Backup and restore the F5OS-C configuration on a VELOS system

To set the primary key, issue the following command in config mode. It prompts for a passphrase and a salt and asks you to confirm each; record both values securely, because they are needed to restore a backup onto another device.

syscon-1-active(config)# system aaa primary-key set passphrase
Value for 'passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'salt' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-salt' (<string, min: 6 chars, max: 255 chars>): **************
response Info: Key migration is initiated. Use 'show system aaa primary-key state status' to get status

syscon-1-active(config)#

You can view the status of the primary-key being set with the show system aaa primary-key state status CLI command.

syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "IN_PROGRESS        Initiated: Tue Apr  9 19:46:14 2024"
syscon-1-active# show system aaa primary-key state status
system aaa primary-key state status "COMPLETE        Initiated: Tue Apr  9 19:46:14 2024"
syscon-1-active#

The primary-key hash lets you confirm that a replacement device has the same primary key as the source before you restore a configuration onto it: set the same passphrase and salt on the replacement, then compare the hash on both systems. To view the current primary-key hash, issue the following CLI command.

syscon-2-active# show system aaa primary-key
system aaa primary-key state hash sj2GslitH9XY14h/cpY0TJhMWkU+CpvAU9vxxiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA==
system aaa primary-key state status NONE
syscon-2-active#

Certificates for Device Management

F5OS supports TLS device certificates and keys to secure connections to the management interface. You can either create a self-signed certificate or load your own certificates and keys into the system. In F5OS-C 1.6.0 an admin can now optionally enter a passphrase with the encrypted private key. More details can be found in the link below.

VELOS Certificate Management Overview

Managing Device Certificates, Keys, CSRs, and CAs via CLI

By default, F5OS uses a self-signed certificate and key for device management. If you would like to create your own private key and self-signed certificate, use the following CLI command:

syscon-2-active(config)# system aaa tls create-self-signed-cert name jim email jim@f5.com city Boston region MA country US organization F5 unit Sales version 1 days-valid 365 key-type encrypted-ecdsa curve-name secp384r1 store-tls true key-passphrase
Value for 'key-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-key-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
syscon-2-active(config)#

The store-tls option when set to true, stores the private key and self-signed certificate in the system instead of returning the values only in the CLI output. If you would prefer to have the keys returned in the CLI output and not stored in the system, then set store-tls false as seen below.

syscon-2-active(config)# system aaa tls create-self-signed-cert name jim email jim@f5.com city Boston region MA country US organization F5 unit Sales version 1 days-valid 365 key-type encrypted-ecdsa curve-name secp384r1 store-tls false key-passphrase
Value for 'key-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
Value for 'confirm-key-passphrase' (<string, min: 6 chars, max: 255 chars>): **************
key-response
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,6EE0AFCBE422562DD8653DA0EA60B3AA

TignlV9B8xZj1Pr9/NZrlwZkjhfa1Md1pksZZ5pCxUXkQBJjj/XN9bve6E9ZwZlw
/mh7Anv46XZikh6PHKIbdtQNTiTfVljpXSD2xn1nAlPjUlE8xg5H1FXEs4KTDjvN
NSDd3lupIH7xq37/3iMyKx2hWyZbMCaSPVMPyt4wBMZ2TucaOx0HEK1YOpjWyPV9
DPF2J5q3srSDd7RAti6hQ3R214y65TT4uPPxcZviz+s=
-----END EC PRIVATE KEY-----

cert-response
-----BEGIN CERTIFICATE-----
MIICDzCCAZUCCQDsONxeyLMipDAKBggqhkjOPQQDAjBxMQwwCgYDVQQDDANqaW0x
CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMQswCQYD
VQQKDAJGNTEOMAwGA1UECwwFU2FsZXMxGTAXBgkqhkiG9w0BCQEWCmppbUBmNS5j
b20wHhcNMjMwNTA0MTY1NjUwWhcNMjQwNTAzMTY1NjUwWjBxMQwwCgYDVQQDDANq
aW0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMQsw
CQYDVQQKDAJGNTEOMAwGA1UECwwFU2FsZXMxGTAXBgkqhkiG9w0BCQEWCmppbUBm
NS5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQa1U/Nlxqj2+8WeXFH9sFtzKx9
i63GXFVPMAJ6B8YvPMPRJWBhMfKFf93LdB6en5t3AGkApRkzCxmNMunknmrLOJqL
apjsUQFznt2ksk0EO3c8+lxe80/dfiJs7e6jWygwCgYIKoZIzj0EAwIDaAAwZQIx
AK91V3pXXWc0grzWu8V9c1Ls8pUESMk/02cHbQ4KpHy9dIM7Urqv4eOz2/7KPHYL
PgIwMeuPVPB3kmata305fN7XGI+vu9bbKU2SUBXV55YRF5qGmyURLZJr8/tMkRlB
Z5lL
-----END CERTIFICATE-----
syscon-2-active(config)#

The management interface will now use the self-signed certificate you just created. You can verify by connecting to the F5OS management interface via a browser and then examining the certificate.

_images/imagecert.png

To create a Certificate Signing Request (CSR) via the CLI use the system aaa tls create-csr command.

syscon-2-active(config)# system aaa tls create-csr name r10900-1.f5demo.net email jim@f5.com city Boston country US organization F5 region MA unit Sales version 1
response
-----BEGIN CERTIFICATE REQUEST-----
MIIBejCCAQECAQEwgYExHDAaBgNVBAMME3IxMDkwMC0xLmY1ZGVtby5uZXQxCzAJ
BgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMQswCQYDVQQK
DAJGNTEOMAwGA1UECwwFU2FsZXMxGTAXBgkqhkiG9w0BCQEWCmppbUBmNS5jb20w
djAQBgcqhkjOPQIBBgUrgQQAIgNiAARZs7Vj5RCTJQUbVe96+OwqaBmKqT7TL9Rs
N2sFWtO8c/ze2fpYxV7yHSFSPQhw40fjmbxHb8O0BHtYIWP0czPTgnHA6l6CD4Q2
qz0vvp8Q/wWtMrEo/lKbLBDKKe4FgvOgADAKBggqhkjOPQQDAgNnADBkAjAC3x6k
Rg3ncd7B2U/7Fcclilv/xgUqVS9eXdkTZSqXiCIz4Ff7pOWwpkqHRBx5iLICMF0C
tpSmmQVOSRYU98q8JJ0HClZ+8eTan2fotaKvYyzYMrge5cl0w6J7dnFZwLdmYA==
-----END CERTIFICATE REQUEST-----
syscon-2-active(config)#

CA bundles are configured by name under system aaa tls ca-bundles. The CLI completion below shows the argument the ca-bundle keyword expects.

syscon-2-active(config)# system aaa tls ca-bundles ca-bundle ?
Possible completions:
<Reference to configured name of the CA Bundle.>
syscon-2-active(config)#

Certificate Revocation Lists (CRLs) are configured by name under system aaa tls crls in the same way.

syscon-2-active(config)# system aaa tls crls crl ?
Possible completions:
<Reference to configured name of the CRL.>
syscon-2-active(config)# system aaa tls crls crl

The CLI command show system aaa tls displays the current certificate and the client-verification settings (verify-client and verify-client-depth). The private key and its passphrase are not part of the state output.

syscon-2-active# show system aaa tls
system aaa tls state certificate Certificate:
                                    Data:
                                        Version: 1 (0x0)
                                        Serial Number:
                                            b9:0d:2d:10:75:4a:53:2f
                                    Signature Algorithm: ecdsa-with-SHA256
                                        Issuer: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Validity
                                            Not Before: May  4 16:55:58 2023 GMT
                                            Not After : May  3 16:55:58 2024 GMT
                                        Subject: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Subject Public Key Info:
                                            Public Key Algorithm: id-ecPublicKey
                                                Public-Key: (384 bit)
                                                pub:
                                                    04:59:b3:b5:63:e5:10:93:25:05:1b:55:ef:7a:f8:
                                                    ec:2a:68:19:8a:a9:3e:d3:2f:d4:6c:37:6b:05:5a:
                                                    d3:bc:73:fc:de:d9:fa:58:c5:5e:f2:1d:21:52:3d:
                                                    08:70:e3:47:e3:99:bc:47:6f:c3:b4:04:7b:58:21:
                                                    63:f4:73:33:d3:82:71:c0:ea:5e:82:0f:84:36:ab:
                                                    3d:2f:be:9f:10:ff:05:ad:32:b1:28:fe:52:9b:2c:
                                                    10:ca:29:ee:05:82:f3
                                                ASN1 OID: secp384r1
                                                NIST CURVE: P-384
                                    Signature Algorithm: ecdsa-with-SHA256
                                        30:64:02:30:58:3a:be:8d:9e:e0:53:89:12:f2:10:b6:0b:f2:
                                        77:15:cb:eb:7d:55:31:01:70:4e:83:fc:89:f5:f5:e4:1a:4e:
                                        43:81:20:07:4a:0d:e3:72:3a:3e:7c:cb:54:67:b0:1a:02:30:
                                        1c:fe:7c:f1:a5:00:93:77:f2:02:af:82:fc:22:67:ea:35:e7:
                                        0e:9c:b8:90:13:f5:f8:98:f6:07:fe:f9:4b:66:99:32:e9:eb:
                                        92:3d:d2:a2:26:67:c9:01:f9:43:20:a6

system aaa tls state verify-client false
system aaa tls state verify-client-depth 1
syscon-2-active#

Managing Device Certificates, Keys, CSRs, and CAs via webUI

In the F5OS webUI you can manage device certificates for the management interface via the Authentication & Access -> TLS Configuration page. There are options to view the TLS certificates, keys, and details. You may also create self-signed certificates, create certificate signing requests (CSRs), and CA bundles.

_images/imagecert2.png

The screen below shows the options when creating a self-signed certificate.

_images/imagecert3.png

If you choose the Store TLS option of False then the certificate details will be displayed, and you will be given the option to copy them to the clipboard. If you want to store them on the system, then set the Store TLS option to True.

_images/imagecert4.png

You can then use the Show options to display the current certificate, key, and details. To install a certificate and key you already have, paste the PEM text into the respective text boxes; TLS Key Passphrase is required only if the TLS Key is in encrypted format.

_images/imagecert5.png _images/imagecert6.png

You can also create a Certificate Signing Request (CSR), which you submit to your Certificate Authority (CA) to obtain a CA-signed certificate in place of the self-signed one.

_images/imagecsr1.png

After clicking Save the CSR will appear, and you will be able to Copy to Clipboard so you can submit the signing request.

_images/imagecsr2.png

When you install a TLS certificate on the system, you also install a certificate authority (CA) bundle, a file that contains the root and intermediate certificates. Together, these two files complete the chain of trust.

_images/imageca1.png

Managing Device Certificates, Keys, CSRs, and CAs via API

You can view the current certificates, keys and passphrases via the API using the following API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa/f5-openconfig-aaa-tls:tls

In the response you will see the certificate in PEM form, the key and optional passphrase in their protected ($8$-prefixed) form rather than in cleartext, and the state, including the verify-client settings.

{
    "f5-openconfig-aaa-tls:tls": {
        "config": {
            "certificate": "-----BEGIN CERTIFICATE-----\nMIICEjCCAZcCCQDJefCyPp7SoTAKBggqhkjOPQQDAjByMQ0wCwYDVQQDDARqaW0y\nMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjELMAkG\nA1UECgwCRjUxDjAMBgNVBAsMBVNhbGVzMRkwFwYJKoZIhvcNAQkBFgpqaW1AZjUu\nY29tMB4XDTIzMDIyNDIxMzUzMVoXDTI0MDIyNDIxMzUzMVowcjENMAsGA1UEAwwE\namltMjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24x\nCzAJBgNVBAoMAkY1MQ4wDAYDVQQLDAVTYWxlczEZMBcGCSqGSIb3DQEJARYKamlt\nQGY1LmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD/xTNm0QYwn6+2aQRSyCK/a\nEvyvzWwrAHdyXCqdcqXTy8UI2vjDLtMHbxvgSzMBANMGEiKke4LkvYal62M2wXLC\nQOpm6gkC+bGeuphB7nP1sNSk7oAmwBqiEsbSxz0ThTAKBggqhkjOPQQDAgNpADBm\nAjEArYMcvgZJtxY2V6og9XO2WSpIAc0YP4plh0wCFxQyRwLbxscoSKxsmvziiEBx\nHDFFAjEAswbc62BC39emsiGqrRXpcB921h0tJVrQD1OrHBo8zuOabcTgHzhY0LPc\nlGoCR6jQ\n-----END CERTIFICATE-----",
            "key": "$8$LzRR+5tiwtRDLQI2NFQwJ3aVjXDZw8MAmMEvqO/uM9wPHjzq5AEKf8yWMQWIsmspS8GuYWhi\n4UwWBjRnhmuViENZLm5RXjA02Lr42vzHv05skcnnFfCiRL+L8goee8wI+tbI06x4iDnsYhD2\nAAUW1mV8Kb6zAIJ1/AeobAhgY/MvJdVrRpYAY6CWpRQQiCHJbnIsvw82HXqT8fEcKfNeAvLC\nPeLPXJltU89jGlylj899cWUN+CyxTDxko6mvvRaB2MeJSZ5jwnR8bhIubr/hlG1FPlGaOIbm\nP5BYZmhVmFliwQUzlVp+36AxtGG52amLZmudmW5xskOmnhEze5NcbFp8aIF6yUa7AyKE9Rc9\n0kv4W7gNmm2+0YXaMknj1ahTSYESf5sDxN5R6knz0pFf5fF7caun7gmS5Jfqs4OIwVtDjL7J\n2j4rT7hZuwnzIWbUKGu0N9620mWFpF6S9aI2keLzhwYcad1aPMEF6PabEtQPpZMZ9kJVDROe\n5bvf+8pBvNBCtLRCX7+MpKLeFYTzMQ==",
            "passphrase": "$8$4hyAzRD/Wy3WCyocZXv6K4XeM8qDmgfX0CIHtfJYZDY=",
            "verify-client": false,
            "verify-client-depth": 1
        },
        "state": {
            "certificate": "Certificate:\n    Data:\n        Version: 1 (0x0)\n        Serial Number:\n            c9:79:f0:b2:3e:9e:d2:a1\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: CN=jim2, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com\n        Validity\n            Not Before: Feb 24 21:35:31 2023 GMT\n            Not After : Feb 24 21:35:31 2024 GMT\n        Subject: CN=jim2, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (384 bit)\n                pub: \n                    04:3f:f1:4c:d9:b4:41:8c:27:eb:ed:9a:41:14:b2:\n                    08:af:da:12:fc:af:cd:6c:2b:00:77:72:5c:2a:9d:\n                    72:a5:d3:cb:c5:08:da:f8:c3:2e:d3:07:6f:1b:e0:\n                    4b:33:01:00:d3:06:12:22:a4:7b:82:e4:bd:86:a5:\n                    eb:63:36:c1:72:c2:40:ea:66:ea:09:02:f9:b1:9e:\n                    ba:98:41:ee:73:f5:b0:d4:a4:ee:80:26:c0:1a:a2:\n                    12:c6:d2:c7:3d:13:85\n                ASN1 OID: secp384r1\n                NIST CURVE: P-384\n    Signature Algorithm: ecdsa-with-SHA256\n         30:66:02:31:00:ad:83:1c:be:06:49:b7:16:36:57:aa:20:f5:\n         73:b6:59:2a:48:01:cd:18:3f:8a:65:87:4c:02:17:14:32:47:\n         02:db:c6:c7:28:48:ac:6c:9a:fc:e2:88:40:71:1c:31:45:02:\n         31:00:b3:06:dc:eb:60:42:df:d7:a6:b2:21:aa:ad:15:e9:70:\n         1f:76:d6:1d:2d:25:5a:d0:0f:53:ab:1c:1a:3c:ce:e3:9a:6d:\n         c4:e0:1f:38:58:d0:b3:dc:94:6a:02:47:a8:d0\n",
            "verify-client": false,
            "verify-client-depth": 1
        }
    }
}

To upload a certificate, key, and passphrase, issue the following API PUT command. The example body below reuses the values returned by the GET above; to install a new key, put the PEM-encoded key (optionally encrypted) in the key field and, if it is encrypted, its passphrase in the passphrase field.

PUT https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa/f5-openconfig-aaa-tls:tls

In the body of the API call enter the following JSON syntax.

{
    "f5-openconfig-aaa-tls:tls": {
        "config": {
            "certificate": "-----BEGIN CERTIFICATE-----\nMIICEjCCAZcCCQDJefCyPp7SoTAKBggqhkjOPQQDAjByMQ0wCwYDVQQDDARqaW0y\nMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjELMAkG\nA1UECgwCRjUxDjAMBgNVBAsMBVNhbGVzMRkwFwYJKoZIhvcNAQkBFgpqaW1AZjUu\nY29tMB4XDTIzMDIyNDIxMzUzMVoXDTI0MDIyNDIxMzUzMVowcjENMAsGA1UEAwwE\namltMjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24x\nCzAJBgNVBAoMAkY1MQ4wDAYDVQQLDAVTYWxlczEZMBcGCSqGSIb3DQEJARYKamlt\nQGY1LmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD/xTNm0QYwn6+2aQRSyCK/a\nEvyvzWwrAHdyXCqdcqXTy8UI2vjDLtMHbxvgSzMBANMGEiKke4LkvYal62M2wXLC\nQOpm6gkC+bGeuphB7nP1sNSk7oAmwBqiEsbSxz0ThTAKBggqhkjOPQQDAgNpADBm\nAjEArYMcvgZJtxY2V6og9XO2WSpIAc0YP4plh0wCFxQyRwLbxscoSKxsmvziiEBx\nHDFFAjEAswbc62BC39emsiGqrRXpcB921h0tJVrQD1OrHBo8zuOabcTgHzhY0LPc\nlGoCR6jQ\n-----END CERTIFICATE-----",
            "key": "$8$LzRR+5tiwtRDLQI2NFQwJ3aVjXDZw8MAmMEvqO/uM9wPHjzq5AEKf8yWMQWIsmspS8GuYWhi\n4UwWBjRnhmuViENZLm5RXjA02Lr42vzHv05skcnnFfCiRL+L8goee8wI+tbI06x4iDnsYhD2\nAAUW1mV8Kb6zAIJ1/AeobAhgY/MvJdVrRpYAY6CWpRQQiCHJbnIsvw82HXqT8fEcKfNeAvLC\nPeLPXJltU89jGlylj899cWUN+CyxTDxko6mvvRaB2MeJSZ5jwnR8bhIubr/hlG1FPlGaOIbm\nP5BYZmhVmFliwQUzlVp+36AxtGG52amLZmudmW5xskOmnhEze5NcbFp8aIF6yUa7AyKE9Rc9\n0kv4W7gNmm2+0YXaMknj1ahTSYESf5sDxN5R6knz0pFf5fF7caun7gmS5Jfqs4OIwVtDjL7J\n2j4rT7hZuwnzIWbUKGu0N9620mWFpF6S9aI2keLzhwYcad1aPMEF6PabEtQPpZMZ9kJVDROe\n5bvf+8pBvNBCtLRCX7+MpKLeFYTzMQ==",
            "passphrase": "$8$4hyAzRD/Wy3WCyocZXv6K4XeM8qDmgfX0CIHtfJYZDY=",
            "verify-client": false,
            "verify-client-depth": 1
        }
    }
}
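Before a certificate and key go through the PUT above, it is worth checking offline that the certificate parses, that the key really is encrypted (so that the passphrase field is meaningful), and recording the certificate's fingerprint so the value the browser shows afterwards can be compared against it. The following Python script, added here as an example and not code from the page or from F5, does that with the standard library only. The certificate and encrypted key are copied from the create-self-signed-cert CLI output earlier in this section; the cleartext-key stub is a constructed header-only placeholder, not a real key; and the rule that an unencrypted key is refused unless allow_cleartext_key is set is this example's policy, not F5OS behaviour.

```python
"""Pre-flight checks for an F5OS management TLS upload. Added example, not F5 code."""
import base64
import hashlib
import re

# RESTCONF path of the PUT on the page.
TLS_PATH = "/restconf/data/openconfig-system:system/aaa/f5-openconfig-aaa-tls:tls"

# Certificate and encrypted key copied from the page's CLI output.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICDzCCAZUCCQDsONxeyLMipDAKBggqhkjOPQQDAjBxMQwwCgYDVQQDDANqaW0x
CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMQswCQYD
VQQKDAJGNTEOMAwGA1UECwwFU2FsZXMxGTAXBgkqhkiG9w0BCQEWCmppbUBmNS5j
b20wHhcNMjMwNTA0MTY1NjUwWhcNMjQwNTAzMTY1NjUwWjBxMQwwCgYDVQQDDANq
aW0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMQsw
CQYDVQQKDAJGNTEOMAwGA1UECwwFU2FsZXMxGTAXBgkqhkiG9w0BCQEWCmppbUBm
NS5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQa1U/Nlxqj2+8WeXFH9sFtzKx9
i63GXFVPMAJ6B8YvPMPRJWBhMfKFf93LdB6en5t3AGkApRkzCxmNMunknmrLOJqL
apjsUQFznt2ksk0EO3c8+lxe80/dfiJs7e6jWygwCgYIKoZIzj0EAwIDaAAwZQIx
AK91V3pXXWc0grzWu8V9c1Ls8pUESMk/02cHbQ4KpHy9dIM7Urqv4eOz2/7KPHYL
PgIwMeuPVPB3kmata305fN7XGI+vu9bbKU2SUBXV55YRF5qGmyURLZJr8/tMkRlB
Z5lL
-----END CERTIFICATE-----"""

PAGE_KEY_PEM = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,6EE0AFCBE422562DD8653DA0EA60B3AA

TignlV9B8xZj1Pr9/NZrlwZkjhfa1Md1pksZZ5pCxUXkQBJjj/XN9bve6E9ZwZlw
/mh7Anv46XZikh6PHKIbdtQNTiTfVljpXSD2xn1nAlPjUlE8xg5H1FXEs4KTDjvN
NSDd3lupIH7xq37/3iMyKx2hWyZbMCaSPVMPyt4wBMZ2TucaOx0HEK1YOpjWyPV9
DPF2J5q3srSDd7RAti6hQ3R214y65TT4uPPxcZviz+s=
-----END EC PRIVATE KEY-----"""

# Constructed placeholder with the headers of an unencrypted key; not a real key.
CLEARTEXT_KEY_STUB = "-----BEGIN EC PRIVATE KEY-----\nMAA=\n-----END EC PRIVATE KEY-----"

_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """[(label, DER bytes)] for each PEM block. Header lines such as
    Proc-Type/DEK-Info (they contain a colon) are skipped before decoding."""
    blocks = []
    for label, body in _PEM.findall(text):
        b64 = "".join(line.strip() for line in body.splitlines()
                      if line.strip() and ":" not in line)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def cert_fingerprint(cert_pem):
    """SHA-256 fingerprint of the certificate DER, colon-separated as a
    browser's certificate viewer shows it; compare it after the upload."""
    certs = [der for label, der in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    der = certs[0]
    if der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("certificate is not DER-encoded X.509")
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def key_is_encrypted(key_pem):
    """True for a passphrase-protected key: an OpenSSL traditional key with a
    'Proc-Type: 4,ENCRYPTED' header, or a PKCS#8 ENCRYPTED PRIVATE KEY block."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_pem:
        return True
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", key_pem, re.M) is not None


def tls_put_body(cert_pem, key_pem, passphrase=None, verify_client=False,
                 verify_client_depth=1, allow_cleartext_key=False):
    """Body for the PUT on the page, built only if the inputs are consistent:
    the certificate parses, an encrypted key comes with its passphrase, and a
    cleartext key is refused unless explicitly allowed (example policy)."""
    cert_fingerprint(cert_pem)  # raises if the certificate does not parse
    encrypted = key_is_encrypted(key_pem)
    if encrypted and not passphrase:
        raise ValueError("encrypted key requires a passphrase")
    if not encrypted and passphrase:
        raise ValueError("passphrase supplied but the key is not encrypted")
    if not encrypted and not allow_cleartext_key:
        raise ValueError("refusing unencrypted private key; encrypt it first")
    config = {"certificate": cert_pem.strip(), "key": key_pem.strip(),
              "verify-client": verify_client,
              "verify-client-depth": verify_client_depth}
    if passphrase:
        config["passphrase"] = passphrase
    return {"f5-openconfig-aaa-tls:tls": {"config": config}}


if __name__ == "__main__":
    print("certificate SHA-256:", cert_fingerprint(PAGE_CERT_PEM))
    body = tls_put_body(PAGE_CERT_PEM, PAGE_KEY_PEM, passphrase="example-passphrase")
    print("PUT", TLS_PATH, "with", sorted(body["f5-openconfig-aaa-tls:tls"]["config"]))
```

The fingerprint printed here is the value to compare with the browser's certificate viewer once the PUT has gone through; a mismatch means the management interface is still presenting the previous certificate or something in between is terminating TLS.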

Encrypt Management TLS Private Key

Previously, F5OS allowed an admin to import a TLS certificate and key in clear text. In F5OS-C 1.6.0 an admin can now optionally enter a passphrase with the encrypted private key. This is like the BIG-IP functionality defined in the link below.

K14912: Adding and removing encryption from private SSL keys (11.x - 16.x)

Appliance Mode for F5OS

To prevent root/bash-level access to the F5OS layer, enable Appliance Mode, which operates much like TMOS appliance mode. Both the F5OS-C system controller and chassis partition layers have a setting to enable it. Enabling Appliance Mode disables the root account and access to the underlying bash shell; the admin account on the F5OS CLI remains available. This is the more secure setting, since many vulnerabilities are mitigated by denying bash shell access. Heavily audited environments may mandate it, but it prevents low-level debugging directly in the bash shell; it can be disabled temporarily for advanced troubleshooting and re-enabled when finished.

Enabling Appliance Mode via the CLI

Appliance mode can be enabled or disabled via the CLI using the command system appliance-mode config and entering either enabled or disabled. The command show system appliance-mode will display the current status. Be sure to commit any changes.

syscon-2-active(config)# system appliance-mode config enabled
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

To display the current status.

syscon-2-active# show system appliance-mode
system appliance-mode state enabled
syscon-2-active#

If you then try to login as root, you will get a permission denied error. You can still login as admin to gain access to the F5OS CLI.

To disable appliance mode.

syscon-2-active(config)# system appliance-mode config disabled
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

Enabling Appliance Mode via the webUI

Appliance mode can be enabled or disabled via the webUI under the System Settings -> General page in both the system controller webUI and the chassis partition webUI.

_images/image422.png

Enabling Appliance Mode via the API

Appliance mode can be enabled or disabled via the API. To view the current status of appliance mode, use the following API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-security-appliance-mode:appliance-mode

You will see output like the response below showing the config and state of appliance mode for F5OS.

{
    "f5-security-appliance-mode:appliance-mode": {
        "config": {
            "enabled": false
        },
        "state": {
            "enabled": false
        }
    }
}

To change the mode from disabled to enabled, use the following API call.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-security-appliance-mode:appliance-mode/f5-security-appliance-mode:config

In the body of the API call add the following:

{
    "f5-security-appliance-mode:config": {
        "f5-security-appliance-mode:enabled": "true"
    }
}

Session Timeouts and Token Lifetime

Idle timeouts were configurable in previous releases, but the configuration only applied to the current session and was not persistent. F5OS-A 1.3.0 added the ability to configure persistent idle timeouts for F5OS for both the CLI and webUI. The F5OS CLI timeout is configured under system settings and is controlled via the idle-timeout option. This will logout idle sessions to the F5OS CLI whether they are logged in from the console or over SSH.

In F5OS-A 1.4.0, a new sshd-idle-timeout option has been added that will control idle-timeouts for both root sessions to the bash shell over SSH, as well as F5OS CLI sessions over SSH. When the idle-timeout and sshd-idle-timeout are both configured, the shorter interval should take precedence. As an example, if the idle-timeout is configured for three minutes, but the sshd-idle-timeout is set to 2 minutes, then an idle connection that is connected over SSH will disconnect in two minutes, which is the shorter of the two configured options. An idle connection to the F5OS CLI over the console will disconnect in three minutes, because the sshd-idle-timeout doesn’t apply to console sessions.

There is one case that is not covered by either of the above idle-timeout settings. When connecting over the console to the bash shell as root, neither of these settings will disconnect an idle session. Only console connections to the F5OS CLI are covered via the idle-timeout setting. An enhancement has been filed, and in the future this case will be addressed. If this is a concern, then appliance mode could be enabled preventing root/bash access to the system.

For the webUI, a token-based timeout is now configurable under the system aaa settings. A restconf-token config lifetime option has been added. Once a client to the webUI has a token, they are allowed to refresh it up to five times. If the token lifetime is set to 1 minute, then a timeout won’t occur until five times that value, or five minutes later. This is because the token refresh has to fail five times before disconnecting the client.

Configuring SSH and CLI Timeouts via CLI

To configure the F5OS CLI timeout via the CLI, use the command system settings config idle-timeout <value-in-seconds>. Be sure to issue a commit to save the changes. In the case below, a CLI session to the F5OS CLI should disconnect after 300 seconds of inactivity. This will apply to connections to the F5OS CLI over both console and SSH.

syscon-2-active(config)# system settings config idle-timeout 300
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

To configure the SSH timeout via the CLI, use the command system settings config sshd-idle-timeout <value-in-seconds>. This idle-timeout will apply to both bash sessions over SSH, as well as F5OS CLI sessions over SSH. Be sure to issue a commit to save the changes. In the case below, the CLI session should disconnect after 300 seconds of inactivity.

syscon-2-active(config)# system settings config sshd-idle-timeout 300
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

Both timeout settings can be viewed using the show system settings command.

syscon-2-active# show system settings
system settings state idle-timeout 300
system settings state sshd-idle-timeout 300
system settings gui advisory state disabled
system settings gui advisory state text ""
syscon-2-active#

Configuring SSH and CLI Timeouts via API

To configure the CLI or SSH timeouts via the API, use the PATCH API call below. In the case below, the CLI session should disconnect after 300 seconds of inactivity.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-system-settings:settings

Below is the payload in the API call above to set the idle-timeout.

{
    "f5-system-settings:settings": {
        "f5-system-settings:config": {
            "f5-system-settings:idle-timeout": 300
        }
    }
}

To view the current idle-timeout settings, issue the following GET API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-system-settings:settings/config

You’ll see output similar to the example below.

{
    "f5-system-settings:config": {
        "idle-timeout": "40",
        "sshd-idle-timeout": "20"
    }
}

Configuring SSH and CLI Timeouts via webUI

Currently only the HTTPS token lifetime is configurable in the webUI. SSH and CLI timeouts are not currently configurable via the webUI and must be set via CLI or API. To set the Token Lifetime go to the Authentication & Access -> Authentication Settings page in either the system controller or the chassis partition webUI.

_images/imagetoken1.png

Token Lifetime via CLI

As mentioned in the introduction, the webUI and API use token-based authentication, and the timeout is based on five token refreshes failing, so the effective timeout is essentially five times the configured token lifetime. Use the command system aaa restconf-token config lifetime <value-in-minutes> to set the token lifetime via the CLI. The value is in minutes, and the client can refresh the token five times before it expires. As an example, if the restconf-token lifetime is set to 1 minute, an inactive webUI session will have its token expire after one minute, but it can be refreshed a maximum of five times, so a webUI or API session will time out after 5 minutes.

syscon-2-active(config)# system aaa restconf-token config lifetime 1
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

To display the current restconf-token lifetime setting, use the command show system aaa.

syscon-2-active# show system aaa
system aaa restconf-token state lifetime 1
system aaa primary-key state hash sj2GslitH9XYbmW/cpY0TJhMWkU+CpvAU9vqoiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA==
system aaa primary-key state status NONE
system aaa authentication f5-aaa-token:state basic enabled
system aaa authentication f5-aaa-clientcert:state cert-auth disabled
system aaa authentication ocsp state override-responder off
system aaa authentication ocsp state response-max-age -1
system aaa authentication ocsp state response-time-skew 300
system aaa authentication ocsp state nonce-request on
system aaa authentication ocsp state disabled
        AUTHORIZED  LAST    TALLY  EXPIRY
USERNAME  KEYS        CHANGE  COUNT  DATE    ROLE
----------------------------------------------------
admin     -           19384   0      -1      admin
root      -           19384   0      -1      root

                    REMOTE
ROLENAME        GID   GID     USERS
-------------------------------------
admin           9000  -       -
operator        9001  -       -
partition_1     9101  -       -
partition_2     9102  -       -
partition_3     9103  -       -
partition_4     9104  -       -
partition_5     9105  -       -
partition_6     9106  -       -
partition_7     9107  -       -
partition_8     9108  -       -
resource-admin  9003  -       -
ts_admin        9100  -       -
user            9002  -       -

system aaa tls state certificate Certificate:
                                    Data:
                                        Version: 1 (0x0)
                                        Serial Number:
                                            b9:0d:2d:10:75:4a:53:2f
                                    Signature Algorithm: ecdsa-with-SHA256
                                        Issuer: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Validity
                                            Not Before: May  4 16:55:58 2023 GMT
                                            Not After : May  3 16:55:58 2024 GMT
                                        Subject: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Subject Public Key Info:
                                            Public Key Algorithm: id-ecPublicKey
                                                Public-Key: (384 bit)
                                                pub:
                                                    04:59:b3:b5:63:e5:10:93:25:05:1b:55:ef:7a:f8:
                                                    ec:2a:68:19:8a:a9:3e:d3:2f:d4:6c:37:6b:05:5a:
                                                    d3:bc:73:fc:de:d9:fa:58:c5:5e:f2:1d:21:52:3d:
                                                    08:70:e3:47:e3:99:bc:47:6f:c3:b4:04:7b:58:21:
                                                    63:f4:73:33:d3:82:71:c0:ea:5e:82:0f:84:36:ab:
                                                    3d:2f:be:9f:10:ff:05:ad:32:b1:28:fe:52:9b:2c:
                                                    10:ca:29:ee:05:82:f3
                                                ASN1 OID: secp384r1
                                                NIST CURVE: P-384
                                    Signature Algorithm: ecdsa-with-SHA256
                                        30:64:02:30:58:3a:be:8d:9e:e0:53:89:12:f2:10:b6:0b:f2:
                                        77:15:cb:eb:7d:55:31:01:70:4e:83:fc:89:f5:f5:e4:1a:4e:
                                        43:81:20:07:4a:0d:e3:72:3a:3e:7c:cb:54:67:b0:1a:02:30:
                                        1c:fe:7c:f1:a5:00:93:77:f2:02:af:82:fc:22:67:ea:35:e7:
                                        0e:9c:b8:90:13:f5:f8:98:f6:07:fe:f9:4b:66:99:32:e9:eb:
                                        92:3d:d2:a2:26:67:c9:01:f9:43:20:a6

system aaa tls state verify-client false
system aaa tls state verify-client-depth 1
syscon-2-active#
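To see how the three settings combine, here is an added Python example (not F5 code or output) that parses the relevant lines of the show output above into a table of effective idle timeouts per session type, using the precedence rules from the idle-timeout discussion (the shorter of idle-timeout and sshd-idle-timeout wins for CLI over SSH; root bash over the console is covered by neither) and the five-refresh rule for tokens. The show lines are copied from the output above; the 600-second threshold is an assumed local policy and the session labels are chosen for this example.

```python
import re

# Constructed from the `show system settings` and `show system aaa` output
# shown above; only the lines this audit needs are reproduced here.
SHOW_OUTPUT = """\
system settings state idle-timeout 300
system settings state sshd-idle-timeout 300
system aaa restconf-token state lifetime 1
"""

TOKEN_REFRESH_LIMIT = 5  # a client may refresh its restconf token five times


def parse_timeouts(show_output: str) -> dict:
    """Pull the three timeout values out of F5OS `show` output.

    Returns ints keyed by 'idle-timeout', 'sshd-idle-timeout' (seconds) and
    'token-lifetime' (minutes); a key is absent if its line was not found.
    """
    patterns = {
        "idle-timeout": r"^system settings state idle-timeout (\d+)$",
        "sshd-idle-timeout": r"^system settings state sshd-idle-timeout (\d+)$",
        "token-lifetime": r"^system aaa restconf-token state lifetime (\d+)$",
    }
    found = {}
    for key, pat in patterns.items():
        m = re.search(pat, show_output, re.MULTILINE)
        if m:
            found[key] = int(m.group(1))
    return found


def effective_idle_timeouts(settings: dict) -> dict:
    """Map each session type to the idle timeout (seconds) that ends it.

    idle-timeout covers F5OS CLI sessions on console and SSH; sshd-idle-timeout
    covers any SSH session (CLI or bash); when both apply the shorter wins.
    Root bash over the console is covered by neither, so it is reported as
    None. The webUI/API figure is token lifetime (minutes) times the refresh
    limit, converted to seconds.
    """
    idle = settings.get("idle-timeout")
    sshd = settings.get("sshd-idle-timeout")
    lifetime_min = settings.get("token-lifetime")

    def shorter(*values):
        present = [v for v in values if v is not None]
        return min(present) if present else None

    return {
        "cli-over-console": idle,
        "cli-over-ssh": shorter(idle, sshd),
        "bash-over-ssh": sshd,
        "bash-over-console": None,  # not covered by either setting
        "webui-api-token": (lifetime_min * 60 * TOKEN_REFRESH_LIMIT
                            if lifetime_min is not None else None),
    }


def audit(show_output: str, max_idle_seconds: int = 600) -> list:
    """Return findings for sessions that never time out or that outlive
    max_idle_seconds (the threshold is an assumed local policy)."""
    findings = []
    timeouts = effective_idle_timeouts(parse_timeouts(show_output))
    for session, seconds in timeouts.items():
        if seconds is None:
            findings.append(f"{session}: no idle timeout applies")
        elif seconds > max_idle_seconds:
            findings.append(f"{session}: {seconds}s exceeds {max_idle_seconds}s")
    return findings


if __name__ == "__main__":
    for line in audit(SHOW_OUTPUT):
        print(line)
```

With the values shown above, the only finding is the root bash-over-console session, which is the gap the text describes; enabling appliance mode closes it by removing root/bash access.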

Token Lifetime via webUI

You may configure the restconf-token lifetime via the webUI (new feature added in F5OS-A 1.6.0). The value is in minutes, and the client can refresh the token five times before it expires. As an example, if the token lifetime is set to 1 minute, an inactive webUI session will have a token expire after one minute, but it can be refreshed a maximum of five times. This will result in the webUI session timing out after 5 minutes.

_images/image613.png

Token Lifetime via API

You may configure the restconf-token lifetime via the API. The value is in minutes, and the client can refresh the token five times before it expires. As an example, if the token lifetime is set to 1 minute, an inactive webUI session or API session will have a token expire after one minute, but it can be refreshed a maximum of five times. This will result in the webUI session timing out after 5 minutes.

Use the following API PATCH call to set the restconf-token lifetime, or any other password policy parameter.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa

In the body of the API call, adjust the restconf-token lifetime setting to the desired timeout in minutes. The example below uses 10 minutes, and the session will time out at five times the value of the lifetime setting due to token refresh.

{
    "openconfig-system:aaa": {
        "authentication": {
            "config": {
                "f5-aaa-confd-restconf-token:basic": {
                    "enabled": true
                }
            }
        },
        "f5-aaa-confd-restconf-token:restconf-token": {
            "config": {
                "lifetime": 10
            }
        },
        "f5-openconfig-aaa-password-policy:password-policy": {
            "config": {
                "min-length": 6,
                "required-numeric": 0,
                "required-uppercase": 0,
                "required-lowercase": 0,
                "required-special": 0,
                "required-differences": 8,
                "reject-username": false,
                "apply-to-root": true,
                "retries": 3,
                "max-login-failures": 10,
                "unlock-time": 60,
                "root-lockout": true,
                "root-unlock-time": 60,
                "max-age": 0
            }
        }
    }
}

Disabling Basic Authentication

F5OS utilizes basic authentication (username/password) as well as token-based authentication for both the API and the webUI. Generally, username/password is issued by the client to obtain a token from F5OS, which is then used to make further inquiries or changes. Tokens have a relatively short lifetime for security reasons, and the user is allowed to refresh that token a certain number of times before they are forced to re-authenticate using basic authentication again. Although token-based authentication is supported, basic authentication can still be utilized to access F5OS and make changes by default. A new option was added in F5OS-A 1.3.0 to allow basic authentication to be disabled, except for the means of obtaining a token. Once a token is issued to a client, it will be the only way to make changes via the webUI or the API.

Disabling Basic Auth via the CLI

The default setting for basic auth is enabled, and the current state can be seen by entering the show system aaa command. The line system aaa authentication f5-aaa-token:state basic enabled in the output indicates that basic authentication is still enabled.

syscon-2-active# show system aaa
system aaa restconf-token state lifetime 1
system aaa primary-key state hash sj2GslitH9XYbmW/cpY0TJhMWkU+CpvAU9vqoiL4aZcfE6qnSUDU3PWx+lCZO5KrqVzlWu/3mRugCNniNyQhSA==
system aaa primary-key state status NONE
system aaa authentication f5-aaa-token:state basic enabled
system aaa authentication f5-aaa-clientcert:state cert-auth disabled
system aaa authentication ocsp state override-responder off
system aaa authentication ocsp state response-max-age -1
system aaa authentication ocsp state response-time-skew 300
system aaa authentication ocsp state nonce-request on
system aaa authentication ocsp state disabled
        AUTHORIZED  LAST    TALLY  EXPIRY
USERNAME  KEYS        CHANGE  COUNT  DATE    ROLE
----------------------------------------------------
admin     -           19384   0      -1      admin
root      -           19384   0      -1      root

                    REMOTE
ROLENAME        GID   GID     USERS
-------------------------------------
admin           9000  -       -
operator        9001  -       -
partition_1     9101  -       -
partition_2     9102  -       -
partition_3     9103  -       -
partition_4     9104  -       -
partition_5     9105  -       -
partition_6     9106  -       -
partition_7     9107  -       -
partition_8     9108  -       -
resource-admin  9003  -       -
ts_admin        9100  -       -
user            9002  -       -

system aaa tls state certificate Certificate:
                                    Data:
                                        Version: 1 (0x0)
                                        Serial Number:
                                            b9:0d:2d:10:75:4a:53:2f
                                    Signature Algorithm: ecdsa-with-SHA256
                                        Issuer: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Validity
                                            Not Before: May  4 16:55:58 2023 GMT
                                            Not After : May  3 16:55:58 2024 GMT
                                        Subject: CN=jim, C=US, ST=MA, L=Boston, O=F5, OU=Sales/emailAddress=jim@f5.com
                                        Subject Public Key Info:
                                            Public Key Algorithm: id-ecPublicKey
                                                Public-Key: (384 bit)
                                                pub:
                                                    04:59:b3:b5:63:e5:10:93:25:05:1b:55:ef:7a:f8:
                                                    ec:2a:68:19:8a:a9:3e:d3:2f:d4:6c:37:6b:05:5a:
                                                    d3:bc:73:fc:de:d9:fa:58:c5:5e:f2:1d:21:52:3d:
                                                    08:70:e3:47:e3:99:bc:47:6f:c3:b4:04:7b:58:21:
                                                    63:f4:73:33:d3:82:71:c0:ea:5e:82:0f:84:36:ab:
                                                    3d:2f:be:9f:10:ff:05:ad:32:b1:28:fe:52:9b:2c:
                                                    10:ca:29:ee:05:82:f3
                                                ASN1 OID: secp384r1
                                                NIST CURVE: P-384
                                    Signature Algorithm: ecdsa-with-SHA256
                                        30:64:02:30:58:3a:be:8d:9e:e0:53:89:12:f2:10:b6:0b:f2:
                                        77:15:cb:eb:7d:55:31:01:70:4e:83:fc:89:f5:f5:e4:1a:4e:
                                        43:81:20:07:4a:0d:e3:72:3a:3e:7c:cb:54:67:b0:1a:02:30:
                                        1c:fe:7c:f1:a5:00:93:77:f2:02:af:82:fc:22:67:ea:35:e7:
                                        0e:9c:b8:90:13:f5:f8:98:f6:07:fe:f9:4b:66:99:32:e9:eb:
                                        92:3d:d2:a2:26:67:c9:01:f9:43:20:a6

system aaa tls state verify-client false
system aaa tls state verify-client-depth 1
syscon-2-active#

You may disable basic authentication by issuing the CLI command system aaa authentication config basic disabled, and then committing the change.

r10900(config)# system aaa authentication config basic disabled
r10900(config)# commit
Commit complete.
r10900(config)#

To re-enable basic authentication, change the state to enabled and commit.

r10900(config)# system aaa authentication config basic enabled
r10900(config)# commit
Commit complete.
r10900(config)#

Disabling Basic Auth via the API

You may enable or disable basic authentication via the API. The default setting for basic authentication is enabled, and the current state can be seen by entering the following API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa/authentication/config

You should see the returned output below with the basic authentication state set to either true or false.

{
    "openconfig-system:config": {
        "f5-aaa-confd-restconf-token:basic": {
            "enabled": true
        }
    }
}

Use the following API PATCH call to set the restconf-token:basic setting to true or false, or to adjust any other password policy parameter.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa

In the body of the API call adjust the restconf-token:basic setting to true or false.

{
    "openconfig-system:aaa": {
        "authentication": {
            "config": {
                "f5-aaa-confd-restconf-token:basic": {
                    "enabled": true
                }
            }
        },
        "f5-aaa-confd-restconf-token:restconf-token": {
            "config": {
                "lifetime": 10
            }
        },
        "f5-openconfig-aaa-password-policy:password-policy": {
            "config": {
                "min-length": 6,
                "required-numeric": 0,
                "required-uppercase": 0,
                "required-lowercase": 0,
                "required-special": 0,
                "required-differences": 8,
                "reject-username": false,
                "apply-to-root": true,
                "retries": 3,
                "max-login-failures": 10,
                "unlock-time": 60,
                "root-lockout": true,
                "root-unlock-time": 60,
                "max-age": 0
            }
        }
    }
}

Disabling Basic Auth via the webUI

Disabling basic authentication via the webUI is a new feature that has been added in F5OS-A 1.4.0. In the webUI go to User Management -> Authentication Settings and you’ll see a drop-down box to enable or disable Basic Authentication.

_images/image513.png

Confirming Basic Auth is Disallowed

With basic authentication enabled (the default setting), you can make any API call using username/password (basic auth) authentication. Using the Postman utility, this can be demonstrated on any configuration change by setting the Auth Type to Basic Auth and configuring a username and password as seen below.

_images/imagebasicauth.png

While basic auth is enabled, any API call using username/password will complete successfully. After disabling basic auth, any attempt to access an API endpoint other than the root URI using basic auth will fail with a message similar to the one below indicating access denied.

{
    "ietf-restconf:errors": {
        "error": [
            {
                "error-type": "application",
                "error-tag": "access-denied",
                "error-path": "/openconfig-system:system/aaa",
                "error-message": "access denied"
            }
        ]
    }
}

When basic authentication is enabled, a client will be allowed to obtain an auth token using username/password at any URI. The client can then choose to use the auth token for subsequent requests, or they can continue to use basic auth (username/password) authentication. As an example, the curl command below uses basic auth successfully to the URI endpoint restconf/data/openconfig-system:system/config. In the response you can see the X-Auth-Token header, which contains the auth token that can then be used by the client for subsequent requests:

user1$ curl -i -sku admin:admin -H "Content-Type: application/yang-data+json"  https://10.255.0.132:8888/restconf/data/openconfig-system:system/config
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2023 13:04:38 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2zc-fips-dev
Last-Modified: Thu, 16 Mar 2023 12:50:11 GMT
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Etag: "1678-971011-823929"
Content-Type: application/yang-data+json
Pragma: no-cache
X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNjc4OTcxODc4IiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC90bXAiLCJidWZmZXJ0aW1lbGltaXQiOiI0MDAiLCJleHAiOjE2Nzg5NzMwNzgsImlhdCI6MTY3ODk3MTg3OCwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuNDkifQ.RDMaZfL-g60SqUiGXkNkpIGYh2eualim5wTqbr_XSNc
Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

{
"openconfig-system:config": {
    "hostname": "r10900-1.f5demo.net",
    "login-banner": "This is the Global Solution Architect's VELOS r10900 unit-1 in the Boston Lab. Unauthorized use is prohibited. Please reach out to admin with any questions.",
    "motd-banner": "Welcome to the GSA r10900 Unit 1 in Boston"
}
}

Here is an example of the client issuing the same request with the auth token it received above to the same endpoint. Instead of specifying a user with the -u option, insert the header X-Auth-Token and add the token from the initial response above.

user1$ curl -i -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNjc4OTcxODc4IiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC90bXAiLCJidWZmZXJ0aW1lbGltaXQiOiI0MDAiLCJleHAiOjE2Nzg5NzMwNzgsImlhdCI6MTY3ODk3MTg3OCwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuNDkifQ.RDMaZfL-g60SqUiGXkNkpIGYh2eualim5wTqbr_XSNc" https://10.255.0.132:8888/restconf/data/openconfig-system:system/config
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2023 13:04:53 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2zc-fips-dev
Last-Modified: Thu, 16 Mar 2023 12:50:11 GMT
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Etag: "1678-971011-823929"
Content-Type: application/yang-data+json
Pragma: no-cache
Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

{
"openconfig-system:config": {
    "hostname": "r10900-1.f5demo.net",
    "login-banner": "This is the Global Solution Architect's VELOS r10900 unit-1 in the Boston Lab. Unauthorized use is prohibited. Please reach out to admin with any questions.",
    "motd-banner": "Welcome to the GSA r10900 Unit 1 in Boston"
}
}
user1$
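The X-Auth-Token value above is a JWT, and its claims can be read by anyone who holds the token. The following added Python example (not F5 code) decodes the token from the first curl response without verifying the signature (only F5OS holds the HS256 key named in the header, so decoding proves nothing about authenticity) and summarizes the claims an operator cares about. Reading authinfo as "user uid gid homedir" is an assumption drawn from the value itself and from the F5-F5OS-* attributes described later on this page.

```python
import base64
import json
from datetime import datetime, timezone

# The X-Auth-Token value returned in the first curl response above.
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNjc4OTcxODc4IiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC90bXAiLCJidWZmZXJ0aW1lbGltaXQiOiI0MDAiLCJleHAiOjE2Nzg5NzMwNzgsImlhdCI6MTY3ODk3MTg3OCwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuNDkifQ.RDMaZfL-g60SqUiGXkNkpIGYh2eualim5wTqbr_XSNc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_token(token: str) -> dict:
    """Return the header and claims of an F5OS auth token.

    Decoding only: the signature is not checked here, so this tells you what
    the token says, not whether F5OS would accept it.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "claims": json.loads(_b64url_decode(payload_b64)),
    }


def summarize(token: str) -> dict:
    """Derive the session facts an operator cares about from the claims."""
    claims = decode_token(token)["claims"]
    # Assumed field order: user, uid, gid, home directory.
    user, uid, gid, home = claims["authinfo"].split()
    return {
        "user": user,
        "uid": int(uid),
        "gid": int(gid),  # 9000 is the admin role group ID on F5OS
        "home": home,
        "client_ip": claims["userinfo"].split()[1],
        "issued_at": datetime.fromtimestamp(claims["iat"], tz=timezone.utc).isoformat(),
        "expires_at": datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat(),
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "refresh_limit": int(claims["renewlimit"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(PAGE_TOKEN), indent=2))
```

The decoded iat matches the Date header of the response that issued it (13:04:38 GMT), and renewlimit "5" is the five-refresh rule described earlier. Because the token is a bearer credential that also carries the role group ID and the client address, it deserves the same handling as a password: keep it out of shell history, logs and ticket attachments.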

If the same exercise is repeated after basic auth is disabled, the user will not be able to run the initial request using basic auth (username/password). It will fail against any non-root URI, as seen below, and the response will contain an access-denied error.

user1$ curl -i -sku admin:admin -H "Content-Type: application/yang-data+json"  https://10.255.0.132:8888/restconf/data/openconfig-system:system/config
HTTP/1.1 403 Forbidden
Date: Thu, 16 Mar 2023 13:09:09 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2zc-fips-dev
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Content-Length: 189
Content-Type: application/yang-data+json
Pragma: no-cache
Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

{
"ietf-restconf:errors": {
    "error": [
    {
        "error-type": "application",
        "error-tag": "access-denied",
        "error-message": "access denied"
    }
    ]
}
}
user1$

By changing the URI to the top-level API endpoint (:8888/restconf/data or :443/api/data), the client can still obtain a token using basic authentication, but that token will be required for any other API endpoint.

user1$ curl -i -sku admin:admin -H "Content-Type: application/yang-data+json"  https://10.255.0.132:8888/restconf/data/
HTTP/1.1 200 OK
Date: Thu, 16 Mar 2023 13:10:00 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2zc-fips-dev
Last-Modified: Thu, 16 Mar 2023 13:09:04 GMT
Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
Etag: "1678-972144-404510"
Content-Type: application/yang-data+json
Pragma: no-cache
X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNjc4OTcyMjAwIiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC90bXAiLCJidWZmZXJ0aW1lbGltaXQiOiI0MDAiLCJleHAiOjE2Nzg5NzM0MDAsImlhdCI6MTY3ODk3MjIwMCwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuNDkifQ.dyhK90B_rkpQFkZGf1t-c6y2Vm1PbJUyO8IcVAjIefc
Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Transfer-Encoding: chunked

{
"ietf-restconf:data": {
    "openconfig-system:system": {
    "aaa": {
        "authentication": {
        "f5-system-aaa:users": {
            "user": [
            {
                "state": {
                "username": "admin",
                "last-change": "2023-01-23",
                "tally-count": 0,
                "expiry-date": "-1",
                "role": "admin"
                }
            }
            ]
        }
        }
    }
    }
}
}
user1$
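Automation that runs against devices where basic auth may be disabled should bootstrap its token at the root URI and then send X-Auth-Token, which is what the curl exchanges above do by hand. The following added Python example (not F5 code) implements that client against an in-memory stand-in for the RESTCONF service that models only the rule described in this section: username/password is honoured at the root URI (where a token is issued) and rejected with 403 elsewhere once basic auth is disabled, while a valid token is accepted anywhere. FakeF5OS, F5OSClient, the constructed token strings and the admin/admin lab credentials are assumptions for the example; the 403 body copies the error shape shown above.

```python
import base64

ROOT_URI = "/restconf/data/"
# Error body shape copied from the 403 response shown above.
ACCESS_DENIED = {"ietf-restconf:errors": {"error": [
    {"error-type": "application", "error-tag": "access-denied",
     "error-message": "access denied"}]}}


def error_tag(body: dict):
    """Extract the RESTCONF error-tag from an error body, or None."""
    errors = body.get("ietf-restconf:errors", {}).get("error", [])
    return errors[0]["error-tag"] if errors else None


class FakeF5OS:
    """Constructed stand-in for the F5OS RESTCONF service (not F5 code)."""

    def __init__(self, basic_auth_enabled: bool):
        self.basic_auth_enabled = basic_auth_enabled
        self.issued_tokens = set()
        self.credentials = {"admin": "admin"}  # constructed lab credentials
        self._counter = 0

    def _basic_ok(self, headers: dict) -> bool:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        return self.credentials.get(user) == password

    def request(self, method: str, path: str, headers: dict):
        """Return (status, response headers, body) for one request."""
        if headers.get("X-Auth-Token") in self.issued_tokens:
            return 200, {}, {"openconfig-system:config": {"hostname": "velos-lab"}}
        # Basic auth is accepted everywhere while enabled, only at the root URI once disabled.
        if self._basic_ok(headers) and (self.basic_auth_enabled or path == ROOT_URI):
            self._counter += 1
            token = f"constructed-token-{self._counter}"
            self.issued_tokens.add(token)
            return 200, {"X-Auth-Token": token}, {"ietf-restconf:data": {}}
        return 403, {}, ACCESS_DENIED


class F5OSClient:
    """Client that always bootstraps its token at the root URI, so it works
    whether or not basic auth has been disabled on the device."""

    def __init__(self, transport, username: str, password: str):
        self.transport = transport  # callable(method, path, headers)
        creds = f"{username}:{password}".encode()
        self._basic = "Basic " + base64.b64encode(creds).decode()
        self.token = None

    def login(self) -> str:
        status, headers, _ = self.transport("GET", ROOT_URI, {"Authorization": self._basic})
        if status != 200 or "X-Auth-Token" not in headers:
            raise PermissionError("token bootstrap at the root URI failed")
        self.token = headers["X-Auth-Token"]
        return self.token

    def get(self, path: str):
        if self.token is None:
            self.login()
        return self.transport("GET", path, {"X-Auth-Token": self.token})


def demo(basic_auth_enabled: bool) -> dict:
    """Compare a direct basic-auth call to a non-root endpoint with the
    token-bootstrapping client, as the curl examples above do."""
    device = FakeF5OS(basic_auth_enabled)
    endpoint = "/restconf/data/openconfig-system:system/config"
    basic_header = {"Authorization": "Basic " + base64.b64encode(b"admin:admin").decode()}
    direct_status, _, direct_body = device.request("GET", endpoint, basic_header)
    client = F5OSClient(device.request, "admin", "admin")
    token_status, _, _ = client.get(endpoint)
    return {"direct_basic": direct_status, "direct_error": error_tag(direct_body),
            "via_token": token_status}


if __name__ == "__main__":
    print(demo(basic_auth_enabled=True))
    print(demo(basic_auth_enabled=False))
```

Against a real chassis the transport would be an HTTPS call to the {{velos_chassis1_system_controller_ip}}:8888 base URL used elsewhere on this page; the client logic stays the same.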

Setting Password Policies

You may configure the local password policy to ensure secure passwords are used, re-use is minimized, and the number of failures/retries is limited. Below are some of the settings that can be set.

  • Minimum Password Length - For Minimum Length, specify the minimum number of characters (6 to 255) required for a valid password.
  • Password Required Characters - For Required Characters, specify the minimum number of Numeric, Uppercase, Lowercase, and Special characters that are required in a valid password.
  • New/Old Password Differential - For New/Old Password Differential, specify the number of character changes in the new password that differentiate it from the old password. The default value is 8.
  • Disallow Username - For Disallow Username, set to True to check whether the name of the user in forward or reversed form is contained in the password. The default value is False.
  • Apply Password Policy to Root Account - For Apply Password Policy to Root Account, set to True to use the same password policy for the root account. The default value is True.
  • Maximum Password Retries - For Maximum Password Retries, specify the number of times that a user can try to create an acceptable password. The default value is 3.
  • Maximum Login Attempts - For Maximum Login Attempts, specify the number of times a user can attempt to log in before the account is temporarily suspended. The default value is 10; 0 means no limit.
  • Lockout Duration - For Lockout Duration, specify the duration, in seconds, an account is locked out. The default value is 60.
  • Maximum Password Age - For Max Password Age, specify the number of days after which the password will expire after being changed. 0 means never expires.

Setting Password Policies via CLI

Local Password Policies can be set in the CLI using the system aaa password-policy config command. Adding a question mark after the command will show all the configurable options. Be sure to commit after making any changes.

r10900-2(config)# system aaa password-policy config ?
Possible completions:
apply-to-root          Apply password restrictions to root accounts.
max-age                Number of days after which the user will have to change the password.
max-login-failures     Number of unsuccessful login attempts allowed before lockout.
min-length             Minimum length of a new password.
reject-username        Reject passwords that contain the username.
required-differences   Required number of differences between the old and new passwords.
required-lowercase     Required number of lowercase characters in password.
required-numeric       Required number of numeric digits in password.
required-special       Required number of 'special' characters in password.
required-uppercase     Required number of uppercase character in password.
retries                Number of times to prompt before failing.
root-lockout           Enable lockout of root users.
root-unlock-time       Time (seconds) before the root account is automatically unlocked.
unlock-time            Time (seconds) before a locked account is automatically unlocked.
r10900-2(config)#

Setting Password Policies via webUI

Local Password Policies can be set in the User Management -> Authentication Settings page in the webUI.

_images/passwordpolicy1.png

Setting Password Policies via API

Local Password Policies can be viewed or set via the API using the following API calls. To view the current password policy settings, issue the following GET API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa/f5-openconfig-aaa-password-policy:password-policy

The JSON output will reflect the current settings.

{
    "f5-openconfig-aaa-password-policy:password-policy": {
        "config": {
            "min-length": 6,
            "required-numeric": 0,
            "required-uppercase": 0,
            "required-lowercase": 0,
            "required-special": 0,
            "required-differences": 8,
            "reject-username": false,
            "apply-to-root": true,
            "retries": 3,
            "max-login-failures": 10,
            "unlock-time": 60,
            "root-lockout": true,
            "root-unlock-time": 60,
            "max-age": 0
        }
    }
}

To change any of the password policy parameters, use the following API PATCH call.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/aaa

In the payload of the API call adjust the appropriate parameters under f5-openconfig-aaa-password-policy:password-policy.

{
    "openconfig-system:aaa": {
        "authentication": {
            "config": {
                "f5-aaa-confd-restconf-token:basic": {
                    "enabled": true
                }
            }
        },
        "f5-aaa-confd-restconf-token:restconf-token": {
            "config": {
                "lifetime": 10
            }
        },
        "f5-openconfig-aaa-password-policy:password-policy": {
            "config": {
                "min-length": 6,
                "required-numeric": 0,
                "required-uppercase": 0,
                "required-lowercase": 0,
                "required-special": 0,
                "required-differences": 8,
                "reject-username": false,
                "apply-to-root": true,
                "retries": 3,
                "max-login-failures": 10,
                "unlock-time": 60,
                "root-lockout": true,
                "root-unlock-time": 60,
                "max-age": 0
            }
        }
    }
}
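An added Python example (not F5 code) that evaluates a candidate password against the policy document returned by the GET call above, covering the reverse-username and old/new difference rules from the settings list, and wraps a stricter policy in the PATCH body shape used above. The HARDENED_POLICY values are an assumption for the example, not an F5 recommendation; treating required-differences like pam's difok (characters of the new password absent from the old one) and sending only the password-policy subtree in the PATCH are assumptions as well.

```python
import string

# Policy as returned by the GET call above (the page's default values).
POLICY = {
    "min-length": 6,
    "required-numeric": 0,
    "required-uppercase": 0,
    "required-lowercase": 0,
    "required-special": 0,
    "required-differences": 8,
    "reject-username": False,
    "apply-to-root": True,
    "retries": 3,
    "max-login-failures": 10,
    "unlock-time": 60,
    "root-lockout": True,
    "root-unlock-time": 60,
    "max-age": 0,
}

# A stricter policy an operator might PATCH in (assumed values for the example).
HARDENED_POLICY = {
    **POLICY,
    "min-length": 14, "required-numeric": 1, "required-uppercase": 1,
    "required-lowercase": 1, "required-special": 1, "reject-username": True,
    "max-login-failures": 5, "max-age": 90,
}

SPECIALS = set(string.punctuation)


def check_password(policy, username, new_password, old_password="", is_root=False):
    """Return the list of policy rules the candidate password violates.

    An empty list means it would be accepted. The difference rule follows the
    pam difok convention (assumption): characters of the new password that do
    not occur anywhere in the old one.
    """
    if is_root and not policy["apply-to-root"]:
        return []
    failures = []
    if len(new_password) < policy["min-length"]:
        failures.append("min-length")
    counts = {
        "required-numeric": sum(c.isdigit() for c in new_password),
        "required-uppercase": sum(c.isupper() for c in new_password),
        "required-lowercase": sum(c.islower() for c in new_password),
        "required-special": sum(c in SPECIALS for c in new_password),
    }
    for rule, have in counts.items():
        if have < policy[rule]:
            failures.append(rule)
    if policy["reject-username"] and username:
        lowered = new_password.lower()
        name = username.lower()
        if name in lowered or name[::-1] in lowered:  # forward or reversed
            failures.append("reject-username")
    if old_password:
        differences = sum(1 for c in new_password if c not in old_password)
        if differences < policy["required-differences"]:
            failures.append("required-differences")
    return failures


def patch_payload(policy):
    """Wrap a policy in the body shape of the PATCH call above (only the
    password-policy subtree; assumed sufficient for a partial PATCH)."""
    return {"openconfig-system:aaa": {
        "f5-openconfig-aaa-password-policy:password-policy": {"config": dict(policy)}}}


if __name__ == "__main__":
    print(check_password(HARDENED_POLICY, "jim", "Correct-Horse-Battery-9mij"))
    print(patch_payload(HARDENED_POLICY))
```

Running such a check before a PATCH or a user-creation call avoids consuming the retries budget on the device, and it documents what each parameter enforces.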

Remote Authentication

The F5OS platform layer supports both local and remote authentication. By default, there are local users enabled for both admin and root access. You will be forced to change passwords for both accounts on initial login. Many users will prefer to configure the F5OS layer to use remote authentication via LDAP, RADIUS, AD, or TACACS+. The F5OS TMOS based tenants maintain their own local or remote authentication, and details are covered in standard TMOS documentation.

Configuring Remote User Authentication and Authorization on TMOS

In versions prior to F5OS-A 1.4.0, F5OS only supported static pre-defined roles which in turn map to specific group IDs. Users created and managed on external LDAP, Active Directory, RADIUS, or TACACS+ servers must have the same group IDs on the external authentication servers as they do within F5OS based systems to allow authentication and authorization to occur. Users created on external LDAP, Active Directory, RADIUS, or TACACS+ servers must be associated with one of these group IDs on the system. The supported F5OS static group IDs and the roles they map to are seen in the table below. User defined roles are not supported in versions prior to F5OS-A 1.4.0.

ROLE            GROUP ID
------------------------
admin           9000
operator        9001
tenant-console  9100

From a high level the admin role (group ID 9000) is a read/write role with full access to the system to make changes. The operator role (group ID 9001) is a read-only role and is prevented from making any configuration changes. The root role (group ID 0) gives full access to the bash shell, and in some environments this role will be disabled by enabling appliance mode. Note that the root role is not allowed access via remote authentication. The last role is tenant-console (group ID 9100) and this role is used to provide remote access directly to the tenant console as noted here:

Console Access to Tenant via Built-In Terminal Server

The group IDs are typically specified in a user configuration file on the external server (file locations vary on different servers). You can assign these F5 user attributes:

F5-F5OS-UID=1001

F5-F5OS-GID=9000   <-- THIS MUST MATCH /etc/group items

F5-F5OS-HOMEDIR=/tmp  <-- Optional; prevents sshd warning msgs

F5-F5OS-USERINFO=test_user  <-- Optional user info

F5-F5OS-SHELL=/bin/bash    <--  Ignored; always set to /var/lib/controller/f5_confd_cli

Setting F5-F5OS-HOMEDIR=/tmp is a good idea to avoid warning messages from sshd that the directory does not exist. Also, the source address in the TACACS+ configuration is not used by the VELOS system.

If F5-F5OS-UID is not set, it defaults to 1001. If F5-F5OS-GID is not set, it defaults to 0, which is disallowed for authentication. F5-F5OS-USERINFO is a comment field. Essentially, F5-F5OS-GID is the only hard requirement, and its value must match the group ID of the intended user role.

More specific configuration details can be found in the User Management section of the VELOS System Administration Guide.

F5OS User Management

The gidNumber attribute needs to either be on the user or on a group the user is a member of. The gidNumber must be one of those listed (9000, 9001, 9100). [The root role is not externally accessible via remote authentication.]

Currently the role numbers (9000, 9001, 9100) are fixed and hard-coded. The current implementation relies on AD “unix attributes” being installed into the directory. AD groups are not currently queried. The role IDs are fixed. As noted above, the IDs are configurable in F5OS-A 1.4.0, but this is still based on numeric GIDs not group names.

Roles are mutually exclusive. While it is theoretically possible to assign a user to multiple role groups, it is up to the underlying Confd to resolve which of the roles presented to it is assigned, and it does not always choose the most logical answer. For that reason, you should treat the roles as mutually exclusive and put the user in the role with the least access necessary to do their work. More details on configuration for F5OS-A 1.3.0 can be found below.

LDAP/AD configuration overview

Changing Group ID Mapping via CLI (F5OS-A 1.4.0 and Later)

F5OS-A 1.4.0 has added the ability to customize the Group ID mapping to the remote authentication server. In previous releases the Group IDs were static, now they can be changed to map to user selectable Group IDs. Below is an example of changing the remote Group ID for the admin account to a custom value of 9200.

r10900-1(config)# system aaa authentication roles role admin config remote-gid 9200
r10900-1(config-role-admin)# commit
Commit complete.
r10900-1(config-role-admin)#

To view the current mappings use the show system aaa authentication roles CLI command.

r10900-1# show system aaa authentication roles
                    REMOTE
ROLENAME        GID   GID     USERS
-------------------------------------
admin           9000  9200    -
operator        9001  -       -
resource-admin  9003  -       -
tenant-console  9100  -       -

r10900-1#
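As an added example (not F5 code), the following Python encodes the role-mapping rules from this section, both the static group IDs and the F5OS-A 1.4.0 remote-gid override, so a directory entry can be checked before the user tries to log in. It assumes that a custom remote-gid replaces the static GID for remote users, which the output above does not state explicitly.

```python
"""Predict the F5OS role a remotely authenticated user will be granted.

Added example, not F5's code.  It encodes the rules stated in this
section: the role comes from F5-F5OS-GID (or a gidNumber on the user or
on a group the user belongs to), a GID that defaults to 0 is refused, a
GID outside the role table is refused, and a user who carries more than
one role GID is ambiguous and should be fixed in the directory rather
than left for confd to resolve.  Custom remote GIDs (F5OS-A 1.4.0
remote-gid) are passed as a role -> GID mapping; that the custom value
replaces the static GID for remote users is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

# Static role group IDs from the table in this section.
STATIC_GIDS = {9000: "admin", 9001: "operator", 9100: "tenant-console"}
DEFAULT_UID = 1001   # applied when F5-F5OS-UID is absent
DEFAULT_GID = 0      # applied when F5-F5OS-GID is absent: root, never granted remotely


@dataclass
class RemoteUser:
    """What the LDAP/AD/RADIUS/TACACS+ server returns for one user."""
    name: str
    attrs: dict = field(default_factory=dict)   # F5-F5OS-* vendor attributes
    group_gids: tuple = ()                      # gidNumber of groups the user is in


@dataclass
class Resolution:
    role: Optional[str]        # None: login refused or outcome unpredictable
    uid: int
    reason: str
    warnings: list = field(default_factory=list)


def role_table(remote_gids=None):
    """GID -> role table; a custom remote-gid replaces that role's static GID (assumption)."""
    table = dict(STATIC_GIDS)
    for role, gid in (remote_gids or {}).items():
        table = {g: r for g, r in table.items() if r != role}
        table[gid] = role
    return table


def resolve_role(user, remote_gids=None):
    table = role_table(remote_gids)
    attrs = user.attrs
    uid = int(attrs.get("F5-F5OS-UID", DEFAULT_UID))
    warnings = []
    if "F5-F5OS-HOMEDIR" not in attrs:
        warnings.append("F5-F5OS-HOMEDIR unset: sshd will warn that the home directory is missing")
    if "F5-F5OS-SHELL" in attrs:
        warnings.append("F5-F5OS-SHELL is ignored: the shell is always f5_confd_cli")

    # The role GID may be on the user attribute or on any group the user is in.
    user_gid = int(attrs.get("F5-F5OS-GID", DEFAULT_GID))
    candidates = [user_gid, *user.group_gids]
    roles = sorted({table[g] for g in candidates if g in table})

    if not roles:
        if user_gid == DEFAULT_GID and not user.group_gids:
            why = "GID defaulted to 0 (root), which is disallowed for remote authentication"
        else:
            why = f"none of {candidates} maps to a role; expected one of {sorted(table)}"
        return Resolution(None, uid, why, warnings)
    if len(roles) > 1:
        warnings.append(f"member of several role groups {roles}: confd picks one; "
                        "keep the user only in the least-privileged role required")
        return Resolution(None, uid, "ambiguous role membership", warnings)
    return Resolution(roles[0], uid, f"GID maps to role {roles[0]}", warnings)
```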

Login Banner / Message of the Day

Some environments require warning or acceptance messages to be displayed to clients connecting to the F5OS layer at initial connection time and/or upon successful login. The F5OS layer supports configurable Message of the Day (MoTD) and Login Banners that are displayed to clients connecting to the F5OS layer via both CLI and the webUI. The MoTD and Login Banner can be configured via CLI, webUI, or API. The Login Banner is displayed at initial connect time and is commonly used to notify users they are connecting to a specific resource, and that they should not connect if they are not authorized. The MoTD is displayed after successful login and may also display some information about the resource the user is connecting to.

Configuring Login Banner / MoTD via CLI

Enter config mode and use the command system config login-banner to configure the login banner via the CLI. You must commit the change afterwards.

syscon-2-active(config)# system config login-banner "This is a restricted resource. Unauthorized access is prohibited. Please disconnect now if you are not authorized."
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

Enter config mode and use the command system config motd-banner to configure the Message of the Day banner via the CLI. You must commit the change afterwards.

syscon-2-active(config)# system config motd-banner "Welcome to the GSA VELOS Chassis1, do not make any changes to configuration without a ticket."
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

To display both settings, use the show system state command.

syscon-2-active# show system state
system state hostname velos-chassis1.f5demo.net
system state login-banner This is a restricted resource. Unauthorized access is prohibited. Please disconnect now if you are not authorized.
system state motd-banner Welcome to the GSA VELOS Chassis1, do not make any changes to configuration without a ticket.
system state current-datetime "2023-03-29 22:24:29-04:00"
syscon-2-active#

Configuring Login Banner / MoTD via webUI

You may configure both the Login Banner and the Message of the Day Banner via the webUI on the System Settings -> General page.

_images/image712.png

Configuring Login Banner / MoTD via API

You may configure both the Login Banner and the Message of the Day Banner via the API using the following API calls.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system

In the body of the API call configure the desired message of the day and login banner settings.

{
    "openconfig-system:system": {
        "config": {
            "hostname": "velos-chassis1.f5demo.net",
            "login-banner": "This is the Global Solution Architect's VELOS VELOS Chassis1 in the Boston Lab. Unauthorized use is prohibited. Please reach out to admin with any questions.",
            "motd-banner": "Welcome to the GSA VELOS Chassis 1 in Boston"
        }
    }
}

To view the currently configured MoTD and login banner, issue the following GET API request.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/config

The output will contain the current MoTD and login banner configuration.

{
    "openconfig-system:config": {
        "hostname": "velos-chassis1.f5demo.net",
        "login-banner": "This is a restricted resource. Unauthorized access is prohibited. Please disconnect now if you are not authorized.",
        "motd-banner": "Welcome to the GSA VELOS Chassis1, do not make any changes to configuration without a ticket."
    }
}

Display of Login Banner and MoTD

Below is an example of the Login Banner being displayed before the user is prompted for a password during an SSH connection to the F5OS platform layer. After a successful user login, the MoTD is then displayed.

prompt$ ssh -l admin 10.255.0.147
This is a restricted resource. Unauthorized access is prohibited. Please disconnect now if you are not authorized.
admin@10.255.0.147's password:
Last login: Wed Mar 29 22:22:46 2023 from 172.18.105.132
Welcome to the GSA VELOS Chassis1, do not make any changes to configuration without a ticket.
System Time: 2023-03-29 22:31:53 EDT
Welcome to the F5OS System Controller Management CLI
User admin last logged in 2023-03-30T02:31:52.261266+00:00, to controller-2, from 172.18.105.132 using rest-http
admin connected from 172.18.105.132 using ssh on syscon-2-active
syscon-2-active#

Below is an example of the Login Banner being displayed before the user is prompted for a password during a webUI connection to the F5OS platform layer. After a successful user login, the MoTD is then displayed.

_images/image810.png _images/image910.png

SNMPv3

F5OS-A 1.2.0 added support for SNMPv3. Earlier versions of F5OS-A only supported SNMPv1/v2c. SNMPv3 provides a more secure monitoring environment through the use of authenticated access. More details can be found here:

VELOS F5OS-C SNMP Monitoring and Alerting

NTP Authentication

NTP authentication can be enabled to provide a secure communication channel for Network Time Protocol queries from the F5OS platform layer. To use it, you must first enable NTP authentication and then add keys to secure communication with your NTP servers.

Enabling NTP Authentication via CLI

To enable NTP authentication use the system ntp config enable-ntp-auth true command in the CLI, and then commit the change.

syscon-2-active(config)# system ntp config enable-ntp-auth true
syscon-2-active(config)# commit
Commit complete.
syscon-2-active(config)#

Next, you’ll need to add keys for NTP authentication.

syscon-2-active(config)# system ntp ntp-keys ntp-key 11 config key-id 11 key-type F5_NTP_AUTH_SHA1 key-value HEX:E27611234BB5E7CDFC8A8ACE55B567FC5CA7C890

The key ID, key type, and key value on this client system must match the server exactly. Lastly, you’ll need to associate the key with an NTP server using the configured key-id above.

syscon-2-active(config)# system ntp servers server 10.255.0.139
syscon-2-active(config-server-10.255.0.139)# config key-id 11
syscon-2-active(config-server-10.255.0.139)#

Enabling NTP Authentication via webUI

To enable NTP authentication in the webUI use the System Settings -> Time Settings page. You’ll need to enable NTP authentication then add the appropriate keys, and then associate those keys with an NTP server.

_images/ntpauth1.png

Enabling NTP Authentication via API

NTP authentication can also be set and viewed using the F5OS API. To view the current NTP setting use the following API call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/ntp

The output will display the current NTP configuration state including authentication and keys.

{
    "openconfig-system:ntp": {
        "config": {
            "enabled": true,
            "enable-ntp-auth": true
        },
        "state": {
            "enabled": true,
            "enable-ntp-auth": true
        },
        "ntp-keys": {
            "ntp-key": [
                {
                    "key-id": 11,
                    "config": {
                        "key-id": 11,
                        "key-type": "f5-system-ntp:F5_NTP_AUTH_SHA1",
                        "key-value": "$8$IIACWGpGPUYzian06FdH5PpH/sbSNQmre6DVsBZ2zxCv6S5vM3cXUkn8NwD0BABSeT3Drnmm\npLCQibKafAFFPg=="
                    },
                    "state": {
                        "key-id": 11,
                        "key-type": "F5_NTP_AUTH_SHA1",
                        "key-value": "$8$IIACWGpGPUYzian06FdH5PpH/sbSNQmre6DVsBZ2zxCv6S5vM3cXUkn8NwD0BABSeT3Drnmm\npLCQibKafAFFPg=="
                    }
                }
            ]
        },
        "servers": {
            "server": [
                {
                    "address": "10.255.0.139",
                    "config": {
                        "address": "10.255.0.139",
                        "port": 123,
                        "version": 4,
                        "association-type": "SERVER",
                        "iburst": false,
                        "prefer": false,
                        "f5-openconfig-system-ntp:key-id": 11
                    },
                    "state": {
                        "address": "10.255.0.139",
                        "port": 123,
                        "version": 4,
                        "association-type": "SERVER",
                        "iburst": false,
                        "prefer": false,
                        "f5-openconfig-system-ntp:key-id": 11,
                        "f5-openconfig-system-ntp:authenticated": false
                    }
                },
                {
                    "address": "time.f5net.com",
                    "config": {
                        "address": "time.f5net.com",
                        "port": 123,
                        "version": 4,
                        "association-type": "SERVER",
                        "iburst": false,
                        "prefer": false
                    },
                    "state": {
                        "address": "time.f5net.com",
                        "port": 123,
                        "version": 4,
                        "association-type": "SERVER",
                        "iburst": false,
                        "prefer": false,
                        "f5-openconfig-system-ntp:authenticated": false
                    }
                }
            ]
        }
    }
}

To enable NTP authentication via the F5OS API use the following API call.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/ntp

In the body of the API call you can enable NTP authentication, add keys, and associate those keys with an NTP server using the key-id.

{
    "openconfig-system:ntp": {
        "config": {
            "enabled": true,
            "enable-ntp-auth": true
        },
        "ntp-keys": {
            "ntp-key": [
                {
                    "key-id": 11,
                    "config": {
                        "key-id": 11,
                        "key-type": "f5-system-ntp:F5_NTP_AUTH_SHA1",
                        "key-value": "$8$IIACWGpGPUYzian06FdH5PpH/sbSNQmre6DVsBZ2zxCv6S5vM3cXUkn8NwD0BABSeT3Drnmm\npLCQibKafAFFPg=="
                    }
                }
            ]
        },
        "servers": {
            "server": [
                {
                    "address": "10.255.0.139",
                    "config": {
                        "address": "10.255.0.139",
                        "port": 123,
                        "version": 4,
                        "association-type": "SERVER",
                        "iburst": false,
                        "prefer": false,
                        "f5-openconfig-system-ntp:key-id": 11
                    }
                }
            ]
        }
    }
}
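The following Python is an added example (not F5 code) that audits the GET response shape shown above: it flags authentication left disabled, servers with no key-id, key-ids that reference no configured key, and servers whose state still reports authenticated false, which is how a key id, type or value that does not match the server shows up. The sample response is a trimmed copy of the one above with the encrypted key values replaced by a placeholder.

```python
"""Audit the NTP authentication state returned by
GET .../restconf/data/openconfig-system:system/ntp.

Added example, not F5's code.  SAMPLE_RESPONSE is a trimmed copy of the
response shown in this section; the "$8$..." key values are replaced by
a placeholder.
"""
KEY_ID = "f5-openconfig-system-ntp:key-id"
AUTHENTICATED = "f5-openconfig-system-ntp:authenticated"

SAMPLE_RESPONSE = {
    "openconfig-system:ntp": {
        "config": {"enabled": True, "enable-ntp-auth": True},
        "state": {"enabled": True, "enable-ntp-auth": True},
        "ntp-keys": {"ntp-key": [{
            "key-id": 11,
            "config": {"key-id": 11, "key-type": "f5-system-ntp:F5_NTP_AUTH_SHA1",
                       "key-value": "$8$<encrypted-by-F5OS>"},   # placeholder
            "state": {"key-id": 11, "key-type": "F5_NTP_AUTH_SHA1",
                      "key-value": "$8$<encrypted-by-F5OS>"},
        }]},
        "servers": {"server": [
            {"address": "10.255.0.139",
             "config": {"address": "10.255.0.139", "port": 123, "version": 4,
                        "association-type": "SERVER", "iburst": False, "prefer": False,
                        KEY_ID: 11},
             "state": {"address": "10.255.0.139", "port": 123, "version": 4,
                       "association-type": "SERVER", "iburst": False, "prefer": False,
                       KEY_ID: 11, AUTHENTICATED: False}},
            {"address": "time.f5net.com",
             "config": {"address": "time.f5net.com", "port": 123, "version": 4,
                        "association-type": "SERVER", "iburst": False, "prefer": False},
             "state": {"address": "time.f5net.com", "port": 123, "version": 4,
                       "association-type": "SERVER", "iburst": False, "prefer": False,
                       AUTHENTICATED: False}},
        ]},
    }
}


def audit_ntp(response):
    """Return a list of (severity, message); an empty list means nothing to fix."""
    ntp = response["openconfig-system:ntp"]
    findings = []
    state = ntp.get("state", {})
    if not state.get("enabled", False):
        findings.append(("high", "NTP is disabled"))
    if not state.get("enable-ntp-auth", False):
        findings.append(("high", "enable-ntp-auth is false: server responses are not authenticated"))

    # Keys actually configured, by key-id.
    keys = {k["key-id"]: k.get("config", {}).get("key-type", "")
            for k in ntp.get("ntp-keys", {}).get("ntp-key", [])}

    for srv in ntp.get("servers", {}).get("server", []):
        addr = srv["address"]
        cfg, st = srv.get("config", {}), srv.get("state", {})
        kid = cfg.get(KEY_ID)
        if kid is None:
            findings.append(("high", f"{addr}: no key-id configured, so this server is unauthenticated"))
            continue
        if kid not in keys:
            findings.append(("high", f"{addr}: key-id {kid} is not defined under ntp-keys"))
        if not st.get(AUTHENTICATED, False):
            # The key id, type and value must match the server exactly; a mismatch
            # is not reported at commit time, only here in the state tree.
            findings.append(("medium", f"{addr}: key-id {kid} is configured but state reports "
                                       "authenticated=false; confirm the key matches the server"))
    return findings
```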

Configurable Management Ciphers

F5OS-C 1.6.0 added the ability to display and configure the ciphers used for the management interface of F5OS. The show system security CLI command will display the ssl-ciphersuite for the webUI/httpd management interface. It will also display the ciphers and kexalgorithms for the sshd service. Below is an example of the default settings.

syscon-2-active# show system security
system security services service httpd
state ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
system security services service sshd
state ciphers [ aes128-cbc aes128-ctr aes128-gcm@openssh.com aes256-cbc aes256-ctr aes256-gcm@openssh.com ]
state kexalgorithms [ diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
syscon-2-active#

You can change the ciphers offered by F5OS to clients connecting to the httpd service by using the system security services service httpd config ssl-ciphersuite CLI command, and then choosing the ciphers you would like to enable. Be sure to commit any changes.

syscon-2-active(config)# system security services service httpd config ssl-ciphersuite ?
Description: User specified ssl-ciphersuite.
Possible completions:
<string>[ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA]
syscon-2-active(config)#

You can change the ciphers and kexalgorithms offered by F5OS to clients connecting to the sshd service by using the system security services service sshd config ciphers and system security services service sshd config kexalgorithms CLI commands, and then choosing the values you would like to enable. Be sure to commit any changes.

syscon-2-active(config)# system security services service sshd config ?
Possible completions:
ciphers         User specified ciphers.
kexalgorithms   User specified kexalgorithms.
macs            User specified MACs.
syscon-2-active(config)#

Below are the current options for sshd ciphers, kexalgorithms and macs. You may configure which ciphers F5OS will use for the sshd service by using the system security services service sshd config ciphers command.

appliance-1(config)# system security services service sshd config ciphers ?
Description: User specified ciphers.
Possible completions:
[ 3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com ]
appliance-1(config)# system security services service sshd config ciphers [ 3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se ]
appliance-1(config-service-sshd)# commit
The following warnings were generated:
'system security services service sshd': Changing SSH configuration will restart the SSHD service.
Proceed? [yes,no] yes
Commit complete.

You may configure which kexalgorithms F5OS will use for the sshd service by using the system security services service sshd config kexalgorithms command.

appliance-1(config)# system security services service sshd config kexalgorithms ?
Description: User specified kexalgorithms.
Possible completions:
[ diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org gss-gex-sha1- gss-group1-sha1- gss-group14-sha1- ]
appliance-1(config)#

You may configure which macs F5OS will use for the sshd service by using the system security services service sshd config macs command.

appliance-1(config)# system security services service sshd config macs ?
Description: User specified MACs.
Possible completions:
[ hmac-sha1 mac-sha1-96 hmac-sha2-512 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160 hmac-ripemd160@openssh.com umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com ]
appliance-1(config)#
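As an added example (not F5 code), the following Python parses the show system security output in the format shown above, checks each setting against an allow-list policy, and prints replacement commands in the same CLI syntax; the policy (forward-secret AES-GCM suites for httpd; AEAD/CTR ciphers, SHA-2 key exchange and SHA-2 MACs for sshd) is an example hardening policy of this editor, not an F5 recommendation. The ciphers example earlier in this section commits a list made up of CBC and arcfour ciphers, which is the kind of change a check like this catches before commit.

```python
"""Check F5OS management ciphers from 'show system security' output and
build hardened replacement commands in the CLI syntax used in this
section.  Added example, not F5's code; POLICY is an example policy.
SAMPLE_OUTPUT is the default output shown above, with the httpd
ssl-ciphersuite trimmed to a few representative suites.
"""
import re

# Example policy: an entry is kept only if it matches one of these patterns.
POLICY = {
    "ssl-ciphersuite": [r"^(ECDHE|DHE)-(RSA|ECDSA)-AES(128|256)-GCM-SHA(256|384)$"],
    "ciphers": [r"^aes(128|256)-gcm@openssh\.com$", r"^chacha20-poly1305@openssh\.com$",
                r"^aes(128|192|256)-ctr$"],
    "kexalgorithms": [r"^curve25519-sha256(@libssh\.org)?$",
                      r"^diffie-hellman-group(14-sha256|16-sha512|18-sha512|-exchange-sha256)$",
                      r"^ecdh-sha2-nistp(256|384|521)$"],
    "macs": [r"^hmac-sha2-(256|512)(-etm@openssh\.com)?$", r"^umac-128(-etm)?@openssh\.com$"],
}

SAMPLE_OUTPUT = """\
syscon-2-active# show system security
system security services service httpd
state ssl-ciphersuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:AES256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:CAMELLIA128-SHA
system security services service sshd
state ciphers [ aes128-cbc aes128-ctr aes128-gcm@openssh.com aes256-cbc aes256-ctr aes256-gcm@openssh.com ]
state kexalgorithms [ diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
syscon-2-active#
"""


def parse_show_system_security(text):
    """Return {service: {setting: [entries]}} from the CLI output."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"system security services service (\S+)$", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"state (\S+) (.*)$", line)
        if m and current is not None:
            name, value = m.groups()
            if value.startswith("["):           # sshd lists: [ a b c ]
                entries = value.strip("[] ").split()
            else:                               # httpd: colon-separated OpenSSL names
                entries = value.split(":")
            current[name] = entries
    return services


def evaluate(services, policy=POLICY):
    """Return {service: {setting: (kept, rejected)}} for settings the policy covers."""
    result = {}
    for svc, settings in services.items():
        for name, entries in settings.items():
            if name not in policy:
                continue
            pats = [re.compile(p) for p in policy[name]]
            kept = [e for e in entries if any(p.match(e) for p in pats)]
            rejected = [e for e in entries if e not in kept]
            result.setdefault(svc, {})[name] = (kept, rejected)
    return result


def hardening_commands(evaluation):
    """CLI lines that replace each non-compliant setting with its compliant subset."""
    cmds = []
    for svc, settings in evaluation.items():
        for name, (kept, rejected) in settings.items():
            if not rejected:
                continue
            value = ":".join(kept) if name == "ssl-ciphersuite" else "[ " + " ".join(kept) + " ]"
            cmds.append(f"system security services service {svc} config {name} {value}")
    return cmds


if __name__ == "__main__":
    ev = evaluate(parse_show_system_security(SAMPLE_OUTPUT))
    for svc, settings in ev.items():
        for name, (_, rejected) in settings.items():
            print(f"{svc} {name}: {len(rejected)} rejected: {' '.join(rejected)}")
    print("\n".join(hardening_commands(ev)))
```

Commit the generated sshd commands with the restart warning in mind, and keep a session open on the current connection until you have confirmed a fresh login still negotiates.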

Client Certificate Based Auth

Coming in F5OS-A 1.5.0.

iHealth Proxy Server

F5OS supports the ability to capture detailed logs and configuration using the qkView utility. To speed up support case resolution, the qkView can be uploaded directly to F5’s iHealth service, which will give F5 support personnel access to the detailed information to aid problem resolution. In some environments, F5 devices may not have the ability to access the Internet without going through a proxy. The F5OS-A 1.3.0 release added the ability to upload qkViews directly to iHealth through a proxy device.

Adding a Proxy Server via CLI

To add a proxy server for iHealth uploads via the CLI, use the system diagnostics proxy command.

syscon-2-active(config)# system diagnostics proxy config proxy-username myusername proxy-server https://myproxy.com:3128 proxy-password
(<AES encrypted string>): **************
syscon-2-active(config)#

Adding a Proxy Server via webUI

To add a proxy server for iHealth uploads via the webUI, go to the Diagnostics -> iHealth Configuration page.

_images/imageproxy1.png

Adding a Proxy Server via API

To add a proxy server for iHealth uploads via the API, use the following API call.

PATCH https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-system-diagnostics-qkview:diagnostics/f5-system-diagnostics-proxy:proxy

In the body of the API call add the username, password, and proxy server configuration.

{
    "f5-system-diagnostics-proxy:proxy": {
        "config": {
            "proxy-username": "username2",
            "proxy-password": "$8$8FudCujBpUpoTBaQQw4QaTeyUU8UHdkYAv90Dfx43SA=",
            "proxy-server": "https://myproxy2.demo.f5net"
        }
    }
}

To view the current proxy configuration via the API use the following call.

GET https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-system-diagnostics-qkview:diagnostics/f5-system-diagnostics-proxy:proxy

The API call should return output similar to what is seen below.

{
    "f5-system-diagnostics-proxy:proxy": {
        "state": {
            "proxy-username": "username",
            "proxy-server": "https://myproxy.demo.f5net"
        },
        "config": {
            "proxy-username": "username",
            "proxy-password": "$8$8FudCujBpUpoTBaQQw4QaTeyUU8UHdkYAv90Dfx43SA=",
            "proxy-server": "https://myproxy.demo.f5net"
        }
    }
}

Audit Logging

F5OS can log all configuration changes and access to the F5OS layer in audit logs. In versions prior to F5OS-C 1.6.0, all access and configuration changes for the system controller layer are logged in one of two separate audit.log files. When logged in as root, the files reside at one of the following paths in the F5OS filesystem: /var/F5/controller/log/audit.log or /var/log/audit/audit.log. If you are logged into the F5OS CLI as admin, the paths are simplified to log/controller/audit.log and /log/host/audit/audit.log for the system controller layer.

In versions prior to F5OS-C 1.6.0, all access and configuration changes for the chassis partition layer are logged in one of two separate audit.log files. When logged in as root on the system controller, the files reside at one of the following paths in the F5OS filesystem: /var/F5/partition<ID#>/log/audit.log or /var/log/audit/audit.log. If you are logged into the F5OS CLI as admin, the paths are simplified to log/audit.log and /log/host/audit/audit.log for the system controller layer.

In versions prior to F5OS-C 1.6.0, the audit.log files may only be viewed locally within the F5OS layer; the audit logs cannot be sent to a remote syslog location. F5OS-A 1.6.0 adds the ability to redirect audit.log entries to a remote syslog location, and changes the log format of all audit-related events to conform to the standard F5OS syslog format. Details on the two different implementations are below.

Viewing Audit Logs via F5OS CLI (F5OS-A 1.6.0 and Later)

Any information related to login/logout or configuration changes is logged in the log/controller/audit.log location. By default, these events are not sent to a configured remote syslog location. If you would like to send informational audit-level messages to a remote syslog server, then you must explicitly enable audit events.

First, you must configure the remote syslog destination. As part of that configuration, you will specify the IP address, port, and protocol of the remote syslog server. To send audit.log events to the remote server you must add the command selectors selector AUTHPRIV DEBUG as seen below.

syscon-1-active(config)# system logging remote-servers remote-server 10.255.85.164
syscon-1-active(config-remote-server-10.255.0.139)# config remote-port 514
syscon-1-active(config-remote-server-10.255.0.139)# config proto udp
syscon-1-active(config-remote-server-10.255.0.139)# selectors selector LOCAL0 INFORMATIONAL
syscon-1-active(config-remote-server-10.255.0.139)# selectors selector AUTHPRIV DEBUG
syscon-1-active(config-remote-server-10.255.0.139)# commit
Commit complete.
syscon-1-active(config-remote-server-10.255.0.139)#

Then, you can control the level of events that will be logged to the local audit.log file by configuring the audit-service sw-component. By default all audit events are logged, but you can lower the severity to reduce the events that are recorded.

syscon-1-active(config)# do show running-config system logging sw-components sw-component audit-service
system logging sw-components sw-component audit-service
config name audit-service
config description "Audit message handling service"
config severity INFORMATIONAL
!

The formatting of audit logs provides the date/time in UTC, the account and ID who performed the action, the type of event, the asset affected, the type of access, and success or failure of the request. Separate log entries provide details on user access (login/login failures) information such as IP address and port and whether access was granted or not.

Viewing Audit Logs via F5OS CLI

Most audit events go to the log/controller/audit.log location, while a few others, such as CLI login failures, are logged to log/host/audit/audit.log in the current F5OS releases. In the F5OS CLI, the paths are simplified so that you don’t have to know the underlying directory structure. You can use the file list path command to see the files inside the log/controller/ directory; use tab completion to see the options. You may choose either the log/controller directory or the log/host/audit directory. Note the audit.log file.

syscon-1-active# file list path log/
Possible completions:
confd/  controller/  host/
syscon-1-active# file list path log/controller/
entries {
    name afu-cookie
    date Wed Jul 12 20:22:09 UTC 2023
    size 33B
}
entries {
    name audit.log
    date Wed Aug 23 18:38:05 UTC 2023
    size 7.0MB
}
entries {
    name audit.log.1
    date Wed Jul 12 19:39:02 UTC 2023
    size 11MB
}
entries {
    name audit.log.2.gz
    date Mon May 22 21:23:01 UTC 2023
    size 512KB
}
entries {
    name audit.log.3.gz
    date Tue May  2 21:30:59 UTC 2023
    size 498KB
}
entries {
    name audit.log.4.gz
    date Fri Apr  7 18:53:58 UTC 2023
    size 512KB
}
entries {
    name audit.log.5.gz
    date Thu Apr  6 17:26:46 UTC 2023
    size 507KB
}
entries {
    name cc-confd
    date Wed Aug  2 23:17:42 UTC 2023
    size 1.2MB
}
entries {
    name cc-confd-hal
    date Wed Jul 12 20:21:45 UTC 2023
    size 0B
}
entries {
    name cc-confd-health
    date Wed Aug 23 18:38:03 UTC 2023
    size 74MB
}
entries {
    name cc-confd-health-diag-agent
    date Wed Jul 12 20:21:46 UTC 2023
    size 0B
}
entries {
    name cc-confd-init
    date Wed Jul 12 20:21:44 UTC 2023
    size 228KB
}
entries {
    name cc-upgrade.dbg
    date Wed Jul 12 20:22:04 UTC 2023
    size 149KB
}
entries {
    name chassis-manager
    date Sun Aug 13 02:48:15 UTC 2023
    size 76MB
}
entries {
    name chassis-manager.1
    date Mon Feb 27 01:46:02 UTC 2023
    size 101MB
}
entries {
    name confd
    date Thu Jan 26 22:00:08 UTC 2023
    size 0B
}
entries {
    name confd_go_standby
    date Wed Feb  1 19:40:21 UTC 2023
    size 128B
}
entries {
    name confd_image_remove
    date Wed Jul 12 19:59:42 UTC 2023
    size 142KB
}
entries {
    name config-object-manager
    date Wed Jul 12 20:21:50 UTC 2023
    size 55MB
}
entries {
    name config-object-manager-hal
    date Wed Jul 12 20:21:45 UTC 2023
    size 0B
}
entries {
    name events/
    date Wed Aug  2 23:18:00 UTC 2023
    size 4.0KB
}
entries {
    name ha
    date Tue Aug 22 21:47:05 UTC 2023
    size 29MB
}
entries {
    name ha-hal
    date Wed Jul 12 20:21:53 UTC 2023
    size 0B
}
entries {
    name ha.1
    date Tue Mar 14 13:02:02 UTC 2023
    size 101MB
}
entries {
    name host-config
    date Wed Aug 23 18:38:02 UTC 2023
    size 23MB
}
entries {
    name host-config-hal
    date Wed Jul 12 20:21:48 UTC 2023
    size 0B
}
entries {
    name host-config.1
    date Fri Aug 18 05:03:04 UTC 2023
    size 101MB
}
entries {
    name host-config.2.gz
    date Fri Jul 14 08:29:04 UTC 2023
    size 2.8MB
}
entries {
    name host-config.3.gz
    date Sun Jun 18 00:08:04 UTC 2023
    size 2.8MB
}
entries {
    name host-config.4.gz
    date Tue May 16 09:18:04 UTC 2023
    size 2.8MB
}
entries {
    name host-config.5.gz
    date Tue Apr 11 00:16:04 UTC 2023
    size 2.9MB
}
entries {
    name http_error_log
    date Wed Jul 12 20:21:54 UTC 2023
    size 9.5KB
}
entries {
    name httpd/
    date Sun May  7 18:26:04 UTC 2023
    size 4.0KB
}
entries {
    name image-server
    date Mon Aug 21 16:27:13 UTC 2023
    size 1.9MB
}
entries {
    name image-server-dhcp
    date Wed Aug 23 18:34:48 UTC 2023
    size 6.9MB
}
entries {
    name image-server-hal
    date Wed Jul 12 20:21:54 UTC 2023
    size 0B
}
entries {
    name image-server-httpd
    date Thu Jan 26 22:00:12 UTC 2023
    size 0B
}
entries {
    name image-server-monitor
    date Mon Aug 21 16:27:13 UTC 2023
    size 36KB
}
entries {
    name lcd.log
    date Wed Jul 12 20:07:03 UTC 2023
    size 416KB
}
entries {
    name logrotate.log
    date Wed Aug 23 18:38:01 UTC 2023
    size 2.2MB
}
entries {
    name logrotate.log.1
    date Wed Aug 23 12:17:01 UTC 2023
    size 5.1MB
}
entries {
    name logrotate.log.2.gz
    date Tue Aug 22 21:29:01 UTC 2023
    size 35KB
}
entries {
    name partition-agent
    date Wed Aug  2 23:17:43 UTC 2023
    size 2.2MB
}
entries {
    name partition-software-manager
    date Wed Aug 23 18:38:07 UTC 2023
    size 31MB
}
entries {
    name partition-software-manager.1
    date Tue Aug 22 11:46:03 UTC 2023
    size 101MB
}
entries {
    name partition-software-manager.2.gz
    date Fri Aug 18 07:09:04 UTC 2023
    size 3.9MB
}
entries {
    name partition-software-manager.3.gz
    date Mon Aug 14 02:32:03 UTC 2023
    size 3.9MB
}
entries {
    name partition-software-manager.4.gz
    date Wed Aug  9 21:56:03 UTC 2023
    size 3.9MB
}
entries {
    name partition-software-manager.5.gz
    date Sat Aug  5 17:21:04 UTC 2023
    size 3.8MB
}
entries {
    name partition-update
    date Wed Aug 23 18:34:45 UTC 2023
    size 35MB
}
entries {
    name partition-update.1
    date Sat Jul  1 17:53:02 UTC 2023
    size 101MB
}
entries {
    name pel_log
    date Wed Aug 23 18:34:49 UTC 2023
    size 69MB
}
entries {
    name reprogram_chassis_network
    date Wed Jul 12 20:22:05 UTC 2023
    size 50KB
}
entries {
    name rsyslogd_init.log
    date Wed Aug 23 18:34:30 UTC 2023
    size 97KB
}
entries {
    name run/
    date Wed Jul 12 20:21:45 UTC 2023
    size 4.0KB
}
entries {
    name sshd.terminal-server
    date Wed Jul 12 20:22:13 UTC 2023
    size 5.7KB
}
entries {
    name switchd
    date Wed Aug  2 23:17:42 UTC 2023
    size 7.5MB
}
entries {
    name switchd-hal
    date Wed Jul 12 20:21:46 UTC 2023
    size 0B
}
entries {
    name system-update
    date Wed Jul 12 20:12:46 UTC 2023
    size 26KB
}
entries {
    name terminal-server.default
    date Wed Aug  2 23:17:41 UTC 2023
    size 141KB
}
entries {
    name tftp.log
    date Wed Jul 12 20:31:43 UTC 2023
    size 977B
}
entries {
    name vcc-confd-go-standby-hal.102476
    date Wed Feb  1 19:40:21 UTC 2023
    size 0B
}
entries {
    name vcc-confd-go-standby-hal.97587
    date Mon Jan 30 18:49:00 UTC 2023
    size 0B
}
entries {
    name velos.log
    date Wed Aug 23 18:34:24 UTC 2023
    size 148MB
}
entries {
    name velos.log.1
    date Tue May  2 16:11:57 UTC 2023
    size 513MB
}
syscon-1-active#

To view the contents of the audit.log file, use the command file show path /log/controller/audit.log. This will show the entire log file from the beginning but may not be the best way to troubleshoot a recent event. You can append | more to the command to go through the file in pages.

syscon-1-active# file show log/controller/audit.log | more
2023-07-12T15:39:16.116053-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external token authentication succeeded via rest from 172.18.105.146:0 with http, member of groups: admin session-id:admin1689190708".
2023-07-12T15:39:16.119912-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.146:0 with http using externalvalidation authentication".
2023-07-12T15:39:16.127755-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/16891639" cmd="created new session via rest from 172.18.105.146:0 with http".
2023-07-12T15:39:16.130932-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/16891639" cmd="RESTCONF: request with http: GET /restconf//data/openconfig-system:system/f5-system-redundancy:redundancy HTTP/1.1".
2023-07-12T15:39:16.218346-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external token authentication succeeded via rest from 172.18.105.146:0 with http, member of groups: admin session-id:admin1689190708".
2023-07-12T15:39:16.221913-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.146:0 with http using externalvalidation authentication".
2023-07-12T15:39:16.244875-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/16891641" cmd="created new session via rest from 172.18.105.146:0 with http".
2023-07-12T15:39:16.248800-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/16891641" cmd="RESTCONF: request with http: GET /restconf// HTTP/1.1".
2023-07-12T15:39:16.253615-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/16891641" cmd="terminated session (reason: normal)".
2023-07-12T15:39:16.261907-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/16891641" cmd="RESTCONF: response with http: HTTP/1.1 /restconf// 200 duration 205219 us".
2023-07-12T15:39:16.266997-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/16891639" cmd="RESTCONF: response with http: HTTP/1.1 /restconf//data/openconfig-system:system/f5-system-redundancy:redundancy 200 duration 283532 us".
2023-07-12T15:39:16.271005-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/16891639" cmd="terminated session (reason: normal)".
2023-07-12T15:39:17.538995-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external token authentication succeeded via rest from 172.18.105.146:0 with http, member of groups: admin session-id:admin1689190708".
2023-07-12T15:39:17.543055-04:00 controller-1 audit-service[8]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.146:0 with http using externalvalidation authentication".
2023-07-12T15:39:17.550559-04:00 controller-1 audit-

There are options to manipulate the output of the file. Add | ? to the command to see the options available to manipulate the file output.

syscon-1-active# file show log/controller/audit.log | ?
Possible completions:
append    Append output text to a file
begin     Begin with the line that matches
count     Count the number of lines in the output
exclude   Exclude lines that match
include   Include lines that match
linnum    Enumerate lines in the output
more      Paginate output
nomore    Suppress pagination
save      Save output text to a file
until     End with the line that matches
syscon-1-active# file show log/controller/audit.log |

There are other file options that allow the user to tail the log file using file tail -f for a live tail or file tail -n <number of lines> to view a specific number of the most recent lines.

syscon-1-active# file tail -f log/controller/audit.log
2023-08-23T14:42:45.935724-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI aborted".
2023-08-23T14:43:34.069068-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file show log/controller/audit.log | |'".
2023-08-23T14:43:37.917156-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:43:53.082404-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f /log/controller/audit.log'".
2023-08-23T14:43:53.232138-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:08.501123-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f /log/controller/audit.log'".
2023-08-23T14:44:08.534215-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:23.639199-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file show /log/controller/audit.log'".
2023-08-23T14:44:23.676737-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:45.535136-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f log/controller/audit.log'".

Below is an example of tailing the last 20 lines of the audit.log.

syscon-1-active# file tail -n 20 log/controller/audit.log
2023-08-23T14:34:24.310736-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'commit'".
2023-08-23T14:34:56.335916-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'do show running-config system logging sw-components sw-component audit-service'".
2023-08-23T14:34:56.349423-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:37:35.759037-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'exit'".
2023-08-23T14:37:35.764733-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:38:05.691301-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file list path log/controller/'".
2023-08-23T14:38:07.742916-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:41:01.594309-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file show log/controller/audit.log | more'".
2023-08-23T14:42:45.935724-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI aborted".
2023-08-23T14:43:34.069068-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file show log/controller/audit.log | |'".
2023-08-23T14:43:37.917156-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:43:53.082404-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f /log/controller/audit.log'".
2023-08-23T14:43:53.232138-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:08.501123-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f /log/controller/audit.log'".
2023-08-23T14:44:08.534215-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:23.639199-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file show /log/controller/audit.log'".
2023-08-23T14:44:23.676737-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:44:45.535136-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -f log/controller/audit.log'".
2023-08-23T14:45:08.714615-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI done".
2023-08-23T14:45:15.503353-04:00 controller-1 audit-service[8]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22379288" cmd="CLI 'file tail -n 20 log/controller/audit.log'".
syscon-1-active#

Within the bash shell, if you are logged in as root, the logs live under a different path: /var/F5/controller/log. Note that older audit.log files are gzipped and rotated.

[root@controller-1(velos-chassis1.f5demo.net) ~]# ls -al /var/F5/controller/log/
total 1660524
drwxr-xr-x.  5 root admin      4096 Aug 23 08:17 .
drwxr-xr-x. 42 root root       4096 Jul 12 16:18 ..
-rw-r--r--.  1 root root         33 Jul 12 16:22 afu-cookie
-rw-r--r--.  1 root root    7284136 Aug 23 14:48 audit.log
-rw-r--r--.  1 root root   10497945 Jul 12 15:39 audit.log.1
-rw-r--r--.  1 root root     523988 May 22 17:23 audit.log.2.gz
-rw-r--r--.  1 root root     509551 May  2 17:30 audit.log.3.gz
-rw-r--r--.  1 root root     523266 Apr  7 14:53 audit.log.4.gz
-rw-r--r--.  1 root root     518826 Apr  6 13:26 audit.log.5.gz
-rw-r--r--.  1 root root    1205241 Aug  2 19:17 cc-confd
-rw-r--r--.  1 root root          0 Jul 12 16:21 cc-confd-hal
-rw-r--r--.  1 root root   76585515 Aug 23 14:50 cc-confd-health
-rw-r--r--.  1 root root          0 Jul 12 16:21 cc-confd-health-diag-agent
-rw-r--r--.  1 root root     232487 Jul 12 16:21 cc-confd-init
-rw-r--r--.  1 root root     151721 Jul 12 16:22 cc-upgrade.dbg
-rw-r--r--.  1 root root   79548584 Aug 12 22:48 chassis-manager
-rw-r--r--.  1 root root  104871484 Feb 26 20:46 chassis-manager.1
-rw-------.  1 root root          0 Jan 26  2023 confd
-rw-r--r--.  1 root root        128 Feb  1  2023 confd_go_standby
-rw-r--r--.  1 root root     144673 Jul 12 15:59 confd_image_remove
-rw-r--r--.  1 root root   57388358 Jul 12 16:21 config-object-manager
-rw-r--r--.  1 root root          0 Jul 12 16:21 config-object-manager-hal
drwxr-xr-x.  3 root root       4096 Aug  2 19:18 events
-rw-r--r--.  1 root root   29851294 Aug 22 17:47 ha
-rw-r--r--.  1 root root  104858514 Mar 14 09:02 ha.1
-rw-r--r--.  1 root root          0 Jul 12 16:21 ha-hal
-rw-r--r--.  1 root root   23173914 Aug 23 14:50 host-config
-rw-r--r--.  1 root root  104859854 Aug 18 01:03 host-config.1
-rw-r--r--.  1 root root    2847624 Jul 14 04:29 host-config.2.gz
-rw-r--r--.  1 root root    2900382 Jun 17 20:08 host-config.3.gz
-rw-r--r--.  1 root root    2895659 May 16 05:18 host-config.4.gz
-rw-r--r--.  1 root root    2968617 Apr 10 20:16 host-config.5.gz
-rw-r--r--.  1 root root          0 Jul 12 16:21 host-config-hal
drwxr-xr-x.  2 root root       4096 May  7 14:26 httpd
-rw-r--r--.  1 root root       9632 Jul 12 16:21 http_error_log
-rw-r--r--.  1 root root    1973541 Aug 21 12:27 image-server
-rw-r--r--.  1 root root    7147228 Aug 23 14:44 image-server-dhcp
-rw-r--r--.  1 root root          0 Jul 12 16:21 image-server-hal
-rw-r--r--.  1 root root          0 Jan 26  2023 image-server-httpd
-rw-r--r--.  1 root root      36310 Aug 21 12:27 image-server-monitor
-rw-r--r--.  1 root root     425076 Jul 12 16:07 lcd.log
-rw-r--r--.  1 root root    2325778 Aug 23 14:50 logrotate.log
-rw-r--r--.  1 root root    5244230 Aug 23 08:17 logrotate.log.1
-rw-r--r--.  1 root root      34979 Aug 22 17:29 logrotate.log.2.gz
-rw-r--r--.  1 root root    2252844 Aug  2 19:17 partition-agent
-rw-r--r--.  1 root root   32388160 Aug 23 14:50 partition-software-manager
-rw-r--r--.  1 root root  104866813 Aug 22 07:46 partition-software-manager.1
-rw-r--r--.  1 root root    4004398 Aug 18 03:09 partition-software-manager.2.gz
-rw-r--r--.  1 root root    4004370 Aug 13 22:32 partition-software-manager.3.gz
-rw-r--r--.  1 root root    4001982 Aug  9 17:56 partition-software-manager.4.gz
-rw-r--r--.  1 root root    3952042 Aug  5 13:21 partition-software-manager.5.gz
-rw-r--r--.  1 root root   36115660 Aug 23 14:49 partition-update
-rw-r--r--.  1 root root  104859587 Jul  1 13:53 partition-update.1
-rw-r--r--.  1 root root   72268655 Aug 23 14:49 pel_log
-rw-r--r--.  1 root root      50325 Jul 12 16:22 reprogram_chassis_network
-rw-r--r--.  1 root root      98627 Aug 23 14:34 rsyslogd_init.log
drwxr-xr-x.  2 root root       4096 Jul 12 16:21 run
-rw-r--r--.  1 root root       5737 Jul 12 16:22 sshd.terminal-server
-rw-r--r--.  1 root root    7775788 Aug  2 19:17 switchd
-rw-r--r--.  1 root root          0 Jul 12 16:21 switchd-hal
-rw-r--r--.  1 root root      25772 Jul 12 16:12 system-update
-rw-r--r--.  1 root root     144138 Aug  2 19:17 terminal-server.default
-rw-r--r--.  1 root root        977 Jul 12 16:31 tftp.log
-rw-r--r--.  1 root root          0 Feb  1  2023 vcc-confd-go-standby-hal.102476
-rw-r--r--.  1 root root          0 Jan 30  2023 vcc-confd-go-standby-hal.97587
-rw-r--r--.  1 root root  154851081 Aug 23 14:46 velos.log
-rw-r--r--.  1 root root  536871152 May  2 12:11 velos.log.1
[root@controller-1(velos-chassis1.f5demo.net) ~]#

Viewing Logs from the webUI

In the current F5OS releases, you cannot view the F5OS audit.log file directly from the webUI, although you can download it from the webUI. To view the audit.log, use the CLI or API, or download the files and then view them. To download log files from the webUI, go to the System Settings -> File Utilities page. Here there are various log directories from which you can download files. You have the option to Export files to a remote HTTPS server, or Download the files directly to your client machine through the browser.

_images/image109.png

If you want to download the main audit.log, select the directory /log/controller.

_images/image1114.png

Viewing Audit Logs via F5OS CLI

Example Audit Logging for Login, Logout, Login Failure, and Account Lockout

Below are examples seen on a remote syslog server for various login, logout, login failure, and account lockout events for F5OS. These examples are based on F5OS-C 1.6.0 or later.

Login Audit Logs

Below is an example of a client logging into the F5OS webUI. Note that the logs identify which user has logged in as well as what IP address they have logged in from.

2023-08-23T18:15:51.435131-04:00 controller-1 external-authenticator:  pam_unix(password-auth:session): session opened for user admin by (uid=0)
2023-08-23T18:15:51.461896-04:00 controller-1 external-authenticator:  pam_unix(password-auth:session): session closed for user admin
2023-08-23T18:15:51.614165-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external authentication succeeded via rest from 172.18.105.188:0 with http, member of groups: admin session-id:admin1692828951".
2023-08-23T18:15:51.616976-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.188:0 with http using external authentication".
2023-08-23T18:15:51.622308-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22488445" cmd="created new session via rest from 172.18.105.188:0 with http".
2023-08-23T18:15:51.625067-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22488445" cmd="RESTCONF: request with http: GET /restconf// HTTP/1.1".
2023-08-23T18:15:51.627694-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22488445" cmd="terminated session (reason: normal)".
2023-08-23T18:15:51.630328-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22488445" cmd="RESTCONF: response with http: HTTP/1.1 /restconf// 200 duration 284517 us".
2023-08-23T18:15:51.814562-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external token authentication succeeded via rest from 172.18.105.188:0 with http, member of groups: admin session-id:admin1692828951".
2023-08-23T18:15:51.820628-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.188:0 with http using externalvalidation authentication".
2023-08-23T18:15:51.831604-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22488453" cmd="created new session via rest from 172.18.105.188:0 with http".
2023-08-23T18:15:51.835919-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22488453" cmd="RESTCONF: request with http: GET /restconf//data/openconfig-system:system/f5-system-licensing:licensing HTTP/1.1".
2023-08-23T18:15:51.965080-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22488453" cmd="RESTCONF: response with http: HTTP/1.1 /restconf//data/openconfig-system:system/f5-system-licensing:licensing 200 duration 261382 us".
2023-08-23T18:15:51.992819-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22488453" cmd="terminated session (reason: normal)".

Below is an example of a client logging into the F5OS CLI. Note that the logs identify which user has logged in as well as what IP address they have logged in from.

2023-01-06T17:06:57.717699-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001237" cmd="assigned to groups: admin".
2023-01-06T17:06:57.717714-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001237" cmd="created new session via cli from 172.18.104.40:61769 with ssh".
2023-01-06T17:06:57.728956-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/15001237" cmd="CLI 'show system state hostname'".
2023-01-06T17:06:57.730238-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/15001237" cmd="CLI done".
2023-01-06T17:06:57.732901-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001237" cmd="terminated session (reason: normal)".
2023-01-06T17:06:57.775152-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001242" cmd="assigned to groups: admin".
2023-01-06T17:06:57.775243-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001242" cmd="created new session via cli from 172.18.104.40:61769 with ssh".

Below is an example of a client authenticating to the F5OS REST API. Note that the logs identify which user has accessed the API as well as what IP address they have sent the request from.

2023-08-23T18:20:29.802066-04:00 controller-1 external-authenticator:  pam_unix(password-auth:session): session opened for user admin by (uid=0)
2023-08-23T18:20:29.826675-04:00 controller-1 external-authenticator:  pam_unix(password-auth:session): session closed for user admin
2023-08-23T18:20:29.964792-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="external authentication succeeded via rest from 172.18.105.188:0 with http, member of groups: admin session-id:admin1692829229".
2023-08-23T18:20:29.967513-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.188:0 with http using external authentication".
2023-08-23T18:20:29.973108-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22490815" cmd="created new session via rest from 172.18.105.188:0 with http".
2023-08-23T18:20:29.976046-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22490815" cmd="RESTCONF: request with http: GET /restconf/data/openconfig-system:system/aaa HTTP/1.1".
2023-08-23T18:20:30.214489-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22490815" cmd="RESTCONF: response with http: HTTP/1.1 /restconf/data/openconfig-system:system/aaa 200 duration 516052 us".
2023-08-23T18:20:30.221196-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22490815" cmd="terminated session (reason: normal)".

Logout Audit Logs

Below is an example of a client logging out of the F5OS CLI. Note that the logs identify which user has logged out as well as what IP address they have logged out from.

2023-08-23T18:23:18.543593-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22491444" cmd="CLI 'logout'".
2023-08-23T18:23:18.747115-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/22491444" cmd="terminated session (reason: normal)".
2023-08-23T18:23:18.769546-04:00 controller-1 sshd[125181]:  pam_unix(sshd:session): session closed for user admin
2023-08-23T18:23:28.528444-04:00 controller-1 HOST-audit/audit.log:  type=USER_LOGOUT msg=audit(1692829398.745:236): pid=125181 uid=0 auid=1000 ses=247494 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'

Account Lockout Audit Logs

To capture all events related to account lockout, you will need to configure F5OS to send both standard syslog events and host audit log events to a remote server. This is because some of the audit events related to account lockout are captured below the F5OS layer, in the host audit log (host/audit.log), and by default that log is not sent to a remote server.

To forward the contents of the host audit logs, add config files file audit/audit.log to the system logging host-logs configuration, as seen below.

syscon-1-active# show running-config system logging host-logs
system logging host-logs
config remote-forwarding enabled
config remote-forwarding include-standby
config selectors selector AUTHPRIV DEBUG
config files file audit/audit.log
!
syscon-1-active#

In addition, you’ll want to ensure that selectors selector AUTHPRIV INFORMATIONAL is added to the system logging remote-servers configuration for your configured syslog location.

syscon-1-active# show running-config system logging remote-servers
system logging remote-servers remote-server 10.255.85.164
config remote-port 514
config proto udp
selectors selector LOCAL0 INFORMATIONAL
selectors selector AUTHPRIV INFORMATIONAL
!
syscon-1-active#

Below is a remote syslog example of a client logging into the F5OS CLI and entering an invalid password multiple times, resulting in an account lockout event. The configured password-policy for max-login-failures has been set to two, meaning that once the client enters two invalid passwords the account will be temporarily locked for the unlock-time of sixty seconds.

syscon-1-active# show running-config system aaa password-policy
system aaa password-policy config min-length 6
system aaa password-policy config required-numeric 0
system aaa password-policy config required-uppercase 0
system aaa password-policy config required-lowercase 0
system aaa password-policy config required-special 0
system aaa password-policy config max-letter-repeat 3
system aaa password-policy config max-sequence-repeat 0
system aaa password-policy config max-class-repeat 0
system aaa password-policy config required-differences 8
system aaa password-policy config reject-username false
system aaa password-policy config apply-to-root true
system aaa password-policy config retries 3
system aaa password-policy config max-login-failures 2
system aaa password-policy config unlock-time 60
system aaa password-policy config root-lockout true
system aaa password-policy config root-unlock-time 60
system aaa password-policy config max-age 0
syscon-1-active#

In the logs below, a local user testuser has entered two consecutive bad passwords resulting in a temporary lock of the account.

2023-02-21T12:23:10.495053-05:00 appliance-1 unix_chkpwd[45741]:  password check failed for user (testuser)
2023-02-21T12:23:10.495481-05:00 appliance-1 sshd[45026]:  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.105.83  user=testuser
2023-02-21T12:23:18.298137-05:00 appliance-1 unix_chkpwd[46717]:  password check failed for user (testuser)
2023-02-21T12:23:18.298942-05:00 appliance-1 sshd[45026]:  pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
2023-02-21T12:23:20.223386-05:00 appliance-1 sshd[46957]:  pam_unix(sshd:session): session opened for user root by (uid=0)
2023-02-21T12:23:20.274338-05:00 appliance-1 sshd[46957]:  pam_unix(sshd:session): session closed for user root
2023-02-21T12:23:20.416710-05:00 appliance-1 HOST-audit/audit.log:  type=RESP_ACCT_UNLOCK_TIMED msg=audit(1677000190.495:250): pid=45026 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam_faillock uid=1003  exe="/usr/sbin/sshd" hostname=172.18.105.83 addr=172.18.105.83 terminal=ssh res=success'
2023-02-21T12:23:20.416724-05:00 appliance-1 HOST-audit/audit.log:  type=ANOM_LOGIN_FAILURES msg=audit(1677000198.297:251): pid=45026 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam_faillock uid=1003  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2023-02-21T12:23:20.416727-05:00 appliance-1 HOST-audit/audit.log:  type=RESP_ACCT_LOCK msg=audit(1677000198.297:252): pid=45026 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam_faillock uid=1003  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'

Example Audit Logging of Configuration Changes

Below is an example audit log of the user jim-test entering config mode via the CLI, changing the description for interface 20.0, and then committing the change.

2023-01-06T17:44:16.790917-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI 'config'".
2023-01-06T17:44:16.791664-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI done".
2023-01-06T17:44:54.864806-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI 'interfaces interface 20.0 config description "This is a test"'".
2023-01-06T17:44:54.864822-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI done".
2023-01-06T17:44:59.392050-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI 'commit'".
2023-01-06T17:44:59.412077-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000005 msg="audit modify" ctx="CLI" user="jim-test/15056017" path="/interfaces/interface{20.0}".
2023-01-06T17:44:59.412156-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="CLI" user="jim-test/15056017" path="/interfaces/interface{20.0}/config/description" value="This is a test".
2023-01-06T17:44:59.413541-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI done".
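
The login, logout, account-lockout and configuration-change excerpts above share a small set of line shapes: audit-service key="value" records, sshd PAM messages, and forwarded host auditd records. The following Python, added here as an example and not F5 code, normalises all three into one event shape and produces the summary a remote-syslog consumer would want (logins with source address, failed passwords per user and source, lockouts, and committed values); the sample input is copied from the excerpts in this section.

```python
"""Classify F5OS audit events received on a remote syslog server.

Added example, not F5 code. Handles audit-service key="value" records (logins,
sessions, CLI commands, "audit value set" config changes), sshd PAM lines
(failed passwords, pam_faillock lockouts) and HOST-audit/audit.log records."""
import re
from collections import Counter

# "<ts> <host> <process>:  <body>" (the excerpts show one or two spaces before the body)
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s+(?P<body>.*)$")
# cmd="..." is always the last field and may itself contain double quotes,
# so it is taken greedily up to the final quote instead of with FIELD_RE.
CMD_RE = re.compile(r'\bcmd="(.*)"\.?\s*$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted" or key=bare
SRC_RE = re.compile(r"from ([\w.:]+):(\d+) with (\w+)")   # "from 172.18.105.188:0 with http"
AUTH_FAIL_RE = re.compile(r"authentication failure;.*rhost=(\S*)\s+user=(\S+)")
LOCK_RE = re.compile(r"pam_faillock\(\S+\): .*for user (\S+) account temporarily locked")
HOST_REC_RE = re.compile(r"type=(\w+) .*?addr=(\S+)")
HOST_LOCK_TYPES = {"ANOM_LOGIN_FAILURES", "RESP_ACCT_LOCK", "RESP_ACCT_UNLOCK_TIMED"}


def parse_line(line):
    """Return a normalised event dict, or None for lines that are not classified."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, body = m.group("ts", "host", "proc", "body")
    ev = {"ts": ts, "host": host, "kind": None, "user": None, "src": None, "detail": ""}

    if proc.startswith("audit-service"):
        cmd_m = CMD_RE.search(body)
        cmd = cmd_m.group(1) if cmd_m else ""
        head = body[: cmd_m.start()] if cmd_m else body
        fields = {k: (q or u) for k, q, u in FIELD_RE.findall(head)}
        # user="admin/22488445" is account/session-number; "/0" means no session yet
        ev["user"] = fields.get("user", "").split("/")[0] or None
        src_m = SRC_RE.search(cmd)
        ev["src"] = src_m.group(1) if src_m else None
        if fields.get("msg") == "audit value set":
            ev["kind"] = "config_change"
            ev["detail"] = f'{fields.get("path")} = {fields.get("value")!r} via {fields.get("ctx")}'
        elif cmd.startswith("logged in via"):
            ev["kind"], ev["detail"] = "login", cmd
        elif cmd.startswith("created new session via"):
            ev["kind"], ev["detail"] = "session_open", cmd
        elif cmd.startswith("terminated session") or cmd == "CLI 'logout'":
            ev["kind"], ev["detail"] = "session_close", cmd
        elif cmd.startswith("CLI '"):
            ev["kind"], ev["detail"] = "cli_command", cmd[len("CLI '"):-1]
        else:
            return None  # RESTCONF request/response lines, "CLI done", etc.
        return ev

    if proc.startswith("sshd"):
        fail = AUTH_FAIL_RE.search(body)
        if fail:
            ev.update(kind="auth_failure", src=fail.group(1) or None, user=fail.group(2))
            return ev
        lock = LOCK_RE.search(body)
        if lock:
            ev.update(kind="account_locked", user=lock.group(1), detail="pam_faillock")
            return ev
        return None

    if proc.startswith("HOST-audit"):
        rec = HOST_REC_RE.search(body)
        if rec and rec.group(1) in HOST_LOCK_TYPES:
            src = None if rec.group(2) == "?" else rec.group(2)
            ev.update(kind="host_" + rec.group(1).lower(), src=src, detail=rec.group(1))
            return ev
    return None


def summarize(lines):
    """Aggregate events the way a SOC view would: who, from where, what changed."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "logins": [(e["user"], e["src"]) for e in events if e["kind"] == "login"],
        "failures": dict(Counter((e["user"], e["src"]) for e in events if e["kind"] == "auth_failure")),
        "lockouts": sorted({e["user"] for e in events if e["kind"] == "account_locked"}),
        "host_lock_records": [e["kind"] for e in events if e["kind"].startswith("host_")],
        "commands": [(e["user"], e["detail"]) for e in events if e["kind"] == "cli_command"],
        "config_changes": [(e["user"], e["detail"]) for e in events if e["kind"] == "config_change"],
    }


# Sample input: lines copied from the log excerpts in this section.
SAMPLE = [
    '2023-08-23T18:15:51.616976-04:00 controller-1 audit-service[8]:  priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/0" cmd="logged in via rest from 172.18.105.188:0 with http using external authentication".',
    '2023-01-06T17:06:57.717714-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/15001237" cmd="created new session via cli from 172.18.104.40:61769 with ssh".',
    '2023-01-06T17:44:54.864806-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15056017" cmd="CLI \'interfaces interface 20.0 config description "This is a test"\'".',
    '2023-01-06T17:44:59.412156-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="CLI" user="jim-test/15056017" path="/interfaces/interface{20.0}/config/description" value="This is a test".',
    '2023-02-21T12:23:10.495481-05:00 appliance-1 sshd[45026]:  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.105.83  user=testuser',
    '2023-02-21T12:23:18.298942-05:00 appliance-1 sshd[45026]:  pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked',
    "2023-02-21T12:23:20.416727-05:00 appliance-1 HOST-audit/audit.log:  type=RESP_ACCT_LOCK msg=audit(1677000198.297:252): pid=45026 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam_faillock uid=1003  exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=? res=success'",
    '2023-08-23T18:23:18.543593-04:00 controller-1 audit-service[8]:  priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/22491444" cmd="CLI \'logout\'".',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed the same function the output of `file tail -f log/controller/audit.log` or the remote syslog stream; lines it does not classify (RESTCONF request/response pairs, "CLI done") return None so the summary stays readable.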

Example Audit Logging of webUI Changes

Below is an example audit log of the user jim-test using the webUI to change the VLAN membership for interface 20.0 and then committing the change.

2023-01-06T17:50:43.011201-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="external token authentication succeeded via rest from 172.18.104.40:0 with http, member of groups: admin session-id:jim-test1673045408".
2023-01-06T17:50:43.011215-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="logged in via rest from 172.18.104.40:0 with http using externalvalidation authentication".
2023-01-06T17:50:43.014087-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065552" cmd="assigned to groups: admin".
2023-01-06T17:50:43.014185-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065552" cmd="created new session via rest from 172.18.104.40:0 with http".
2023-01-06T17:50:43.014470-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065552" cmd="RESTCONF: request with http: GET /restconf/ HTTP/1.1".
2023-01-06T17:50:43.015325-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065552" cmd="terminated session (reason: normal)".
2023-01-06T17:50:43.016496-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065552" cmd="RESTCONF: response with http: HTTP/1.1 /restconf/ 200 duration 42906 ms".
2023-01-06T17:50:46.109658-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="external token authentication succeeded via rest from 172.18.104.40:0 with http, member of groups: admin session-id:jim-test1673045408".
2023-01-06T17:50:46.110048-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="logged in via rest from 172.18.104.40:0 with http using externalvalidation authentication".
2023-01-06T17:50:46.110850-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065637" cmd="assigned to groups: admin".
2023-01-06T17:50:46.110956-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065637" cmd="created new session via rest from 172.18.104.40:0 with http".
2023-01-06T17:50:46.111225-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065637" cmd="RESTCONF: request with http: PUT /restconf/data/openconfig-interfaces:interfaces/interface=19.0/openconfig-if-ethernet:ethernet/openconfig-vlan:switched-vlan HTTP/1.1".
2023-01-06T17:50:46.146634-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000005 msg="audit modify" ctx="REST" user="jim-test/15065637" path="/interfaces/interface{19.0}".
2023-01-06T17:50:46.146728-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000003 msg="audit create" ctx="REST" user="jim-test/15065637" path="/interfaces/interface{19.0}/ethernet/switched-vlan/config/trunk-vlans{503}".
2023-01-06T17:50:46.147281-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065637" cmd="terminated session (reason: normal)".
2023-01-06T17:50:46.148887-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065637" cmd="RESTCONF: response with http: HTTP/1.1 /restconf/data/openconfig-interfaces:interfaces/interface=19.0/openconfig-if-ethernet:ethernet/openconfig-vlan:switched-vlan 204 duration 69082 ms".
2023-01-06T17:50:46.207531-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="external token authentication succeeded via rest from 172.18.104.40:0 with http, member of groups: admin session-id:jim-test1673045408".
2023-01-06T17:50:46.207564-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/0" cmd="logged in via rest from 172.18.104.40:0 with http using externalvalidation authentication".
2023-01-06T17:50:46.208310-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065642" cmd="assigned to groups: admin".
2023-01-06T17:50:46.208414-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065642" cmd="created new session via rest from 172.18.104.40:0 with http".
2023-01-06T17:50:46.208908-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065642" cmd="RESTCONF: request with http: GET /restconf/data/openconfig-interfaces:interfaces HTTP/1.1".
2023-01-06T17:50:46.404290-05:00 appliance-1 audit-service[12]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="jim-test/15065642" cmd="RESTCONF: response with http: HTTP/1.1 /restconf/data/openconfig-interfaces:interfaces 200 duration 227159 ms".
2023-01-06T17:50:46.404731-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="jim-test/15065642" cmd="terminated session (reason: normal)".

Example Audit Logging of API Changes

Below is an example audit log of the user admin using the API to add a new VLAN to the configuration. In F5OS releases prior to F5OS-A 1.4.0, API audit logs captured configuration changes but did not log the full configuration payload.

2023-02-17T17:28:10.290541-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/3104052" cmd="created new session via rest from 172.18.104.20:0 with http".
2023-02-17T17:28:10.290769-05:00 appliance-1 audit-service[11]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/3104052" cmd="RESTCONF: request with http: PATCH /restconf/data/openconfig-vlan:vlans HTTP/1.1".
2023-02-17T17:28:10.308174-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000003 msg="audit create" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}".
2023-02-17T17:28:10.308217-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}/vlan-id" value="600".
2023-02-17T17:28:10.308280-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}/config/vlan-id" value="600".
2023-02-17T17:28:10.308319-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}/config/name" value="TEST600-VLAN".
2023-02-17T17:28:10.308819-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/3104052" cmd="terminated session (reason: normal)".
2023-02-17T17:28:10.310149-05:00 appliance-1 audit-service[11]: priority="Info" version=1.0 msgid=0x1f03000000000001 msg="audit" user="admin/3104052" cmd="RESTCONF: response with http: HTTP/1.1 /restconf/data/openconfig-vlan:vlans 204 duration 57569 ms".
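Every audit-service line above is the same fixed prefix followed by key="value" pairs, so a SIEM rule or a short script can reduce the CLI, webUI and API captures to "who changed what, from which client, in which session". The following Python is an added example, not F5OS code; its sample lines are constructed from the captures on this page, and the session-to-client mapping assumes the "created new session ... from <ip>:<port>" wording shown in the REST examples.

```python
import re
from collections import defaultdict

# Line prefix "<ts> <host> <proc>[<pid>]: " and the key=value pairs that follow it
PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<body>.*)$')
FIELD = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S+))')

# Constructed sample built from the CLI and REST captures above (not a live log).
SAMPLE = """\
2023-01-06T17:44:59.412077-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000005 msg="audit modify" ctx="CLI" user="jim-test/15056017" path="/interfaces/interface{20.0}".
2023-01-06T17:44:59.412156-05:00 appliance-1 audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="CLI" user="jim-test/15056017" path="/interfaces/interface{20.0}/config/description" value="This is a test".
2023-02-17T17:28:10.290541-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000002 msg="audit" user="admin/3104052" cmd="created new session via rest from 172.18.104.20:0 with http".
2023-02-17T17:28:10.308174-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000003 msg="audit create" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}".
2023-02-17T17:28:10.308319-05:00 appliance-1 audit-service[11]: priority="Notice" version=1.0 msgid=0x1f03000000000006 msg="audit value set" ctx="REST" user="admin/3104052" path="/vlans/vlan{600}/config/name" value="TEST600-VLAN".
"""

def parse_line(line):
    """Return the prefix fields plus every key="value" pair of one audit-service line."""
    m = PREFIX.match(line.rstrip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"]}
    for f in FIELD.finditer(m["body"]):
        rec[f["key"]] = f["quoted"] if f["quoted"] is not None else f["bare"]
    # user is "<account>/<session-id>"; keep both so changes can be tied to a session
    if "user" in rec:
        rec["account"], _, rec["session"] = rec["user"].partition("/")
    return rec

def config_changes(text):
    """Collect create/modify/value-set records per (account, session): one commit or one REST call."""
    changes = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("msg", "").startswith("audit ") and "path" in rec:
            action = rec["msg"].split(" ", 1)[1]          # "modify", "create", "value set", ...
            changes[(rec["account"], rec["session"])].append(
                (rec["ctx"], action, rec["path"], rec.get("value")))
    return dict(changes)

def session_origins(text):
    """Map each REST session id to the client address in its 'created new session ... from' line."""
    origin = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("cmd", "").startswith("created new session"):
            m = re.search(r" from (\S+?):\d+ ", rec["cmd"])
            origin[rec["session"]] = m.group(1) if m else None
    return origin
```

Joining the two results on the session id gives a per-change record that names the client address, which is what a reviewer of the remote-logged audit trail usually has to reconstruct by hand.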

Downloading Audit Logs via CLI

Audit logs can be sent to a remote server as outlined above, but they can also be downloaded from the system if needed. Before transferring a file using the CLI, use the file list command to see the contents of the directory and ensure the file is there. There are two audit.log locations: log/system/audit.log where most of the audit.log events are logged, and log/host/audit/audit.log where some lower-level events are logged.

The path below is the main audit.log.

r10900-1# file list path log/system/audit.log
entries {
    name audit.log
    date Sat Feb 25 21:38:45 UTC 2023
    size 11MB
}
r10900-1#

The path below is for lower-level audit log events such as account lockouts.

r10900-1# file list path log/host/audit/audit.log
entries {
    name audit.log
    date Thu Feb 23 05:05:14 UTC 2023
    size 50MB
}
r10900-1#

To export copies of these files off the system, use the file export command to transfer the file to a remote server over HTTPS, SFTP, or SCP. The insecure keyword used in the examples skips verification of the remote host's identity (its TLS certificate or SSH host key), so omit it wherever the remote host can be verified. Below is an example of transferring log/system/audit.log to a remote HTTPS server:

r10900-1# file export local-file log/system/audit.log remote-host 10.255.0.142 remote-file /upload/upload.php username corpuser insecure
Value for 'password' (<string>): ********
result File transfer is initiated.(log/system/audit.log)
r10900-1#

To check the status of the export, use the file transfer-status command:

r10900-1# file transfer-status
result
S.No.|Operation  |Protocol|Local File Path                                             |Remote Host         |Remote File Path                                            |Status            |Time
1    |Export file|HTTPS   |log/system/audit.log                                        |10.255.0.142        |/upload/upload.php                                          |         Completed|Sat Feb 25 16:46:28 2023

r10900-1#

You may also transfer from the CLI using the SCP or SFTP protocol. Below is an example using SCP:

r10900-1# file export local-file log/system/audit.log remote-host 10.255.0.142 protocol scp insecure remote-file r109001-audit.log username root
Value for 'password' (<string>): *******
result File transfer is initiated.(log/system/audit.log)
r10900-1#

The file transfer-status command shows SCP transfers alongside HTTPS and SFTP ones:

r10900-1# file transfer-status
result
S.No.|Operation  |Protocol|Local File Path                                             |Remote Host         |Remote File Path                                            |Status            |Time
1    |Export file|HTTPS   |log/system/audit.log                                        |10.255.0.142        |/upload/upload.php                                          |         Completed|Sat Feb 25 16:46:28 2023
2    |Export file|SCP     |log/system/audit.log                                        |10.255.0.142        |r109001-audit.log                                           |         Completed|Sat Feb 25 16:50:06 2023

r10900-1#

Downloading Audit Logs via API

To copy the audit.log files from the appliance to a remote HTTPS server, use the following API call; change the local-file path depending on which audit.log you want to export. Below is an API POST call to export log/system/audit.log to a remote server.

POST https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/f5-utils-file-transfer:file/export

The JSON body of the API call should contain the following:

{
    "f5-utils-file-transfer:insecure": "",
    "f5-utils-file-transfer:protocol": "https",
    "f5-utils-file-transfer:username": "corpuser",
    "f5-utils-file-transfer:password": "password",
    "f5-utils-file-transfer:remote-host": "10.255.0.142",
    "f5-utils-file-transfer:remote-file": "/upload/upload.php",
    "f5-utils-file-transfer:local-file": "log/system/audit.log"
}

You can then check on the status of the export via the following API call:

POST https://{{velos_chassis1_system_controller_ip}}:8888/api/data/f5-utils-file-transfer:file/transfer-status

The response displays the status of the most recent file transfers.

{
    "f5-utils-file-transfer:output": {
        "result": "\nS.No.|Operation  |Protocol|Local File Path                                             |Remote Host         |Remote File Path                                            |Status            |Time                \n1    |Export file|HTTPS   |log/system/audit.log                                        |10.255.0.142        |/upload/upload.php                                          |         Completed|Sat Feb 25 17:06:00 2023\n2    |Export file|SCP     |log/system/audit.log                                        |10.255.0.142        |r109001-audit.log                                           |         Completed|Sat Feb 25 16:50:06 2023\n"
    }
}
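The export body and the transfer-status table above are straightforward to drive from a scheduled offload job. The following Python is an added example, not F5OS or F5 code: it builds the export body and parses the status table so the job can confirm that each export of a given audit.log finished. It assumes, as the body above suggests, that insecure is a presence-only leaf (sending it with any value disables verification), and its sample response is constructed from the one shown with the columns narrowed.

```python
import json

# Constructed sample modelled on the transfer-status response above (not a live capture).
SAMPLE_RESPONSE = json.dumps({"f5-utils-file-transfer:output": {"result":
    "\nS.No.|Operation  |Protocol|Local File Path      |Remote Host   |Remote File Path   |Status      |Time                \n"
    "1    |Export file|HTTPS   |log/system/audit.log |10.255.0.142  |/upload/upload.php |   Completed|Sat Feb 25 17:06:00 2023\n"
    "2    |Export file|SCP     |log/system/audit.log |10.255.0.142  |r109001-audit.log  |   Completed|Sat Feb 25 16:50:06 2023\n"}})

def export_body(local_file, remote_host, remote_file, username, password,
                protocol="https", insecure=False):
    """Body for POST .../f5-utils-file-transfer:file/export. The insecure leaf is assumed to be
    presence-only (as in the body above), so it is emitted only when explicitly requested."""
    body = {
        "f5-utils-file-transfer:protocol": protocol,
        "f5-utils-file-transfer:username": username,
        "f5-utils-file-transfer:password": password,
        "f5-utils-file-transfer:remote-host": remote_host,
        "f5-utils-file-transfer:remote-file": remote_file,
        "f5-utils-file-transfer:local-file": local_file,
    }
    if insecure:
        body["f5-utils-file-transfer:insecure"] = ""
    return body

def parse_transfer_status(response_json):
    """Turn the pipe-separated 'result' table into one dict per transfer, keyed by header name."""
    text = json.loads(response_json)["f5-utils-file-transfer:output"]["result"]
    lines = [ln for ln in text.splitlines() if ln.strip()]
    headers = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(headers, (c.strip() for c in row.split("|")))) for row in lines[1:]]

def unfinished_exports(response_json, local_file):
    """Rows for local_file whose Status is not Completed, e.g. for an offload job to alert on."""
    return [r for r in parse_transfer_status(response_json)
            if r["Local File Path"] == local_file and r["Status"] != "Completed"]
```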

Downloading Audit Logs via webUI

You can download either of the audit.log files from the System -> File Utilities page in the webUI. In the Base Directory drop-down menu, select log/host, and then select the audit directory, as seen below.

_images/imageaudit1.png

Inside the audit directory, select audit.log and then choose either Download to copy the file to your local machine via the browser, or Export to copy it to a remote HTTPS server.

_images/imageaudit2.png

You can also select the log/system path to download the system audit.log.

_images/imageaudit3.png