F5 BIG-IP load balancer discovery using API
07-27-2023 11:38 AM
We are just starting out with application service mapping and have a few questions.
We have an F5 load balancer pool as our entry point. When the service mapping discovery runs, we get an SSH error, which can most of the time be ignored.
We have SNMP v3 configured as well as API access with a service account on the F5 clusters. My service mapping logs are throwing errors in the check for http to https iRule connection section of the pattern.
My question is, do the API access rules cover this error? I am able to look at iRules using Postman with my service account using
- https://" get_attr {"managementIP"}"/mgmt/tm/ltm/"get_attr {"irule"}
How can I verify I have what I need? The reason I am questioning this is because the F5 discovery document states:
If there are iRules or SNMP community credentials are not enough for discovering outgoing connections, configure SSH credentials on Now Platform.

10-13-2023 08:42 AM
We are also facing this issue while Service Mapping one of our Services, and it is getting stuck on the F5 Load Balancer. Did you get the solution for this?
We even got the SSH Account created via TACACS but it is not getting authenticated when trying to validate the credential.
01-17-2024 11:05 PM
I am also facing issues with this, specifically with the API credentials. Has this been resolved?
01-18-2024 06:44 AM
I have made some progress with this. Before I go into details, I have found that OVERALL, SSH has been more successful than API. We are actually now using SNMP, SSH, and API. After debugging my service maps, I found that the F5 BigIP LTM pattern wasn't discovering our data. The regular expressions that were used for extracting URIs, pools, and rules were not parsing the correct data or any data at all. I have spent time reconfiguring the regular expression to be able to successfully extract that data. It isn't perfect yet; I am still working on the connections aspect of the pattern.
I haven't been able to find any official documentation around patterns and what they are attempting to perform, so some of it is trial and error and seeing what works for our environment. I would love to understand what the rule for “parse ips and ports from rules based on node definition” is trying to do. Working with my network team, they are not entirely sure either as 99.9% of the rules are DNS names, not ports, in our instance.
My network team has also stated that this pattern is not very current with F5 software and the format of the information they are expecting is not the same. My advice is to throw this pattern in debug mode, add your URL entry point, and go step by step with it. Most of the pattern is just pulling in configuration data and parsing it from a file using regular expressions. You will clearly see what is working and what isn’t.
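An added example, not part of the post above and not ServiceNow's pattern code: one way to check offline what an iRule read through the API actually yields, by pulling pool references, `node` targets and HTTP-to-HTTPS redirects out of the rule text. The response below is constructed, the rule, pool and host names are invented, and reading the "node" step as the iRule `node <ip> <port>` command is an assumption.

```python
import json
import re

# Constructed sample shaped like an iControl REST reply to GET /mgmt/tm/ltm/rule,
# where each item's "apiAnonymous" field holds the iRule body. All names are invented.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:ltm:rule:rulecollectionstate",
    "items": [
        {"name": "redirect_http_to_https", "partition": "Common",
         "apiAnonymous": "when HTTP_REQUEST {\n"
                         "    HTTP::redirect https://[HTTP::host][HTTP::uri]\n}"},
        {"name": "route_by_uri", "partition": "Common",
         "apiAnonymous": "when HTTP_REQUEST {\n"
                         "    # pool old_pool\n"
                         "    if { [HTTP::uri] starts_with \"/api\" } {\n"
                         "        pool /Common/api_pool\n"
                         "    } elseif { [HTTP::host] equals \"legacy.example.com\" } {\n"
                         "        node 10.0.0.15 8443\n"
                         "    } else { pool web_pool }\n}"},
    ],
})

# Comment lines are dropped first so a commented-out "pool" is not reported.
COMMENT_RE = re.compile(r"^\s*#.*$", re.M)
# A command starts at a line start or right after "{" or ";".
POOL_RE = re.compile(r"(?:^|[{;])\s*pool\s+([\w./-]+)", re.M)
NODE_RE = re.compile(
    r"(?:^|[{;])\s*node\s+(\d{1,3}(?:\.\d{1,3}){3})(?:[ \t:]+(\d+))?", re.M)
REDIRECT_RE = re.compile(r"HTTP::redirect\s+\"?https://", re.I)


def summarize_rules(response_text):
    """Map each rule name to its pools, node targets and HTTPS-redirect flag."""
    summary = {}
    for item in json.loads(response_text).get("items", []):
        body = COMMENT_RE.sub("", item.get("apiAnonymous", ""))
        nodes = {f"{ip}:{port}" if port else ip for ip, port in NODE_RE.findall(body)}
        summary[item["name"]] = {
            "pools": sorted(set(POOL_RE.findall(body))),
            "nodes": sorted(nodes),
            "https_redirect": bool(REDIRECT_RE.search(body)),
        }
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_rules(SAMPLE_RESPONSE), indent=2))
```

Saving a real response from the service account to a file and passing its text to `summarize_rules` shows whether that account's read access returns rule bodies at all, and which pools or nodes a regular expression would have to extract.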
01-18-2024 06:49 AM
Hi @Preston_83
Refer to the below; it might be helpful.
https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control
https://www.servicenow.com/community/itom-forum/how-to-discover-f5-bigip-ltm/m-p/960788
Please appreciate the efforts of community contributors by marking the appropriate response with Mark my Answer Helpful or Accept Solution. This may help other community users to follow the correct solution in the future.
Thanks
AJ
Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/