Big-Ip Command Line v94

BIG-IP Command Line Interface Guide
version 9.4
MAN-0236-00
Product Version
This manual applies to version 9.4 of the BIG-IP® product family.
Publication Date
This guide was published on December 28, 2006.
Legal Notices
Copyright
Copyright 1996-2006, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
iControl user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, Internet Control Architecture, IP Application
Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam,
FirePass, TrafficShield, Swan, WANJet, WebAccelerator, and TMOS are registered trademarks or
trademarks, and Ask F5 is a service mark, of F5 Networks, Inc. in the U.S. and certain other countries. All
other trademarks mentioned in this document are the property of their respective owners. F5 Networks'
trademarks may not be used in connection with any product or service except as permitted in writing by
F5.
Patents
This product protected by U.S. Patents 6,311,278; 6,374,300; 6,473,802; 6,970,933. Other patents pending.
Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States
government may consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance

This class A digital apparatus complies with Canadian I CES-003.
BIG-IP® Command-Line Interface Guide i

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by Charles Hannum.
This product includes software developed by Charles Hannum, by the University of Vermont and State
Agricultural College and Garrett A. Wollman, by William F. Jolitz, and by the University of California,
Berkeley, Lawrence Berkeley Laboratory, and its contributors.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
In the following statement, "This software" refers to the parallel port driver: This software is a component
of "386BSD" developed by William F. Jolitz, TeleMuse.
This product includes software developed by the Apache Group for use in the Apache HTTP server
project(http://www.apache.org/).
This product includes software developed by Darren Reed. (© 1993-1998 by Darren Reed).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (©
1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
ii
Table of Contents
Table of Contents
1
Introducing BIG-IP System Commands
Introducing the BIG-IP system .....................................................................................................1-1
Overview of the BIG-IP system command line interface .............................................1-2
About this guide ..............................................................................................................................1-4
Additional information ..........................................................................................................1-5
Stylistic conventions ..............................................................................................................1-5
Finding help and technical support resources ..........................................................................1-8
2
Understanding the bigpipe Utility
Introducing the bigpipe utility ......................................................................................................2-1
Using the bigpipe shell ...................................................................................................................2-1
Controlling the bigpipe shell ...............................................................................................2-2
Using the bigpipe shell command history and editing feature .....................................2-2
Using the bigpipe shell command completion feature ..................................................2-2
Using the bigpipe shell command continuation feature ................................................2-2
Customizing the bigpipe shell ..............................................................................................2-3
Using the bigpipe shell escape feature ..............................................................................2-4
bigpipe command summary ..........................................................................................................2-4
3
Managing the BIG-IP Network Components
Configuring the BIG-IP network components .........................................................................3-1
Performing network management tasks ....................................................................................3-1
Implementing packet filtering ..............................................................................................3-1
Configuring routing ...............................................................................................................3-2
Implementing the trunk algorithm on FFP-supported platforms ................................3-2
4
Managing the BIG-IP System
Introducing BIG-IP system management ....................................................................................4-1
Understanding BIG-IP system management tools ...................................................................4-2
Using system management tools at the BIG-IP system prompt ..................................4-2
Using the bigpipe utility ........................................................................................................4-3
Editing files to configure the BIG-IP system ....................................................................4-3
Performing BIG-IP system management tasks ..........................................................................4-5
Configuring the MGMT port ...............................................................................................4-5
Creating and managing administrative partitions ............................................................4-5
Managing user accounts ........................................................................................................4-9
Configuring failover for redundant systems ................................................................. 4-11
Displaying protocol statistics ........................................................................................... 4-12
Using the bigstart utility .................................................................................................... 4-12
Working with the bigtop utility ....................................................................................... 4-14
Working with the bigdb database ................................................................................... 4-15
Managing the Log File System .......................................................................................... 4-17
Removing and returning items to service ..................................................................... 4-19
Viewing the currently-defined system objects ............................................................. 4-20
Viewing and modifying system configuration files ....................................................... 4-20
Viewing system licenses ..................................................................................................... 4-21
BIG-IP® Command Line Interface Guide v

Table of Contents
5
Managing Local Application Traffic
Performing local traffic management tasks ...............................................................................5-1
Setting up load balancing ...............................................................................................................5-2
Managing traffic types ............................................................................................................5-2
Configuring manual resumption of pool members and nodes ....................................5-3
Configuring clone pools .......................................................................................................5-3
Configuring a last hop pool .................................................................................................5-3
Implementing SNATs ............................................................................................................5-4
Controlling HTTP traffic ...............................................................................................................5-5
Configuring HTTP compression .........................................................................................5-5
Redirecting HTTP requests .................................................................................................5-5
Rewriting HTTP redirections ..............................................................................................5-5
Inserting and erasing HTTP headers .................................................................................5-6
Enabling or disabling cookie encryption ...........................................................................5-6
Enabling or disabling SYN cookie support .......................................................................5-7
Configuring the HTTP Class profile ..................................................................................5-7
Unchunking and rechunking HTTP response data .........................................................5-8
Implementing HTTP and TCP optimization profiles ...............................................................5-8
Authenticating application traffic .................................................................................................5-9
Generating SSL certificates ..................................................................................................5-9
Generating CA certificates ..................................................................................................5-9
Creating client certificates ................................................................................................ 5-10
Creating a certificate for a web site ............................................................................... 5-11
Working with certificate revocation .............................................................................. 5-11
Associating keys and certificates with SSL profiles ..................................................... 5-12
Performing other certificate-related tasks .................................................................... 5-12
Configuring remote server authentication ................................................................... 5-13
Implementing persistence ........................................................................................................... 5-15
Implementing session persistence ................................................................................... 5-15
Implementing connection persistence ............................................................................ 5-15
Enhancing the performance of the BIG-IP system ................................................................ 5-17
Setting Link QoS and IP ToS levels on packets ........................................................... 5-17
Setting idle timeout values ................................................................................................ 5-17
Implementing rate shaping ................................................................................................ 5-18
Managing health and performance monitors ......................................................................... 5-18
Creating custom monitors ............................................................................................... 5-18
Associating monitors with pools or nodes ................................................................... 5-18
Monitoring services ............................................................................................................ 5-19
Configuring a monitor for manual resume ................................................................... 5-19
Implementing iRules ..................................................................................................................... 5-21
A
bigpipe Command Reference
Introduction to command syntax ...............................................................................................A-1
Using the keyword, all .........................................................................................................A-1
Identifying command types .................................................................................................A-1
Basic definitions .....................................................................................................................A-2
Alphabetical listing of commands ...............................................................................................A-3
arp ......................................................................................................................................................A-4
auth crldp .........................................................................................................................................A-7
auth ldap ...........................................................................................................................................A-9
auth radius .....................................................................................................................................A-14
auth ssl cc ldap ..............................................................................................................................A-17
vi
Table of Contents
auth ssl ocsp ..................................................................................................................................A-21

auth tacacs .....................................................................................................................................A-23
bigpipe shell ...................................................................................................................................A-26
class .................................................................................................................................................A-28
config ...............................................................................................................................................A-32
conn .................................................................................................................................................A-35
crldp server ...................................................................................................................................A-37
daemon ...........................................................................................................................................A-39
db .....................................................................................................................................................A-41
dns ...................................................................................................................................................A-42
exit ...................................................................................................................................................A-43
f5adduser ........................................................................................................................................A-44
failover ............................................................................................................................................A-46
fastL4 ...............................................................................................................................................A-47
fasthttp ............................................................................................................................................A-48
ftp .....................................................................................................................................................A-49
global ...............................................................................................................................................A-50
ha table ...........................................................................................................................................A-51
hardware ........................................................................................................................................A-53
help ..................................................................................................................................................A-54
http ..................................................................................................................................................A-55
icmp .................................................................................................................................................A-56
interface ..........................................................................................................................................A-57
ip ......................................................................................................................................................A-61
list ....................................................................................................................................................A-62
load ..................................................................................................................................................A-63
mcp ..................................................................................................................................................A-64
memory ..........................................................................................................................................A-65
merge ..............................................................................................................................................A-66
mgmt ...............................................................................................................................................A-67
mgmt route ....................................................................................................................................A-69
mirror .............................................................................................................................................A-71
monitor ..........................................................................................................................................A-73
nat ....................................................................................................................................................A-85
ndp ...................................................................................................................................................A-88
node ................................................................................................................................................A-90
ocsp responder .............................................................................................................................A-93
oneconnect ....................................................................................................................................A-97
packet filter ....................................................................................................................................A-98
partition ....................................................................................................................................... A-104
persist .......................................................................................................................................... A-106
platform ....................................................................................................................................... A-108
pool .............................................................................................................................................. A-110
profile ........................................................................................................................................... A-116
profile auth ................................................................................................................................. A-117
profile clientssl ........................................................................................................................... A-122
profile dns ................................................................................................................................... A-130
profile fasthttp ........................................................................................................................... A-132
profile fastl4 ................................................................................................................................ A-137
profile ftp .................................................................................................................................... A-142
profile http .................................................................................................................................. A-144
profile httpclass ......................................................................................................................... A-154
profile oneconnect .................................................................................................................... A-157
profile persist ............................................................................................................................. A-160
profile serverssl ......................................................................................................................... A-166
profile stats ................................................................................................................................. A-174
BIG-IP® Command Line Interface Guide vii

Table of Contents
profile stream ............................................................................................................................. A-176

profile tcp .................................................................................................................................... A-178
profile udp ................................................................................................................................... A-184
pva ................................................................................................................................................ A-186
radius server .............................................................................................................................. A-187
rate class ..................................................................................................................................... A-189
route ............................................................................................................................................ A-192
rule ............................................................................................................................................... A-194
save ............................................................................................................................................... A-196
self ................................................................................................................................................. A-197
self allow ...................................................................................................................................... A-199
shell .............................................................................................................................................. A-201
snat ............................................................................................................................................... A-203
snat translation .......................................................................................................................... A-205
snatpool ....................................................................................................................................... A-207
ssl .................................................................................................................................................. A-209
stop ............................................................................................................................................... A-210
stp ................................................................................................................................................. A-211
stp instance ................................................................................................................................. A-214
stream .......................................................................................................................................... A-217
sys-icheck .................................................................................................................................... A-218
sys-reset ...................................................................................................................................... A-219
tcp ................................................................................................................................................. A-220
tmm .............................................................................................................................................. A-221
trunk ............................................................................................................................................. A-222
udp ................................................................................................................................................ A-225
unit ................................................................................................................................................ A-226
user ............................................................................................................................................... A-227
version ......................................................................................................................................... A-230
virtual ........................................................................................................................................... A-231
virtual address ............................................................................................................................ A-236
vlan ............................................................................................................................................... A-239
vlangroup ..................................................................................................................................... A-243
Glossary
Index
viii
1
• Introducing the BIG-IP system
• About this guide
• Finding help and technical support resources

Introducing the BIG-IP system

The BIG-IP® system is a port-based, multilayer switch that supports virtual
local area network (VLAN) technology. Because hosts within a VLAN can
communicate at the data-link layer (Layer 2), a BIG-IP system reduces the
need for routers and IP routing on the network. This in turn reduces
equipment costs and boosts overall network performance. At the same time,
the multilayer capabilities of the BIG-IP system enable the system to
process traffic at other OSI layers. The BIG-IP system can perform IP
routing at Layer 3, as well as manage TCP, UDP, and other application
traffic at Layers 4 through 7. The following modules provide comprehensive
traffic management and security for many traffic types. The modules are
fully integrated to provide efficient solutions to meet any network, traffic
management, and security needs.
◆ BIG-IP® Local Traffic Manager
The BIG-IP system includes local traffic management features that help
make the most of network resources. Using the powerful Configuration
utility, you can customize the way that the BIG-IP system processes
specific types of protocol and application traffic. By using features such
as virtual servers, pools, and profiles, you ensure that traffic passing
through the BIG-IP system is processed quickly and efficiently, while
meeting all of your security needs. For more information, see the
Configuration Guide for BIG-IP® Local Traffic Management.
◆ BIG-IP® Global Traffic Manager
The Global Traffic Manager provides intelligent traffic management to
your globally available network resources. Through the Global Traffic
Manager, you can select from an array of load balancing modes, ensuring
that your clients access the most responsive and robust resources at any
given time. In addition, the Global Traffic Manager provides extensive
monitoring capabilities so the health of any given resource is always
available. For more information, see the Configuration Guide for
BIG-IP® Global Traffic Management.
◆ BIG-IP® Link Controller
The Link Controller seamlessly monitors availability and performance of
multiple WAN connections to intelligently manage bi-directional traffic
flows to a site, providing fault tolerant, optimized Internet access
regardless of connection type or provider. The Link Controller ensures
that traffic is always sent over the best available link to maximize user
performance and minimize bandwidth cost to a data center. For more
information, see the Configuration Guide for BIG-IP® Link Controller.
◆ BIG-IP®Application Security Manager

The Application Security Manager provides web application protection
from application-layer attacks. The Application Security Manager
protects Web applications from both generalized and targeted application
layer attacks including buffer overflow, SQL injection, cross-site
scripting, and parameter tampering. For more information, see the
Configuration Guide for BIG-IP® Application Security Management.
BIG-IP® Command Line Interface Guide 1-1

Chapter 1
Overview of the BIG-IP system command line interface

The BIG-IP system, a powerful combination of hardware and software
elements, is designed to meet your traffic management needs in the most
efficient, scalable, reliable, and secure way possible. Although the primary
tool for managing the BIG-IP system is the browser-based Configuration
utility, there are other tools available that are command-line-based. That is,
there are commands and utilities that you can either type at the BIG-IP
system prompt, or use within scripts such as iRulesTM.
While some of these utilities and commands are provided as part of the
BIG-IP system, others are industry-standard tools that you can use to further
enhance the power of the BIG-IP system.
Understanding command line utilities and tools

There are several command line utilities and tools that you can use to
manage the BIG-IP system:
◆ The config utility
You use the config utility to define the IP address, network mask, and
gateway for the management (MGMT) port, when you initially set up
your BIG-IP system.
◆ The bigpipe utility
The bigpipe utility is a set of commands that you can use to configure
elements of the BIG-IP system such as VLANs, load balancing pools,
and virtual servers. Using bigpipe commands, you can manage the
BIG-IP system and the BIG-IP network components, and control local
application traffic to suit your exact needs.
◆ The bigtop utility
The bigtop utility is a command that provides statistical monitoring, and
displays connections and throughput. You can set a refresh interval and
specify a sort order for this statistical information.
◆ The bigstart command
With the bigstart command, you can start, stop, restart, and check the
status of various daemons, such as snmpd.
◆ The gencert utility
You can use the gencert utility to generate a key, a temporary certificate
and a certificate signing request file. You then submit the request file to a
certificate authority to obtain an SSL certificate.
The industry-standard tools that you can also use to manage the BIG-IP
system are:
◆ The Syslog-ng utility
The Syslog-ng utility is a Linux operating system daemon that tracks
system events and stores them in log files. This utility can track not only
Linux system events, but BIG-IP system events, too. The system stores
the Syslog-ng configuration file in the /etc/Syslog-ng.conf directory and
stores the log output in the files in the /var/log directory.
1-2
◆ The Tools Command Language (Tcl) programming language

The Tools Command Language (Tcl) programming language is an
industry-standard programming language that you can use to create
BIG-IP system iRules. iRules are scripts you can write to direct and
manipulate the way that the BIG-IP system manages application traffic.
◆ The OpenSSL utility
A component of the industry-standard OpenSSL toolkit, the OpenSSL
utility is a set of commands that perform various cryptographic functions,
such as generating SSL certificates and keys.
For more information

This guide provides information about a subset of the commands that you
can use to manage the BIG-IP system. You can find additional information
about the command line interface in the following locations:
◆ Online man pages
The BIG-IP product includes a complete set of online man pages for the
commands that make up the bigpipe utility.
You can access the online man pages for bigpipe commands in one of
two ways:
• From the BIG-IP system prompt, type man followed by the
command name. You must use underscores between the words in the
command name. For example:
man stp_instance
• From the bigpipe shell prompt, use the command name followed by
help. Do not use underscores between the words in the command
name. For example:
bp> auth crldp help
◆ The Linux Syslog-ng man page
This man page is included with the standard set of Linux operating
system man pages.
◆ User-supplied third-party Tcl reference books
Various third-party reference books on the Tcl programming language
are available. You can use these books when you write iRules for
managing local application traffic.

Chapter 1
About this guide

Before you use this guide, we recommend that you run the Setup utility on
the BIG-IP system to configure basic network and system elements such as
static and floating self IP addresses, interfaces, and VLANs, to name a few.
After running the Setup utility, you can further customize your system by
using the Configuration utility to create local traffic management objects
such as virtual servers, load balancing pools, and profiles.
Finally, you can return to this guide when you want to adjust the elements
you have configured, or to add additional ones as your needs change.
Before you continue adjusting or customizing your BIG-IP system
configuration, complete these tasks:
• Choose a configuration tool.
• Familiarize yourself with additional resources such as product guides and
online help.
• Review the stylistic conventions that appear in this chapter.
This guide is written for use by system administrators who prefer to

configure the BIG-IP system using the command line interface, instead of
the Configuration utility. This guide includes instructions for handling
specific tasks, but it does not include instructions for configuring every
aspect of the system.
Chapter 2, Understanding the bigpipe Utility, describes the bigpipe utility
and the new bigpipe shell. It also includes a list of bigpipe commands.
Chapter 3, Managing the BIG-IP Network Components, describes how to
configure the BIG-IP network components and perform network
management tasks, such as working with trunks, routing, and packet
filtering, using the command line interface.
Chapter 4, Managing the BIG-IP System, describes the system management
tools that are available for configuring the BIG-IP system. It describes how
to use the command line interface to perform system management tasks,
such as configuring the management port, creating and managing
administrative partitions, and managing user accounts.
Chapter 5, Managing Local Application Traffic, describes how to use the
command line interface to perform local traffic management tasks, such as
managing traffic, configuring pools, pool members, and nodes, and
implementing persistence and rate shaping.
This guide also contains information about each bigpipe command,
including limited examples for usage of each command in Appendix A,
bigpipe Command Reference.
For complete instructions for configuring the BIG-IP system, see the online
help, the Configuration Guide for BIG-IP® Local Traffic Management,
and the Configuration Guide for BIG-IP® Global Traffic Management.
1-4
Additional information
In addition to this guide, you can use the following printed documents that
are included with the BIG-IP system to help you configure the system.
◆ Configuration Worksheet
Use this worksheet to plan the basic configuration of your BIG-IP
system.
◆ BIG-IP Quick Start Instructions
Use the basic configuration steps in this pamphlet to get the BIG-IP
system up and running in the network.
The following guides are available in PDF format from the CD-ROM
provided with the BIG-IP system. These guides are also available from the
first web page you see when you log in to the administrative web server on
the BIG-IP system.
Tip
This BIG-IP Command Line Interface Guide assumes that you have read
the following guides for important concepts and information.
◆ Platform Guide
This guide contains information about the BIG-IP hardware, including
important environmental warnings.
◆ Installation, Licensing, and Upgrades for BIG-IP® Systems
This guide provides detailed information about installing upgrades to the
BIG-IP system. It also provides information about licensing the BIG-IP
system software, and connecting the system to a management
workstation or network.
◆ Configuration Guide for BIG-IP® Local Traffic Management
This guide contains the information you need for configuring the BIG-IP
system to manage local network traffic. With this guide, you can perform
tasks such as creating virtual servers and load balancing pools,
configuring application and persistence profiles, implementing health
monitors, and setting up remote authentication.
◆ BIG-IP® Network and System Management Guide
This guide contains the information you need to configure and maintain
the network and system-related components of the BIG-IP system. With
this guide, you can perform tasks such as configuring VLANs, assigning
self IP addresses, creating administrative user accounts, and managing a
redundant system.
Stylistic conventions
To help you easily identify and understand important information, all of our
documentation uses the stylistic conventions described here.

Chapter 1
Using the configuration examples

All examples in this document use only private class IP addresses. When
you set up the configurations we describe, you must use valid IP addresses
suitable to your own network in place of our sample addresses.
Identifying new terms

To help you identify sections where a term is defined, the term itself is
shown in bold italic text. For example, a floating IP address is an IP address
assigned to a VLAN and shared between two computer systems.
Identifying references to objects, names, and commands

We apply bold formatting to a variety of items to help you easily pick them
out of a block of text. These items include web addresses, IP addresses,
utility names, and portions of commands, such as variables and keywords.
For example, with the bp> self <ip_address> show command, you can
specify a specific self IP address to show by specifying an IP address for the
<ip_address> variable.
Identifying references to other documents

We use italic text to denote a reference to another document. In references
where we provide the name of a book as well as a specific chapter or section
in the book, we show the book name in bold, italic text, and the chapter or
section name in italic text to help quickly differentiate the two. For example,
you can find information about SNMP traps in Appendix A of the BIG-IP
Network and System Management Guide.
Identifying command syntax

We show complete commands in bold Courier text. In this guide, we include
the corresponding screen prompt when the command is shown in a figure
that depicts an entire command line screen. We also include the
corresponding screen prompt when the command is used in the bigpipe
shell. For example, this command shows the configuration of the specified
pool name:
bp> self <ip_address> show
For more information about the bigpipe shell see Using the bigpipe shell, on
page 2-1.
Note that we do not include the corresponding screen prompt when a
command is used at the BIG-IP system prompt. For example, this command
configures the network address for the system:
config
1-6
Table 1.1 explains additional special conventions used in command line

syntax.
Item in text Description
\ Indicates that the command continues on the following line, and

that users should type the entire command without typing a line
break.
< > Identifies a user-defined parameter. For example, if the command

has <your name>, type in your name, but do not include the
brackets.
| Separates parts of a command.
[] Indicates that syntax inside the brackets is optional.
... Indicates that you can type a series of items.
::= Indicates the options that you can use.
Table 1.1 Command line syntax conventions

Chapter 1
Finding help and technical support resources

You can find additional technical documentation and product information in
the following locations:
◆ Online help for local traffic management
The Configuration utility has online help for each screen. The online help
contains descriptions of each control and setting on the screen. Click the
Help tab in the left navigation pane to view the online help for a screen.
◆ Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many
useful web sites and resources, including:
• The Ask F5SM Technical Support web site
• The F5 Solution Center
• The F5 DevCentral web site
• Plug-ins, SNMP MIBs, and SSH clients
• User documentation
◆ F5 Networks Technical Support web site
The F5 Networks Technical Support web site, http://tech.f5.com,
provides the latest documentation for the product, including:
• Release notes for the BIG-IP system, current and past
• Updates for guides (in PDF format)
• Technical notes
• Answers to frequently asked questions
• The Ask F5SM natural language question and answer engine.
To access this site, you need to register at http://tech.f5.com.
1-8
2
• Introducing the bigpipe utility
• Using the bigpipe shell
• bigpipe command summary

Introducing the bigpipe utility

The BIG-IP system includes a tool known as the bigpipe utility. The
bigpipe utility consists of an extensive set of commands that you can use to
manage the BIG-IP system. Using these commands, you can configure
system features such as user accounts, backup and recovery files, redundant
systems, and more. You can also set up network elements such as routes,
self IP addresses, and VLANs, and you can configure the BIG-IP system to
manage local traffic passing through the system.
The commands that the bigpipe utility contains serve as an alternative to the
Configuration utility, which is the browser-based BIG-IP system and
network management tool. For information on using the Configuration
utility, see these documents:
• BIG-IP Network and System Management Guide
• Configuration Guide for BIG-IP Local Traffic Management
• BIG-IP Local Traffic Manager: Implementations
You can type bigpipe utility commands in either of two ways:

• You can type the command sequence bigpipe <command> <options> at
the BIG-IP system prompt (such as BIG-IP>). For example, you can
display all BIG-IP system user accounts by typing this command
sequence at the BIG-IP system prompt:
bigpipe user show
• You can invoke the bigpipe shell and type a command sequence at the
bigpipe shell prompt (bp>). For example, you can display all BIG-IP
system user accounts by typing this command sequence at the bigpipe
shell prompt:
bp> user show
For information on invoking the bigpipe shell, see Using the bigpipe shell,
following.
Using the bigpipe shell

The bigpipe utility includes an interactive shell that eases the task of typing
bigpipe commands. You can invoke this shell by typing the bigpipe shell
command at a BIG-IP system prompt.
Typing the bigpipe shell command displays the prompt bp>. At this
prompt, you can type any bigpipe command sequence, using the syntax
described in Appendix A, bigpipe Command Reference.
The bigpipe shell includes several features, designed to optimize your use
of the bigpipe utility. The following sections describe these features.

Chapter 2
Controlling the bigpipe shell

You use the bigpipe shell command to control the shell. For example, the
bigpipe shell command invokes the bigpipe shell. If you include the
prompt <string> option, the bigpipe shell command customizes the shell
prompt. For more information, see Customizing the bigpipe shell, on page
2-3.
Furthermore, the shell itself has its own set of subcommands that you can
use:
• exit
Use this command to exit the bigpipe shell.
• quit
Use this command to exit the bigpipe shell (same as the exit command).
• stop
Use this command to discontinue command continuation. For more
information, see Using the bigpipe shell command completion feature,
following.
Using the bigpipe shell command history and editing feature

When you are using the bigpipe shell, the shell saves any commands that
you previously typed, until you exit the shell. You can access and edit
previous commands used on the BIG-IP system since the last reboot in the
reverse order of use by pressing the up arrow key.
Using the bigpipe shell command completion feature

At any point while typing or editing a command, you can press the Tab key,
and the bigpipe shell completes the word you are currently typing. If the
command has only one option, the shell fills in the remainder of the word
with that option. If the command has more than one option, you can press
the Tab key a second time to list all available options. If the shell displays
nothing after you press Tab, no options exist to complete the word.
Unlike other shell features, command completion works not only from
inside the bigpipe shell, but also from the BIG-IP system prompt.
Using the bigpipe shell command continuation feature

If you type any command using an unbalanced opening brace, the bigpipe
shell stores the command entered up to that point. The shell stores any
subsequent commands in a similar way until you type a command that
closes all open braces, or you type the stop command.
2-2
For example, suppose you type the auth radius command, with an opening
brace, but no closing brace:
bp> auth radius rad-1 {
The shell does nothing and presents an empty prompt for continuing:
bp>
At this point, you can continue to type more options for the auth radius
command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace ( } ), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
This discards the stored command sequence, without running the command.
Note
An opening brace that starts a continuation does not have to be the last
character on the line. Also, you can specify more than one brace on a single
line.
Customizing the bigpipe shell

You can customize the bigpipe shell by changing the default prompt (bp>)
to a prompt of your choice.
To customize the bigpipe shell prompt

At the bp> prompt, type the shell command with the prompt option and the
text for the new prompt:
bp> shell prompt <string>
The prompt option sets the shell's prompt to the given string value.
For example, when you type
bp> shell prompt BIG-IP>
the system changes the shell prompt to:

BIG-IP>

Chapter 2
Using the bigpipe shell escape feature

The bigpipe shell does not directly support Linux® commands. You can
type Linux commands by either exiting the bigpipe shell (returning to the
BIG-IP system prompt) or by using the bigpipe shell escape feature. The
shell escape is simply an exclamation point, followed by the Linux
command itself. For example:
bp> !ls
You can disable this feature by typing the following command at the BIG-IP
system prompt:
bigpipe shell -s
bigpipe command summary

The bigpipe utility contains an extensive set of commands that you can use
to configure the BIG-IP system. Table 2.1 provides a list of these
commands, along with a description of the action the command invokes.
Command Description
arp Creates static ARP addresses, and lists static and dynamic ARP addresses
auth crldp Configures a Certificate Revocation List Distribution Point (CRLDP) configuration object for
managing certificate revocation.
auth ldap Configures an LDAP configuration object for implementing remote LDAP-based client
authentication.
auth radius Configures a Remote Access Dialup Service (RADIUS) configuration object for implementing
remote RADIUS-based client authentication.
auth ssl cc ldap Configures an SSL client certificate LDAP configuration object for implementing remote
SSL-based LDAP client authorization.
auth ssl ocsp Configures an SSL OCSP configuration object for managing remote certificate revocation
based on the Online Certificate Revocation Protocol (OCSP).
auth tacacs Configures a TACACS+ configuration object for implementing remote TACACS+-based client
authentication.
class Configures classes on the BIG-IP system.
config Synchronizes the /config/bigip.conf between the two BIG-IP units in a redundant system.
conn Sets idle timeout for, displays, and deletes active connections on the BIG-IP system.
crldp server Creates a Certificate Revocation List Distribution Point (CRDLP) server object for
implementing a CRLDP authentication module.
Table 2.1 The bigpipe utility commands
2-4
Command Description
daemon Tunes the high availability functionality that is built into system services (also known as
daemons).
db Displays or modifies bigdbTM database entries.
dns Displays and resets global statistics for the DNS profile on the BIG-IP system.
exit Exits the bigpipe shell.
failover Sets the BIG-IP system as active or standby.
fastL4 Displays and resets statistics for the Fast L4 profile on the BIG-IP system.
fasthttp Displays and resets global statistics for the Fast HTTP profile on the BIG-IP system.
ftp Displays and resets global statistics for the FTP profile on the BIG-IP system.
global Sets global variable definitions.
ha table Displays the settings for high availability on a system.
hardware Displays the baud rate of the system hardware.
help Displays online help for bigpipe command syntax.
http Manages HTTP statistics.
icmp Manages ICMP statistics.
interface Sets options on individual interfaces.
ip Manages IP statistics.
list When the default Read partition is All, this command displays all objects the user has
permission to see. When you specify a Read partition, this command displays all objects the
user has permission to see, and all objects that are not in partitions.
load Loads the BIG-IP system configuration and resets.
mcp Displays the Master Control Program (MCP) state.
memory Manages memory statistics.
merge Loads the specified configuration file without resetting the current configuration.
mgmt Specifies network settings for the management interface (MGMT).
mgmt route Specifies route settings for the management interface (MGMT).
mirror Copies traffic from any port or set of ports to a single, separate port.
monitor Defines a health check monitor.

Chapter 2
Command Description
nat Defines external network address translations for nodes.
ndp Manages IPv6 neighbor discovery
node Defines node property settings.
ocsp responder Configures Online Certificate System Protocol (OCSP) responder objects.
oneconnect Configures a OneConnectTM profile.
packet filter Configures packet filter rules and trusted allow lists.
partition Configures partitions for implementing access control for the BIG-IP system administrative
users.
persist Configures a session persistence mode on a specific pool or node, for client requests.
platform Displays platform information.
pool Defines load balancing pools.
profile Displays profile settings, resets statistics, or deletes a profile.
profile auth Configures a type of authentication profile.
profile clientssl Configures a Client SSL type of profile.
profile dns Configures a domain name service (DNS) profile.
profile fasthttp Configures a Fast HTTP type of profile.
profile fastl4 Configures a Fast Layer 4 type of profile.
profile ftp Configures an FTP type of profile.
profile http Configures an HTTP type of profile.
profile httpclass Configures an HTTP Class type of profile.
profile oneconnect Configures a OneConnectTM type of profile.
profile persist Configures a session persistence profile.
profile serverssl Configures a Server SSL type of profile.
profile stats Configures a Statistics type of profile.
profile stream Configures a Stream type of profile.
profile tcp Configures a TCP type of profile.
2-6
Command Description
profile udp Configures a UDP type of profile.
pva Configures Packet Velocity® ASIC.
quit Exits the bigpipe shell.
radius server Configures a RADIUS server object for RADIUS authentication.
rate class Configures a rate class.
route Configures routes for the BIG-IP system traffic.
rule Defines traffic-management iRules.
save Writes the current configuration to a file.
self Assigns a self IP address for a VLAN.
self allow Configures the default allow list for all self IP addresses on the BIG-IP system.
shell Starts the bigpipe utility shell.
snat Defines and sets options for SNAT (Secure NAT).
snat translation Configures an explicit SNAT translation address.
snatpool Configures a SNAT pool.
ssl Displays or modifies SSL statistics.
stop Discontinues command continuation.
stp Implements one of the spanning tree protocols.
stp instance Configures an STP configuration instance.
stream Displays or resets global stream statistics for the BIG-IP system.
tcp Manages TCP statistics for the system.
tmm Manages the TMM service.
trunk Configures a trunk, with link aggregation.
udp Manages UDP statistics for the system.
unit Displays the unit number assigned to a particular BIG-IP system.
user Configures administrative user accounts on the BIG-IP system.
version Displays the bigpipe utility version number.

Chapter 2
Command Description
virtual Defines virtual servers, virtual server mappings, and virtual server properties.
virtual address Configures virtual addresses.
vlan Defines VLANs, VLAN mappings, and VLAN properties.
vlangroup Defines VLAN groups.
2-8
3
• Configuring the BIG-IP network components
• Performing network management tasks

Configuring the BIG-IP network components

Before you configure a BIG-IP system to manage local application traffic,
you must use the Setup utility to configure the BIG-IP network components.
The BIG-IP network components are:
• Interfaces
• Routes
• Self IP addresses
• Packet Filters
• Trunks (802.3ad Link Aggregation)
• Spanning Tree Protocol (STP)
• VLANs and VLAN groups
• ARP
Once you have configured the BIG-IP network components using the Setup
utility, you can customize the configuration of those components. The
bigpipe utility that is provided with the BIG-IP system includes a number of
commands designed to help you customize the configuration of the BIG-IP
network components. For details on these commands, see the corresponding
online man pages or Appendix A, bigpipe Command Reference.
Performing network management tasks

The following sections of this chapter describe some of the network
management tasks that you can perform on the BIG-IP system using the
bigpipe utility.
Implementing packet filtering

Packet filters provide a level of access control by filtering packets from a
client based on criteria that you specify. You can specify these criteria by
configuring the general properties of a packet filter, and by creating a packet
filter rule.
To implement packet filtering

Enable packet filtering using the bigpipe packet filter command.
When using this command, you can specify a packet filter rule to provide
access control, rate shaping, or logging.

Chapter 3
Configuring routing
When you add routes for the switch interfaces, including the management
port, you must configure them. You can also remove routes from the system.
To add and configure routes

Use the bigpipe route command, specifying a list of route keys and a
resource (gateway IP address, pool name, VLAN name, or reject). For more
information, see the route online man page.
To remove routes
Use this command to remove routes:
bp> route (<route key list> | all | inet | inet6) delete
Implementing the trunk algorithm on FFP-supported platforms

On fast filtering process (FFP)-supported platforms, you can configure the
bigbd configuration key, trunk.internal.ffp to affect the algorithm that the
BIG-IP system uses for internal trunk distribution. The following platforms
are FFP-supported: D62, D63, D63a, D68, D84, and D88.
The trunk.internal.ffp key has values of enable and disable. The default
value is enable. When enabled, internal trunk distribution operates based on
source and destination TCP ports.
If you disable trunk.internal.ffp, the internal trunk distribution operates
according to the bigdbTM configuration key, trunk.internal.distribution.
The trunk.internal.distribution key has the following values:
◆ srcdestip
Select Source/Destination IP address to have the system base the hash on
the combined MAC addresses of the source and the destination.
◆ srcdestmac
Select Source/Destination MAC address to have the system base the hash
on the combined MAC addresses of the source and the destination.
◆ destmac
Select Destination MAC address to have the system base the hash on the
MAC address of the destination.
The default value is srcdestip.
To set the trunk.internal.distribution key using the default value of the
key, use the following syntax:
bp> db trunk.internal.distribution srcdestip
3-2
4
• Introducing BIG-IP system management
• Understanding BIG-IP system management tools
• Performing BIG-IP system management tasks

Introducing BIG-IP system management

The BIG-IP system includes several command line tools that you can use to
perform routine system management tasks such as creating and managing
administrative user accounts, displaying traffic statistics, and managing
BIG-IP units in a redundant system configuration.
With these tools, you can manage many parts of the system:
• The management port
• BIG-IP host name and IP address
• Global system properties
• High Availability
• User configuration archives
• System services (for example, SSH and HTTP)
• SNMP
• Logging
• qkview and tcpdump (diagnostic tools)
• Serial console
• Real-time statistics
For information on configuring the BIG-IP system to control local

application traffic, see the Configuration Guide for BIG-IP Local Traffic
Management.

Chapter 4
Understanding BIG-IP system management tools

You can manage the BIG-IP system using a number of system management
tools and commands at the BIG-IP system prompt, using the bigpipe utility
from within the new bigpipe shell, and by editing certain files using a text
editor.
Using system management tools at the BIG-IP system prompt

Table 4.1 lists and describes the tools you can use to manage the BIG-IP
system from the BIG-IP system prompt. To use these tools, you must have
access to the BIG-IP system prompt.
By default, only the Root account has access to the BIG-IP system prompt.
When you assign Terminal Access to the account of a user who is also
assigned the Administrator role, that user can access the BIG-IP system
prompt. For information on user accounts, see Managing user accounts, on
page 4-9, and the BIG-IP Network and System Management Guide.
BIG-IP system
Commands Description
bigstart Restarts the SNMP agent bigsnmpd.
bigtop Displays real-time statistics.
config Configures the IP address, network mask, and gateway

on the management (MGMT) port. Use this command
at the BIG-IP system prompt prior to licensing the
BIG-IP system, and do not confuse it with the bigpipe
config command or the BIG-IP Configuration utility.
halt Shuts down the BIG-IP software application.
hostname Displays the name you have given to the BIG-IP

system.
printdb Prints the values of one or more entries in the bigdbTM

database.
reboot Reboots the BIG-IP system.
ssh and scp Access command line interfaces on other SSH-enabled

devices, and copy files to or from a BIG-IP system.
Table 4.1 BIG-IP system commands
4-2
BIG-IP system
Commands Description
sys-icheck Identifies any unintended modifications to BIG-IP

system files. Note that a hot fix (patch) is an intended
modification that will not be identified by the sys-icheck
command.
sys-reset Runs the sys-icheck command, and if there are no

system integrity issues, returns the system to the
factory default state. Note that if you have applied hot
fixes (patches) to your system, for sys-reset to run, you
must specify an override option.
The override options are:
-w Use this option to report Warn issues, as well as
the default, Error issues.
-i Use this option to report Info and Warn issues, as
well as the default, Error issues.
Table 4.1 BIG-IP system commands
Using the bigpipe utility

You can also use the bigpipe utility to manage the BIG-IP system. You
access the bigpipe utility by typing the following command at the BIG-IP
system prompt:
bigpipe shell
The commands you can use within the bigpipe shell to manage the BIG-IP
system are listed in Appendix A, bigpipe Command Reference. You can also
access a list and description of these commands by typing the following
command at the bigpipe shell prompt:
bp> help
For help with a specific command, access the online man page for that
command from the bigpipe shell prompt by typing the command name
followed by help. For example, to get help on the pool command, type this
command:
bp> pool help
Editing files to configure the BIG-IP system

In addition to the tasks that you can perform with the BIG-IP utilities and
commands, there are tasks that you perform by directly editing certain files
with your favorite text editor. Table 4.2 lists these tasks and the system

Chapter 4
configuration files you edit to perform them. For more information on

system configuration files, see Viewing and modifying system configuration
files, on page 4-20.
Other BIG-IP system maintenance tasks File Name
Specify whether to send an SNMP trap based on a /etc/alertd/alert.conf

regular expression.
Edit this script to automatically perform one or more /config/failover/active

maintenance tasks on a unit of a redundant system
that has recently switched to active mode.
Edit this script to automatically perform one or more /config/failover/standby

maintenance tasks on a unit of a redundant system
that has recently switched to standby mode.
Table 4.2 Other BIG-IP system maintenance tasks
4-4
Performing BIG-IP system management tasks

The following sections describe some of the system management tasks that
you can perform on the BIG-IP system.
Configuring the MGMT port

Before you license the BIG-IP system, you must configure the management
port (MGMT). You do this by running the mgmt command.
When you initially run the mgmt command, you assign an IP address to the
management port. You can also specify a netmask for the IP address, using
the netmask keyword. For example:
bp> mgmt 10.10.10.1 netmask 255.255.255.0
This command sequence assigns the IP address 10.10.10.1 with a netmask

of 255.255.255.0 to the management interface.
Creating and managing administrative partitions

An important part of managing the BIG-IP system is configuring the system
to control user access to various BIG-IP system objects. Examples of
BIG-IP system objects that users typically want to access are: virtual
servers, load balancing pools, health monitors, SNATs, and user accounts.
If you have the Administrator role assigned to your BIG-IP system user
account, you can control other users’ access to objects by using a feature
known as administrative partitions. A partition is a logical container that
you create, containing a defined set of BIG-IP system objects. When a
specific set of objects resides in a partition, you can give certain users the
authority to view and manage the objects in that partition only, rather than
all objects on the BIG-IP system. This feature provides a finer granularity of
control.
By default, the BIG-IP system contains one partition named Common.
Objects that can be created in a partition and that exist by default after you
install the system and run the Setup utility, automatically reside in partition
Common. Examples are the internal and external VLANs, their self IP
addresses, and the admin user account. If you do not create additional
partitions, the following two situations occur:
◆ All users have access to every object on the system. The users’ access
roles determine whether they can create, modify, delete, or simply view
the objects.
◆ Objects on the BIG-IP system are not subject to object referencing
restrictions. However, note that when you have more than one partition
you cannot reference objects that are in different user-created partitions.
For example, a virtual server in partition Common can reference any

Chapter 4
load balancing pool that is also in partition Common. For detailed

information on object referencing with respect to partitions, see the
BIG-IP Network and System Management Guide.
Note
By default, the Administrator user account does not have Terminal Access.
To allow the Administrator user account to access the bigpipe shell
command line, you must enable Terminal Access for that account using the
Configuration utility.
Creating a partition
You can create one or more administrative partitions on the BIG-IP system
using the bigpipe partition command. Only users with the Administrator
user role can create a partition.
To create an administrative partition

Use the following command syntax to create an administrative partition:
bp> partition <partition_name> description <string>
For example, you can create a partition called my_app_partition, using this
command:
bp> partition my_app_partition description "This partition is a
repository for my_app objects."
Tip
The bigpipe shell syntax requires quotation marks around a string that
includes spaces.
Changing the current partition

When you create a user account on the BIG-IP system, you give the user
access to one or more partitions on the system. Giving the user access to a
partition means that the user can view objects in the partition, or, depending
on their user role, perform specific administrative tasks related to objects in
that partition. A user who has permission to simply view objects in a
partition has Read access to that partition. A user who has permission to
create, modify, or delete objects in a partition has Write access to that
partition.
Note
For information on user accounts, see Managing user accounts, on page

4-9, and the BIG-IP Network and System Management Guide.
4-6
What is the current partition?

Although a user account might grant a user permission to access multiple
partitions, a user can access only one partition at a time. This partition is
known as the user’s current partition. When a user logs in, the system
determines the default current partition (usually partition Common) based
on the user’s login account. If the user’s account grants permission to access
more than one partition, the user can change the current partition, and can
also change the default current partition.
Different users on the BIG-IP system can have different current partitions at
any given time. For example, the current partition for user psmith might be
Common, while the current partition for user tjones might be partition_b.
Setting the current partition

When a user creates a system object, that object resides in the partition that
is the user’s current partition at the time the object is created. Therefore,
users who have access to more than one partition need a way to set the
partition that they want to manage or view at any given time. For example, if
your user account grants you Write access to all partitions on the system,
and you want to create a virtual server in partition_b, you must first set
partition_b to be your current partition.
The command you use to set the current partition depends on whether you
want to view or modify the objects in that partition. To set the current
partition when you want to create, modify, or delete an object in that
partition, use the Write partition argument with the bigpipe shell
command. For example, if you want to create a monitor in partition_a, use
the following command to set the current Write partition to partition_a, and
then create the monitor:
shell write partition partition_a
To set a partition in which to simply view objects, use the bigpipe shell
Read partition command. For example, if you want to view the monitors
that reside in partition_a, use the following command to set the current
Read partition to partition_a:
shell read partition partition_a
Users with Write access to only one partition do not need to use the bigpipe
shell write partition command. The one partition to which the user has
access is always the user’s current partition. For example, if your user
account gives you the user role of Manager for partition_a only (as
opposed to all partitions), then you cannot set a partition to manage. Your
login session establishes partition_a as the partition to which you have
Write access. As with all user accounts that have a user role other than No
Access, you can still view objects in partition Common, but with a
Manager role, combined with access to a single partition, you cannot use
the bigpipe shell write partition command to set a partition in which to
manage objects.

Chapter 4
To set a partition for object management

To set a partition when you have Write access to more than one partition on
the BIG-IP system, use this command before you manage the object:
bp> shell write partition <partition_name>
To set a partition for object viewing

To set a partition when you have Read access to more than one partition on
the BIG-IP system, use this command:
bp> shell read partition <partition_name>
To set a default partition

To set a partition to be the default partition when you have Read and Write
access to more than one partition on the BIG-IP system, use this command:
bp> shell partition <partition_name>
Writing to the current partition

When using bigpipe commands, you can globally modify or delete objects
of a specified type only when all objects of that type reside in a single
partition. In other words, when you use the keyword, all, with an object
type, the action you are performing applies only to objects of the specified
type in the current Write partition.
For example, suppose your system has three partitions, Common,
partition_a, and partition_b. In this case, your user account grants you
Write access to all partitions on the system, and your default current
partition is Common.
To reset the statistics for all pools on the system:

1. Log in to the system.
Because your default Write partition is Common, you are logged in
to Common.
2. To reset the statistics for all pools that reside in Common use this
command:
bp> pools all stats reset
The statistics for all the pools in Common are reset.

3. Change the current partition to partition_a using this command:
bp> shell write partition partition_a
The current partition is set to partition_a.

4. To reset the statistics for all pools that reside in partition_a use this
command:
The statistics for all the pools in partition_a are reset.
4-8
5. Change the current partition to partition_b using this command:

bp> shell write partition partition_b
The current partition is set to partition_b.

6. To reset the statistics for all pools that reside in partition_b use this
command:
The statistics for all the pools in partition_b are reset.
Managing user accounts

You can create user accounts on the BIG-IP system using the bigpipe user
command, if you are assigned the Administrator role. When you create a
user account, you assign the account a name, a user role, and a partition that
the user can access. It is the user role, combined with the user’s partition
access, that determines a user’s type and scope of access to BIG-IP system
objects.
It is important to note that a user account, which is a BIG-IP system object
itself, also resides in a partition. For example, suppose user admin sets his
current partition to partition_a, and then creates the user account psmith,
giving psmith access to partition_b as one of the psmith account
properties.
In this case, user psmith can access partition_b, but the psmith account
itself resides in partition_a, because partition_a is the current partition for
user admin. Thus, the partition in which the psmith user account resides
has no relationship to the partition access that user admin assigned to the
psmith account.
To create a local BIG-IP system user account

To create a user account on the BIG-IP system, use this command syntax:
bp> user <user_name> role <user_role> in (<partition_name> | \
all)
Note
For information on creating and managing BIG-IP system user accounts,

including those that are stored on a remote authentication server, see the
Tip
You can also create user accounts using the f5adduser command at the
BIG-IP system prompt. For information about the f5adduser command, log
in to Ask F5 and search for solution SOL5561.

Chapter 4
Changing user accounts

Users who are assigned the Administrator role, can modify or delete user
accounts on the BIG-IP system using the bigpipe user command. It is
important to remember that a user’s type and scope of access to the BIG-IP
system objects is determined by a combination of the user’s role, the user’s
partition access, and whether or not the user has terminal access. If a user is
logged in to the system at the time that you change their role, they may
receive Access Denied error messages. For example, if the user was
previously assigned the Administrator role with the ability to create pools,
but you assign the user a new role of Operator without that ability, the
system prevents the user from using the bigpipe pool command to create a
pool.
WARNING
The Administrator role provides access to the BIG-IP system prompt. If a
user, who is assigned the Administrator role, is logged in when you change
his role to another role without access to the BIG-IP system prompt, the
user can still run commands at the BIG-IP system prompt until he logs out
of the system. The same is true when you delete a user account. If a user,
who is assigned the Administrator role, is logged in when you delete the
user account, that user can still run commands at the BIG-IP system prompt
until he or she logs out of the system.
Remote user access

User accounts are either stored locally or on remote authentication servers.
The access permissions for a user account that is stored on a remote
authentication server are either based on the default authorization properties,
or are stored in a special, duplicate account on the BIG-IP system.
Remote-server user accounts based on the default authorization properties
appear together on the BIG-IP system as a single user account named Other
External Users.
If your user account is an Other External Users account, and you are
logged in to the BIG-IP system, when a user with the Administrator role
changes the default user role, your connection to the system is closed
immediately. You can log in to the BIG-IP system again, and you will have
access to the system based on the new default user account.
For more information, see the Managing remote user accounts and
Configuring authorization for remote accounts sections of the BIG-IP
Network and System Management Guide.
4 - 10
Configuring failover for redundant systems

When you set up a redundant system configuration, there are two command
line tasks in particular that are worth emphasizing. These tasks are:
• Setting failover for BIG-IP system daemons
• Editing scripts that perform automatic maintenance tasks after failover
For background information on configuring a redundant system, see the
Setting failover for BIG-IP system services

You can use the bigpipe daemon command to define the action that you
want the BIG-IP system to take when certain system services fail. Table 4.3
lists these services.
Daemon Definition
bigd Controls health monitoring.
mcpd Manages the configuration data on a BIG-IP system.
sod Controls failover for redundant systems.
tmm Performs most traffic management for the BIG-IP system.
bcm56xxd When the heartbeat of a system service fails, can restart the
system service or take no action based on how the BIG-IP
system is configured.
Table 4.3 BIG-IP system services with failover settings
Configuring user-defined scripts for failover tasks

You might want the system to perform some maintenance tasks on either the
active or the standby system, or both, immediately after failover has
occurred. To configure the BIG-IP system to automatically perform these
tasks, you can use a text editor to manually edit two scripts called active and
standby. You can find these files on the BIG-IP system in the
/config/failover directory.
The purpose of these scripts is to automatically run short, non-persistent
system maintenance tasks after failover. For example, you can edit the
active script to read the ARP table on the newly-active unit, to remove an
erroneous entry that might appear as a result of failover.
Important
Two additional scripts, called f5active and f5standby, are located in the
directory /usr/lib/failover. Do not edit these scripts unless an F5 Networks
customer service representative instructs you to do so.
BIG-IP® Command Line Interface Guide 4 - 11

Chapter 4
Displaying protocol statistics

You can use the bigpipe utility to display statistics for various types of
network traffic. You can use the following commands at the bigpipe shell
prompt to display protocol-related statistics:
• fastl4
• fasthttp
• ftp
• http
• icmp
• ip
• oneconnect
• ssl
• stream
• tcp
• udp
You can also display global statistics using this command:
bp> global
Using the bigstart utility

You can use the bigstart utility not only to start or stop the BIG-IP system,
but also to restart the MCPD process or view the status of one or more
system processes (daemons). Note that before you restart the MCPD service,
you should run the bigpipe load command to ensure that the restart utilizes
the most current configuration data. The bigstart status command provides
informational messages about each process, including whether the process is
running, not running, or waiting for another process to run.
To restart the MCPD service

1. At the bigpipe shell prompt, run the bigpipe load command:
bp> load
2. Access the BIG-IP system prompt.
3. Run the bigstart command.
Tip
If you have root privileges, you can run the bigstart and bigtop utilities from
within the bigpipe shell by entering an exclamation point (!) before the
command. For example, to run the bigstart command, enter the command at
the bigpipe shell prompt, as follows: bp> !bigstart.
4 - 12
To view status of all daemons

2. Run the bigstart status command.
Figure 4.1, shows sample output of the bigstart status command.
Note
If you use the bigstart status command on a hardware platform that

supports clustered multi-processing, the command shows a separate status
for each instance of the tmm service that is running.
alertd down, waiting for mcpd running

bcm56xxd run (pid 3816) 14 seconds, 1 start
big3d run (pid 3818) 14 seconds, 1 start
bigd down, waiting for mcpd running
bigdbd run (pid 3857) 14 seconds, 1 start
chmand run (pid 3860) 14 seconds, 1 start
cssd down, waiting for mcpd running
eventd down, waiting for mcpd running
fpdd run (pid 3887) 14 seconds, 1 start
gtmd down, not licensed
lacpd down, waiting for mcpd running
mcpd run (pid 3895) 14 seconds, 1 start
pvac down, not licensed
radvd down, not configured
rmonsnmpd down, delaying 5 seconds
snmpd run (pid 3922) 14 seconds, 1 start
sod run (pid 3924) 14 seconds, 1 start
statsd down, waiting for mcpd running
stpd run (pid 3928) 14 seconds, 1 start
subsnmpd down, waiting for mcpd running
syscalld run (pid 3960) 14 seconds, 1 start
tamd down, waiting for mcpd running
tmm run (pid 3968) 14 seconds, 1 start
tmrouted down, waiting for mcpd running
tomcat4 down, waiting for mcpd running
zebosd down, waiting for mcpd running
Figure 4.1 Sample output from the bigstart status command

Chapter 4
Working with the bigtop utility

The bigtop™ utility is a real-time statistics display utility. The display
shows the date and time of the latest reboot, and lists activity in bits, bytes,
or packets. The bigtop utility accepts options you use to customize the
display of information. For example, you can set the interval at which the
data is refreshed, and you can specify a sort order. The bigtop utility
displays the statistics as shown in Figure 4.2.
| bits since | bits in prior | current

| Nov 28 18:47:50 | 3 seconds | time
BIG-IP ACTIVE |---In----Out---Conn-|---In----Out---Conn-| 00:31:59
227.19.162.82 1.1G 29.6G 145 1.6K 0 0
virtual ip:port |---In----Out---Conn-|---In----Out---Conn-|-Nodes Up--

217.87.185.5:80 1.0G 27.4G 139.6K 1.6K 0 0 2
217.87.185.5:20 47.5M 2.1G 3.1K 0 0 0 2
217.87.185.5:20 10.2M 11.5M 2.6K 0 0 0 2
NODE ip:port |---In----Out---Conn-|---In----Out---Conn-|--State----

129.186.40.17:80 960.6M 27.4G 69.8K 672 0 0 UP
129.186.40.17:20 47.4M 2.1G 3.1K 0 0 0 UP
129.186.40.18:80 105.3M 189.0K 69.8K 1.0K 0 0 UP
129.186.40.17.21 9.4M 11.1M 1.3K 0 0 0 UP
129.186.40.18:21 700.8K 414.7K 1.3K 0 0 0 UP
129.186.40.18:20 352 320 1 0 0 0 UP
Figure 4.2 The bigtop screen display
Using bigtop command options

The syntax for the bigtop command that is used at the BIG-IP system
prompt, is as follows:
bigtop [options...]
Table 4.4 lists and describes the options you can use with the bigtop
command.
Option Description
-bytes Displays counts in bytes (the default is bits).
-conn Sorts by connection count (the default is to sort by byte count).
-delay <value> Sets the interval at which data is refreshed (the default is four
seconds).
-delta Sorts by count since last sample (the default is to sort by total
count).
-help Displays bigtop help.
-nodes <value> Sets the number of nodes to print (the default is to print all
nodes).
Table 4.4 bigtop command options
4 - 14
Option Description
-nosort Disables sorting.
-once Prints the information once and exits.
-pkts Displays the counts in packets (the default is bits).
-scroll Disables full-screen mode.
-virtuals Sets the number of virtual servers to print (the default is to

<value> print all virtual servers).
Table 4.4 bigtop command options
Using runtime commands in bigtop

Unless you specified the -once option, the bigtop utility continually updates
the display at the rate indicated by the -delay option. You can also use the
following runtime options at any time:
• The u option cycles through the display modes: bits, bytes, and packets.
• The q option quits the bigtop utility.
Exiting the bigtop utility

To exit the bigtop utility, simply type q.
Working with the bigdb database

The bigdb™ database holds certain configuration information for the
BIG-IP system. Most BIG-IP system utilities use the configuration stored in
the bigdb database. You can load configuration information into this bigdb
database.
Setting values for bigdb variables

Using the bigpipe db command, you can view a bigdb variable, set a new
value for a variable, or reset a variable to the default value.
To view the value of a bigdb variable

Within the bigpipe shell, use this command to view the value of a bigdb
variable:
bp> db [<key>] [show]
If you do not specify a key name, the system displays all bigdb variables.

Chapter 4
To set the value of a bigdb variable

Within the bigpipe shell, use this command to set a variable to a specific
value:
bp> db <key> <value>
Within the bigpipe shell, use this command to set a variable to the default
value:
bp> db <key> reset
To set the value of a bigdb attribute

You can modify the values of the attributes that are associated with a bigdb
variable using this command:
bp> db <key> <new value>
The attributes associated with a bigdb variable are:

• Variable name (key)
The name for the variable (key). An example is
Bigip.Failover.ActiveMode.
• Value
The value associated with variable. The system stores this value as a
string.
• Default value
The value that the system uses when the variable is otherwise undefined.
• Type
The data type that the system uses to constrain and validate the value.
Types are not case-sensitive and can be any of the following: string,
integer (for signed integer), unsigned_integer, ipaddress, or enum.
• Realm
An attribute indicating where a value is relevant (not case-sensitive).
Allowed values are: Local or Common. The system persists both Local
and Common variables, and transfers Common variables to a peer
during config sync operations.
• Minimum value
The minimum value for variables of type integer and unsigned_integer.
This is the shortest length for strings.
• Maximum value
The maximum value for variables of type integer and unsigned_integer.
This is the maximum length for strings.
• Enumerated value
A list of values allowed. The first character is a delimiter for items.
Printing bigdb variables

You can print the values of any bigdb variable and its attributes, using the
db <key> command.
4 - 16
Managing the Log File System

The BIG-IP system supports logging using the Syslog-ng utility. The system
generates logs automatically, and saves them in user-specified files. These
logs contain all changes made to the BIG-IP system configuration, such as
those made with the bigpipe virtual command, or other bigpipe commands,
as well as all critical events that occur in the system.
Note
You can configure the Syslog-ng utility to send mail or activate pager
notification based on the priority of a logged event.
The Syslog-ng log files track system events based on information defined in
the /etc/syslog-ng/Syslog-ng.conf file. You can view the log files in a
standard text editor, or with the less file page utility.
Table 4.5 shows sample Syslog-ng messages for events that are specific to
the BIG-IP system. For information about the format of Syslog-ng
messages, see RFC 3164.
Sample message Description
bigd: node 192.168.1.1 monitor status up The 192.168.1.1 node address was successfully pinged by the
BIG-IP system.
kernel: security: port denial A client was denied access to a specific port. The client is
207.17.112.254:4379 -> 192.168.1.1:23 identified as coming from 207.17.112.254:4379, and the
destination node is 192.168.1.1:23.
Table 4.5 Sample Syslog-ng messages
Changing the size of the log file

When you initially boot the BIG-IP system, the system allocates a finite
amount of disk space for storing the log file. The advantage to having a
finite size for the log file is that the file cannot increase to the point where it
adversely affects other facilities that are running on the system in the same
partition.
The default amount of disk space that the BIG-IP system allocates for the
log file is 7 gigabytes (Gb). In most cases, this default size of 7 Gb is
sufficient. However, you can allocate additional disk space, or decrease the
disk space, for the log file if necessary. The minimum amount of disk space
that you can specify for the log file is 1 Gb. The maximum amount of disk
space that you can specify is 10 Gb.
You adjust the amount of disk space that the system allocates for the log file
by using a command line script at the BIG-IP system prompt called
resize-logFS. When you use the resize-logFS script, the system prompts
you for information, and validates that:

Chapter 4
• The amount of disk space you specify falls within the valid range of 1 to
10 gigabytes.
• The BIG-IP system has enough disk space to allocate the requested
amount.
WARNING
Before using the resize-logFS script, it is imperative that you stop the
BIG-IP system, or put the system into a safe condition such as standby
mode.
To change the size of the log file

2. Stop the BIG-IP system or put the system into a safe condition such
as standby mode using the bigstart stop command.
3. Type the following command:
resize-logFS
This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer.
The minimum allowed value is 1, and the maximum allowed value
is 10.
A prompt appears that allows you to confirm the specified file size.
5. Type Y.
A message appears, notifying you of the need for the BIG-IP system
to perform a reboot, followed by a prompt, which allows you to
permit the reboot operation.
Note: Prior to rebooting, the BIG-IP system verifies that the integer
you typed in step 3 is within the allowed range, and checks to ensure
that enough disk space exists for the specified size.
6. Type Y.
A confirmation prompt appears.
7. Type Y.
The system displays messages indicating that the reboot operation is
about to occur.
8. Wait for the reboot operation to finish.
When the system becomes available again, the newly-specified disk
space for the log file will be in effect.
If, at any time during the resize-logFS operation, you decide to exit the
script, no reboot occurs, and the amount of allocated disk space remains as
is.
WARNING
Do not delete the files: /shared/.LoopbackLogFS and
/shared/LogFS_README, because this action deletes all of your log files.
4 - 18
Removing and returning items to service

Once you have completed the initial configuration on the BIG-IP system,
you may want to temporarily remove specific items from service for
maintenance purposes. For example, if a specific network server needs to be
upgraded, you may want to disable the nodes associated with that server,
and then enable them once you finish installing the new hardware and bring
the server back online.
If you specifically disable the nodes associated with the server, the BIG-IP
system allows the node to go down only after all the current connections are
complete. During this time, the BIG-IP system does not attempt to send new
connections to the node. Although the BIG-IP system monitoring features
would eventually determine that the nodes associated with the server are
down, specifically removing the nodes from service can prevent
interruptions on long duration client connections.
You can remove the entire BIG-IP system from service, or you can remove
the following individual items from service:
• Virtual servers
• Virtual addresses
• Virtual ports
• Nodes
• Pool members
Removing individual virtual servers and virtual addresses from service

The BIG-IP system also supports taking only selected virtual servers, and
virtual addresses out of service, rather than removing the BIG-IP system
itself from service. Each bigpipe command that defines virtual servers and
their components supports enable and disable keywords, which allow you
to remove or return the elements from service.
When you remove a virtual address from service, it affects all virtual servers
associated with the virtual address.
Enabling and disabling virtual servers and virtual addresses

The bigpipe virtual command allows you to enable or disable individual
virtual servers, as well as virtual addresses.
To enable or disable a virtual server

To enable or disable a virtual server, use the appropriate command syntax:
bp> virtual <virtual addr>:<virtual port> enable | disable
To enable or disable a virtual address, use the appropriate command syntax:

bp> virtual address <virtual addr> enable | disable

Chapter 4
Removing individual nodes from service

You can remove an individual node from service, or return an individual
node to service from the bigpipe shell command line.
To remove an individual node from service, use the following command:
bp> node <node addr>:<node port> down
To return an individual node to service, use this command:

bp> node <node addr>:<node port> up
Viewing the currently-defined system objects

When used with the show parameter, bigpipe commands typically display
currently configured elements. For example, the bigpipe virtual show
command displays all currently defined virtual servers, and the bigpipe
node command displays all nodes currently included in virtual server
mappings.
Viewing and modifying system configuration files

The BIG-IP system contains several configuration files that store essential
information. You can use your favorite text editor to view or modify these
files. Modifying a configuration file is sometimes necessary when there is
no browser-based or command line interface to configure a feature. Table
4.6 lists the configuration files on the BIG-IP system.
Important
After you edit bigip.conf or bigip_base.conf and before you restart the
MCPD service, you must run the bigpipe load command to ensure that the
MCPD service uses the current configuration data.
File Description
alert.conf Stores definitions of SNMP traps (system default alerts).
user_alert.conf Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf Stores all configuration objects for managing local application traffic, such as
virtual servers, load balancing pools, profiles, and SNATs.
Note that after you edit bigip.conf, and before you restart the MCPD service, you
must run the bigpipe load command.
/config/bigip_base.conf Stores BIG-IP self IP addresses and VLAN and interface configurations.
Note that after you edit bigip_base.conf, and before you restart the MCPD
service, you must run the bigpipe load command.
Table 4.6 BIG-IP system configuration files
4 - 20
File Description
/config/bigip.license Stores authorization information for the BIG-IP system.
/etc/bigconf.conf Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf Holds the configuration information for how the SSL library interacts with
browsers, and how key information is generated.
/config/user.db Holds various configuration information. This file is known as the bigdb database.
/config/bigconfig/httpd.conf Holds configuration information for the web server.
/config/bigconfig/users The web server password file. Contains the user names and passwords of the
people permitted to access whatever is provided by the webserver.
/etc/hosts Stores the hosts table for the BIG-IP system.
/etc/hosts.allow Stores the IP addresses of workstations that are allowed to make administrative
shell connections to the BIG-IP system.
/etc/hosts.deny Stores the IP addresses of workstations that are not allowed to make
administrative shell connections to the BIG-IP system.
/etc/rateclass.conf Stores rate class definitions.
/etc/ipfwrate.conf Stores IP filter settings for filters that also use rate classes.
/etc/snmpd.conf Stores SNMP configuration settings.
/etc/snmptrap.conf Stores SNMP trap configuration settings.
/config/ssh Contains the SSH configuration and key files.
/etc/sshd_config This is the configuration file for the secure shell server (SSH). It contains all the
access information for people trying to get into the system by using SSH.
/config/routes Contains static route information.
Table 4.6 BIG-IP system configuration files
Viewing system licenses

You can view the licenses installed on your system using the find_keys
command at the BIG-IP system prompt.
To view the license keys and their locations, use this command:
find_keys
To view license keys without showing the location of the files that contain
the keys, use this command:
find_keys -q

Chapter 4
4 - 22
5
• Performing local traffic management tasks
• Setting up load balancing
• Controlling HTTP traffic
• Implementing HTTP and TCP optimization profiles
• Authenticating application traffic
• Implementing persistence
• Enhancing the performance of the BIG-IP system
• Managing health and performance monitors
• Implementing iRules
Performing local traffic management tasks

There are many tasks that you can perform to customize the way that the
BIG-IP system manages local network traffic. You can set up load balancing
and configure the way that the BIG-IP system manages a variety of types of
network traffic, including:
• HTTP
• FTP
• Layer 4
• TCP
• UDP
• Client SSL
• Server SSL
You can use profiles to manage network traffic. For more information on
profiles, see the profile online man page, as well as the man page for each
profile type.
You can also authenticate application traffic, implement session and
connection persistence, enhance the performance of the BIG-IP system, and
monitor the system.
The primary command line tool that you use to perform these tasks is the
bigpipe utility. When managing SSL traffic, however, you can use the
OpenSSL, genkey, genconf, and gencert utilities at the BIG-IP system
prompt to generate SSL certificates and keys.
For a list of the bigpipe commands related to local traffic management, see
the corresponding online man pages and Appendix A, bigpipe Command
Reference.

Chapter 5
Setting up load balancing

Once you configure the BIG-IP network components, you can use the
bigpipe utility to set up a basic, local traffic management system by
implementing a profile, a load balancing pool, and a virtual server.
To set up a basic load balancing configuration

1. Decide what types of traffic you want the BIG-IP system to manage,
as well as whether you want to implement session persistence,
connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the
corresponding default profile that the BIG-IP system provides, or
whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command,
specifying the appropriate type of profile as an argument.
If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it
any profiles and pools that you created. If you are using default
profiles, some of those profiles might already be assigned to the
virtual server by default.
Managing traffic types

To manage a particular type of network traffic, such as HTTP traffic, you
can modify the default, system-supplied profile of that type to create a
custom profile (recommended). Make sure that you save the custom profile
with a new name. We recommend that you do not save a modified,
system-supplied profile, without renaming it. After creating a new profile,
you must assign the profile to a virtual server.
To manage a specific type of network traffic

1. From the bigpipe shell, create a profile for a specific type of traffic,
such as SSL. For example, you can manage client-side SSL traffic
by using the command profile clientssl and specifying its
arguments.
2. Assign the profile to a virtual server, using the virtual command.
Optionally, you can write an iRule that includes various commands, which
dynamically modify profile settings. For more information, see the
5-2
Configuring manual resumption of pool members and nodes

When a monitor detects that a pool member or node is available, the BIG-IP
system, by default, marks that pool member or node as being in an up state.
You can change this behavior, however, so that the system does not
automatically mark the pool member or node as being up when a monitor
detects that the pool member or node has become available. Instead, the
system puts the pool member or node in a special waiting manual resume
state, and creates a log entry in the /var/log/ltm directory. A sample log
entry is:
Node 10.10.10.10 monitor status up awaiting man resume
After the system makes the log entry, it waits for you to manually specify
the pool member or node as being up.
Configuring clone pools

Clone pools are designed for intrusion detection. You can implement clone
pools by configuring a virtual server. A clone pool receives all of the same
traffic as the normal pool. You therefore use clone pools to copy traffic to
intrusion detection systems.
To configure a clone pool

2. Use the virtual command, to create or modify a virtual server,
specifying a value for the clone pool argument.
Configuring a last hop pool

By default, the Auto Last Hop feature is enabled on the BIG-IP system. If
you want to disable that feature and instead explicitly define a last hop
router, you can create a last hop pool and assign it to a virtual server.
To configure a last hop pool

2. Use the pool command to create a last hop pool that contains the
router inside addresses.
3. Use the lasthop pool argument with the virtual command to assign
the last hop pool to a virtual server.
If you have not assigned an SSL profile to the virtual server, use the profile
argument with the virtual command to assign the profile to the virtual
server.

Chapter 5
Implementing SNATs
There are two basic ways to create a SNAT. You can either directly assign a
translation address to one or more original IP addresses, or you can create a
SNAT pool and then assign the SNAT pool to the original IP addresses. In
the latter case, the BIG-IP system automatically selects a translation address
from the assigned SNAT pool.
Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address

2. Designate an IP address as a translation address, using the snat
translation command.
3. Map the translation address to one or more original IP addresses,
using the snat command or the rule command.
To map a SNAT pool to an original address

2. Create a pool of translation addresses (that is, SNAT pool), using
the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using
either the snat command or the rule command.
5-4
Controlling HTTP traffic

You can configure the BIG-IP system to control HTTP traffic by
configuring HTTP compression, redirecting HTTP requests, rewriting
HTTP redirections, inserting and erasing HTTP headers, enabling or
disabling cookie encryption and SYN cookie support, configuring the HTTP
class profile, and unchunking and rechunking HTTP response data.
Configuring HTTP compression

To configure the BIG-IP system to compress HTTP server responses, you
access the bigpipe shell and use the profile and virtual commands.
To configure HTTP compression

2. Configure the compression-related settings of an HTTP profile,
using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual
command.
Redirecting HTTP requests

You can redirect HTTP requests by configuring an HTTP profile and
specifying a fallback host within the profile.
To redirect HTTP requests

2. Using the profile http command, create or modify an HTTP profile,
specifying a value for the fallback argument. You can specify either
a URI or the default fallback host, or you can specify that you want
no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to
a virtual server.
Rewriting HTTP redirections

You can rewrite HTTP redirections by configuring an HTTP profile and
specifying that you want the BIG-IP system to rewrite certain HTTP
redirections. For more information, see the Rewriting HTTP redirections
section of the Configuration Guide for BIG-IP® Local Traffic
Management.

Chapter 5
To rewrite HTTP redirections

specifying a value for the redirect rewrite argument.
For example, to create a profile that only rewrites URIs matching
the originally requested URI (minus an optional training slash), use
the following syntax:
profile http myHTTPprofile { redirect rewrite matching }

a virtual server.
Inserting and erasing HTTP headers

You can insert headers into HTTP requests or remove headers from HTTP
requests by configuring an HTTP or Fast HTTP profile.
To insert or erase HTTP headers

specifying a value for either the header insert, header erase, or
insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified
is assigned to a virtual server.
Tip
You can also manipulate HTTP headers by configuring a Fast HTTP profile
from the bigpipe shell, using the profile fasthttp command.
Enabling or disabling cookie encryption

You can enable or disable cookie encryption from the bigpipe shell by
configuring two options of the profile http command.
To enable or disable cookie encryption

specifying a value for the encrypt cookie and cookie secret
options.
a virtual server.
5-6
Enabling or disabling SYN cookie support

To manage Denial-of-Service (DoS) attacks, you can enable or disable SYN
cookie support by configuring the SYN cookie option on a Fast L4 profile
from the bigpipe shell.
◆ If the BIG-IP system includes Packet Velocity® ASIC (PVA), use the
profile fastL4 command, specifying the hardware syncookie (enable |
disable | default) option. Also, based on your requirements, set the
following variables of the db command:
• pva.SynCookies.Full.ConnectionThreshold (default: 500000)
• pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
• pva.SynCookies.ClientWindow (default: 0)
Note that the hardware syncookie feature is currently available on the
D84 and D88 platforms only. Setting the hardware syncookie feature on
a platform other than the D84 and D88 platforms, has no effect. Also, if
you set the software syncookie feature on the D84 and D88 systems
without setting the hardware syncookie feature, the SYN cookie
protection is handled by the software only.
◆ If the BIG-IP system does not include Packet Velocity® ASIC (PVA),
use the profile fastL4 command, specifying the software syncookie
(enable | disable | default) option.
Configuring the HTTP Class profile

The BIG-IP system includes a type of profile called an HTTP Class profile.
You can use an HTTP Class profile to classify HTTP traffic based on
criteria that you specify. When you classify traffic, you forward traffic to a
destination based on an examination of traffic headers or content. For more
information, see the Configuration Guide for BIG-IP® Local Traffic
Management.
If the BIG-IP system includes the Application Security Manager (ASM) or
WebAccelerator module, you can configure the system to send HTTP traffic
to that module before sending the traffic to its final destination. For
example, you can use an HTTP Class profile to instruct a virtual server to
send traffic through ASM before forwarding the traffic to a load balancing
pool. For more information, see the Configuration Guide for BIG-IP®
Application Security Management, and the Administrator Guide for the
BIG-IP® WebAccelerator Module.

Chapter 5
Unchunking and rechunking HTTP response data

If you want to unchunk a chunked HTTP response for the purpose of
inspecting the content, you can enable unchunking by configuring an HTTP
profile.
To configure HTTP response chunking

2. Using the profile http command, create or modify an HTTP profile
and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual
server, using the virtual command.
Implementing HTTP and TCP optimization profiles

In addition to the default http and tcp profiles, the BIG-IP system includes
other HTTP- and TCP-type profiles that you can use to optimize HTTP and
TCP traffic. These profiles are:
• http-wan-optimized-compression
• http-lan-optimized-caching
• http-wan-optimized-compression-caching
• tcp-lan-optimized
• tcp-wan-optimized
You can implement any of these profiles as is, by assigning the profile to a
virtual server, or you can customize the profile to suit your needs.
To customize an optimization profile

2. Use either the profile http or profile tcp command, specifying one
of the profile names in the above list.
For example, to implement a customized profile for TCP LAN
traffic, use the following command, specifying only the options with
values that you want to modify. Note that the tcp argument
represents the type of profile, and the tcp-lan-optimized argument
is the name of the profile you are customizing:
bp> profile tcp tcp-lan-optimized <options>
3. Assign the customized profile to a virtual server, using the profile

argument with the virtual command.
5-8
Authenticating application traffic

You can configure the BIG-IP system to authenticate application traffic. To
do this you configure the system to generate certificates, create certificate
revocation lists (CRLs), revoke certificates, and associate keys and
certificates using the SSL profile. You can also perform other
certificate-related tasks and configure remote server authentication.
Generating SSL certificates

When you want the BIG-IP system to manage SSL traffic (that is,
authenticate, decrypt, and encrypt SSL traffic), you must generate SSL
certificates that the BIG-IP system can use as part of the authentication
process.
To generate SSL certificates from the BIG-IP system prompt, you can use
the gencert and OpenSSL utilities. You can generate keys, certificate
signing request files, certificate authority (CA) certificates that are trusted
for client authentication, client certificates, certificates for web sites, and
certificate revocation lists (CRLs). You can also perform a number of other
certificate-related tasks.
Generating CA certificates
To obtain a valid certificate, you must have a private key. You can use the
gencert utility to generate a key, a temporary certificate, and a certificate
signing request file that you can submit to a certificate authority (CA).
Note
When you change any of the gencert utility defaults, you must include a key
size. For example, to change the name of the organization for which you are
requesting a certificate, use the following syntax:
gencert -o NewCompanyName 1024
To generate a CA certificate
2. Run the gencert utility.
The following files are created and saved in the SSL directory:
• ssl.csr is the certificate signing request file.
• ssl.key contains the key.

Chapter 5
Creating client certificates

For client-side authentication between a client and a BIG-IP system, you can
create a certificate for that client.
To create a client certificate

2. Generate a client key. For example:
openssl genrsa -rand .rand -out auser1.key 1024
3. Generate a client certificate request, using the previously-generated

key. For example:
openssl req -new -out auser1.req -key auser1.key
4. Generate a client certificate with or without the LDAP CRL

distribution point. Note that you must use OpenSSL 0.9.8.x or
newer to generate certificates with embedded distribution points that
are dirname-based addresses. (dirname is a utility that strips off the
trailing part of a file name, and the result is the path name of the
directory that contains the file.)
In the following example, the certificate is named auser1.crt.
• To generate the client certificate with the LDAP CRL distribution
point, use the openssl x509 command, as in the following
example:
openssl x509 -req -in auser1.req -out auser1.crt \
-CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
-days 300 -CAcreateserial -CAserial serial \
-extensions crl_ext -extfile bigmirror-ca.ext
• To generate the client certificate without the LDAP CRL

distribution point, use the openssl x509 command, as in the
following example:
openssl x509 -req -in auser1.req -out auser1.crt \
-CAkey bigmirror-ca.key -CA bigmirror-ca.crt \
-days 300 -CAcreateserial -CAserial serial
5. Create a PKCS12 file using the above key and certificate pairs.
For example:
openssl pkcs12 -export -in auser1.crt -inkey \
auser1.key -out auser1.p12 -name "auser1 pkcs12"
5 - 10
Creating a certificate for a web site

For server-side authentication between a web site and a BIG-IP system, you
can create a certificate for that web site.
To create a certificate for a web site

2. Create a key. For example:
openssl genrsa -rand .rand -out www.test.net.key 1024
3. Generate a certificate request using the key that you generated in

step 1. For example:
openssl req -new -key www.test.net.key -out \
www.test.net.req
4. Using the request that you generated in step 2, generate a certificate

named for the web site.
• If you want to generate the certificate with the LDAP CRL
following example:
openssl x509 -req -in www.test.net.req -out \
www.test.net.crt -CAkey bigmirror-ca.key -CA \
bigmirror-ca.crt -days 300 -CAcreateserial \
-CAserial serial -extensions crl_ext \
-extfile bigmirror-ca.ext
• If you want to generate the certificate without the LDAP CRL

following example:
openssl x509 -req -in www.test.net.req \
-out www.test.net.crt -CAkey bigmirror-ca.key -CA
bigmirror-ca.crt -days 300 -CAcreateserial \
-CAserial serial
Working with certificate revocation

You can use the OpenSSL utility to create a certificate revocation list
(CRL). The BIG-IP system checks a CRL to see if a client or server
certificate being presented for authentication has been revoked.
You can also use the utility to revoke a certificate.
To create a certificate revocation list

1. From the BIG-IP system prompt, create a configuration file for the
serial or index option.
For example:
echo -e \
'default_ca=ca\n[ca]\ndatabase=index.txt\nserial=serial'
> bigmirror-ca.config

Chapter 5
2. From the BIG-IP system prompt, generate a CRL that expires in

thirty days. For example:
openssl ca -config bigmirror-ca.config -gencrl -crldays \
30 -keyfile bigmirror-ca.key -cert bigmirror-ca.crt \
-out bigmirror-ca.crl
To revoke a certificate
Revoke a client certificate, using the openssl command from the BIG-IP
system prompt. For example, to revoke the client certificate auser1.crt:
openssl ca -config bigmirror-ca.config -keyfile \
bigmirror-ca.key -cert bigmirror-ca.crt -revoke auser1.crt
Note
When you are using the CRLDP authentication module, you must ensure
that the CRLs are stored in a remote LDAP database, and in ASN.1 DER
format (Abstract Syntax Notation.1 Distinguished Encoding Rules).
Associating keys and certificates with SSL profiles

You can associate a key and a certificate with an SSL profile by using the
profile command from the bigpipe shell and specifying the key and
certificate file names as arguments. For more information, see the online
man page for the profile command.
Performing other certificate-related tasks

There are a number of other SSL-certificate-related tasks that you can
perform, using the OpenSSL utility. You access this utility from the BIG-IP
system prompt.
To verify a certificate
Use this command to verify a certificate:
openssl verify -CAfile bigmirror-ca.crt www.test.net.crt
To view a CRL
Use this command to view a CRL:
openssl crl -in bigmirror-ca.crl -text -noout
To view certificate information

Use this command to view certificate information:
openssl x509 -in www.test.net.crt -text -noout
5 - 12
To convert a certificate to PEM format

Use this command to convert a certificate from PKCS12 (.P12 or.PFX)
format to PEM format:
openssl pkcs12 -in auser1.p12 -out auser1.pem
To add a password to an RSA key

Use this command to add a password to an RSA key:
openssl rsa -in auser1.key -out auser1-enc.key -des3 \
-passout pass:secret
To strip a password from an RSA key

Use this command to strip a password from an RSA key:
openssl rsa -in auser1-enc.key -out auser1.key \
-passin pass:secret
Configuring remote server authentication

You can configure the BIG-IP system to use a remote server for
authenticating application traffic. The types of remote servers that you can
use to authenticate network traffic are:
• CRLDP servers
• LDAP servers
• RADIUS servers
• TACACS+ servers
• SSL Client Certificate LDAP servers
• SSL OCSP responders
You must create an authentication configuration object and an

authentication profile for the type of remote server you want to use. For
example, to use an LDAP server, you must create an LDAP configuration
object and an LDAP authentication profile. You access the bigpipe shell
and use the auth ldap command to create an authentication configuration
object. You use the profile and virtual commands to create an
authentication profile.
If the remote server you want to use is a RADIUS server, an SSL OCSP
responder, or a CRLDP server, you must create an additional object known
as a server object. You access the bigpipe shell and use the ocsp responder
or radius server command to create the server object.

Chapter 5
To configure the BIG-IP system for remote authentication

2. Create an authentication configuration object of the appropriate
type, using one of the following commands:
• auth crldp
• auth ldap
• auth radius
• auth ssl cc ldap
• auth ssl ocsp
• auth tacacs
3. Create an authentication profile of the same type as the
configuration object, using the profile command and specifying the
configuration object name as one of the profile settings.
4. If the remote authentication server is an SSL OCSP responder, a
RADIUS server, or a CRLDP server, create the appropriate server
object.
• For an SSL OCSP responder, create an SSL OCSP responder
object, using the ocsp responder command.
• For a RADIUS server, create a RADIUS server object, using the
radius server command.
• For a CRLDP server, create a CRLDP server object, using the
crldp server command.
5. Associate the authentication profile with a virtual server, using the
virtual command.
5 - 14
Implementing persistence
You can configure the BIG-IP system to implement both session and
connection persistence.
Implementing session persistence

To implement session persistence for connections passing through a virtual
server, access the bigpipe shell and use the profile and virtual commands.
You can implement these types of session persistence:
• Cookie
• Destination Address Affinity
• Microsoft Remote Desktop Protocol (MSRDP)
• Hash
• Session Initiation Protocol (SIP)
• Source Address Affinity
• SSL
• Universal
To configure session persistence

2. Create a persistence profile, using the profile command, that
corresponds to the type of persistence you want to implement.
3. Assign the persistence profile to a virtual server, using the persist
and fallback persist arguments with the virtual command.
Implementing connection persistence

To implement connection persistence, you can add Keep-Alive headers into
HTTP /1.0 headers where none exist. (By default, HTTP/1.1 connections
include Keep-Alive support.) You can also enable a feature known as
connection pooling, which keeps server-side connections open for re-use by
other client requests. You enable Keep-Alive support and connection
pooling by creating or modifying an HTTP or Fast HTTP profile, as well as
a OneConnect profile.

Chapter 5
To add Keep-Alive headers into HTTP requests

2. To ensure that HTTP connections stay open, use the profile http
command and specify the oneconnect transformations argument.
This ensures that the BIG-IP system inserts a
Connection:Keep-Alive header into any HTTP /1.0 request that
does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to
a virtual server, using the virtual command.
To enable connection pooling

2. Using the profile oneconnect command, configure a profile for
connection pooling.
3. Assign the profile to a virtual server, using the profile argument
with the virtual command.
Tip
You can also configure connection persistence settings by configuring a
Fast HTTP profile, using the profile fasthttp command at the bigpipe shell
prompt.
5 - 16
Enhancing the performance of the BIG-IP system

You can enhance the performance of the BIG-IP system by setting Quality
of Service (QoS) and Type of Service (ToS) levels on packets, setting idle
timeout values, and implementing rate shaping.
Setting Link QoS and IP ToS levels on packets

You can use the bigpipe utility to set QoS and ToS levels on packets. You
can do this not only for all traffic targeted to a load balancing pool, but also
for specific types of traffic, such as Layer 4, TCP, and UDP traffic.
To set QoS and ToS levels

1. Decide whether you want to set QoS and ToS levels for traffic
targeted for an entire pool or for specific types of traffic, or both.
• If you want to set the QoS and ToS levels for an entire pool,
access the bigpipe shell and use the pool command with one or
more of the following arguments: link qos to client, link qos to
server, ip tos to client, and ip tos to server.
• If you want to set the QoS and ToS levels for certain types of
traffic, access the bigpipe shell and use the profile command to
create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is
assigned to a virtual server. To do this, use the following syntax:
bp> virtual <virtual server name> list
Setting idle timeout values

You can use the bigpipe utility to set timeout values for Layer 4, HTTP,
TCP, or UDP connections that remain idle. You do this by creating or
modifying a Fast L4, Fast HTTP, TCP, or UDP profile.
To set idle timeout values

1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by
accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a
virtual server.

Chapter 5
Implementing rate shaping

To implement rate shaping, you must create a rate class, and then assign the
rate class to a virtual server or a packet filter rule.
To implement rate shaping

2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule,
using either the virtual command or the packet filter command.
Managing health and performance monitors

You can monitor the health and performance of your BIG-IP system using
either pre-configured monitors or custom monitors that you create.
Creating custom monitors

You can create a custom monitor to monitor the health and performance of a
node or of the servers that make up your load balancing pool. To do this,
you access the bigpipe shell and use the monitor command. For more
information, see the online man page and Appendix A, bigpipe Command
Reference.
Associating monitors with pools or nodes

To associate a monitor with a load balancing pool or a node, you create the
pool or node, and then associate a monitor with the pool or node.
To associate a monitor with a pool or node

2. Do one of the following:
• Create a load balancing pool using the pool command.
• Create a node using the node command.
3. Do one of the following:
• If you created a load balancing pool, configure the pool with the
pool monitor all command, specifying the name of the monitor
that you want to use to monitor the pool members. Note that you
can use this command to assign the same monitor to all pool
members; however, the monitor that you assign to a pool member
must reside either in the current Write partition, or in partition
5 - 18
Common. Alternatively, you can assign different monitors to

individual pool members, as long as the monitor you assign to the
pool member resides in the current Write partition, or in partition
Common.
• If you created a node, configure a node with the node monitor
command, specifying the name of the monitor that you want to
use to monitor the node.
4. If you created a load balancing pool, assign the pool to a virtual
server, using the virtual pool command.
Monitoring services
You can monitor RPC, SMB, and JDBC services from the BIG-IP system
prompt.
Checking the health of RPC services

To check the health of remote procedure call (RCP) services, you can use
the industry standard rpcinfo command. Use -t to check tcp mode or -u to
check udp mode.
rpcinfo -n <port> -t|-u <ipaddr> <program> [<version>]
Retrieving a list of SMB services

To retrieve a list of services that use the server message block (SMB)
protocol, you can use the industry standard smbclient command from the
BIG-IP system prompt.
Monitoring JDBC connections with a database

You can specify the number of times to monitor a JDBC connection with a
database from the bigpipe shell using the monitor <monitor name> '{
count "0" }' command. You use the default count of 0, to keep connections
forever. You use a count greater than 0, to keep the connection for the
specified number of uses, and then close the connection.
In the following example, the Oracle monitor is closed after every use.
bp> monitor <monitor_key> '{ count "1" }'
In the following example, the Oracle monitor is closed after 100 uses.
bp> monitor <monitor_key> '{ count "100" }'
Configuring a monitor for manual resume

To configure the manual resume feature, you access the bigpipe shell and
use the monitor command with the manual resume option, changing the
value from no (the default value) to yes.

Chapter 5
To configure the manual resume option

For an existing custom monitor, from the bigpipe shell, use the monitor
command with the manual resume option, as follows:
bp> monitor <custom_monitor_name> manual resume yes
Once a pool member or node that was previously down becomes available,
you can then manually set the pool member or node to an up state, using the
pool or node command.
Manually setting pool member or node status

After you configure the manual resume option on a monitor, and assign the
monitor to a pool member or a node, you can then set the pool member or
node status to up whenever that pool member or node becomes available.
To manually mark one or all pool members as up

From the bigpipe shell, using the following pool command syntax, you can
manually mark as up either one pool member, or all members of a pool.
Note that you can mark multiple pool members as up only when the pool
members reside in the current Write partition, or in partition Common.
bp> pool <pool_name> member <member_ip_address> up
bp> pool <pool_name> member all up
To manually mark one or all nodes as up

From the bigpipe shell, using the following node command syntax, you can
manually mark as up either one node, or all nodes. Note that you can mark
multiple nodes as up only when the nodes reside in the current Write
partition, or in partition Common.
bp> node <node_ip_address> up
bp> node all up
Important
If a user with permission to manage objects in partition Common disables a
monitor that is designated as the default monitor for nodes (such as the icmp
monitor), this affects all nodes on the system. Ensure that the default
monitor for nodes always resides in partition Common.
5 - 20
Implementing iRules
The iRulesTM feature is powerful and flexible, and it significantly enhances
your ability to customize the BIG-IP system. An iRule can reference any
object, regardless of the partition in which the referenced object resides. For
example, an iRule that resides in partition_a can contain a pool statement
that specifies a pool residing in partition_b. For more information about
iRules, see http://devcentral.f5.com.
To implement an iRule
Write a script using the industry-standard Tools Command Language (Tcl)
and the commands that the BIG-IP system provides as Tcl extensions. For
more information, see the list of BIG-IP system extensions to Tcl and
disabled Tcl commands in Appendix B, Disabled Tcl Commands of the
2. Create an iRule using the rule command. You must include the
name of the Tcl script and the script itself as arguments for the
command.
3. Assign the iRule to a virtual server, using the virtual command in
one of the following ways:
• To associate multiple iRules with a virtual server, use this syntax:
bp> virtual <virtual_server_name> rule <iRule1_name> \
<iRule2_name> ...
• To remove the assignment of an iRule from a virtual server, use

this syntax:
bp> virtual <virtual_server_name> rule none
• To remove the iRule assignments from multiple virtual servers,

use the following syntax. Note that you can remove the iRule
assignments only from virtual servers that reside in the current
Write partition or in partition Common.
bp> virtual all rule none
• To associate an existing iRule with multiple virtual servers, use

the following syntax. Note that you can associate an iRule only
with virtual servers that reside in the current Write partition or in
partition Common.
bp> virtual all rule <iRule_name>
Important: In this case, the iRule becomes the only iRule that is
associated with each virtual server in the current Write partition.
Because this command overwrites all previous iRule
assignments, we do not recommend use of this command.

Chapter 5
5 - 22
A
• Introduction to command syntax
• Alphabetical listing of commands

Introduction to command syntax

This appendix contains the command syntax for specific BIG-IP system
commands, and each bigpipe command. Use the BIG-IP system commands
at the BIG-IP system prompt. Use the bigpipe commands at the bigpipe
shell prompt: bp>.
You can find additional information about command syntax in the online
man pages. The BIG-IP product includes a complete set of online man pages
for the commands that make up the bigpipe utility. You can access the
online man pages for bigpipe commands in one of two ways:
• From the BIG-IP system prompt, type man followed by the command
name. You must use underscores between the words in the command
name. For example:
man stp_instance
• From the bigpipe shell prompt, use the command name followed by
help. Do not use underscores between the words in the command name.
For example:
bp> auth crldp help
Using the keyword, all

When using bigpipe commands, you can globally modify or delete objects
of a specified type only when all objects of that type reside in a single
partition. In other words, it is important to note that when you use the
keyword, all, with an object type, the action you are performing applies only
to objects of the specified type in the current Write partition. For more
information about partitions, see the Understanding partitions and user
accounts in the BIG-IP® Network and System Management Guide.
Identifying command types

In the See also sections of this appendix, commands are followed by an
industry-standard identifying number. The types that are listed in this
appendix include:
• User commands, which are identified by (1), for example:
arp(1)
• System management commands, which are identified by (8), for
example:
sys-reset(8)
BIG-IP® Command Line Interface Guide A-1

Appendix A
Basic definitions
The following are basic definitions that apply to bigpipe commands.
<if name> ::= mgmt | <number> . <number>
<ip addr> ::= <IPv4 address> | <IPv6 address> | <node address screen name> | \
<host name> | any | any6 | *
<ip mask> ::= <IPv4 netmask> | <IPv6 netmask> | none
<mac addr> ::= <six hexadecimal numbers separated by colons>
<member> ::= <IPv4 address> : <service> | <IPv6 address> . <service>
<name> ::= <letter> <letters, numbers, periods, hyphens, underscores>
<network ip> ::= (<ip addr> [mask <ip mask> | (prefixlen | /) <number>] | \
default [inet | inet6])
<number> ::= <digit> ... | <digits> . <digits> (K | M | G)
<protocol> ::= <number> | <name> | any | *
<service> ::= <number> | <name> | any | *
<string> ::= <any set of characters, surrounded by double quotes if includes spaces,
braces, or reserved words>
Any of these commands may be followed by <name list>. This indicates a

list of the specified items, separated by spaces.
A-2
Alphabetical listing of commands

The following list includes specific BIG-IP system commands and all of the
bigpipe commands.

Appendix A
arp
Manages static and dynamic Address Resolution Protocol (ARP) entries in
the routing table. Also provides the ability to display and delete static and
dynamic route mappings between IP addresses and MAC addresses, or a list
of IP addresses.
Syntax
Use this command to create, modify, display, or delete entries in the
ARP cache.
Create/Modify
arp <arp key list> {}
arp (<arp key list> | all) [{] <arp arg list> [}]
<arp key> :=
<ip addr>
(dynamic | static)
<arp arg> ::=
(<mac addr> | none)
Display
arp (<arp key list> | all) list [all]
arp (<arp key list> | all) [show [all]]
arp (<arp key list> | all) ip addr [show]
arp (<arp key list> | all) mac addr [show]
arp (<arp key list> | all) type [show]
Delete
arp (<arp key list> | all) delete
Description
You can use the arp command to create static ARP entries for IPv4
addresses to link-layer addresses, such as ethernet MAC addresses. In
addition to creating static ARP entries, you can view and delete static and
dynamic ARP entries. You can also use the db command to configure how
the system handles ARP entries for dynamic timeout, maximum dynamic
entries, add reciprocal, and maximum retries. For more information, see db,
on page A-41, or the db online man page.
A-4
Examples
Creates an ARP mapping of the IP address 10.10.10.20 to the MAC address
00:0b:09:88:00:9a:
arp 10.10.10.20 00:0b:09:88:00:9a
Displays all ARP entries for the system:

arp show
Displays all dynamic ARP entries for the system:

arp dynamic show
Displays all static ARP entries for the system:

arp list
Displays the ARP entry for the IP address 10.10.10.20:

arp 10.10.10.20 show
Deletes the ARP entry for the IP address 10.10.10.20:

arp 10.10.10.20 delete
Deletes all static ARP entries for the system:

arp static delete
Deletes all ARP entries for the system:

arp all delete
Options
You can use these options with the arp command:
◆ ip addr
Specifies the IP address, for which you want to create an ARP entry, in
one of four formats:
• IPv4 address in dotted-quad notation, for example, 10.10.10.1
• IPv6 address, for example, 1080::8:800:200C:417A
• host name, for example, www.f5.com
• node screen name, for example, node1
◆ ip addr list
Specifies a list of IP addresses separated by a single space. For example,
this list contains three IP addresses: 10.10.10.20 10.10.10.21
10.10.10.22.
◆ dynamic
Specifies that the IP address for which you want to create an ARP entry
is dynamic. A dynamic IP address is a temporary IP address.
◆ static
Specifies that the IP address for which you want to create an ARP entry
is static and does not change.

Appendix A
◆ mac addr
Specifies a 6-byte ethernet address in non case-sensitive hexadecimal
colon notation, for example, 00:0b:09:88:00:9a. You must specify a
MAC address when you create an ARP entry.
See also
db(1), ndp(1), bigpipe(1)
A-6
auth crldp
Configures a Certificate Revocation List Distribution Point (CRLDP)
configuration object for implementing CRLDP to manage certificate
revocation.
Syntax
Use this command to create, modify, display, or delete a CRLDP
configuration object.
Create/Modify
Important
If you are assigned a user role that allows you to create objects, and you are
assigned access to all partitions, then before you create an object in a
specific partition, you must use the bigpipe shell command to set your Write
partition to the partition in which you want to create the object. For more
information, see the Configuring Administrative Partitions and Managing
User Accounts chapters in the BIG-IP® Network and System Management
Guide.
auth crldp <auth crldp key list> {}

auth crldp (<auth crldp key list> | all) [{] <auth crldp arg list> [}]
<auth crldp key> ::=
<name>
<auth crldp arg> ::=
conn timeout (<number> | immediate | indefinite)
servers (<crldp server key list> | none) [add |delete]
update interval <number>
use issuer (enable | disable)
Display
auth crldp [<auth crldp key list> | all] [show [all]]
auth crldp [<auth crldp key list> | all] list [all]
auth crldp [<auth crldp key list> | all] conn timeout [show]
auth crldp [<auth crldp key list> | all] name [show]
auth crldp [<auth crldp key list> | all] partition [show]
auth crldp [<auth crldp key list> | all] servers [show]
auth crldp [<auth crldp key list> | all] update interval [show]
auth crldp [<auth crldp key list> | all] use issuer [show]
Delete
auth crldp (<auth crldp key list> | all) delete

Appendix A
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command) and assigning
CRLDP servers to the object, creating a CRLDP profile (using the profile
auth command) and assigning the CRLDP configuration object to the
profile, and assigning the CRLDP profile to a virtual server.
Examples
Creates a configuration object called my_auth_crldp:
auth crldp my_auth_crldp {}
Deletes the configuration object named my_auth_crldp:

auth crldp my_auth_crldp delete
Options
You can use these options with the auth crldp command:
• CRLDP servers
Specifies the CRLDP server that you want to either assign to or remove
from the CRLDP configuration object.
• Connection timeout
Specifies the number of seconds before the connection times out. The
default is 15 seconds.
• Update interval
Specifies an update interval for CRL distribution points. The update
interval for distribution points ensures that CRL status is checked at
regular intervals, regardless of the CRL timeout value. This helps to
prevent CRL information from becoming outdated before the BIG-IP
system checks the status of a certificate. The default is zero, which
indicates an internal default value is active.
• Use Issuer
Indicates whether the CRL distribution point should be extracted from
the certificate of the client certificate issuer. The default is disable.
See also
profile auth(1), bigpipe(1)
A-8
auth ldap
Configures an LDAP configuration object for implementing remote
LDAP-based client authentication.
Syntax
Use this command to create, modify, display, or delete an LDAP
Create/Modify
Important
Guide.
auth ldap <auth ldap key list> {}

auth ldap (<auth ldap key list> | all) [{] <auth ldap arg list> [}]
<auth ldap key list> ::=
<name>
<auth ldap arg> ::=
bind dn (<string> | none)
bind pw (<string> | none)
bind timeout <number>
check host attr (enable | disable)
debug (enable | disable)
filter (<string> | none)
group dn (<string> | none)
group member attr (<string> | none)
idle timeout <number>
ignore authinfo unavail (enable | disable)
login attr (<string> | none)
scope (base | one | sub)
search base dn (<string> | none)
search timeout <number>
servers (<string list> | none) [add | delete]
service (<service> | none)
ssl (enable | disable)
ssl ca cert file (<string> | none)
ssl check peer (enable | disable)

Appendix A
ssl ciphers (<string> | none)

ssl client cert (<string> | none)
ssl client key (<string> | none)
user template (<string> | none)
version <number>
warnings (enable | disable)
Display
auth ldap [<auth ldap key list> | all] [show [all]]
auth ldap [<auth ldap key list> | all] list [all]
auth ldap [<auth ldap key list> | all] bind dn [show]
auth ldap [<auth ldap key list> | all] bind pw [show]
auth ldap [<auth ldap key list> | all] bind timeout [show]
auth ldap [<auth ldap key list> | all] check host attr [show]
auth ldap [<auth ldap key list> | all] debug [show]
auth ldap [<auth ldap key list> | all] filter [show]
auth ldap [<auth ldap key list> | all] group dn [show]
auth ldap [<auth ldap key list> | all] group member attr [show]
auth ldap [<auth ldap key list> | all] idle timeout [show]
auth ldap [<auth ldap key list> | all] ignore authinfo unavail [show]
auth ldap [<auth ldap key list> | all] login attr [show]
auth ldap [<auth ldap key list> | all] name [show]
auth ldap [<auth ldap key list> | all] partition [show]
auth ldap [<auth ldap key list> | all] scope [show]
auth ldap [<auth ldap key list> | all] search base dn [show]
auth ldap [<auth ldap key list> | all] search timeout [show]
auth ldap [<auth ldap key list> | all] servers [show]
auth ldap [<auth ldap key list> | all] service [show]
auth ldap [<auth ldap key list> | all] ssl [show]
auth ldap [<auth ldap key list> | all] ssl ca cert file [show]
auth ldap [<auth ldap key list> | all] ssl check peer [show]
auth ldap [<auth ldap key list> | all] ssl ciphers [show]
auth ldap [<auth ldap key list> | all] ssl client cert [show]
auth ldap [<auth ldap key list> | all] ssl client key [show]
auth ldap [<auth ldap key list> | all] user template [show]
auth ldap [<auth ldap key list> | all] version [show]
auth ldap [<auth ldap key list> | all] warnings [show]
Delete
auth ldap (<auth ldap key list> | all) delete
A - 10
Description
LDAP authentication is a mechanism for authenticating or authorizing client
connections passing through the system. LDAP authentication is useful
when your authentication or authorization data is stored on a remote LDAP
server or a Microsoft® Windows Active Directory server, and you want the
client credentials to be based on basic HTTP authentication (that is, user
name and password). You configure an LDAP authentication module by
creating an LDAP configuration object, creating an LDAP profile, and
assigning the profile and a default iRuleTM to the virtual server.
Examples
Creates a configuration object called my_auth_ldap:
auth ldap my_auth_ldap
Deletes the configuration object named my_auth_ldap:

auth ldap my_auth_ldap delete
Options
You can use these options with the auth ldap command:
• bind dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. This search account is a read-only account used to
do searches. The admin account can be used as the search account. If no
admin DN is specified, then no bind is attempted. This setting is only
required when a site does not allow anonymous searches. If the remote
server is a Microsoft Windows Active Directory server, the distinguished
name must be in the form of an email address. Possible values are a
user-specified string, and none.
• bind pw
Specifies the password for the search account created on the LDAP
server. This setting is required if you use a bind DN. Possible values are
a user-specified string, and none.
• bind timeout
Specifies a bind timeout limit, in seconds. The default is 30 seconds.
• check host attr
Confirms the password for the bind distinguished name. This setting is
optional. The default is disable.
• debug
Enables or disables Syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default is disable.
• filter
Specifies a filter. This setting is used for authorizing client traffic.
Possible values are a user-specified string, and none.
BIG-IP® Command Line Interface Guide A - 11

Appendix A
• group dn
Specifies the group distinguished name. This setting is used for
authorizing client traffic. Possible values are a user-specified string, and
none.
• group member attr
Specifies a group member attribute. This setting is used for authorizing
client traffic. Possible values are a user-specified string, and none.
• idle timeout
Specifies the idle timeout, in seconds, for connections. The default is
3600 seconds.
• ignore authinfo unavail
Ignores the authentication information if it is not available. The default is
disable.
• login attr
Specifies a login attribute. Normally, the value for this setting is uid;
however, if the server is a Microsoft Windows Active Directory server,
the value must be the account name SAMACCOUNTNAME (non
case-sensitive). Possible values are a user-specified string, and none.
• scope
Specifies the scope. Possible values are: base, one, and sub. The default
is sub.
• search base dn
Specifies the search base distinguished name. You must specify a search
base distinguished name when you create an LDAP configuration object.
• search timeout
Specifies the search timeout, in seconds. The default is 30 seconds.
• servers
Specifies the LDAP servers that the system must use to obtain
authentication information. You must specify a server when you create
an LDAP configuration object.
• service
Specifies the port number for the LDAP service. Port 389 is typically
used for non-SSL and port 636 is used for an SSL-enabled LDAP
service. Possible values are a service name, and none.
• ssl
Enables or disables SSL. The default is disable. Note that when enabled,
the system changes the service port number from 389 to 636.
• ssl ca cert file
Specifies the name of an SSL CA certificate. Possible values are: none
and specify full path.
• ssl check peer
Checks an SSL peer. The default is disable.
• ssl ciphers
Specifies SSL ciphers. Possible values are a user-specified string, and
none.
A - 12
• ssl client cert

Specifies the name of an SSL client certificate. Possible values are a
• ssl client key
Specifies the name of an SSL client key. Possible values are a
• version
Specifies the version number of the LDAP application. The default value
is 3.
• warnings
Enables or disables warning messages. The default is enable.
See also

Appendix A
auth radius
Configures a RADIUS configuration object for implementing remote
RADIUS-based client authentication.
Syntax
Use this command to create, modify, display, or delete a RADIUS
authentication configuration object.
Create/Modify
Important
Guide.
auth radius <auth radius key list> {}

auth radius (<auth radius key list> | all) [{] <auth radius arg list> [}]
<auth radius key> ::=
<name>
<auth radius arg> ::=
accounting bug (enable | disable)
client (<string> | none)
retries <number>
servers (<radius server key list> | none) [add | delete]
Display
auth radius [<auth radius key list> | all] [show [all]]
auth radius [<auth radius key list> | all] list [all]
auth radius [<auth radius key list> | all] accounting bug [show]
auth radius [<auth radius key list> | all] client [show]
auth radius [<auth radius key list> | all] debug [show]
auth radius [<auth radius key list> | all] name [show]
auth radius [<auth radius key list> | all] partition [show]
auth radius [<auth radius key list> | all] retries [show]
auth radius [<auth radius key list> | all] servers [show]
A - 14
Delete
auth radius (<auth radius key list> | all) delete
Description
By creating a RADIUS configuration object, a RADIUS profile, and one or
more RADIUS server objects, you can implement the RADIUS
authentication module as the mechanism for authenticating client
connections passing through the traffic management system. You use this
module when your authentication data is stored on a remote RADIUS
server. In this case, client credentials are based on basic HTTP
authentication (that is, user name and password). You can use this
configuration object in conjunction with a RADIUS profile and a RADIUS
server object.
To use these commands, you must first create a RADIUS server object using
the radius command.
Examples
Creates a RADIUS configuration object named my_auth_radius:
auth radius my_auth_radius {}
Displays all auth radius configuration objects:

auth radius all
Deletes the auth radius configuration object named my_auth_radius:

auth radius my_auth_radius delete
Options
You can use these options with the auth radius command:
• accounting bug
Enables or disables validation of the accounting response vector. This
option should be necessary only on older servers. The default is disable.
• client
Sends a NAS-Identifier RADIUS attribute with string bar. If you do not
specify a value for the Client ID setting, the PAM service type is used
instead. You can disable this feature by specifying a blank client ID.
Possible values are a user-specified string and none.
• debug
Enables or disables Syslog-ng debugging information at LOG DEBUG
level. Not recommended for normal use. The default is disable.
• retries
Specifies the number of authentication retries that the LTM system
allows before authentication fails. The default value is 3.

Appendix A
• servers
Lists the IP addresses of the RADIUS servers that LTM uses to obtain
authentication data. Note that for each server listed, you must create a
corresponding RADIUS server object. A RADIUS server object specifies
the server name, port number, RADIUS secret, and timeout value.
Possible values are a user-specified list of IP addresses and none.
See also
profile auth(1), radius(1), bigpipe(1)
A - 16
auth ssl cc ldap

Configures an SSL client certificate configuration object for remote
SSL-based LDAP authorization.
Syntax
Use this command to create, modify, display, or delete an SSL
certificate-based LDAP configuration object.
Create/Modify
Important
Guide.
auth ssl cc ldap <auth ssl cc ldap key list> {}

auth ssl cc ldap (<auth ssl cc ldap key list> | all) [{] <auth ssl cc ldap arg list> [}]
<auth ssl cc ldap key> ::=
<name>
<auth ssl cc ldap arg> ::=
admin dn (<string> | none)
admin pw (<string> | none)
cache size <number>
cache timeout (<number> | immediate | indefinite)
certmap base (<string> | none)
certmap key (<string> | none)
certmap use serial (enable | disable)
group base (<string> | none)
group key (<string> | none)
group member key (<string> | none)
role key (<string> | none)
search (user | certmap | cert)
secure (enable | disable)
user base (<string> | none)
user class (<string> | none)
user key (<string> | none)
valid groups (<string list> | none) [add | delete]
valid roles (<string list> | none) [add | delete]

Appendix A
Display
auth ssl cc ldap [<auth ssl cc ldap key list> | all] [show [all]]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] list [all]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin dn [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] admin pw [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache size [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] cache timeout [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] certmap use serial [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] group member key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] name [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] partition [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] role key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] search [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] secure [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] servers [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user base [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user class [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] user key [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid groups [show]
auth ssl cc ldap [<auth ssl cc ldap key list> | all] valid roles [show]
Delete
auth ssl cc ldap (<auth ssl cc ldap key list> | all) delete
Description
You can use the auth ssl cc ldap command to configure SSL client
certificate-based remote LDAP authorization for client traffic passing
through the traffic management system.
Options
You can use these options with the auth ssl c ldap command:
◆ admin dn
Specifies the distinguished name of an account to which to bind, in order
to perform searches. This search account is a read-only account used to
do searches. The admin account can also be used as the search account. If
no admin DN is specified, then no bind is attempted. This parameter is
required only when an LDAP database does not allow anonymous
searches. Possible values are a user-specified string, and none.
A - 18
◆ admin pw
Specifies the password for the admin account. See admin dn above.
◆ cache size <number>
Specifies the maximum size, in bytes, allowed for the SSL session cache.
Setting this value to 0 disallows SSL session caching. The default value
is 20000 bytes (that is 20KB).
◆ cache timeout <number> | immediate | indefinite
Specifies the number of usable lifetime seconds of negotiable SSL
session IDs. When this time expires, a client must negotiate a new
session. Allowed values are: <number>, immediate, and indefinite.
The default value is 300 seconds.
◆ certmap base
Specifies the search base for the subtree used by the certmap search
method. A typical search base is: ou=people,dc=company,dc=com.
◆ certmap key
Specifies the name of the certificate map found in the LDAP database.
Used by the certmap search method. Possible values are a user-specified
string, and none.
◆ certmap use serial
Enables or disables the use of the client certificate's subject or serial
number (in conjunction with the certificate's issuer) when trying to match
an entry in the certificate map subtree. A setting of enable uses the serial
number. A setting of disable uses the subject. The default is disable.
◆ group base
Specifies the search base for the subtree used by group searches. This
parameter is only used when specifying the valid groups option. The
typical search base would be similar to:
ou=groups,dc=company,dc=com. Possible values are a user-specified
string, and none.
◆ group key
Specifies the name of the attribute in the LDAP database that specifies
the group name in the group subtree. An example of a typical key is cn
(common name for the group). Possible values are a user-specified
string, and none.
◆ group member key
Specifies the name of the attribute in the LDAP database that specifies
members (DNs) of a group. A typical key would be member. Possible
values are a user-specified string, and none.
◆ role key
Specifies the name of the attribute in the LDAP database that specifies a
user's authorization roles. This key is used only with the valid roles
option. A typical role key might be authorizationRole. Possible values
are a user-specified string, and none.

Appendix A
◆ search
Specifies the type of LDAP search that is performed based on the client's
certificate. Possible values are:
• user: Searches for a user based on the common name found in the
certificate.
• cert: Searches for the exact certificate.
• certmap: Searches for a user by matching the certificate issuer and
the certificate serial number or certificate.
The default is user.
◆ secure
Enables or disables an attempt to use secure LDAP (LDAP over SSL).
The alternative to using secure LDAP is to use insecure (clear text)
LDAP. Secure LDAP is a consideration when the connection between
the BIG-IP system and the LDAP server cannot be trusted. The default is
disable.
◆ servers
Specifies a list of LDAP servers you want to search. Possible values are a
user-specified list of servers, and none. You must specify a server when
you create an SSL client certificate configuration object.
◆ user base
Specifies the search base for the subtree used by the user and cert search
methods. A typical search base is: ou=people,dc=company,dc=com.
Possible values are a user-specified string, and none. You must specify a
user base when you create an SSL client certificate configuration object.
◆ user class
Specifies the object class in the LDAP database to which the user must
belong in order to be authenticated.
◆ user key
Specifies the key that denotes a user ID in the LDAP database (for
example, the common key for the user field is uid). Possible values are a
user-specified string, and none. You must always specify a user key
when you create an SSL client certificate configuration object.
◆ valid groups
Specifies a space-delimited list specifying the names of groups that the
client must belong to in order to be authorized (matches against the group
key in the group subtree). The client only needs to be a member of one of
the groups in the list. Possible values are a user-specified string, or none.
◆ valid roles
Specifies a space-delimited list specifying the valid roles that clients
must have in order to be authorized. Possible values are a user-specified
string, and none.
See also
A - 20
auth ssl ocsp

Configures an OCSP configuration object for implementing remote
OCSP-based client authentication.
Syntax
Use this command to create, display, modify, or delete an OCSP
Create/Modify
Important
Guide.
auth ssl ocsp <auth ssl ocsp key list> {}

auth ssl ocsp (<auth ssl ocsp key list> | all) [{] <auth ssl ocsp arg list> [}]
<auth ssl ocsp key> ::=
<name>
<auth ssl ocsp arg> ::=
responders (<ocsp responder key list> | none) [add | delete]
Display
auth ssl ocsp [<auth ssl ocsp key list> | all] [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] list [all]
auth ssl ocsp [<auth ssl ocsp key list> | all] name [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] partition [show]
auth ssl ocsp [<auth ssl ocsp key list> | all] responders [show]
Delete
auth ssl ocsp (<auth ssl ocsp key list> | all) delete

Appendix A
Description
Online Certificate Status Protocol (OCSP) is an industry-standard protocol
that offers an alternative to a certificate revocation list (CRL) when using
public-key technology. A CRL is a list of revoked client certificates, which
a server system can check during the process of verifying a client certificate.
To use these commands, you must first create an OCSP responder object
using the ocsp responder command.
Options
You can use the responders option with the auth ssl ocsp command. The
responders option specifies a list of OCSP responders that you configured
using the ocsp responder command.
See also
profile auth(1), ocsp responder(1), bigpipe(1)
A - 22
auth tacacs
Configure a TACACS+ configuration object for implementing remote
TACACS+-based client authentication.
Syntax
Use this command to create, modify, display, or delete a TACACS+
Create/ Modify
Important
Guide.
auth tacacs <auth tacacs key list> {}

auth tacacs (<auth tacacs key list> | all) [{] <auth tacacs arg list> [}]
<auth tacacs key> ::=
<name>
<auth tacacs arg> ::=
acct all (enable | disable)
encrypt (enable | disable)
first hit (enable | disable)
protocol (<string> | none)
secret (<string> | none)
service (<string> | none)
Display
auth tacacs [<auth tacacs key list> | all] [show [all]]
auth tacacs [<auth tacacs key list> | all] list [all]
auth tacacs [<auth tacacs key list> | all] acct all [show]
auth tacacs [<auth tacacs key list> | all] debug [show]
auth tacacs [<auth tacacs key list> | all] encrypt [show]
auth tacacs [<auth tacacs key list> | all] first hit [show]
auth tacacs [<auth tacacs key list> | all] name [show]
auth tacacs [<auth tacacs key list> | all] partition [show]
auth tacacs [<auth tacacs key list> | all] protocol [show]

Appendix A
auth tacacs [<auth tacacs key list> | all] secret [show]

auth tacacs [<auth tacacs key list> | all] servers [show]
auth tacacs [<auth tacacs key list> | all] service [show]
Delete
auth tacacs (<name list> | all) delete
Description
Using a TACACS+ configuration object and profile, you can implement the
TACACS+ authentication module as the mechanism for authenticating
client connections passing through an LTM system. You use this module
when your authentication data is stored on a remote TACACS+ server. In
this case, client credentials are based on basic HTTP authentication (that is,
user name and password). You configure a TACACS+ authentication
module by creating a TACACS+ configuration object, creating a TACACS+
profile, and assigning the profile to a virtual server.
Examples
Enables encryption for TACACS+ packets:
auth tacacs encrypt
Provides the ability to send accounting start and stop packets to all servers:
auth tacacs myauth2 myauth3 acct all enable
Options
You can use these options with the auth tacacs command:
◆ acct all
If multiple TACACS+ servers are defined and PAM session accounting
is enabled, sends accounting start and stop packets to the first available
server or to all servers. Possible values are:
• enable: Sends to first available server.
• disable: Sends to all servers.
The default is disable.
◆ debug
Enables Syslog-ng debugging information at LOG DEBUG level. Not
recommended for normal use. The default is disable.
◆ encrypt
Enables or disables encryption of TACACS+ packets. Recommended for
normal use. The default is enable.
◆ first hit
Confirms the secret key supplied for the Secret setting. This setting is
required. The default is disable.
A - 24
◆ protocol
Specifies the TACACS++ server's listening device as port, such as lcp.
◆ secret
Sets the secret key used to encrypt and decrypt packets sent or received
from the server. This setting is required. Possible values are a
user-specified string and none.
◆ servers
Specifies a host name or IP address for the TACACS++ server. This
setting is required. Possible values are a user-specified string, and none.
You must specify a server when you create a TACACS+ configuration
object.
◆ service
Specifies the TACACS++ server's listening device, such as ppp. Possible
values are a user-specified string, and none.
See also
profile auth(1), profile http(1), bigpipe(1), shell(1)

Appendix A
bigpipe shell
When typed at the BIG-IP system prompt, starts the bigpipe utility in its
shell mode, and configures the shell.
Modify
bigpipe shell
bigpipe shell [{] <shell arg list> [}]
<shell arg> ::=
partition <partition key>
prompt <string>
read partition (<partition key> | all)
write partition <partition key>
Display
bigpipe shell prompt [show]
bigpipe shell read partition [show]
bigpipe shell write partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Examples
From the BIG-IP system prompt, starts the bigpipe utility in its shell mode
and presents a prompt at which you can type bigpipe commands:
bigpipe shell
Customizes the bigpipe shell prompt to display as F5:

bigpipe shell prompt F5
For users with access to all partitions, changes the partition to which you
have Write access to partition application1:
bigpipe shell write partition application1
have Read and Write access to partition application2:
bigpipe shell partition application2
A - 26
Options
You can use these options with the bigpipe shell command:
• prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
• read partition
Changes the partition to which you have Read access to the partition you
specify. This option is only available to users with access to all partitions.
• write partition
Changes the partition to which you have Write access to the partition you
• partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is only available to users with access to
all partitions.
See also
partition(1), bigpipe(1)

Appendix A
class
Creates, modifies, displays, or deletes classes.
Syntax
Use this command to configure classes.
Create/Modify
Important
Guide.
class <class key list> {}

class (<class key list> | all) [{] <class arg list> [}]
<class key list> ::=
<name>
<class arg list> ::=
filename (<file name> | none)
mode (read | rw)
type (ip | string | value)
(<IP class item list> | none) [add | delete]
(<number list> | none) [add | delete]
(<string list> | none) [add | delete]
<IP class item> ::=
host <ip addr> | network <ip addr>
Display
class [<class key list> | all] [show [all]]
class [<class key list> | all] list [all]
class [<class key list> | all] filename [show]
class [<class key list> | all] ip [show]
class [<class key list> | all] mode [show]
class [<class key list> | all] name [show]
class [<class key list> | all] partition [show]
class [<class key list> | all] string [show]
class [<class key list> | all] type [show]
class [<class key list> | all] value [show]
A - 28
Delete
class [<class key list> | all] delete
Description
Classes are lists of data that you define and use with iRules operators. The
system includes a number of predefined lists that you can use. They are:
• AOL Network
• Image Extensions
• Non-routable addresses (private)
The above lists are located in the file /config/profile_base.conf. The load
command loads these lists; however, unless the lists are modified, the load
command does not save the lists to the bigip.conf file.
Classes are either internal or external. Internal classes are stored in the
bigip.conf file. External classes are stored in external files that you define.
Note that external classes can be very large, which is one reason why these
classes are saved to external files. For example, a phone company may store
a list of thousands of phone numbers in an external class.
Internal classes can be one of three types of lists, an ip class item list, string
list, or number list. Strings must be surrounded by quotation marks.
Numbers can be either positive or negative.
External classes are lists that specify:
• A file name where the list is saved.
• The type is indicated by a list of ip addresses, strings, or values.
• A permission mode that defines access to the class as either read or rw
(read/write).
You can update the external class file by issuing the list or save commands.
Note
When you use the class command at the BIG-IP system prompt, you must
use escape characters around the strings in the syntax to stop the UNIX or
Linux system from interpreting the string literally.
Example
Creates an internal class named MyNewClass that contains a single IP
address:
class MyNewClass host 10.0.0.0
Creates an internal class named MyNewClass2 that contains a list of three

network addresses: 192.1.1.0/24, 192.2.1.1, and 10.0.0.5/24:
class MyNewClass2 network 192.1.1.0 mask 255.255.255.0 host
192.2.1.1 network 10.0.0.5/24

Appendix A
Creates an internal class named AnotherNewClass that contains a list of

four values:
class AnotherNewClass 111 222 333 444
Modifies the internal class named AnotherNewClass by adding the value

555:
class AnotherNewClass 555 add
Creates an internal class named ThirdNewClass that contains a list of

strings:
class ThirdNewClass "aaaa" "bbbb" "cccccc" "dd"
Modifies the internal class named ThirdNewClass by deleting the member

aaaa from the list of strings:
class ThirdNewClass "aaaa" delete
Creates an external class named MyExternalClass that contains IP

addresses that are stored in the MyOtherNewClass.cls file. The external
class has Read and Write permissions assigned to it:
class MyExternalClass type ip filename MyOtherNewClass.cls mode
rw
Displays the file name where the class list information is stored:
class MyExternalClass filename show
Options
You can use these options with the class command:
◆ filename
Specifies the path and file name that contains the list of data defined by
the external class.
◆ mode (read | rw)
Specifies a permission mode for the external class. Valid values are
read and rw (read/write).
◆ name
Specifies a unique string identifying the class.
◆ partition
Displays the partition within which the internal or external class
resides.
◆ type (ip | string | value)
Specifies the type of data you want to add to, modify, display, or delete
from an external class. This setting is required for external classes.
Specify the type by including a list of strings, values, or IP addresses.
Strings must be surrounded by quotation marks. Values (numbers) can be
either positive or negative. IP addresses can be in any of the following
four formats:
• network <ip addr> mask < ip mask>
A - 30
• network <ip addr> prefixlen <number>

• network <ip addr> / <number>
• host <ip addr>
◆ <IP class item list>, <string list>, <number list>
Specifies the data you want to add to, modify, display, or delete from an
internal class. This setting is required for internal classes. Strings must
be surrounded by quotation marks. Numbers can be either positive or
negative.
See also
rule(1), bigpipe(1)

Appendix A
config
Manages the BIG-IP system user configuration sets.
Syntax
Use this command to manage or display configuration data.
Modify
config show <file.ucs>
config [support] save <file.ucs> [passphrase [<string>]]
config install [all] <file.ucs> [passphrase [<string>]] [excludes <file.ucs>]
config sync min
config sync pull
config sync [all]
config check [all]
Display
config sync show
Description
The config command manages user configuration sets. A user configuration
set (UCS) is the set of all configuration files that a user may edit to
configure a BIG-IP system. A UCS file is an archive that contains all the
configuration files in a UCS.
The config command allows you to save the BIG-IP system configuration to
a UCS file, install the configuration from a UCS file, or synchronize the
configuration with the other BIG-IP system in a redundant pair.
Examples
Saves <file.ucs>, overwriting all configuration files, including
/config/bigip.conf:
config [support] save <file.ucs> [passphrase [<string>]]
Unpacks and installs myconfiguration.ucs, overwriting all configuration

files, including /config/bigip.conf:
config install myconfiguration.ucs>
Displays the status of the configuration synchronization system and the date
and time the last configuration change was made:
config sync show
A - 32
Unpacks and installs <file.ucs>, overwriting all configuration files,

including /config/bigip.conf:
config install <file.ucs>
Copies a UCS file, without the license file, from one system to another:
config install all <file.ucs> [passphrase [<string>]] \
[excludes <file.ucs>]
Note that when copying the UCS file, the above command:
• Checks to see if a license file exists and if so, checks whether the file is
valid. If no license file exists or the license file is not valid, the bigpipe
utility exits.
• Sets the system host name according to the host name in the UCS file.
• Saves the current configuration to the location /var/local/ucs/cs
backup.ucs.
• Installs the configuration from the UCS file onto the system, excluding
the license file.
Saves the currently running configuration to /config/bigip.conf. Copies

/config/bigip.conf to the other BIG-IP system in a redundant pair, and loads
/config/bigip.conf on the other BIG-IP system:
config sync min
Creates a temporary UCS file and transfers it to the other BIG-IP system.
Installs the UCS file on the other BIG-IP system:
config sync all
Runs a syntax check on the configuration files in the configuration

synchronization system:
config check all
Use the following command to pull the configuration from the peer device
and install it on the local device. This command saves the UCS file on the
remote peer, then transfers the UCS file to the local system, and installs it on
the local system. This command provides the ability to synchronize the
configuration from the local device without having to log into the peer
device to push the configuration back:
config sync pull
Options
You can use these options with the config command:
• save
Saves the password protected configuration file that has a .ucs file
extension.
• install
Installs the specified UCS file, overwriting the existing UCS file.

Appendix A
• sync
Saves the current configuration and copies it to the other unit in the
redundant system.
• <file.ucs>
Specifies the name of a UCS file that you want to install or save.
See also
bigpipe(1)
A - 34
conn
Sets idle timeout for, displays, and deletes active connections on the BIG-IP
system.
Syntax
Use this command to set the idle timeout for, display, or delete active
connections on the BIG-IP system.
Create/Modify
conn (<conn key list> | all) [{] <conn arg list> [}]
<conn key> ::=
[client (<ip addr> | <member>)] [server (<ip addr> | <member>)] \
[(any | mirror | local)] [protocol <protocol>] [age <number>]
<conn arg> ::=
idle timeout <number>
Display
conn (<conn key list> | all) [show [all]]
conn (<conn key list> | all) age [show]
conn (<conn key list> | all) client [show]
conn (<conn key list> | all) idle timeout [show]
conn (<conn key list> | all) protocol [show]
conn (<conn key list> | all) server [show]
Delete
conn (<conn key list> | all) delete
Description
The connection command displays the current connections on the BIG-IP
system, sets the idle timeout for a connection, or deletes the connection.
<protocol> may be specified by number or name (http, or 80).
If no port or service is specified, all connections with the client-side source
matching just the IP address are deleted. If no address is given, all
connections including mirrored connections are deleted.
Examples
Shows basic connection information for all connections:
conn all show

Appendix A
Shows verbose connection information for all connections:

conn all show all
Shows idle timeout connection information for all connections:

conn all idle timeout show
See also
bigpipe(1)
A - 36
crldp server
Creates a Certificate Revocation List Distribution Point (CRDLP) server
object for implementing a CRLDP authentication module.
Syntax
Use this command to create, modify, display, or delete a CRLDP server
object.
Create/Modify
Important
Guide.
crldp server <crldp server key list> {}

crldp server (<crldp server key list> | all) [{] <crldp server arg list> [}]
<crldp server key> ::=
<name>
<crldp server arg> ::=
server (<string> | none)
base dn (<string> | none)
reverse dn (enable | disable)
Display
crldp server [<crldp server key list> | all] [show [all]]
crldp server [<crldp server key list> | all] list [all]
crldp server [<crldp server key list> | all] name [show]
crldp server [<crldp server key list> | all] partition [show]
crldp server [<crldp server key list> | all] server [show]
crldp server [<crldp server key list> | all] service [show]
crldp server [<crldp server key list> | all] base dn [show]
crldp server [<crldp server key list> | all] reverse dn [show]
Delete
crldp server (<crldp server key list> | all) delete

Appendix A
Description
CRLDP authentication is a mechanism for checking certificate revocation
status for client connections passing through the BIG-IP system. This
module is useful when your authentication data is stored on a remote
CRLDP server. You configure a CRLDP authentication module by defining
a CRLDP server (using the crldp server command), creating a CRLDP
configuration object (using the auth crldp command), creating a CRLDP
profile (using the profile auth command), and assigning the profile to the
virtual server.
Examples
Creates a CRLDP server named my_crldp_server:
crldp server my_auth_crldp {}
Deletes the CRLDP server named my_crldp_server:

crldp server my_crldp_server delete
Options
You can use these options with the crldp server command:
• Server
Specifies an IP address for the CRLDP server. This setting is required.
• Service
Specifies the port for CRLDP authentication traffic. The default service
is 389.
• Base DN
Specifies the LDAP base directory name for certificates that specify the
CRL distribution point in directory name (dirName) format. Used when
the value of the X509v3 attribute crlDistributionPoints is of type
dirName. In this case, the BIG-IP system attempts to match the value of
the crlDistributionPoints attribute to the Base DN value. An example
of a Base DN value is cn=lxxx,dc=f5,dc=com.
• Reverse DN
Specifies in which order the system is to attempt to match the Base DN
value to the value of the X509v3 attribute crlDistributionPoints. When
enabled, the system matches the base DN from left to right, or from the
beginning of the DN string, to accommodate dirName strings in
certificates such as C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The
default value is disable.
See also
auth crldp(1), profile auth(1), bigpipe(1)
A - 38
daemon
Tunes the high availability functionality that is built into daemons.
Syntax
Use this command to modify or display daemons.
Modify
daemon <daemon key list> {}
daemon (<daemon key list> | all) [{] <daemon arg list> [}]
<daemon key> ::=
<name>
<daemon arg> ::=
(enable | disable)
heartbeat monitor (enable | disable)
heartbeat monitor (reboot | restart | failover | failover restart | go active | \
no action | restart all |failover restart tm)
heartbeat monitor redundant (reboot | restart | failover | failover restart | \
go active | no action | restart all | failover restart tm)
heartbeat monitor stand alone (reboot | restart | failover | failover restart | \
go active | no action | restart all | failover restart tm)
proc not run action (reboot | restart | failover | failover restart | go active | \
no action | restart all | failover restart tm)
running (enable | disable)
running timeout <number>
Display
daemon [<daemon key list> | all] [show [all]]
daemon [<daemon key list> | all] list [all]
daemon [<daemon key list> | all] heartbeat monitor [show]
daemon [<daemon key list> | all] heartbeat monitor redundant [show]
daemon [<daemon key list> | all] heartbeat monitor stand alone [show]
daemon [<daemon key list> | all] name [show]
daemon [<daemon key list> | all] proc not run action [show]
daemon [<daemon key list> | all] running [show]
daemon [<daemon key list> | all] running timeout [show]
Description
These commands provide the ability to fine tune the daemons that provide
high availability functionality.

Appendix A
Examples
Enables the system to fail over and reboot due to lack of a detected heartbeat
from the sod daemon:
daemon sod heartbeat monitor enable
Options
You can use these options with the daemon command:
• heartbeat monitor
Enables or disables the heartbeat on the specified daemon, or performs an
action. Typically, if a daemon does not periodically touch its heartbeat
location, it is restarted automatically. This command allows you to
disable automatic restart. The daemons that supply a heartbeat are: tmm,
mcpd, bigd, sod, and bcm56xxd. The default is enable.
Specify the action the daemon should take if no heartbeat is detected.
Possible values are reboot, restart, failover, failover restart, go active
no action, restart all, and failover restart tm. The default is restart.
• heartbeat monitor redundant
Specify the action the daemon should take if no heartbeat is detected on
the redundant heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, and failover
restart tm. The default is restart.
• heartbeat monitor stand alone
Specify the action the daemon should take if no heartbeat is detected on a
standalone heartbeat monitor. Possible values are reboot, restart,
failover, failover restart, go active no action, restart all, and failover
restart tm. The default is restart.
• proc not run action
Specify the action the daemon should take if a configured traffic or
system management action is not run. Possible values are reboot,
restart, failover, failover restart, go active no action, restart all, and
failover restart tm. The default is failover.
• running
Enables or disables actions configured for the traffic management and
system management daemons. You can use this feature to disable the
action a daemon takes during failover. For example, when you want to
stop a daemon and you do not want the unit to failover, you can issue the
running disable command for the daemon. The default is disable.
• running timeout
Specify the length of time you want disabled actions to remain disabled.
The default is 10 seconds.
See also
ha table(1), bigpipe(1)
A - 40
db
Displays or modifies bigdbTM database entries.
Syntax
Use this command to modify or display configuration database entries.
Modify
db <db key list> {}
db (<db key list> | all) [{] <db arg list> [}]
<db key> ::= <name>
<db arg> ::= <string>
db (<db key list> | all) reset
Display
db (<db key list> | all) [show [all]]
db (<db key list> | all) list [all]
Description
The db command allows you to modify and retrieve the data that is stored in
the bigdb configuration database.
Examples
Resets each database entry and setting to its default:
db all reset
Options
Use these options with the db command:
• name
The name of the database entry that you want to modify or display.
• string
The value that you want to assign to the database entry that you are
modifying. When you are modifying a configuration database entry, this
value is required.
See also
bigpipe(1)

Appendix A
dns
Displays and resets global statistics for the DNS profile on the BIG-IP
system.
Syntax
Use this command to display or reset global statistics for the DNS profile.
Modify
dns stats reset
Display
dns [show [all]]
Examples
The following commands display the global statistics for the DNS profile:
dns
dns show
See also
profile dns(1)
A - 42
exit
Exits the bigpipe shell.
Syntax
Use this command to exit the bigpipe shell.
Usage
exit
Description
Use this command at the bigpipe shell prompt to exit the shell and return to
the BIG-IP system prompt.
Example
When you are finished running commands at the bigpipe shell prompt, type
exit to return to the system prompt and exit the shell.
bp> exit
See also
bigpipe(1)

Appendix A
f5adduser
Adds local user accounts to the BIG-IP system.
Syntax
Use this command at the BIG-IP system prompt to add one or more local
users.
Create
f5adduser [-r <role name>|<role number>] [-n] [-s] -p <partition name> <username> ...
Description
You can use this command at the BIG-IP system prompt to add one or more
local users.
Examples
Adds a user account with the role of manager and access to all partitions for
Jim Smith:
f5adduser -r manager jsmith
Options
You can use these options with the f5adduser command at the BIG-IP
system prompt:
• -r
Specifies the role you are assigning to the user. You can use either the
role name or the numerical equivalent as shown below. The default role
is guest.
Role Name Role Number
administrator 0
manager 200
app editor 300
operator 400
guest 700
policy editor 800
Table A.1 User roles
A - 44
• -n
Indicates no password for the user account. If you indicate no password,
the user cannot log in until an administrator creates a password for the
account. If you do not use this option, you are prompted to enter a
password, and then to confirm that password.
• -s
If you are creating a user account with the role of administrator, the
user is given bash shell access. If you are creating a user account with a
role other than administrator, the user is given access to the bigpipe
shell.
• -p
Specify a partition name. If you do not specify a partition, the user
account is valid in all partitions.
See also
user(1)

Appendix A
failover
Displays or changes failover state in a redundant system.
Syntax
Use this command to modify or display the failover state of a redundant
system.
Modify
failover (standby | failback)
Display
failover [show [all]]
Description
Switches the unit to be the standby unit in a redundant configuration. This
command should be used with care, and is provided only for special
situations. The unit automatically switches between active and standby
modes, without operator intervention.
Examples
Causes the system to go into the standby state, forcing the other unit in the
redundant system to become active:
failover standby
Restores an active-active configuration after a failure:

failover failback
Options
You can use these options with the failover command:
• standby
Specifies that the active system should failover to a standby state,
causing the standby system to become active.
• failover
Initiates failback for an active-active system.
See also
bigpipe(1)
A - 46
fastL4
Displays and resets statistics for the Fast Layer 4 profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast Layer 4 profile.
Modify
fastl4 stats reset
Display
fastl4 [show [all]]
Description
Display detailed Fast Layer 4 profile statistics. These statistics include
connectivity statistics, errors generated, and SYN cookies used.
Examples
The following commands display statistics for the Fast Layer 4 profile:
fastl4
fastl4 show
Resets all statistics for the Fast Layer 4 profile on the system:
fastl4 stats reset
See also
profile fastl4 (1)

Appendix A
fasthttp
Displays and resets global statistics for the Fast HTTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset statistics for the Fast HTTP profile.
Modify
fasthttp stats reset
Display
fasthttp [show [all]]
Description
Use this command to display and reset global statistics for the Fast HTTP
profile.
Examples
The following commands display the global statistics for the Fast HTTP
profile:
fasthttp
fasthttp show
Resets all statistics for the Fast HTTP profile on the system:
fasthttp stats reset
See also
profile fasthttp (1)
A - 48
ftp
Displays and resets global statistics for the FTP profile on the BIG-IP
system.
Syntax
Use this command to display and reset the statistics for the FTP profile.
Modify
ftp stats reset
Display
ftp [show [all]]
Description
You can use the ftp command to display and reset global statistics for the
FTP profile.
Examples
The following commands display the global statistics for the FTP profile:
ftp
ftp show
Resets all statistics for the FTP profile on the system.

ftp stats reset
See also
profile ftp (1)

Appendix A
global
Displays and resets global statistics for the BIG-IP system.
Syntax
Use this command to display or reset global statistics for the system.
Display
global [stats [show [all]]]
Delete
global stats reset
Description
Display and reset global system statistics. These statistics include client
side, server side, PVA connections, TMM cycles, denials, CPU usage
memory, packets, authorization, and OneConnectTM information.
Examples
Displays all global statistics.
global stats show
Resets all global statistics.

global stats reset
See also
bigpipe(1)
A - 50
ha table
Displays the settings for high availability on a system.
Syntax
Use this command to display high availability settings.
Display
<ha table key> ::=
peer
ha table [<ha table key list> | all] [show [all]]
ha table [<ha table key list> | all] list [all]
Description
Displays high availability settings for the system. These settings include
daemon settings and failover settings.
Examples
Displays all peer settings:
ha table peer
Displays all daemon and failover settings:

ha table show
Columns
The HA table consists of several columns including Feature, Key, Action,
En, Act, Proc, Time, and Data.
• Feature
Displays the high availability feature.
• Key
Displays the specific instance of the feature, for example which daemon's
heartbeat is represented.
• Action
Displays the action that should be taken when the Act (take action)
column is yes.
• En
Indicates whether the feature is enabled.
• Act
Indicates that you should take action. For example, if the VLAN failsafe
functionality determined that the VLAN had failed, it would set the field
to yes which would cause the daemon to reboot the BIG-IP system.

Appendix A
• Proc
Indicates the process that is exclusively responsible for creating and
writing to this row in the HA table.
• Time
The meaning of this column varies depending on the feature associated
with it. Typically, this value is a timeout value. For example, the sod
daemon heartbeat time is set to 20 (seconds). That means that if sod does
not increment its heartbeat in 20 seconds, the BIG-IP system reboots.
• Data
The meaning of this column also varies depending on the feature. For
daemon heartbeats, for example, this value shows the daemon
incrementing the value of its heartbeat.
See also
daemon(1), bigpipe(1)
A - 52
hardware
Displays information about the system hardware.
Syntax
Use this command to display the baud rate of the system hardware.
Display
hardware {}
hardware [{] <hardware arg list>
<hardware arg> ::=
baud rate <number>
hardware [show [all]]
hardware list [all]
hardware baud rate [show]
Description
You can use the hardware command to display the baud rate of the system
hardware.
Examples
The following three commands display the baud rate of the system
hardware:
hardware
hardware show
hardware baud rate
See also
bigpipe(1)

Appendix A
help
Displays online help for bigpipe command syntax.
Syntax
Use this command to display the online man page for a bigpipe command.
Display
<command> help
Description
Use this command to access the online man page for the specified
command.
Example
Displays the online man page for the specified command:
vlan help
See also
bigpipe(1)
A - 54
http
Displays or resets HTTP statistics on the BIG-IP system.
Syntax
Use this command to display or reset HTTP statistics.
Modify
http stats reset
Display
http [show [all]]
Description
Display and reset HTTP statistics. The statistics you can view are standard
HTTP statistics, including requests, responses, Set-Cookie header insertions,
and OneConnect idle connections.
You can also view compression statistics (in bytes), such as the following:
total, image, HTML, JS, XML, SGML, plain text, video, audio, and octet.
Examples
Displays all HTTP statistics including compression statistics:
http show all
Resets all HTTP statistics to zero:

http stats reset
See also
profile http(1), bigpipe(1)

Appendix A
icmp
Displays and resets ICMP statistics.
Syntax
Use this command to display or reset ICMP statistics.
Modify
icmp stats reset
Display
icmp [show [all]]]
Description
Display and reset ICMP statistics. The statistics you can view are standard
ICMP statics, including ICMPv4 packets and errors, and ICMPv6 packets
and errors.
Examples
Displays all ICMP statics including compression statistics:
icmp show all
Resets all ICMP statistics to zero:

icmp stats reset
See also
monitor(1), bigpipe(1)
A - 56
interface
Configures the parameters of interfaces.
Syntax
Use this command to modify or display interface settings.
Modify
interface <interface key list> {}
interface (<interface key list> | all) [{] <if arg list> [}]
<interface key> ::=
<if name>
<interface arg> ::=
prefer (sfp | fixed)
media fixed (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full |\
1000baseT half | 1000baseT full | 1000baseSX full | 1000baseLX full | \
10GbaseT full | 10GbaseSR full | 10GbaseLR full | 10GbaseER full)
media sfp (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
(enable | disable)
pause (rx tx |rx | tx | tx rx | none)
link type (p2p | shared | auto)
edge port (true | false)
auto edge (enable | disable)
stp (enable | disable)
stp reset
media (auto | 10baseT half | 10baseT full | 100baseTX half | 100baseTX full | \
interface (<interface key list> | all) stats reset
Display
interface [<<interface key list> | all] [show [all]]
interface [<<interface key list> | all] list [all]
interface [<<interface key list> | all] auto edge [show]
interface [<<interface key list> | all] edge port [show]
interface [<<interface key list> | all] enabled [show]
interface [<<interface key list> | all] errors [show]
interface [<<interface key list> | all] link type [show]
interface [<<interface key list> | all] name [show]
interface [<<interface key list> | all] prefer [show]

Appendix A
interface [<<interface key list> | all] media [show]

interface [<<interface key list> | all] media fixed [show]
interface [<<interface key list> | all] media options [show]
interface [<<interface key list> | all] media options sfp [show]
interface [<<interface key list> | all] media sfp [show]
interface [<<interface key list> | all] pause [show]
interface [<<interface key list> | all] stats [show]
interface [<<interface key list> | all] stp [show]
Description
This command displays and sets media options, duplex mode, and status for
an interface. In addition, this command provides the ability to set
per-interface spanning tree parameters such as link type, edge port status,
automatic edge port detection, and also whether the interface participates in
the spanning tree configuration.
Examples
Enables the interface named 1.1:
interface 1.1 enable
Disables the interface named 1.1:

interface 1.1 disable
Disables STP on the interfaces named 1.1, 1.2, and 1.3:

interface 1.1 1.2 1.3 stp disable
Enables auto edge detection for STP on the interfaces named 1.1, 1.2, and
1.3:
interface 1.1 1.2 1.3 auto edge enable
Sets the edge port attribute for STP on the interfaces named 1.1, 1.2, and
1.3:
interface 1.1 1.2 1.3 edge port true
Options
You can use these options with the interface command:
• auto edge
When automatic edge port detection is enabled on an interface, the
system monitors the interface for incoming STP, RSTP, or MSTP
packets. If no such packets are received for a sufficient period of time
(about three seconds), the interface is automatically given edge port
status. When automatic edge port detection is disabled on an interface,
the system never gives the interface edge port status automatically. By
default, automatic edge port detection is enabled on all interfaces. Any
STP setting set on a per-interface basis applies to all spanning tree
instances. The default is enable.
A - 58
• edge port
Possible values are true and false. The default is true.
• enable | disable
Enables or disables the named interface.
• errors
Displays the error statistics for an interface.
• <interface key list>
Specifies a list of interface names, separated by a space.
• <if name>
Specifies an interface name, for example 3.1, where 3 is the physical slot
number holding the network interface hardware and 1 is the physical port
number of that interface on that hardware. Another example is mgmt, the
name given to the management interface.
• link type
The spanning tree system includes important optimizations that can only
be used on point-to-point links. That is, on links which connect just two
bridges. If these optimizations are used on shared links, incorrect or
unstable behavior may result. By default, the implementation assumes
that full-duplex links are point-to-point and that half-duplex links are
shared. Possible values are p2p, shared, and auto. The default is auto.
• media
Specifies a media type for the specified interface. The options are: auto,
10baseT half, 10baseT full, 100baseTX half, 100baseTX full,
1000baseT half, 1000baseT full, 1000baseSX full, 1000baseLX full,
10GbaseT full, 10GbaseSR full, 10GbaseLR full, and 10GbaseER
full. Note that you use this option only with a non-combo port.
• media fixed
full. Note that you use this option only with a combo port to specify the
media type for the fixed interface.
• media options
Displays all media types that are available for the specified interface.
• media options sfp
Displays all media types that are available for the specified SFP
interface.
• media sfp
full. Note that you use this option only with a combo port to specify the
media type for the SFP interface.
• pause
Possible values are rx, rx tx, tx, tx rx, and none. The default is tx rx.

Appendix A
• prefer
Indicates which side of a combo port the interface uses. The options are
fixed and SFP. The default is fixed.
If you use the prefer option, use the media option to specify a media
type for the interface. Note that for an SFP-only interface, the prefer
option is ignored and you must use either the media or media sfp option
to set the media type for the interface.
• stp
Enables or disables STP. If you disable STP, no STP, RSTP, or MSTP
packets are transmitted or received on the interface or trunk, and
spanning tree has no control over forwarding or learning on the port or
the trunk. The default is enable.
• stp reset
Resets STP.
See also
mirror(1), stp(1), vlan(1), vlangroup(1), bigpipe(1)
A - 60
ip
Manages IP statistics on the BIG-IP system.
Syntax
Use this command to display or delete IP statistics on the BIG-IP system.
Display
ip [stats [show [all]]]
Delete
ip stats reset
Description
Display and reset IP statistics. The statistics you can view are standard IP
statistics, including IPv4 and IPv6 packets, fragments, fragments
reassembled, and errors.
Examples
Displays all IP statistics for the system:
ip show all
Resets all IP statistics to zero:

ip stats reset
See also
bigpipe(1)

Appendix A
list
Displays all objects the user has permission to see. Depending on the user’s
Read partition, all objects that are not in partitions and all objects in partition
Common may also display.
Syntax
Use this command to display objects based on your Read partition setting.
Display
[base] list [all]
Description
When the default Read partition is All, this command displays all objects the
user has permission to see. When you specify a Read partition, this
command displays all objects the user has permission to see in the current
partition, all objects that are not in partitions, and all objects in partition
Common.
Options
You can use these options with the list command:
• base
Displays the configuration of the BIG-IP network components including
MGMT port address, MGMT route, internal and external VLANs,
VLAN groups, self-IP addresses, and self allow values.
• all
Displays the complete configuration.
See also
bigpipe(1)
A - 62
load
Resets all of the BIG-IP system settings and loads the configuration of the
BIG-IP network components and high-level configuration data.
Syntax
Use this command to reset all of the BIG-IP system settings and load the
configuration of the BIG-IP network components and high-level
configuration data.
Usage
[base] load [<file> | - ]
Description
You can also use the load command to replace the currently-running
configuration with a new configuration. The configuration loads after you
enter <CTRL-D>. For example, the following sequence of commands loads
the configuration from the standard input device and defines a pool named
test:
b load -
pool test { member 10.1.1.108:80 }
<CTRL-D>
Important
Prior to restarting the MCPD service, you must run the load command.
Options
Use these options with the load command:
• base
Loads the configuration of the BIG-IP network components from
/config/bigip_base.conf.
• -
The BIG-IP system loads configuration commands from the standard
input device after loading the configuration of the BIG-IP network
components.

Appendix A
mcp
Displays the Master Control Program (MCP) state.
Syntax
Use this command to display the state of the MCP.
Display
mcp [show [all]]
Delete
mcp stats reset
Note
This command is not currently implemented.
Description
Displays the state of the MCP, whether running or inactive.
Examples
Displays the state of the MCP:
mcp show all
See also
bigpipe(1)
A - 64
memory
Displays memory usage statistics.
Syntax
Use this command to display memory statistics.
Display
memory [show [all]]
memory list [all]
memory stats [show]
Delete
memory stats reset
Note
This command is not currently implemented.
Description
Display detailed memory usage statistics. These statistics include total
memory available, total memory used, and how the memory is currently
allocated to objects, the size of the objects, and the maximum memory that
can be allocated to a specified object.
Examples
Displays all memory usage information:
memory show all
See also
bigpipe(1)

Appendix A
merge
Loads the specified configuration file without resetting the current
configuration.
Syntax
Use this command to load the specified configuration file without resetting
the current configuration.
Usage
merge (<file> | -)
Description
The merge command loads the specified configuration file without resetting
the current configuration. This is in contrast to the load command, which
removes the loaded configuration and loads the specified configuration file
at startup.
Options
You can use these options with the merge command:
• <file>
Specifies the file that you want to load without resetting the current
configuration.
• -
Specifies that the BIG-IP system should load configuration commands
from the standard input device after loading the configuration of the
BIG-IP network components.
A - 66
mgmt
Specifies network settings for the management interface (MGMT).
Syntax
Use this command to create or delete settings for the management interface.
Create/Modify
mgmt <mgmt key list> {}
mgmt (<mgmt key list> | all) {} [{] <mgmt arg list> [}]
<mgmt key> ::=
(<ip addr> | none)
<mgmt arg> ::=
netmask (<ip mask> | none)
Display
mgmt [<mgmt key list> | all] [show [all]]
mgmt [<mgmt key list> | all] list [all]
mgmt [<mgmt key list> | all] addr [show]
mgmt [<mgmt key list> | all] netmask [show]
Delete
mgmt (<ip addr list> | all) delete
Description
Specifies network settings for the management interface. The management
interface is available on all switch platforms and is designed for
management purposes. You can access the web-based Configuration utility
and command line configuration utility through the management port. You
cannot use the management interface in traffic management VLANs. You
can only configure one IP address on the management interface.
Note
After you make any changes with this command, you should issue the
following command to save the changes to the bigip_base.conf file:
bigpipe base save
Examples
Creates the IP address 10.10.10.1 on the management interface:
mgmt 10.10.10.1

Appendix A
Creates the IP address 10.10.10.1 with a netmask of 255.255.255.0 on the

management interface:
mgmt 10.10.10.1 netmask 255.255.255.0
Options
You can use these options with the mgmt command:
◆ <ip addr list>
Specifies the IP address in one of four formats:
• IPv6 address, for example, 1080::8:800:200C:417A.
• node screen name, for example, node1.
◆ netmask <IP mask>
Specifies the netmask for the management interface IP address.
See also
route(1), bigpipe(1), mgmt route(1)
A - 68
mgmt route
Specifies route settings for the management interface (MGMT).
Syntax
Use this command to create, display, or delete route settings for the
management interface.
Create/Modify
mgmt route <mgmt route key list> {}
mgmt route (<mgmt route key list> | all) [{] <mgmt route arg list> [}]
<mgmt route key> ::=
(<ip addr> [mask <ip mask> | (prefixlen | /) <number>] |
default [inet | inet6])
<mgmt route arg> ::=
(mgmt | reject)
gateway (<ip addr> | none)
mtu <number>
Display
mgmt route [<mgmt route key list> | all] [show [all]]
mgmt route [<mgmt route key list> | all] list [all]
mgmt route [<mgmt route key list> | all] dest [show]
mgmt route [<mgmt route key list> | all] type [show]
mgmt route [<mgmt route key list> | all] gateway [show]
mgmt route [<mgmt route key list> | all] mtu [show]
Delete
mgmt route (<mgmt route key list> | all) delete
Description
Specifies route settings for the management interface. You must configure a
route on the management interface if you want to access the management
network on the system by connecting from another network. The
management interface is available on all switch platforms. It is designed for
management purposes. All upgrades should be installed through the
management port. You can access the web-based Configuration utility and
command line configuration utility through the management interface. You
cannot include the management interface in traffic management VLANs.

Appendix A
Examples
Creates the gateway IP address 10.10.10.254 on the management interface:
mgmt route gateway 10.10.10.254
Creates the IP address 10.10.10.1 with a netmask of 255.255.255.0 on the

management interface:
mgmt route 10.10.10.1 netmask 255.255.255.0
Options
You can use these options with the mgmt route command:
◆ ip addr
Specifies the IP address in one of four formats:
• IPv6 address, for example, 1080::8:800:200C:417A.
• node screen name, for example, node1.
◆ mask <IP mask>
Specifies the netmask for the management interface IP address.
See also
mgmt(1), bigpipe(1), route(1)
A - 70
mirror
Configures interface (port) mirroring.
Syntax
Use this command to create, modify, display, or delete interface mirroring.
Create/Modify
mirror <mirror key list> {}
mirror (<mirror key list> | all) [{] <mirror arg list> [}]
<mirror key> ::=
<if name>
<mirror arg> ::=
interfaces (<interface key list> | none) [add | delete]
Display
mirror [<mirror key list> | all] [show [all]]
mirror [<mirror key list> | all] list [all]
mirror [<mirror key list> | all] name [show]
mirror [<mirror key list> | all] interfaces [show]
Delete
mirror (<mirror key list> | all) delete
Description
Use the mirror command to create, display, and delete port mirroring on
given interfaces. You can mirror traffic from many ports to one port. The
mirror-to port is dedicated to mirroring and cannot be a VLAN or a trunk
member.
Examples
Creates a port mirror, 1.1, that includes interfaces 1.2, 1.3, 1.4. Traffic from
the interfaces 1.2, 1.3, and 1.4 is mirrored to the interface 1.1:
mirror 1.1 interfaces 1.2 1.3 1.4
Adds interfaces 1.2, 1.3, 1.4 to the existing port mirror 1.1:
mirror 1.1 interface 1.2 1.3 1.4 add

Appendix A
Options
You can use these options with the mirror command:
• add
Adds interfaces to an existing port mirror.
Important
Be aware that if you do not use add, the list of interfaces you specify
replaces the existing interfaces on the port mirror.
• all
Provides the ability to apply a command to all existing port mirrors.
• delete
Deletes interfaces from an existing port mirror. The list of interfaces you
specify is deleted from the port mirror.
• <interface key>
Specifies an interface name, for example 3.1.
• <key list>
Provides the ability to apply a command to a list of existing port mirrors.
See also
interface(1), bigpipe(1)
A - 72
monitor
Creates, modifies, and deletes monitor instances or templates.
Syntax
Use this command to create, modify, display, or delete monitor instances or
monitors.
Create/Modify
Important
partition to the partition in which you want to create the object. We
recommend that you create a monitor in the same partition in which the
object that it monitors resides. For more information, see the Configuring
Administrative Partitions and Managing User Accounts chapters in the
BIG-IP® Network and System Management Guide.
monitor <monitor key list> {}

monitor (<monitor key list> | all) [{] <monitor arg list> [}]
<monitor key> ::=
<name>
<monitor arg> ::=
defaults from <name>
(enable | disable)
accounting node <string>
accounting port <string>
agent <string>
agent type <string>
args <string>
base <string>
call id <string>
cert <string>
cipherlist <string>
cmd <string>
compatibility <string>
community <string>
count <string>
cpu coefficient <string>
cpu threshold <string>
database <string>
debug <string>

Appendix A
dest (<ip addr> | <node>)

disk coefficient <string>
disk threshold <string>
domain <string>
fault <string>
filename <string>
filter <string>
folder <string>
framed addr <string>
get <string>
gwm addr <string>
gwm interval <string>
gwm protocol <string>
gwm service <string>
instance (<monitor instance list> | noe) [add | delete]
interval <number>
is read only
mandatoryattrs <string>
manual resume
mem coefficient <string>
mem threshold <string>
method <string>
metrics <string>
mode <string>
namespace <string>
newsgroup <string>
param name <string>
param type <string>
param value <string>
password <string>
post <string>
program <string>
protocol <string>
recv <string>
recvcolumn <string>
recvdrain <string>
recvrow <string>
return type <string>
return value <string>
reverse
run <string>
secret <string>
security <string>
send <string>
A - 74
sendpackets <string>
server <string>
server id <string>
service <string>
session id <string>
snmp version <string>
timeout (<number> | immediate | indefinite)
timeoutpackets <string>
transparent
urlpath <string>
username <string>
version <string>
<name> <string>
<monitor instance> ::=
<monitor key list> [{] <monitor instance arg list> [}]
<monitor instance key> ::=
(<ip addr> | <node>)
<monitor instance arg> ::=
(enable | disable)
WARNING
Do not disable default monitors.
Display
monitor [<monitor key list> | all] [show [all]]
monitor [<monitor key list> | all] list [all]
monitor [<monitor key list> | all] name [show]
monitor [<monitor key list> | all] defaults from [show]
monitor [<monitor key list> | all] interval [show]
monitor [<monitor key list> | all] timeout [show]
monitor [<monitor key list> | all] dest [show]
monitor [<monitor key list> | all] reverse [show]
monitor [<monitor key list> | all] transparent [show]
monitor [<monitor key list> | all] manual resume [show]
monitor [<monitor key list> | all] enabled [show]
monitor [<monitor key list> | all] flags [show]
monitor [<monitor key list> | all] partition [show]
monitor [<monitor key list> | all] instance [show]
monitor [<monitor key list> | all] accounting node [show]
monitor [<monitor key list> | all] accounting port [show]
monitor [<monitor key list> | all] agent [show]
monitor [<monitor key list> | all] agent type [show]
monitor [<monitor key list> | all] args [show]
monitor [<monitor key list> | all] base [show]

Appendix A
monitor [<monitor key list> | all] call id [show]

monitor [<monitor key list> | all] cert [show]
monitor [<monitor key list> | all] cipherlist [show]
monitor [<monitor key list> | all] cmd [show]
monitor [<monitor key list> | all] compatibility [show]
monitor [<monitor key list> | all] community [show]
monitor [<monitor key list> | all] count [show]
monitor [<monitor key list> | all] cpu coefficient [show]
monitor [<monitor key list> | all] cpu threshold [show]
monitor [<monitor key list> | all] database [show]
monitor [<monitor key list> | all] debug [show]
monitor [<monitor key list> | all] disk coefficient [show]
monitor [<monitor key list> | all] disk threshold [show]
monitor [<monitor key list> | all] domain [show]
monitor [<monitor key list> | all] fault [show]
monitor [<monitor key list> | all] filename [show]
monitor [<monitor key list> | all] filter [show]
monitor [<monitor key list> | all] folder [show]
monitor [<monitor key list> | all] framed addr [show]
monitor [<monitor key list> | all] get [show]
monitor [<monitor key list> | all] gwm addr [show]
monitor [<monitor key list> | all] gwm interval [show]
monitor [<monitor key list> | all] gwm protocol [show]
monitor [<monitor key list> | all] gwm service [show]
monitor [<monitor key list> | all] mandatoryattrs [show]
monitor [<monitor key list> | all] mem coefficient [show]
monitor [<monitor key list> | all] mem threshold [show]
monitor [<monitor key list> | all] method [show]
monitor [<monitor key list> | all] metrics [show]
monitor [<monitor key list> | all] mode [show]
monitor [<monitor key list> | all] namespace [show]
monitor [<monitor key list> | all] newsgroup [show]
monitor [<monitor key list> | all] param name [show]
monitor [<monitor key list> | all] param type [show]
monitor [<monitor key list> | all] param value [show]
monitor [<monitor key list> | all] partition [show]
monitor [<monitor key list> | all] password [show]
monitor [<monitor key list> | all] post [show]
monitor [<monitor key list> | all] program [show]
monitor [<monitor key list> | all] protocol [show]
monitor [<monitor key list> | all] recv [show]
monitor [<monitor key list> | all] recvcolumn [show]
monitor [<monitor key list> | all] recvdrain [show]
monitor [<monitor key list> | all] recvrow [show]
A - 76
monitor [<monitor key list> | all] return type [show]

monitor [<monitor key list> | all] return value [show]
monitor [<monitor key list> | all] run [show]
monitor [<monitor key list> | all] secret [show]
monitor [<monitor key list> | all] security [show]
monitor [<monitor key list> | all] sendpackets [show]
monitor [<monitor key list> | all] send [show]
monitor [<monitor key list> | all] server [show]
monitor [<monitor key list> | all] server id [show]
monitor [<monitor key list> | all] service [show]
monitor [<monitor key list> | all] session id [show]
monitor [<monitor key list> | all] snmp version [show]
monitor [<monitor key list> | all] timeoutpackets [show]
monitor [<monitor key list> | all] urlpath [show]
monitor [<monitor key list> | all] username [show]
monitor [<monitor key list> | all] version [show]
monitor [<monitor key list> | all] <name> [show]
monitor [<monitor key list> | all] is read only show
Delete
monitor (<monitor key list> | all) delete
Description
Monitors verify connections on pool members and nodes. A monitor can be
either a health monitor or a performance monitor, designed to check the
status of a pool, pool member, or node on an ongoing basis, at a set interval.
If a pool member or node being checked does not respond within a specified
timeout period, or the status of a pool member, or node indicates that
performance is degraded, the system can redirect the traffic to another pool
member or node. Some monitors are included as part of the system, while
other monitors are user-created. Monitors that the system provides are called
pre-configured monitors. User-created monitors are called custom
monitors.
The task of implementing a monitor varies depending on whether you are
using a pre-configured monitor or creating a custom monitor. If you want to
implement a pre-configured monitor, you need only associate the monitor
with a pool, pool member, or node. If you want to implement a custom
monitor, you must first create the custom monitor, and then associate it with
a pool, pool member, or node.
Note
To view the man page for the monitor command, you must enter man
monitor at the BIG-IP system prompt.

Appendix A
Pre-configured monitors
The following monitors are pre-configured monitors:
• gateway icmp
• http
• https
• https 443
• icmp
• real server
• snmp dca
• tcp
• tcp echo
• tcp half open
Examples
This procedure describes how to create a custom HTTP monitor.
1. Log in to the command line.
2. View the variables for the default monitors, by typing the following
command:
monitor list all |more
3. Find a default monitor on which you want to base the new monitor
and make a note of the settings that you want to change.
For example, if you want to define a new monitor that is based on
the default HTTP monitor, view the default HTTP monitor.
The default HTTP monitor appears as follows:

monitorroot http {
defaults from
interval 5
timeout 16
dest *:*
password
recv
send GET /
username
}
A - 78
From the configuration statement of the default HTTP monitor, the

following settings are available:
defaults from none
interval 5
timeout 16
dest *.*
password
recv
send GET /
username
Important: The values for the password, recv, send, and username
settings are contained in quotation marks. If you want to change
these values, you must place the new values in quotation marks.
4. Define the new monitor, using the following command syntax:
monitor <name> '{ defaults from <monitor> <setting>
<value>... }'>
5. Replace name with the name you want to use for the new monitor.
6. Replace monitor with the name of the default monitor on which
you want to base the new monitor.
7. Replace setting and value with the name and value of each setting
you want to change.
For example, if you want to create a monitor named
myhttpmonitor that has an interval of 30, a timeout of 91, and a
send string of GET /test.html, you would type the following
command:
bigpipe monitor myhttpmonitor '{ defaults from http
interval 30 timeout 91 send GET /test.html }'
If you decide to change the timeout for the monitor to 121, you
would type the following command:
bigpipe monitor myhttpmonitor '{ interval 121 }'
8. Save the new monitor, by typing the following command:

bigpipe save
For more information about configuring monitors, see the Configuration

Guide for BIG-IP® Local Traffic Management.
Options
You can use these options with the monitor command:
◆ defaults from
Specifies the monitor that you want to use as the parent monitor. Your
new monitor inherits all settings and values from the parent monitor
specified. The new monitor will have the default settings of the monitor
you specify, but you can change any of the settings. This option is
required.
◆ agent
Specifies an agent for use with Real Server, SNMP Base, and WMI
monitors only.

Appendix A
◆ agent type
Specifies the SNMP DCA agent type. This is the type of agent running
on the server that you are monitoring with an SNMP DCA monitor.
◆ args
Specifies any required command line arguments used by external
monitors.
◆ base
Specifies a base name, used by LDAP.
◆ cert
Provides the ability to supply a certificate file to be presented to the
server by an HTTPS monitor. The default is null, that is, no certificate is
supplied. If you want a certificate to be presented to the server, you must
provide the full path to the certificate file in this parameter.
◆ cipherlist
Changes the cipher list that the HTTPS monitor uses, from the default.
The default cipherlist used is: DEFAULT:+SHA:+3DES:+kEDH. The
default cipher list is located in the file base_monitors.conf.
◆ cmd
Specifies a command associated with metrics and metric values. Applies
to Real Server and WMI monitors.
◆ community
Specifies an SNMP community name. Applies to SNMP DCA monitors
only. The default value is Public.
◆ compatibility
Sets the SSL options to ALL for an HTTPS monitor. You can enable or
disable this option.
◆ cpu coefficient
Specifies an SNMP DCA CPU Coefficient. This is a CPU value used for
calculating a ratio weight.
◆ cpu threshold
Specifies an SNMP DCA CPU threshold. This is the highest disk
threshold value allowed, used in calculating a ratio weight.
◆ database
Specifies a database name, used by SQL. This is the name of the data
source on the node being pinged, for example, sales or hr.
◆ debug
Determines whether or not debug mode is provided by the monitor.
If the value is yes, the monitor redirects its stderr output to the file
/var/log/<service> <ip addr>.<port>.log, and additional debug
information is directed to stderr.
◆ dest
Specifies a destination IP address. You can also set this to a node name.
◆ disk coefficient
Specifies an SNMP DCA Disk coefficient. This is a disk value used for
calculating a ratio weight.
A - 80
◆ disk threshold
Specifies an SNMP DCA Disk threshold. This is the highest disk
◆ domain
Specifies a domain name, for SMTP monitors only.
◆ fault
For a SOAP monitor, fault is a Boolean operator specifying whether to
check for a SOAP fault. Valid values are (0, 1). When the fault parameter
is specified as a value of 1, the monitor expects the successful execution
it is monitoring to include a returned fault. This is useful to test for
situations when a fault is expected. This tests only for the existence of a
SOAP fault. Any other server error codes signal a failure of the monitor.
◆ filter
Specifies a filter name, used by LDAP.
◆ folder
Specifies a folder name, used by IMAP.
◆ get
Gets a specified string.
◆ interval
Monitor’s interval time in seconds. The default is 0.
◆ mem coefficient
Specifies an SNMP DCA Memory coefficient. This is a memory value
used for calculating a ratio weight.
◆ mem threshold
Specifies an SNMP DCA Memory threshold. This is the highest disk
◆ method
Specifies a method specification such as GET or POST. Applies to Real
Server, SOAP, and WMI monitors only.
◆ metrics
Specifies metrics that you want to monitor, such as CPU percentage or
memory usage. Applies to Real Server and WMI monitors only.
◆ mode
Sets the mode of the monitor. For example, an acceptable setting for this
value is passive for an FTP monitor, or udp or tcp for a SIP monitor.
◆ name
Specifies the monitor name.
◆ namespace
Specifies the namespace associated with the given web service for a
SOAP monitor.
◆ newsgroup
Specifies a newsgroup name, for NNTP monitors only.

Appendix A
◆ param name
If the method has a parameter, specify the name of that parameter for the
SOAP monitor.
◆ param type
Specifies the basic type associated with the given parameter name in a
SOAP monitor. Valid values are (long, int, string, bool).
◆ param value
Specifies the value of the given parameter for the SOAP monitor.
◆ partition
Displays the partition within which the monitor resides.
◆ password
Specifies the password for the specified user name.
◆ post
Specifies a WMI and Real Server post field.
◆ protocol
Specifies the protocol to use for a SOAP monitor. Valid values are http
or https.
◆ recv
This is an optional parameter, containing the value expected back for a
particular row and column of the table retrieved by the send parameter,
for example, Smith. The expected data must be of a database type that
converts directly to a Java String (for example, VARCHAR). If no value
is specified for this parameter, the returned data is not checked for any
specific value and, as long as no discernible errors occurred (for
example, data was received), the service is considered to be up.
◆ recvcolumn
This option is meaningful only if the recv option is specified. It contains
the column in the returned table in which the recv value is expected.
◆ recvrow
This option is meaningful only if the recv option is specified. It contains
the row in the returned table in which the recv value is expected.
◆ return type
If a return type is to be tested, specifies the basic type of the return
parameter. Valid values are:
• bool (Boolean)
• char
• double
• float
• int (integer)
• long
• short
• string
A - 82
◆ return value
For the SOAP monitor. If a return name is specified, this is the value to
use for comparison to yield a successful service check.
◆ reverse
Checks a monitor recv string reverse mode.
◆ run
Runs a path name.
◆ secret
Specifies a secret or shared secret, used by RADIUS.
◆ security
Valid values are:
• ssl: This value requests that LDAP over SSL be used.
• tls: This value requests that TLS be used.
• none: This value (or a null value or any value that does not equal one
of the above) invokes no special security. The monitor runs as the
previous LDAP pinger was run.
◆ send
You can use this parameter with TCP, HTTP, and HTTPS ECVs, as well
as the SQL monitor. Since this may have special characters, it may
require that it be enclosed with single quotation marks. If this value is
null, then a valid connection suffices to determine that the service is up.
In this case, the recv, recvrow, and recvcolumn options are not needed,
and will be ignored even if not null.
◆ sendpackets
Specifies the number of packets to send when using the UDP monitor.
◆ snmp version
Specifies the SNMP version.
◆ timeout
Monitor’s timeout in seconds. You can also set the timeout to immediate
or indefinite. The default is 0.
◆ timeoutpackets
Specifies the timeout in seconds for receiving UDP packets.
◆ transparent
Specifies a monitor for transparent devices. In this mode, the node with
which the monitor is associated is pinged through to the destination node.
◆ urlpath
For a SOAP monitor, supplies a URL path.
◆ username
Specifies a user name for services with password security. For LDAP
monitors only, this is a distinguished name, that is, LDAP-format user
name.

Appendix A
See also
monitorroot(1), node(1), pool(1), bigpipe(1)
A - 84
nat
Configures network address translation (NAT).
Syntax
Use this command to create, modify, display, or delete a NAT.
Create/Modify
nat <nat key list> {}
nat (<nat key list> | all) [{] <nat arg list> [}]
<nat key> ::=
(<ip addr> | none)
<ip addr> to <ip addr>
(<ip addr> | none) map <ip addr>
<nat arg> ::=
orig addr (<ip addr> | none)
(enable | disable)
arp (enable | disable)
unit <number>
<ip addr>
map <ip addr>
vlans (<vlan key list> | none | all) (enable | disable)
nat [<nat key list> | all] stats reset
Display
nat [<nat key list> | all] [show [all]]
nat [<nat key list> | all] list [all]
nat [<nat key list> | all] orig addr [show]
nat [<nat key list> | all] trans addr [show]
nat [<nat key list> | all] enabled [show]
nat [<nat key list> | all] arp [show]
nat [<nat key list> | all] unit [show]
nat [<nat key list> | all] stats [show]
nat [<nat key list> | all] to [show]
nat [<nat key list> | all] map [show]
nat [<nat key list> | all] vlans [show]
Delete
nat (<nat key list> | all) delete

Appendix A
Description
A network address translation (NAT) defines a bi-directional mapping
between an originating IP address, orig addr, and a translated IP address,
trans addr.
A primary reason for defining a NAT is to allow one of the servers in the
server array behind the traffic management system to initiate
communication with a computer in front of, or external to the system.
Examples
The node behind the system with the IP address 10.0.140.100 has a presence
in front of the BIG-IP system as IP address 11.0.0.100:
nat 10.0.140.100 to 11.0.0.100
Permanently deletes the NAT from the system configuration:

nat 10.0.140.100 delete
Additional Restrictions
The nat command has the following additional restrictions:
• A virtual server cannot use the IP address defined in the <trans addr>
parameter.
• A NAT cannot use a BIG-IP system's IP address.
• A NAT cannot use an originating or translated IP address defined for and
used by a SNAT or another NAT.
• You must delete a NAT before you can redefine it.
Options
You can use these options with the nat command:
• arp
Enables or disables Address Resolution Protocol (ARP).
• <ip addr> to <ip addr> or <ip addr> map <ip addr>
Specifies the IP address that is translated or mapped, and the IP address
to which it is translated or mapped. One of these settings is required
when creating a NAT.
• orig addr
Specifies the IP address from which traffic is being initiated.
• trans addr
Specifies the IP address that <orig addr> is translated to by the traffic
management system.
• vlans
Specifies the name of an existing VLAN on which access to the NAT is
enabled or disabled. A NAT is accessible on all VLANs by default.
A - 86
• unit
Specifies a unit ID, currently 1 or 2 for the redundant system. The default
unit ID is set to 1.
See also
snat(1), snat translation(1), bigpipe(1)

Appendix A
ndp
Manages IPv6 neighbor discovery.
Syntax
Use this command to create, display, and delete IPv6 neighbor discovery.
Create/Modify
ndp <ndp key list> {}
ndp (<ndp key list> | all) [{]}<ndp arg list> {]}
<ndp key> :=
<ip addr>
(static | dynamic)
<ndp arg> :=
(<mac addr> | none)
Display
ndp (<ndp key list> | all) [show [all]]
ndp (<ndp key list> | all) list [all]
ndp (<ndp key list> | all) ip addr [show]
ndp (<ndp key list> | all) type [show]
ndp (<ndp key list> | all) mac addr [show]
Delete
ndp (<ndp key list> | all) delete
Description
The ndp command provides the ability to display and modify the
IPv6-to-Ethernet address translation tables used by the IPv6 neighbor
discovery protocol.
Examples
Maps the IPv6 address fec0:f515::c001 to the MAC address
00:0B:DB:3F:F6:57:
ndp fec0:f515::c001 00:0B:DB:3F:F6:57
Shows all static and dynamic IPv6 address-to-MAC address mapping:

ndp all show
A - 88
Options
You can use these options with the ndp command:
• <ip addr>
Specifies the IPv6 address to be mapped to the MAC address. For
example, fec0:f515::c001.
• <mac addr>
Specifies a 6-byte ethernet address in non case-sensitive hexadecimal
colon notation. For example, 00:0b:09:88:00:9a. This option is required.
• static
Displays static IPv6 address-to-MAC address mapping.
• dynamic
Displays dynamic IPv6 address-to-MAC address mapping.
• all
Displays all static and dynamic IPv6 address-to-MAC address mapping.
See also
arp(1), bigpipe(1)

Appendix A
node
Creates, modifies, or displays node addresses and services.
Syntax
Use this command to create, modify, or display node addresses and services.
Create/Modify
Important
Guide.
node <node key list> {}

node (<node key list> | all) [{] <node arg list> [}]
<node key> ::=
(<ip addr> | none)
<node arg> ::=
dynamic ratio <number>
limit <number>
monitor (default | <monitor key> | <monitor key> and <monitor key> \
[ and <monitor key> ...] | min <number> of <monitor key list>)
ratio <number>
session (enable | disable)
(up | down)
screen (<name> | none)
node [<node key list> | all] stats reset
Display
node [<node key list> | all] [show [all]]
node [<node key list> | all] list [all]
node [<node key list> | all] addr [show]
node [<node key list> | all] dynamic ratio [show]
node [<node key list> | all] limit [show]
node [<node key list> | all] monitor [show]
node [<node key list> | all] monitor state [show]
node [<node key list> | all] partition [show]
node [<node key list> | all] ratio [show]
node [<node key list> | all] screen [show]
A - 90
node [<node key list> | all] session [show]

node [<node key list> | all] stats [show]
Delete
node [<node key list> | all] delete
Description
Displays information about nodes, and sets attributes of nodes and node IP
addresses.
Examples
Displays information for all nodes in the system configuration:
node all show
Lists all nodes:

node all list
Removes all monitor associations from all nodes:

node all monitor none
Removes the default node monitor from all nodes. This command does not
remove monitors that have been explicitly assigned to nodes:
node * monitor none
Removes all monitor associations from the node 10.10.10.15:

node 10.10.10.15 monitor none
Options
You can use these options with the node command:
• dynamic ratio
Sets the dynamic ratio number for the node. Used for dynamic ratio load
balancing. The ratio weights are based on continuous monitoring of the
servers and are therefore continually changing. Dynamic Ratio load
balancing may currently be implemented on RealNetworks RealServer
platforms, on Windows platforms equipped with Windows Management
Instrumentation (WMI), or on a server equipped with either the UC
Davis SNMP agent or Windows 2000 Server SNMP agent.
• limit
Specifies the maximum number of connections allowed for the node or
node address.
• monitor
Specifies the name of the monitor that you want to associate with the
node.
• partition
Displays the partition in which the node resides.

Appendix A
• ratio
Specifies the fixed ratio value used for a node during ratio load
balancing.
• screen <name> | none
Specifies the given name of the node, if any.
• session
Displays the current connections for the specified node.
• up | down
Marks the node up or down.
See also
pool(1), monitor(1), bigpipe(1)
A - 92
ocsp responder
Configures Online Certificate System Protocol (OCSP) responder objects.
Syntax
Use the command to create, modify, display, or delete an OCSP responder
object.
Create/Modify
Important
Guide.
ocsp responder <ocsp responder key list> {}

ocsp responder (<ocsp responder key list> | all) [{] <ocsp arg list> [}]
<ocsp responder key> ::=
<name>
<ocsp responder arg> ::=
ca file (<file name> | none)
ca path (<file name> | none)
certid digest (sha1 | md5)
certs (enable | disable)
chain (enable | disable)
check certs (enable | disable)
explicit (enable | disable)
ignore aia (enable | disable)
intern (enable | disable)
sig verify (enable | disable)
sign key (<file name> | none)
sign key pass phrase (<string> | none)
sign other (<file name> | none)
sign digest (sha1 | md5)
signer (<file name> | none)
status age <number>
trust other (enable | disable)
url (<string> | none)
va file (<file name> | none)
validity period <number>

Appendix A
verify (enable | disable)

verify cert (enable | disable)
verify other (<string> | none)
Display
ocsp responder [<ocsp responder key list> | all] [show [all]]
ocsp responder [<ocsp responder key list> | all] list [all]
ocsp responder [<ocsp responder key list> | all] ca file [show]
ocsp responder [<ocsp responder key list> | all] ca path [show]
ocsp responder [<ocsp responder key list> | all] certid digest [show]
ocsp responder [<ocsp responder key list> | all] certs [show]
ocsp responder [<ocsp responder key list> | all] chain [show]
ocsp responder [<ocsp responder key list> | all] check certs [show]
ocsp responder [<ocsp responder key list> | all] explicit [show]
ocsp responder [<ocsp responder key list> | all] ignore aia [show]
ocsp responder [<ocsp responder key list> | all] name [show]
ocsp responder [<ocsp responder key list> | all] intern [show]
ocsp responder [<ocsp responder key list> | all] partition [show]
ocsp responder [<ocsp responder key list> | all] sig verify [show]
ocsp responder [<ocsp responder key list> | all] sign digest [show]
ocsp responder [<ocsp responder key list> | all] sign key [show]
ocsp responder [<ocsp responder key list> | all] sign key pass phrase [show]
ocsp responder [<ocsp responder key list> | all] sign other [show]
ocsp responder [<ocsp responder key list> | all] signer [show]
ocsp responder [<ocsp responder key list> | all] status age [show]
ocsp responder [<ocsp responder key list> | all] trust other [show]
ocsp responder [<ocsp responder key list> | all] url [show]
ocsp responder [<ocsp responder key list> | all] va file [show]
ocsp responder [<ocsp responder key list> | all] validity period [show]
ocsp responder [<ocsp responder key list> | all] verify [show]
ocsp responder [<ocsp responder key list> | all] verify cert [show]
ocsp responder [<ocsp responder key list> | all] verify other [show]
Delete
ocsp responder (<ocsp responder key list> | all) delete
Description
To implement the SSL OCSP authentication module, you must create the
following objects: one or more OCSP responder objects, an SSL OCSP
configuration object, and an SSL OCSP profile.
A - 94
Options
You can use these options with the ocsp responder command:
• ca file
Specifies the name of the file containing trusted CA certificates used to
verify the signature on the OCSP response.
• ca path
Specifies the name of the path containing trusted CA certificates used to
verify the signature on the OCSP response.
• certid digest
Specifies a specific algorithm identifier, either sha1 or md5. sha1 is
newer and provides more security with a 160 bit hash length. md5 is
older and has only a 128 bit hash length. The default is sha1. The cert ID
is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP
system) calculates the cert ID using a hash of the Issuer and serial
number for the certificate that it’s trying to verify.
• certs
Enables or disables the addition of certificates to an OCSP request. The
default is enable.
• chain
Constructs a chain from certificates in the OCSP response. The default is
enable.
• check certs
Makes additional checks to see if the signer's certificate is authorized to
provide the necessary status information. Used for testing purposes only.
The default is enable.
• explicit
Specifies that the LTM system explicitly trust that the OCSP response
signer's certificate is authorized for OCSP response signing. If the
signer's certificate does not contain the OCSP signing extension,
specification of this setting causes a response to be untrusted. The default
is enable.
• ignore aia
Causes the system to ignore the URL contained in the certificate's AIA
fields, and to always use the URL specified by the responder instead. The
default is disable.
• intern
Causes the system to ignore certificates contained in an OCSP response
when searching for the signer's certificate. To use this setting, the signer's
certificate must be specified with either the Verify Other or VA File
setting. The default is enable.
• sig verify
Checks the signature on the OCSP response. Used for testing purposes
only. The default is enable.
• sign key
Used to sign an OCSP request.
• sign key pass phrase
Used to encrypt the sign key.

Appendix A
• sign other
Adds a list of additional certificates to an OCSP request.
• sign digest
Specifies the algorithm for signing the request, using the signing
certificate and key. This parameter has no meaning if request signing is
not in effect (that is, both the request signing certificate and request
signing key parameters are empty). This parameter is required only when
request signing is in effect. The default is sha1.
• signer
Specifies a certificate used to sign an OCSP request. If the certificate is
specified but the key is not specified, then the private key is read from
the same file as the certificate. If neither the certificate nor the key is
specified, then the request is not signed. If the certificate is not specified
and the key is specified, then the configuration is considered to be
invalid.
• status age
The default is 0.
• trust other
Instructs the LTM system to trust the certificates specified with the
Verify Other setting. The default is disable.
• url
Specifies the URL used to contact the OCSP service on the responder.
When creating an OCSP responder object, you must specify a URL.
• va file
Specifies the name of the file containing explicitly-trusted responder
certificates. This parameter is needed in the event that the responder is
not covered by the certificates already loaded into the responder's CA
store.
• validity period
Specifies the number of seconds used to specify an acceptable error
range. This setting is used when the OCSP responder clock and a client
clock are not synchronized, which could cause a certificate status check
to fail. This value must be a positive number. The default is 300 seconds.
• verify
Enables or disables verification of an OCSP response signature or the
nonce values. Used for debugging purposes only. The default is enable.
• verify cert
• verify other
Specifies the name of the file used to search for an OCSP response
signing certificate when the certificate has been omitted from the
response.
See also
auth ssl ocsp(1), profile auth(1), bigpipe(1)
A - 96
oneconnect
Displays or resets OneConnectTM statistics for the BIG-IP system.
Syntax
Use this command to display or reset OneConnectTM statistics for the
BIG-IP system.
Display
oneconnect [show [all]]
Modify
oneconnect stats reset
Description
The OneConnect feature optimizes the use of network connections by
keeping server-side connections open and pooling them for re-use. You can
use the oneconnect command to display or reset OneConnectTM statistics for
the BIG-IP system.
See also
profile(1), profile oneconnect(1), bigpipe(1)

Appendix A
packet filter
Configures packet filter rules and trusted allow lists.
Syntax
Use this command to create, modify, display, or delete packet filtering.
Create/Modify
Use this syntax to create or modify packet filter rules:
packet filter (<packet filter key list> | all) [{] <packet filter arg list> [}]
<packet filter key> ::=
<name>
<packet filter arg> ::=
order <number>
action (none | accept | discard | reject | continue)
vlan (<vlan key> | none)
log (enable | disable)
rate class (<rate class key> | none)
filter (<rule>)
packet filter [<packet filter key list> | all] stats reset
Use this syntax to modify the packet filter’s allow trusted lists:
packet filter {}
packet filter [{] <packet filter arg list> [}]
<packet filter arg> ::=
allow trusted <allow trusted>
<allow trusted> ::=
[{] <allow trusted arg list> [}]
<allow trusted arg> ::=
addresses (<ip addr list> | none) [add | delete]
vlans (<vlan key list> | none) [add | delete]
macs (<mac addr list> | none) [add | delete]
packet filter <packet filter key list> {}
Display
packet filter [show [all]]
packet filter list [all]
packet filter allow trusted [show]
Use this syntax to display allow trusted lists:

packet filter allow trusted vlans [show]
packet filter allow trusted macs [show]
packet filter allow trusted addresses [show]
A - 98
Use this syntax to display packet filter rules:

packet filter [<packet filter key list> | all] [show [all]]
packet filter [<packet filter key list> | all] list [all]
packet filter [<packet filter key list> | all] action [show]
packet filter [<packet filter key list> | all] filter [show]
packet filter [<packet filter key list> | all] log [show]
packet filter [<packet filter key list> | all] order [show]
packet filter [<packet filter key list> | all] rate class [show]
packet filter [<packet filter key list> | all] vlan [show]
Delete
packet filter [<packet filter key list> | all] delete
Description
Provides the ability to create a layer of security for the traffic management
system using packet filter rules or trusted allow lists.
The BIG-IP system packet filters are based on the Berkeley Software Design
Packet Filter (BPF) architecture. Packet filter rules are composed of four
mandatory attributes and three optional attributes. The mandatory attributes
are name, order, action, and filter. The optional attributes are vlan, log,
and rate class. The filter attribute you choose defines the BPF script to
match for the rule.
Trusted allow lists are lists of IP addresses, MAC addresses, and VLANs
that you want to allow to bypass the packet filter.
Important
You must enable the packet filter flag using the Configuration utility, for any
packet filter configuration to work. By default, the packet filter flag is
disabled.
Trusted allow list example

Create a trusted allow list that allows anything listed to bypass the packet
filter.
packet filter allow trusted {
vlan internal1 internal2
mac 00:02:3F:3E:2F:FE}
In this example, you have an administrative laptop that you want to have
unrestricted access to the traffic management system. This is a laptop, and
therefore it might have a different IP address from time to time. One way to
solve the problem is to add a trusted MAC address. A trusted MAC address
is a MAC address that passes MAC address-based authentication.

Appendix A
This trusted allow list example shows the laptop MAC address as
00:02:3F:3E:2F:FE. Now the laptop can access the traffic management
system regardless of what address it boots with or to which VLAN it is
connected, as long as it is on the same physical segment as the traffic
management system.
Also in this example, the traffic management system is configured with a
basic firewall for the internal network. This example shows a way to filter
incoming traffic, and allow outgoing traffic to be unrestricted. To do this,
you add trusted VLANs that represent all traffic that originated on the
internal network.
Note
Another way to do this is to allow trusted IP addresses instead, for example,

192.168.26.0/24.
Packet filter rules examples

You can create a set of rules that specify what incoming traffic to accept and
how to accept it. See the examples following.
Example 1: Block spoofed addresses

This example prevents private IP addresses from being accepted on a public
VLAN. This is a way of ensuring that no one can spoof private IP addresses
through the external VLAN of the system. In this example, the system logs
when this happens.
packet filter spoof_blocker {
order 5
action discard
vlan external
log enable
filter {( src net 172.19.255.0/24 )}
}
Example 2: Allow restricted management access

You can allow restricted SSH and HTTPS access to the traffic management
system for management purposes, and keep a log of that access. However,
note that this is not the same management access you can get through the
management port/interface (MGMT); that interface is not affected by any
packet filter configuration and if that is the only way you want to allow
access to your system, this configuration is not necessary.
In the first rule, shown on the next page, SSH is allowed access from a
single fixed-address administrative workstation, and each access is logged.
In the subsequent rule, web-based Configuration utility access is allowed
from two fixed-address administrative workstations, however, access is not
logged.
A - 100
packet filter management_ssh {

order 10
action accept
log enable
filter {( proto TCP ) and ( src host 172.19.254.10 ) and ( dst port 22 )} }
packet filter management_gui {
order 15
action accept
filter {( proto TCP ) and ( src host 172.19.254.2 or src host 172.19.254.10 ) and \
( dst port 443)}
}
Example 3: Allow access to all virtual servers

In this final example, you can verify that all of the virtual servers in your
configuration are reachable from the public network. This is critical if you
have decided to use a default-deny policy. A default-deny policy restricts
Internet access to everything that is not explicitly permitted. This example
also shows how to rate shape all traffic to the virtual server IP address with a
default rate class (that can be overridden by individual virtual servers or
iRules later).
Note
This example has a single virtual server IP, and it does not matter what
interface the traffic is destined for. If you want to be more specific, you
could specify each service port, as well (for example, HTTP, FTP, Telnet,
and so on).
packet filter virtuals {

order 20
action accept
vlan external
rate class root
filter {( dst host 172.19.254.80 )}
}
Options
You can use these options with the packet filter command to create packet
filter rules:
◆ action
Specifies the action that the packet filter rule should take. The values for
action are: accept, discard, reject, continue, and none. There is no
default; you must specify a value when you create a packet filter rule.

Appendix A
◆ filter
Specifies the BPF expression to match. The filter is mandatory, however
you can leave it empty. If empty, the packet filter rule matches all
packets.
◆ log
Enables or disables packet filter logging. If you omit this value, no
logging is performed.
◆ order
Specifies a sort order. The values for the sort order are all integers
between 0 and 999, inclusive. No two rules may have the same sort
order.
There is a single, global list of rules. Each rule in the list has a relative
integer sort-order. The rule with the lowest sort-order value is always
evaluated first, the rule with the highest sort-order value is always
evaluated last, and all other rules are evaluated in-between in order based
on ascent of their sort-order value.
For example, if there are five rules, numbered 500, 100, 300, 200, 201;
the rule evaluation order is 100, 200, 201, 300, 500.
Each packet to be filtered is compared against the list of rules in
sequence, starting with the first. Evaluation of the rule list stops on the
first match that has an action of accept, discard, or reject. A match on a
rule with an action of none does not stop further evaluation of the rule
list; the statistics count is updated and a log is generated if the rule
indicates it, but otherwise rule processing continues with the next rule in
the list.
Rules should be sequenced for effect and efficiency by the user;
generally this means:
• More specific rules should be evaluated first, and thus have the lowest
sort-orders.
• One expression with multiple criteria is likely to evaluate more
efficiently than multiple expressions each with a single criterion.
This is a required setting.
◆ rate class
Specifies the name of a rate class. The value for the rate class association
is the name of any existing rate class. If omitted, no rate filter is applied.
◆ vlan
Specifies the VLAN to which the packet filter rule should apply. The
value for this option is any VLAN name currently in existence. If you
omit this value, the rule applies to all VLANs.
You can use these options with the packet filter command to create trusted
allow lists:
◆ addresses
Specifies a list of source IP addresses. Any traffic matching a source IP
in the list is automatically allowed. This simplifies configuration of the
packet filter to allow trusted internal traffic to be passed from VLAN to
A - 102
VLAN without a filter rule, including out to the Internet. Processing of

traffic by this option occurs before rule list evaluation, making it
impossible to override this option and mask out (block) certain types of
traffic with a packet filter rule. This option is empty by default.
◆ macs
Specifies a list of MAC addresses. The system allows any traffic
matching a MAC address in the source address list. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
◆ vlans
Specifies a list of ingress VLANs. Any traffic matching received on a
VLAN in the ingress VLAN list is automatically allowed. This simplifies
configuration of the packet filter to allow trusted internal traffic to be
passed from VLAN to VLAN without a filter rule, including out to the
Internet. Processing of traffic by this option occurs before rule list
evaluation, making it impossible to override this option and mask out
(block) certain types of traffic with a packet filter rule. This option is
empty by default.
See also
rate class(1), virtual(1), vlan(1), vlangroup(1), bigpipe(1)

Appendix A
partition
Creates, modifies, and deletes administrative partitions that implement
access control for the BIG-IP system users.
Syntax
Use this command to create, modify, and delete administrative partitions
that implement access control for the BIG-IP system users. To use this
command, the Administrator user role must be assigned to your user
account.
Create/Modify
partition <partition key list> {}
partition (<partition key list> | all) [{] <partition agr list> [}]
<partition key> ::=
<name>
<partition arg> ::=
description (<string> | none)
Display
partition (<partition key list> | all] [show [all]]
partition (<partition key list> | all] list [all]
partition (<partition key list> | all] name [show]
partition (<partition key list> | all] description [show]
Delete
partition (<partition key list> | all) delete
Description
An administrative partition is a logical container that you create, containing
a defined set of BIG-IP system objects, such as virtual servers, pools, and
profiles. When a specific set of objects resides in a partition, you can then
give certain users the authority to view and manage the objects in that
partition only, rather than to all objects on the BIG-IP system. This gives a
finer degree of administrative control.
Options
You can use the description option with the partition command. The
description option specifies a description of the partition, for example, This
partition contains local traffic management objects for managing
HTTP traffic.
A - 104
See also
user(1), bigpipe(1)

Appendix A
persist
Displays or deletes persistence records.
Syntax
Use this command to display or delete persistence records. For information
on configuring session persistence for a virtual server, see profile persist, on
page A-160.
Display
persist [<persist key list> | all] [show [all]]
<persist key> :=
pool <pool key> virtual <virtual key> node (<ip addr> | <node>) \
mode (none | source addr | dest addr | cookie | msrdp | ssl | sip | universal | \
hash) key (<string> | none) client (<ip addr> | none)
Delete
persist [<persist key list> | all] delete
Description
Specify the persistence records that you want to display or delete. If you
specify a parameter for persist key, you must specify a mode and no other
parameter than mode.
Examples
Displays all persistence records with a mode of source addr:
persist mode source addr
Displays all persistence records persisting to node 11.12.13.10:80:

persist node 11.12.13.10:80 show
Options
You can use the following options with this command.
• node
Indicates the node with which the client session should remain persistent.
• pool
Indicates the pool member with which the client session should remain
persistent.
The definition of each of the following options explains the type of

persistence records you can view or delete using the persist command.
A - 106
• cookie
Cookie persistence uses an HTTP cookie stored on a client's computer to
allow the client to connect to the same server previously visited at a web
site.
• dest addr
Also known as sticky persistence, destination address affinity persistence
supports TCP and UDP protocols, and directs session requests to the
same server based solely on the destination IP address of a packet.
• hash
Hash persistence is based on an existing iRule.
• msrdp
MSRDP persistence provides an efficient way of load balancing traffic
and maintaining persistent sessions between Windows clients and servers
that are running the Microsoft Terminal Services service. The
recommended scenario for enabling MSRDP persistence feature is to
create a load balancing pool that consists of members running Windows
.NET Server 2003, Enterprise Edition, or later, where all members
belong to a Windows cluster and participate in a Windows session
directory.
• sip
SIP Call-ID persistence is available for server pools. You can configure
Call-ID persistence for proxy servers that receive Session Initiation
Protocol (SIP) messages sent through UDP.
• source addr
Also known as simple persistence, source address affinity persistence
same server based solely on the source IP address of a packet.
• ssl
SSL persistence is a type of persistence that tracks non-terminated SSL
sessions, using the SSL session ID. Even when the client's IP address
changes, the system still recognizes the connection as being persistent
based on the session ID. Note that the term, non-terminated SSL
sessions, refers to sessions in which the system does not perform the
tasks of SSL certificate authentication and encryption/re-encryption.
• universal
Universal persistence allows you to write an expression that defines what
to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules, defines some sequence of bytes
to use as a session identifier.
See also
profile persist(1), virtual(1), bigpipe(1)

Appendix A
platform
Displays platform information.
Syntax
Use this command to display information about the BIG-IP platform.
Display
platform [show [all]]
platform list [all]
platform base mac [show]
platform bios rev [show]
Description
Display platform statistics such as CPU fan speed and temperature, chassis
temperature, and power supply status.
Examples
This command:
platform show all
Displays the following information:

PLATFORM INFORMATION -
Type
Chassis serial number and part number
Switch board serial number and part number
Host board serial number and part number
Annunciator board serial number and part number
BIOS Rev
base MAC
CPU temp and fan speed
CHASSIS TEMPERATURE
CHASSIS FAN status
POWER SUPPLY status
This command:
platform base mac [show]
Displays the following information:

PLATFORM - base mac: 00:01:D7:2C:9F:40
A - 108
See also
bigpipe(1)

Appendix A
pool
Configures load balancing pools on the traffic management system.
Syntax
Use this command to create, modify, display, or delete a load balancing
pool.
Create/Modify
Important
Guide.
pool <pool key list> {}

pool <pool key list>[{] <pool arg list> [}]
<pool key>::=
<name>
<pool arg> ::=
lb method (round robin | member ratio | member least conn | member observed | \
member predictive | ratio | least conn | fastest | observed | predictive | \
dynamic ratio | fastest app resp | least sessions | member dynamic ratio | \
l3 addr | rr | node ratio)
action on svcdown (none | reset | drop | reselect)
min up members <number>
min up members (enable | disable)
min up members (reboot | restart all | failover)
min active members <number>
unit <number>
snat (enable | disable)
nat (enable | disable)
ip tos to client (<number> | pass)
ip tos to server (<number> | pass)
link qos to client (<number> | pass)
link qos to server (<number> | pass)
slow ramp time <number>
monitor all (none | <monitor key> | <monitor key> and <monitor key> \
[and <monitor key> ...] | min <number> of <monitor key list>)
members (<pool member list> | none) [add | delete]
A - 110
<pool member> ::=

<pool member key list> [{] <pool member arg list> [}]
<pool member key> ::=
<node>
<pool member arg> ::=
limit <number>
ratio <number>
weight <number>
priority <number>
dynamic ratio <number>
(up | down)
session (enable | disable)
monitor (default | <monitor key> | <monitor key> and <monitor key> \
[and <monitor key> ...] | min <number> of <monitor key list>)
pool (<pool key list> | all) stats reset
Display
pool [<pool key list> | all] [show [all]]
pool [<pool key list> | all] list [all]
pool (<pool key list> | all) name show
pool [<pool key list> | all] lb method [show]
pool [<pool key list> | all] action on svcdown [show]
pool [<pool key list> | all] min up members [show]
pool [<pool key list> | all] min active members [show]
pool [<pool key list> | all] unit [show]
pool [<pool key list> | all] snat [show]
pool [<pool key list> | all] nat [show]
pool [<pool key list> | all] ip tos to client [show]
pool [<pool key list> | all] ip tos to server [show]
pool [<pool key list> | all] link qos to client [show]
pool [<pool key list> | all] link qos to server [show]
pool [<pool key list> | all] slow ramp time [show]
pool [<pool key list> | all] monitor all [show]
pool [<pool key list> | all] partition [show]
pool [<pool key list> | all] members [show]
pool [<pool key list> | all] stats [show]
Delete
pool (<pool key list> | all) delete

Appendix A
Description
The pool command creates, deletes, modifies, and displays the pool
definitions on the traffic management system. Pools group the member
servers together to use a common load balancing algorithm.
Examples
Creates a pool with two members 10.2.3.11, and 10.2.3.12, where both
members use the round robin load balancing method, and the default HTTP
monitor checks for member availability:
pool mypool {
monitor all http
member 10.2.3.11:http
member 10.2.3.12:http
}
Deletes the pool mypool: (Note that all references to a pool must be
removed before a pool may be deleted.)
pool mypool delete
Displays statistics for all pools:

pool show
Displays settings of pool mypool:

pool mypool show
Options
You can use these options with this command:
◆ <pool key list>
Specifies a list of pool names separated by a space. A pool name is a
string from 1 to 31 characters, for example, new_pools.
◆ action on svcdown
Specifies the action to take if the service specified in the pool is marked
down. Possible values are none, reset, drop, or reselect. You can
specify no action with none, you can reset the system with reset, you can
drop connections using drop, or, you can reselect a node for the next
packet that comes in on a Layer 4 connection if the existing connection’s'
service is marked down by specifying reselect. The default is none.
◆ <ip:service>
Specifies an IP address and service being assigned to a pool as a member.
For example, 10.2.3.12:http.
◆ ip tos to client and ip tos to server
Specifies the Type of Service (ToS) level to use when sending packets to
a client or server. The default is 65535.
A - 112
◆ lb method
Specifies the load balancing mode that the system is to use for the
specified pool.
• dynamic ratio - Specifies a range of numbers that you want the
system to use in conjunction with the ratio load balancing method.
The default ratio number is 1.
• fastest - Indicates that the system passes a new connection based on
the fastest response of all currently active nodes in a pool. This
method may be particularly useful in environments where nodes are
distributed across different logical networks.
• fastest app resp - Indicates that the system passes a new connection
based on the fastest application response of all currently active nodes
in a pool.
• l3 addr - Indicates that the system passes connections sequentially to
each member configured using its IP address. The IP address is a
Layer 3 address.
• least conn - Indicates that the system passes a new connection to the
node that has the least number of current connections.
• least sessions - Indicates that the system passes a new connection to
the node that has the least number of current sessions. Least Sessions
methods work best in environments where the servers or other
equipment you are load balancing have similar capabilities. This is a
dynamic load balancing method, distributing connections based on
various aspects of real-time server performance analysis, such as the
current number of sessions
• member dynamic ratio - Indicates that the system passes a new
connection to the member based on continuous monitoring of the
servers, which are continually changing. This is a dynamic load
balancing method, distributing connections based on various aspects
of real-time server performance analysis, such as the current number
of connections per node or the fastest node response time.
• member least conn - Indicates that the system passes a new
connection to the member that has the least number of current
connections.
• member observed - Indicates that the system passes connections
sequentially to each member based on observed status of the member.
• member predictive - Indicates that the system passes connections
sequentially to each member based on a predictive algorithm.
• member ratio - Specifies a ratio number that you want the system to
use in conjunction with the ratio load balancing method. The default
ratio number is 1.
• node ratio - Specifies a ratio number that you want the system to use
in conjunction with the ratio load balancing method. The default ratio
number is 1.
• observed - Indicates that the system passes connections sequentially
to each node based on observed status of the member.

Appendix A
• predictive - Indicates that the system passes connections sequentially

to each node based on a predictive algorithm.
• rr - Indicates that the system passes connections sequentially to each
member. Round Robin is the default load balancing method.
◆ link qos to client and link qos to server
Specifies the Quality of Service (QoS) level to use when sending packets
to a client or server. The default is 65535.
◆ min active members
Specifies the minimum number of members that must remain available
for traffic to be confined to a priority group when using priority-based
activation. The default is 0.
◆ min up members
Enables or disables this feature. The default is disable.
◆ Specifies the minimum number of members that must remain up for
traffic to be confined to a priority group when using priority-based
activation. If the number specified is exceeded the action specified
happens. The default is 0.
◆ You can also specify the action taken if the min up members number is
exceeded. The actions you can specify are reboot to reboot the unit,
restart all to restart the load balancing system, or failover to failover to
another unit. The default is failover.
◆ monitor all
Creates a monitor rule for the pool. You can specify a monitor rule that
marks the pool down if the specified number of monitors are not
successful.
◆ nat
Enables or disables NAT connections for the pool.
◆ priority
Specifies a priority that you want to assign to a pool member, to ensure
that traffic is directed to that member before being directed to a member
of a lower priority.
◆ slow ramp time
Provides the ability to cause a pool member that has just been enabled, or
marked up, to receive proportionally less traffic than other members in
the pool. The proportion of traffic the member accepts is determined by
how long the member has been up in comparison to the slow ramp time
set for the pool. For example, if a pool using round robin has a slow ramp
time of 60 seconds, and the pool member has been up for only 30
seconds, it receives approximately half the amount of new traffic as other
pool members that have been up for more than 60 seconds. At 45
seconds, it receives approximately three quarters of the new traffic. Slow
ramp time is particularly useful for least connections load balancing
mode. The default is 0.
◆ snat
Enables or disables SNAT connections for the pool.
A - 114
◆ unit
Specifies the unit number used by this pool in an active-active redundant
system.
See also
monitor(1), node(1), virtual(1), bigpipe(1)

Appendix A
profile
Displays profile settings, resets statistics, or deletes a profile.
Syntax
Use this command to display profile settings, reset statistics, or delete a
profile.
Modify
<profile key> ::=
<name>
profile [<profile key list> | all] stats reset
Display
profile [<profile key list> | all] [show [all]]
profile [<profile key list> | all] list [all]
profile [<profile key list> | all] name [show]
Delete
profile (<profile key list> | all) delete
Description
Use this command to display or delete existing profiles. You can also reset
statistics for an existing profile or display the configuration for a profile.
Examples
Displays all profiles on the system. Includes all system profiles.
profile all show
See also
profile auth(1), profile clientssl(1), profile fastl4(1), profile fastthttp(1),
profile ftp(1), profile http(1), profile oneconnect(1), profile persist(1),
profile serverssl(1), profile statistics(1), profile stream(1), profile tcp(1),
profile udp(1), bigpipe(1)
A - 116
profile auth
Configures a type of authentication profile.
Syntax
Use this command to create, modify, display, or delete a type of
authentication profile.
Create/Modify
Important
Guide.
profile auth <profile auth key list> {}

profile auth (<profile auth key list> | all) [{] <auth profile arg list> [}]
<auth auth key> ::=
<name>
<auth profile arg> ::=
config (<name> | default)
credential source (http basic auth | default)
defaults from (<profile auth key> | none)
mode (enable | disable | default)
type (ldap | radius | ssl cc ldap | ssl ocsp | tacacs | generic | ssl crldp | \
default)
rule (<rule key> | none | default)
idle timeout (<number> | immediate | indefinite | default)
profile auth [<profile auth key list> | all] stats reset
Display
profile auth [<profile auth key list> | all] [show [all]]
profile auth [<profile auth key list> | all] list [all]
profile auth [<profile auth key list> | all] config [show]
profile auth [<profile auth key list> | all] credential source [show]
profile auth [<profile auth key list> | all] defaults from [show]
profile auth [<profile auth key list> | all] idle timeout [show] profile auth \
[<profile auth key list> | all] mode [show]
profile auth [<profile auth key list> | all] name [show]
profile auth [<profile auth key list> | all] partition [show]

Appendix A
profile auth [<profile auth key list> | all] rule [show]

profile auth [<profile auth key list> | all] stats [show]
profile auth [<profile auth key list> | all] type [show]
Delete
profile auth (<profile auth key list> | all) delete
Description
Create, modify, display, or delete an authentication profile. An
authentication profile is an object that specifies the type of authentication
module you want to implement, a parent profile, and the configuration
object. For example, you can use the profile auth command to create a
TACACS+ profile (see example following). You can either use the default
profile that the LTM system provides for each type of authentication
module, or create a custom profile. The types of authentication profiles you
can create with the profile auth command are: LDAP, SSL CC LDAP,
RADIUS, TACACS+, SSL OCSP, and CRLDP.
Examples
Creates a profile named mytacacs_profile for TACACS+ authentication:
profile auth mytacacs_profile {
config mytacacs_profile config credential source http basic auth defaults from tacacs \
mode enable type tacacs rule myrule1 idle timeout 60
}
Example of auth module implementation

For example, to configure the LDAP authentication module, create the
following objects.
1. Create an LDAP configuration object using the auth ldap
command.
2. Create an LDAP profile, in which you specify the authentication
module type as LDAP, specify a parent profile (either the default
ldap profile or another custom profile that you created), and
reference the LDAP configuration object. Use the command profile
auth (described in this page).
3. Configure the virtual server to reference the custom LDAP profile,
using the virtual command.
A - 118
Options
You can use these options with the profile auth command:
◆ config
Specifies the name of the auth configuration object you created. You can
specify an LDAP, RADIUS, TACACS+, SSL client certificate, SSL
OCSP, or CRLDP configuration object. This setting is required.
◆ credential source
Specifies the credential source as http basic auth or default. For LDAP,
RADIUS, and TACACS+, specify http basic auth for the credential
source. For SSL client certificate or SSL OCSP specify default.
◆ defaults from
Specifies the name of the default authentication profile from which you
want your custom profile to inherit settings. This setting is required.
◆ idle timeout
Sets the idle timeout for the auth profile. The options are a number,
immediate, indefinite, or default. The default is 300 seconds.
◆ mode
Specifies the profile mode. The options are enable, disable, or default.
◆ partition
Displays the partition in which the profile resides.
◆ rule
Specifies the name of the default rule or custom rule that corresponds to
the authentication method you want to use.
◆ type
Specifies the type of authentication profile you want use. The options
are: ssl crldp, ldap, radius, ssl cc ldap, ssl ocsp, tacacs, and generic.
• generic - Specify a generic auth profile configuration object name.
Unlike the other auth profile types, the auth profile generic type
requires the user to manually create or edit a PAM service
configuration file when using the command line interface. The name
of this configuration file for a given auth profile will be
/etc/pam.d/tmm_{name} where {name} is the value of the profile
instance's name. The bigpipe utility displays an informational
message to this effect, specifying the actual file to create or edit when
an auth profile of type generic is manipulated. We recommend that
you have expertise with PAM before you use this advanced feature.
• ldap - An LDAP authentication module is a mechanism for
authenticating or authorizing client connections passing through a
traffic management system. This module is useful when your
authentication or authorization data is stored on a remote LDAP
server or a Microsoft Windows Active Directory server, and you want
the client credentials to be based on basic HTTP authentication (that
is, user name and password). You configure an LDAP authentication
module by creating an LDAP configuration object, and creating an
LDAP profile.

Appendix A
• radius - By creating a RADIUS profile and one or more RADIUS

server objects, you can implement the RADIUS authentication
module as the mechanism for authenticating client connections
passing through LTM. You use this module when your authentication
data is stored on a remote RADIUS server. In this case, client
credentials are based on basic HTTP authentication (that is, user name
and password). To implement the RADIUS authentication module,
you must create the following objects: one or more high-level
RADIUS server objects, a RADIUS configuration object, and a
RADIUS profile. After you create these objects, you must assign the
RADIUS profile to a virtual server.
• ssl cc ldap - Using an SSL client certificate LDAP configuration
object and profile, you can implement the SSL client certificate
LDAP authentication module as the mechanism for authorizing client
connections passing through a traffic management system. In this
case, client credentials are based on SSL certificate credentials instead
of user name and password. LDAP client authorization is based not
only on SSL certificates but also on user groups and roles that you
define.
• ssl crldp - A Certificate Revocation List Distribution Point (CRLDP)
authentication module is a mechanism for handling certificate
revocations on a network, for client connections passing through the
BIG-IP system. To implement the CRLDP authentication module,
you must create the following objects: One or more high-level
CRLDP server objects, a CRLDP configuration object, and a CRLDP
profile. After you create these objects, you must assign the RADIUS
profile to a virtual server.
• ssl ocsp - Online Certificate Status Protocol (OCSP) is an
industry-standard protocol that offers an alternative to a certificate
revocation list (CRL) when using public-key technology. A CRL is a
list of revoked client certificates, which a server system can check
during the process of verifying a client certificate. The LTM system
supports both CRLs and the OCSP protocol. To implement the SSL
OCSP authentication module, you must create the following objects:
one or more high-level SSL OCSP responder objects, an SSL OCSP
configuration object, and an SSL OCSP profile. After you create these
objects, you must assign the SSL OCSP profile to a virtual server.
• tacacs - Using a tacacs+ profile, you can implement the TACACS+
authentication module as the mechanism for authenticating client
connections passing through a traffic management system. You use
this module when your authentication data is stored on a remote
TACACS+ server. In this case, client credentials are based on basic
HTTP authentication (that is, user name and password). You
configure a TACACS+ authentication module by creating a
TACACS+ configuration object, and then creating a TACACS+
profile.
A - 120
See also
auth crldp(1), auth ldap(1), auth radius(1), auth ssl cc ldap(1), auth ssl
ocsp(1), auth tacacs(1), bigpipe(1)

Appendix A
profile clientssl
Configures a Client SSL profile.
Syntax
Use this command to create, display, modify, or delete a Client SSL profile.
Create/Modify
Important
Guide.
profile clientssl <profile clientssl key list> {}

profile clientssl (<profile clientssl key list> | all) \
[{] <profile clientsll arg list> [}]
<profile clientssl key> ::=
<name>
<profile clientssl arg> ::=
defaults from (<profile clientssl key> | none)
key (<file name> | none | default)
cert (<file name> | none | default)
chain (<file name> | none | default)
ca file (<file name> | none | default)
crl file (<file name> | none | default)
client cert ca (<file name> | none | default)
ciphers (<string> | none | default)
options (microsoft sess id bug | MICROSOFT_SESS_ID_BUG | netscape challenge bug | \
NETSCAPE_CHALLENGE_BUG | netscape reuse cipher change bug |\
NETSCAPE_REUSE_CIPHER_CHANGE_BUG | sslref2 reuse cert type bug | \
SSLREF2_REUSE_CERT_TYPE_BUG | microsoft big sslv3 buffer | \
MICROSOFT_BIG_SSLV3_BUFFER | msie sslv2 rsa padding | MSIE_SSLV2_RSA_PADDING | \
ssleay 080 client dh bug | SSLEAY_080_CLIENT_DH_BUG | tls d5 bug | TLS_D5_BUG | \
tls block padding bug | TLS_BLOCK_PADDING_BUG | dont insert empty fragments | \
DONT_INSERT_EMPTY_FRAGMENTS | all bugfixes | ALL_BUGFIXES | passive close | \
PASSIVE_CLOSE | no session resumption on renegotiation | \
NO_SESSTION_RESUMPTION_ON_RENEGOTIATION | single dh use | SINGLE_DH_USE | \
ephemeral rsa | EPHEMERAL_RSA | cipher server preference | \
A - 122
CIPHER_SERVER_PREFERENCE | tls rollback bug | TLS_ROLLBACK_BUG | no sslv2 | \

NO_SSLv2 | no sslv3 | NO_SSLv3 | no tlsv1 | NO_TLSv1 | pks1 check 1 | \
PKCS1_CHECK_1 | pkcs1 check 2 | PKCS1_CHECK_2 | netscape ca dn bug | \
NETSCAPE_CA_DN_BUG | netscape demo cipher change bug | \
NETSCAPE_DEMO_CIPHER_CHANGE_BUG | default)
modssl methods (enable | disable | default)
cache size (<number> | default)
cache timeout (<number> | indefinite | default)
renegotiate period (<number> | indefinite | default)
renegotiate size (<number>[MB|mb] | indefinite | default)
renegotiate max record delay (<number> | indefinite | default)
peer cert mode (request | require | ignore | auto | default)
authenticate (once | always | default)
authenticate depth (<number> | default)
unclean shutdown (enable | disable | default)
strict resume (enable | disable | default)
nonssl (enable | disable | default)
passphrase (<string> | none | default)
handshake timeout (<number> | indefinite | default)
alert timeout (<number> | immediate | indefinite | default)
profile clientssl [<profile clientssl key list> | all] stats reset
Display
profile clientssl [<profile clientssl key list> | all] [show [all]]
profile clientssl [<profile clientssl key list> | all] list [all]
profile clientssl [<profile clientssl key list> | all] alert timeout [show]
profile clientssl [<profile clientssl key list> | all] authenticate [show]
profile clientssl [<profile clientssl key list> | all] authenticate depth [show]
profile clientssl [<profile clientssl key list> | all] ca file [show]
profile clientssl [<profile clientssl key list> | all] cache size [show]
profile clientssl [<profile clientssl key list> | all] cache timeout [show]
profile clientssl [<profile clientssl key list> | all] cert [show]
profile clientssl [<profile clientssl key list> | all] chain [show]
profile clientssl [<profile clientssl key list> | all] ciphers [show]
profile clientssl [<profile clientssl key list> | all] client cert ca [show]
profile clientssl [<profile clientssl key list> | all] crl file [show]
profile clientssl [<profile clientssl key list> | all] defaults from [show]
profile clientssl [<profile clientssl key list> | all] handshake timeout [show]
profile clientssl [<profile clientssl key list> | all] key [show]
profile clientssl [<profile clientssl key list> | all] mode [show]
profile clientssl [<profile clientssl key list> | all] modssl methods [show]
profile clientssl [<profile clientssl key list> | all] name [show]
profile clientssl [<profile clientssl key list> | all] nonssl [show]
profile clientssl [<profile clientssl key list> | all] options [show]

Appendix A
profile clientssl [<profile clientssl key list> | all] partition [show]

profile clientssl [<profile clientssl key list> | all] passphrase [show]
profile clientssl [<profile clientssl key list> | all] peer cert mode [show]
profile clientssl [<profile clientssl key list> | all] renegotiate max record delay [show]
profile clientssl [<profile clientssl key list> | all] renegotiate period [show]
profile clientssl [<profile clientssl key list> | all] renegotiate size [show]
profile clientssl [<profile clientssl key list> | all] stats [show]
profile clientssl [<profile clientssl key list> | all] strict resume [show]
profile clientssl [<profile clientssl key list> | all] unclean shutdown [show]
Delete
profile clientssl (<profile clientssl key list> | all) delete
Description
This command provides the ability to create a custom Client SSL profile.
Client-side profiles allow the traffic management system to handle
authentication and encryption tasks for any SSL connection coming into a
traffic management system from a client system. You implement this type of
profile by using the default profile, or creating a custom profile based on the
default clientssl profile and modifying its settings. All default profiles are
stored in the file /config/profile_base.conf.
Examples
Creates a Client SSL profile named myclientsslprofile using the system
defaults:
profile clientssl myclientsslprofile { mode enable }
Arguments
Several command arguments are available for use with this command.
• defaults from
Specifies the profile that you want to use as the parent profile. Your new
profile inherits all settings and values from the parent profile specified.
• mode
Specifies the profile mode, which enables or disables SSL processing.
The options are enable, disable, or default. The default is enable.
• key
Specifies the name of a key file that you generated and installed on the
system. When selecting this option, type a key file name or use the
default key name default.key. The default key name is default.key.
• cert
Specifies the name of the certificate installed on the traffic management
system for the purpose of terminating or initiating an SSL connection.
You can specify the default certificate name, which is default.crt.
A - 124
• chain
Specifies or builds a certificate chain file that a client can use to
authenticate the profile. To use the default chain name, specify default.
• ca file
Specifies the certificate authority (CA) file name. To use the default CA
file name, specify default. Configures certificate verification by
specifying a list of client or server CAs that the traffic management
system trusts.
• crl file
Specifies the certificate revocation list file name. To use the default
certificate revocation file name, specify default.
• client cert ca
Specifies the client cert certificate authority name. To use the client cert
certificate authority name, specify default.
• ciphers
Specifies a cipher name. To use the default ciphers, specify default.
Options
Several options are available, including some industry-related workarounds:
◆ [MICROSOFT SESS ID BUG]
This option handles a Microsoft session ID problem.
◆ [NETSCAPE CHALLENGE BUG]
This option handles the Netscape challenge problem.
◆ [NETSCAPE REUSE CIPHER CHANGE BUG]
This option handles a defect within Netscape-Enterprise/2.01
(https://merchant.neape.com), only appears when you are connecting
through SSLv2/v3 then reconnecting through SSLv3. In this case, the
cipher list changes.
First, a connection is established with the RC4-MD5 cipher list. If it is
then resumed, the connection switches to using the DES-CBC3-SHA
cipher list. However, according to RFC 2246, (section 7.4.1.3, cipher
suite) the cipher list should remain RC4-MD5.
As a workaround, you can attempt to connect with a cipher list of
DES-CBC-SHA:RC4-MD5 and so on. For some reason, each new
connection uses the RC4-MD5 cipher list, but any re-connection attempts
to use the DES-CBC-SHA cipher list. Thus Netscape, when
reconnecting, always uses the first cipher in the cipher list.
◆ [SSLREF2 REUSE CERT TYPE BUG]
This option handles the SSL reuse certificate type problem.
◆ [MICROSOFT BIG SSLV3 BUFFER]
This option enables a workaround for communicating with older
Microsoft applications that use non-standard SSL record sizes.

Appendix A
◆ [MSIE SSLV2 RSA PADDING]

Microsoft applications that use non-standard RSA key padding. This
option is ignored for server-side SSL.
◆ [SSLEAY 080 CLIENT DH BUG]
SSLeay-based applications that specify an incorrect Diffie-Hellman
public value length. This option is ignored for server-side SSL.
◆ [TLS D5 BUG]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
◆ [TLS BLOCK PADDING BUG]
TLSv1-enabled applications that use incorrect block padding.
◆ [DONT INSERT EMPTY FRAGMENTS]
This option disables a countermeasure against a SSL 3.0/TLS 1.0
protocol vulnerability affecting CBC ciphers. These ciphers cannot be
handled by certain broken SSL implementations. This option has no
effect for connections using other ciphers.
◆ [ALL BUGFIXES]
This option enables all of the above defect workarounds. It is usually safe
to use the All bugfixes Enabled option to enable the defect workaround
options when you want compatibility with broken implementations. Note
that if you edit the configuration in the web-based configuration utility,
the ALL BUGFIXES syntax is expanded into each individual option.
◆ [TLS ROLLBACK BUG]
This option disables version rollback attack detection. During the client
key exchange, the client must send the same information about
acceptable SSL/TLS protocol levels as it sends during the first hello.
Some clients violate this rule by adapting to the server's answer. For
example, the client sends an SSLv2 hello and accepts up to SSLv3.1
(TLSv1), but the server only understands up to SSLv3. In this case, the
client must still use the same SSLv3.1 (TLSv1) announcement. Some
clients step down to SSLv3 with respect to the server's answer and
violate the version rollback protection. This option is ignored for
server-side SSL.
◆ [SINGLE DH USE]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
when the DH parameters were not generated using strong primes, for
example, when using DSA-parameters. If strong primes were used, it is
not strictly necessary to generate a new DH key during each handshake,
but it is recommended. Enable the Single DH use option, whenever
temporary/ephemeral DH parameters are used.
A - 126
◆ [EPHEMERAL RSA]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is only done when an
RSA key can only be used for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that ephemeral RSA keys are always used. This option breaks
compatibility with the SSL/TLS specifications, and may lead to
interoperability problems with clients. Therefore, we do not recommend
it. You should use ciphers with EDH (ephemeral Diffie-Hellman) key
exchange instead. This option is ignored for server-side SSL.
◆ [CIPHER SERVER PREFERENCE]
When choosing a cipher, use this option to all the server's preferences
instead of the client’s references. When this option is not set, the SSL
server always follows the client's references. When this option is set, the
SSLv3/TLSv1 server chooses by using its own references. Due to the
different protocol, for SSLv2 the server sends its list of preferences to the
client and the client always chooses.
◆ [PKCS1 CHECK 1]
This debugging option deliberately manipulates the PKCS1 padding used
by SSL clients in an attempt to detect vulnerability to particular SSL
server vulnerabilities. We do not recommend this option for normal use.
The system ignores this option for client-side SSL.
◆ [PKCS1 CHECK 2]
◆ [NETSCAPE CA DN BUG]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape browser connection, demands a client cert,
has a non-self-signed CA that does not have its CA in Netscape, and the
browser has a certificate, the system crashes or hangs. This option works
for Netscape 3.x and 4.xbeta.
◆ [NETSCAPE DEMO CIPHER CHANGE BUG]
This option deliberately manipulates the SSL server session resumption
behavior to mimic that of certain Netscape servers (see the Netscape
reuse cipher change bug workaround description). We do not recommend
this option for normal use. The system ignores this option for server-side
SSL.
◆ [NO SSLv2]
Do not use the SSLv2 protocol.
◆ [NO SSLv3]
◆ [NO TLSv1]
Do not use the TLSv1 protocol.

Appendix A
◆ [NO SESSION RESUMPTION ON RENEGOTIATION]

When performing renegotiation as an SSL server, this option always
starts a new session (that is, session resumption requests are only
accepted in the initial handshake). This option is ignored for server-side
SSL.
◆ [PASSIVE CLOSE]
Indicates how to handle industry-related workarounds.
• none - Choose this option if you want to disable all workarounds. We
do not recommend this option.
• default - Specifies the value, all bugfixes enabled, which enables a
set of industry-related miscellaneous workarounds related to SSL
processing.
◆ modssl methods
Enables or disables ModSSL methods. This setting enables or disables
ModSSL method emulation. This setting should be enabled when
OpenSSL methods are inadequate. For example, you can enable this
when you want to use SSL compression over TLSv1.
◆ cache size
Specify the SSL session cache size. For client-side profiles only, you can
configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
◆ cache timeout
Specify the SSL session cache timeout value. This specifies the number
of usable lifetime seconds of negotiated SSL session IDs. The default
timeout value for the SSL session cache is 300 seconds. Acceptable
values are integers greater than or equal to 5. You can also set this value
to indefinite.
◆ renegotiate period
Specify the Renegotiate Period setting to renegotiate an SSL session
based on the number of seconds that you specify.
◆ renegotiate size
Specify the Renegotiate Size setting forces the traffic management
system to renegotiate an SSL session based on the size, in megabytes, of
application data that is transmitted over the secure channel.
◆ renegotiate max record delay
The Renegotiate Max Record Delay setting forces the traffic
management system to renegotiate an SSL session based on the
maximum number of SSL records that can be received while waiting for
the client to initiate the renegotiation. If the maximum number of SSL
records is received, the traffic management system closes the connection.
This setting applies to client-side profiles only.
◆ peer cert mode
Specify the peer certificate mode. Options are request, require, ignore,
auto, or default.
A - 128
◆ authenticate
Specify frequency of authentication. Options are once, always, or
default.
◆ authenticate depth
Specify the authenticate depth. This is the client certificate chain
maximum traversal depth.
◆ unclean shutdown
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. If you want to
force the SSL profile to perform a clean shutdown of all SSL
connections, you can disable the default setting.
◆ strict resume
Specify enable to prevent an SSL session from being resumed after an
unclean shutdown. The default option is disable, which causes the SSL
profile to allow uncleanly shut down SSL sessions to be resumed.
Conversely, when the enable option is set, the SSL profile refuses to
resume SSL sessions after an unclean shutdown.
◆ nonssl
Specify enable to allow non-SSL connections to pass through the traffic
management system as clear text.
◆ passphrase
Specify the key passphrase if required.
◆ handshake timeout
Specify the handshake timeout in seconds. You can also specify
indefinite, or default.
◆ alert timeout
Specify the alert timeout in seconds. You can also specify immediate,
indefinite, or default.
See also
profile(1), profile serverssl(1), bigpipe(1)

Appendix A
profile dns
Configures a domain name service (DNS) profile.
Syntax
Use this command to create, modify, display, or delete a DNS profile.
Create/Modify
Important
Guide.
profile dns <profile dns key list> {}

profile dns (<profile dns key list> | all) [{] <profile dns arg list> [}]
<profile dns key> ::=
<name>
<profile dns arg> ::=
defaults from (<profile dns key> | none)
gtm (enable | disable | default) Modify
profile dns (<profile dns key list> | all) stats reset
Display
profile dns (<profile dns key list> | all) [show [all]]
profile dns (<profile dns key list> | all) list [all]
profile dns (<profile dns key list> | all) defaults from [show]
profile dns (<profile dns key list> | all) gtm [show]
profile dns (<profile dns key list> | all) name [show]
profile dns (<profile dns key list> | all) partition [show]
profile dns (<profile dns key list> | all) stats [show]
Delete
profile dns (<profile dns key list> | all) delete
Description
This command provides the ability to define the behavior of DNS traffic.
A - 130
Examples
Creates a DNA profile named mydnsprofile that inherits its settings from
the system default DNS profile:
profile dns mydnsprofile {}
Options
You can use these options with the profile dns command:
• defaults from
• name
Specifies the name of the profile.
• gtm
Indicates whether to allow the Global Traffic Manager (GTM) to handle
DNS resolution for DNS queries and responses that contain wide IP
names. The options are enable, disable, and default (that is, accept the
default from the parent profile). The default is enable.
• partition
Displays the partition within which the profile resides.
See also
dns(1), profile(1), virtual(1), bigpipe(1)

Appendix A
profile fasthttp
Configures a Fast HTTP profile.
Syntax
Use this command to create, modify, display, or delete a Fast HTTP profile.
Create/Modify
Important
Guide.
profile fasthttp <profile fasthttp key list> {}

profile fasthttp (<profile fasthttp key list> | all) [{] <fasthttp profile arg list> [}]
<profile fasthttp key> ::=
<name>
<profile fasthttp arg> ::=
client close timeout (<number> | immediate | indefinite | default)
conn pool idle timeout override (<number> | disable | indefinite | default)
conn pool max reuse (<number> | default)
conn pool max size (<number> | default)
conn pool min size (<number> | default)
conn pool replenish (enable | disable | default)
conn pool step (<number> | default)
defaults from (<profile fasthttp key list> | none)
force http10 response (enable | disable | default)
header insert (<string> | none | default)
http11 close workarounds (enable | disable | default)
insert xforwarded for (enable | disable | default)
layer7 (enable | disable | default)
max header size (<number> | default)
max requests (<number> | default)
mss override (<number> | default)
reset on timeout (enable | disable | default)
server close timeout (<number> | immediate | indefinite | default)
unclean shutdown (enable | disable | fast | default)
profile fasthttp [<profile fasthttp key list> | all] stats reset
A - 132
Display
profile fasthttp [<profile fasthttp key list> | all] [show [all]]
profile fasthttp [<profile fasthttp key list> | all] list [all]
profile fasthttp [<profile fasthttp key list> | all] defaults from [show]
profile fasthttp [<profile fasthttp key list> | all] client close timeout [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool idle timeout [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool max reuse [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool max size [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool min size [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool replenish [show]
profile fasthttp [<profile fasthttp key list> | all] conn pool step [show]
profile fasthttp [<profile fasthttp key list> | all] force http10 response [show]
profile fasthttp [<profile fasthttp key list> | all] header insert [show]
profile fasthttp [<profile fasthttp key list> | all] http11 close workarounds [show]
profile fasthttp [<profile fasthttp key list> | all] idle timeout [show]
profile fasthttp [<profile fasthttp key list> | all] insert xforwarded for [show]
profile fasthttp [<profile fasthttp key list> | all] layer7 [show]
profile fasthttp [<profile fasthttp key list> | all] max header size [show]
profile fasthttp [<profile fasthttp key list> | all] max requests [show]
profile fasthttp [<profile fasthttp key list> | all] mss override [show]
profile fasthttp [<profile fasthttp key list> | all] name [show]
profile fasthttp [<profile fasthttp key list> | all] partition [show]
profile fasthttp [<profile fasthttp key list> | all] reset on timeout [show]
profile fasthttp [<profile fasthttp key list> | all] server close timeout [show]
profile fasthttp [<profile fasthttp key list> | all] stats [show]
profile fasthttp [<profile fasthttp key list> | all] unclean shutdown [show]
Delete
profile fasthttp (<name list> | all) delete
Description
The Fast HTTP profile provides the ability to accelerate certain HTTP
connections such as banner ads.
Examples
Creates a Fast HTTP profile named myfasthttpprofile that inherits its
settings from the system default fasthttp profile:
profile fasthttp myfasthttpprofile {}

Appendix A
Options
You can use the following options with the profile fasthttp command:
◆ defaults from
◆ client close timeout
Specifies the number of seconds after which the system closes a client
connection, when the system either receives a client FIN packet or sends
a FIN packet. This setting overrides the idle timeout setting. The default
setting is 5.
◆ conn pool idle timeout override
Specifies the number of seconds after which a server-side connection in a
OneConnectTM pool is eligible for deletion, when the connection has no
traffic. This setting overrides the idle timeout that you specify. The
default is 0 seconds, which disables the override setting.
◆ conn pool max reuse
Specifies the maximum number of times that the system can re-use a
current connection. The default setting is 0.
◆ conn pool max size
Specifies the maximum number of connections to a load balancing pool.
A setting of 0 specifies that a pool can accept an unlimited number of
connections. The default setting is 2048.
◆ conn pool min size
Specifies the minimum number of connections to a load balancing pool.
A setting of 0 specifies that there is no minimum. The default setting is
10.
◆ conn pool replenish
The default is enable. When this setting is enabled, the system
replenishes the number of connections to a load balancing pool to the
number of connections that existed when the server closed the
connection to the pool. When disabled, the system replenishes the
connection that was closed by the server, only when there are fewer
connections to the pool than the number of connections set in the conn
pool min size connections option. See the conn pool min size option
above.
◆ conn pool step
Specifies the increment in which the system makes additional
connections available, when all available connections are in use. The
default setting is 4.
◆ force http10 response
Specifies whether to rewrite the HTTP version in the status line of the
server to HTTP 1.0 to discourage the client from pipelining or chunking
data. The default is disable.
A - 134
◆ header insert
Specifies a string that the system inserts as a header in an HTTP request.
If the header exists already, the system does not replace it.
◆ http11 close workarounds
Enables or disables HTTP 1.1 close workarounds. The default is disable.
◆ idle timeout
Specifies the number of seconds after which a connection is eligible for
deletion, when the connection has no traffic. The default is 300 seconds.
◆ insert xforwarded for
Specifies whether the system inserts the XForwarded For header in an
HTTP request with the client IP address, to use with connection pooling.
• enable: Specifies that the system inserts the XForwarded For header
with the client IP address.
• disable: Specifies that the system does not insert the XForwarded
For header.
◆ layer7
When enabled, the system parses HTTP data in the stream. Disable this
setting if you want to use the performance HTTP profile to shield against
DDOS attacks against non-HTTP protocols. The default setting is
enable.
◆ max header size
Specifies the maximum amount of HTTP header data that the system
buffers before making a load balancing decision. The default setting is
32768.
◆ max requests
Specifies the maximum number of requests that the system can receive
on a client-side connection, before the system closes the connection. A
setting of 0 specifies that requests are not limited. The default is 0.
◆ mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default setting is 0, which corresponds to an MSS of
1460. You can specify any integer between 536 and 1460.
◆ partition
◆ reset on timeout
When enabled, the system sends a TCP RESET packet when a
connection times out, and deletes the connection. The default is enable.
◆ server close timeout
Specifies the number of seconds after which the system closes a client
connection, when the system either receives a client FIN packet or sends
a FIN packet. This setting overrides the idle timeout setting. The default
setting is 5.
Specifies how the system handles closing a connection. The default is
enable, which allows unclean shutdown of a client connection. Use

Appendix A
disable to prevent unclean shutdown of a client connection. Fast

specifies that the system sends a RESET packet to close the connection
only if the client attempts to send further data after the response has
completed. Default specifies to use the setting from the parent profile.
See also
profile(1), virtual(1), bigpipe(1)
A - 136
profile fastl4
Configures a Fast Layer 4 profile.
Syntax
Use this command to create, modify, display, or delete a Fast Layer 4
profile.
Create/Modify
Important
Guide.
profile fastL4 <profile fastL4 key list> {}

profile fastL4 (<profile fastL4 key list> | all) [{] <profile fastL4 arg list> [}]
<profile fastL4 key> ::=
<name>
<profile fastL4 arg> ::=
defaults from (<profile fastL4 key> | none)
mss override (<number> | default)
pva acceleration (none | assist | full | default)
reassemble fragments (enable | disable | default)
tcp close timeout (<number> | immediate | indefinite | default)
tcp timestamp (preserve | strip | rewrite | default)
tcp wscale (preserve | strip | rewrite | default)
tcp generate isn (enable | disable | default)
tcp strip sack (enable | disable | default)
ip tos to client (<num> | pass | default)
ip tos to server (<num> | pass | default)
link qos to client (<num> | pass | default)
link qos to server (<num> | pass | default)
tcp handshake timeout (<number> | immediate | indefinite | default)
rtt from client (enable | disable | default)
rtt from server (enable | disable | default)
loose initiation (enable | disable | default)
loose close (enable | disable | default)

Appendix A
hardware syncookie (enable | disable | default)

software syncookie (enable | disable | default)
profile fastL4 [<profile fastL4 key list> | all] stats reset
Display
profile fastL4 [<profile fastL4 key list> | all] [show [all]]
profile fastL4 [<profile fastL4 key list> | all] list [all]
profile fastL4 [<profile fastL4 key list> | all] defaults from [show]
profile fastL4 [<profile fastL4 key list> | all] hardware syncookie [show]
profile fastL4 [<profile fastL4 key list> | all] idle timeout [show]
profile fastL4 [<profile fastL4 key list> | all] ip tos to client [show]
profile fastL4 [<profile fastL4 key list> | all] ip tos to server [show]
profile fastL4 [<profile fastL4 key list> | all] link qos to client [show]
profile fastL4 [<profile fastL4 key list> | all] link qos to server [show]
profile fastL4 [<profile fastL4 key list> | all] loose close [show]
profile fastL4 [<profile fastL4 key list> | all] loose initiation [show]
profile fastL4 [<profile fastL4 key list> | all] max segment override [show]
profile fastL4 [<profile fastL4 key list> | all] mss override [show]
profile fastL4 [<profile fastL4 key list> | all] name [show]
profile fastL4 [<profile fastL4 key list> | all] partition [show]
profile fastL4 [<profile fastL4 key list> | all] pva acceleration [show]
profile fastL4 [<profile fastL4 key list> | all] reassemble fragments [show]
profile fastL4 [<profile fastL4 key list> | all] reset on timeout [show]
profile fastL4 [<profile fastL4 key list> | all] rtt from client [show]
profile fastL4 [<profile fastL4 key list> | all] rtt from server [show]
profile fastL4 [<profile fastL4 key list> | all] software syncookie [show]
profile fastL4 [<profile fastL4 key list> | all] stats [show]
profile fastL4 [<profile fastL4 key list> | all] tcp generate isn [show]
profile fastL4 [<profile fastL4 key list> | all] tcp strip sack [show]
profile fastL4 [<profile fastL4 key list> | all] tcp timestamp [show]
profile fastL4 [<profile fastL4 key list> | all] tcp wscale [show]
profile fastL4 [<profile fastL4 key list> | all] tcp handshake timeout [show]
profile fastL4 [<profile fastL4 key list> | all] tcp close timeout [show]
Delete
profile fastL4 (<profile fastL4 key list> | all) delete
Description
The fastl4 profile is the default profile used by the system when you create a
basic configuration for non-UDP traffic. Any changes you make to an active
fastL4 profile (one that is in use by a virtual server) take affect after the idle
A - 138
timeout value has passed. That means new connections are affected by the
profile change immediately. However, old connections need to be aged out
by the idle timeout value or closed for the new values to take effect.
Examples
Creates a custom Fast Layer 4 profile named myfastl4profile that inherits
its settings from the system default fastl4 profile:
profile fastl4 myfastl4profile {}
Options
You can use these options with the profile fastL4 command:
◆ defaults from
◆ idle timeout
Specifies an idle timeout in seconds. You can also specify immediate,
indefinite, or default. This setting specifies the number of seconds that a
connection is idle before the connection is eligible for deletion. When
you specify an idle timeout for the Fast L4 profile, the value needs to be
greater than the db variable Pva.Scrub time in msec for it to work
properly. The default is 300 seconds.
◆ mss override
Specifies a maximum segment size (MSS) override for server-side
connections. The default setting is disable, which corresponds to an MSS
of 1460. Disable specifies that the system does not use an MSS override.
To choose a different value than the default, specify any integer between
536 and 1460 bytes. Note that this is also the MSS advertised to a client
when a client first connects.
◆ pva acceleration
Specifies the Packet Velocity® ASIC acceleration mode. The options are
none, assist, full, or default.
◆ reassemble fragments
Specifies whether to reassemble fragments. The options are enable,
disable, or default. This option is enabled by default.
Specifies whether you want to reset connections on timeout. The options
are enable, disable, or default. This option is enabled by default.
◆ tcp close timeout
Specifies an TCP close timeout in seconds. You can also specify
◆ tcp timestamp
Specifies how you want to handle the TCP timestamp. The options are
preserve, strip, rewrite, or default. Preserve is the default setting for
this option.

Appendix A
◆ tcp wscale
Specifies how you want to handle the TCP window scale. The options
are preserve, strip, rewrite, or default. The default setting for this
option is preserve TCP window scale.
◆ tcp generate isn
Specifies whether you want to generate TCP sequence numbers on all
SYNs that conform with RFC1948, and allow timestamp recycling. This
option is disabled by default.
◆ tcp strip sack
Specifies whether you want to block the TCP SackOK option from
passing to server on an initiating SYN. This option is disabled by default.
◆ ip tos to client
Specifies an IP TOS number for the client side. This setting specifies the
Type of Service level that the traffic management system assigns to UDP
packets when sending them to clients. The default number is 65535,
which indicates, do not modify UDP packets.
◆ ip tos to server
Specifies an IP TOS number for the server side. This setting specifies the
Type of Service level that the traffic management system assigns to UDP
packets when sending them to servers. The default number is 65535,
◆ link qos to client
Specifies a Link QoS (VLAN priority) number for the client side. This
setting specifies the Quality of Service level that the system assigns to
UDP packets when sending them to clients. The default number is 65535,
◆ link qos to server
Specifies a Link QoS (VLAN priority) number for the server side. This
setting specifies the Quality of Service level that the system assigns to
UDP packets when sending them to servers. The default number is
65535, which indicates, do not modify UDP packets.
◆ tcp handshake timeout
Specifies a TCP handshake timeout in seconds. You can also specify
◆ rtt from client
Enables or disables the TCP timestamp options to measure the round trip
time to the client. The default is disable.
◆ rtt from server
Enables or disables the TCP timestamp options to measure the round trip
time to the server. The default is disable.
◆ loose initiation
Specifies that the system initializes a connection when it receives any
TCP packet, rather than requiring a SYN packet for connection initiation.
A - 140
◆ loose close
Specifies that the system closes a loosely-initiated connection when the
system receives the first FIN packet from either the client or the server.
◆ partition
◆ hardware syncookie
Enables or disables hardware SYN cookie support when PVA10 is
present on the system. Note that when you set the hardware syncookie
option to enable, you may also want to set the following variables of the
db command, based on your requirements:
• pva.SynCookies.Full.ConnectionThreshold (default: 500000)
• pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
• pva.SynCookies.ClientWindow (default: 0)
◆ software syncookie
Enables or disables software SYN cookie support when PVA10 is not
present on the system. The default is disable.
See also

Appendix A
profile ftp
Configures an FTP profile.
Syntax
Use this command to create, modify, display, or delete an FTP profile.
Create/Modify
Important
Guide.
profile ftp <profile ftp key list> {}

profile ftp (<profile ftp key list> | all) [{] <profile ftp arg list> [}]
<profile ftp key> ::=
<name>
<profile ftp arg> ::=
defaults from (<profile ftp key> | none)
translate extended (enable | disable | default)
data port (<service> | none | default)
profile ftp [<profile ftp key list> | all] stats reset
Display
profile ftp [<profile ftp key list> | all] [show [all]]
profile ftp [<profile ftp key list> | all] list [all]
profile ftp [<profile ftp key list> | all] data port [show]
profile ftp [<profile ftp key list> | all] defaults from [show]
profile ftp [<profile ftp key list> | all] name [show]
profile ftp [<profile ftp key list> | all] partition [show]
profile ftp [<profile ftp key list> | all] stats [show]
profile ftp [<profile ftp key list> | all] translate extended [show]
Delete
profile ftp (<profile ftp key list> | all) delete
A - 142
Description
Manages a profile for FTP traffic.
Examples
Creates a custom FTP profile named myftpprofile that inherits its settings
from the system default FTP profile:
profile ftp myftpprofile { }
Options
You can use these options with the profile ftp command:
• data port
Specifies a service, or default to use the default setting, or none. This is
the data channel port used for this FTP profile. By default, this is 20, but
may need to be changed to use a non-default FTP port.
• defaults from
• partition
• translate extended
This setting is enabled by default, and thus, automatically translates
RFC2428 extended requests EPSV and EPRT to PASV and PORT when
communicating with IPv4 servers.
See also

Appendix A
profile http
Creates, modifies, displays, or deletes an HTTP profile.
Syntax
Use this command to create, modify, display, or delete an HTTP profile.
Create/Modify
Important
Guide.
profile http <profile http key list> {}

profile http (<profile http key list> | all) [{] <HTTP profile arg list> [}]
<profile http key> ::=
<name>
<profile http arg> ::=
defaults from (<profile http key> | none)
adaptive parsing (enable | disable | default)
basic auth realm (<string> | none | default)
compress (enable | disable | selective | default)
compress browser workarounds (enable | disable | default)
compress buffer size (<number> | default)
compress content type exclude ((<string list> | none) [add | delete] | default)
compress content type include ((<string list> | none) [add | delete] | default)
compress cpu saver (enable | disable | default)
compress cpu saver high (<number> | default)
compress cpu saver low (<number> | default)
compress gzip level (<number> | default)
compress gzip memory level (<number>(K|k) | default)
compress gzip window size (<number>(K|k) | default)
compress http 1.0 (enable | disable | default)
compress keep accept encoding (enable | disable | default)
compress min size (<number> | default)
compress prefer (deflate | gzip | default)
compress uri exclude ((<string list> | none) [add | delete] | default)
compress uri include ((<string list> | none) [add | delete] | default)
compress vary header (enable | disable | default)
A - 144
cookie secret (<string> | none | default)

fallback (<string> | none | default)
fallback status ((<string list> | none) [add | delete] | default)
header insert (<string> | none)
header erase (<string> | none | default)
insert xforwarded for (enable | disable | default)
lws separator (cr | lf | sp | none | default)
lws width (<number> | default)
max header size (<number> | default)
max requests (<number> | default)
oneconnect transformations (enable | disable | default)
pipelining (enable | disable | default)
ramcache (enable | disable | default)
ramcache aging rate (<number> | default)
ramcache entry (<ramcache info key list> | none) [add | delete] | default)
ramcache ignore client cache control (none | max age | all | default)
ramcache insert age header (enable | disable | default)
ramcache max age (<number> | default)
ramcache max entries (<number> | default)
ramcache max object size (<number> | default)
ramcache min object size (<number> | default)
ramcache size (<number>[mb | MB] | default)
ramcache uri exclude (<string list> | none) [add | delete] | default)
ramcache uri include (<string list> | none) [add | delete] | default)
ramcache uri pinned (<string list> | none) [add | delete] | default)
redirect rewrite (none | all | matching | nodes | default)
response (unchunk | rechunk | preserve chunk | selective chunk | default)
response headers allowed ((<string list> | none) [add | delete] | default)
<ramcache info key> ::=
exact max response <number> uri (<string> | none) host (<string> | none)
profile http [<profile http key list> | all] stats reset
Display
profile http [<profile http key list> | all] [show [all]]
profile http [<profile http key list> | all] list [all]
profile http [<profile http key list> | all] defaults from <show>
profile http [<profile http key list> | all] name <show>
profile http [<profile http key list> | all] adaptive parsing [show]
profile http [<profile http key list> | all] basic auth realm [show]
profile http [<profile http key list> | all] compress [show]
profile http [<profile http key list> | all] compress browser work arounds [show]
profile http [<profile http key list> | all] compress keep accept encoding [show]
profile http [<profile http key list> | all] compress buffer size [show]
profile http [<profile http key list> | all] compress cpu saver [show]

Appendix A
profile http [<profile http key list> | all] compress cpu saver high [show]
profile http [<profile http key list> | all] compress cpu saver low [show]
profile http [<profile http key list> | all] compress gzip level [show]
profile http [<profile http key list> | all] compress gzip memory level [show]
profile http [<profile http key list> | all] compress gzip window size [show]
profile http [<profile http key list> | all] compress http 1.0 [show]
profile http [<profile http key list> | all] compress keep accept encoding [show]
profile http [<profile http key list> | all] compress min size [show]
profile http [<profile http key list> | all] compress prefer [show]
profile http [<profile http key list> | all] compress content type exclude [show]
profile http [<profile http key list> | all] compress content type include [show]
profile http [<profile http key list> | all] compress uri exclude [show]
profile http [<profile http key list> | all] compress uri include[show]
profile http [<profile http key list> | all] compress vary header [show]
profile http [<profile http key list> | all] cookie secret [show]
profile http [<profile http key list> | all] encrypt cookies [show]
profile http [<profile http key list> | all] fallback [show]
profile http [<profile http key list> | all] fallback status [show]
profile http [<profile http key list> | all] header erase [show]
profile http [<profile http key list> | all] header insert [show]
profile http [<profile http key list> | all] insert xforwarded for [show]
profile http [<profile http key list> | all] lws separator [show]
profile http [<profile http key list> | all] lws width [show]
profile http [<profile http key list> | all] max header size [show]
profile http [<profile http key list> | all] max requests [show]
profile http [<profile http key list> | all] oneconnect transformations [show]
profile http [<profile http key list> | all] partition [show]
profile http [<profile http key list> | all] pipelining [show]
profile http [<profile http key list> | all] ramcache [show]
profile http [<profile http key list> | all] ramcache aging rate [show]
profile http [<profile http key list> | all] ramcache entry [<ramcache info key list> | \
all] [show]
profile http [<profile http key list> | all] ramcache ignore client cache control [show]
profile http [<profile http key list> | all] ramcache insert age header [show]
profile http [<profile http key list> | all] ramcache max age [show]
profile http [<profile http key list> | all] ramcache max entries [show]
profile http [<profile http key list> | all] ramcache max object size [show]
profile http [<profile http key list> | all] ramcache min object size [show]
profile http [<profile http key list> | all] ramcache size [show]
profile http [<profile http key list> | all] ramcache uri exclude [show]
profile http [<profile http key list> | all] ramcache uri include [show]
profile http [<profile http key list> | all] ramcache uri pinned [show]
profile http [<profile http key list> | all] redirect rewrite [show]
profile http [<profile http key list> | all] response [show]
A - 146
profile http [<profile http key list> | all] response headers allowed [show]
profile http [<profile http key list> | all] stats [show]
Delete
profile http (<profile http key list> | all) ramcache entry (<ramcache info key> | all) \
delete
profile http (<profile http key list> | all) delete
Description
Use the default HTTP profile to create a custom HTTP profile. This default
profile includes default values for any of the properties and settings related
to managing HTTP traffic. When you create a custom HTTP profile, you
can use the default settings, or you can change their values to suit your
needs. This profile contains the configuration settings for compression and
RAM Cache.
The BIG-IP system installation includes these HTTP-type profiles:
• http
• http-lan-optimized-caching
• http-wan-optimized-compression
• http-wan-optimized-compression-caching
You can modify the settings of these profiles, or create new HTTP-type
profiles using any of these existing profiles as parent profiles.
Examples
Creates a custom HTTP profile named myhttpprofile that inherits its
settings from the system default http profile:
profile http myhttpprofile { }
Replaces the header in the profile name myhttpprofile with the default
header:
profile http myhttpprofile header insert default
Displays ramcache entries for the profile my_rc_profile:

bigpipe profile http my_rc_profile ramcache entry show
Options
You can use these options with the profile http command:
◆ adaptive parsing
Enables or disables adaptive parsing.

Appendix A
◆ basic auth realm

Specifies a quoted string for the basic authentication realm. You can also
specify none or default. The value of the Basic Auth Realm setting is a
string that you provide. The system sends this string to a client whenever
authorization fails.
◆ compress
Specifies the compression mode. The options are enable, disable,
selective, and default. Note that the data compression feature
compresses HTTP server responses, and not client requests.
◆ compress browser workarounds
Enables or disables browser workarounds. The default is disable.
Enabling this attribute causes turns of compression on server responses
when any of the following conditions are detected:
• If the client browser is Netscape 4.0x, compression is turned off. Note
that Netscape 4.0x browsers advertise that they can handle
compression, but they do not handle it gracefully. In this case, we
disable compression entirely for that class of Netscape browsers.
• If the client browser is Netscape 4.x (4.10 and beyond) and the server
response Content-Type is neither text/html or text/plain,
compression is turned off. This class of Netscape browsers can handle
plain text and HTML just fine, but there are known issues with other
types of content.
• If the client browser is Microsoft Internet Explorer (any version), the
server response Content-Type is either text/css or
application/x-javascript, and the clients connection is over SSL,
compression is turned off. The Microsoft article ID for this problem is
825057.
• If the client browser is Microsoft Internet Explorer (any version), the
server response Content-Type is either text/css or
application/x-javascript, and the server set the header
Cache-Control to no-cache, compression is turned off. The
Microsoft article ID for this problem is 327286.
◆ compress buffer size
Specifies the maximum number of uncompressed bytes that the system
buffers before determining whether or not to compress the response.
Useful when the headers of a server response do not specify the length of
the response content. The default value is 4096.
◆ compress content type exclude
Excludes a specified list of content types from compression of HTTP
Content-Type responses. Use a string list to specify a list of content
types you want to compress.
◆ compress content type include
Specifies a list of content types for compression of HTTP Content-Type
responses. Use a string list to specify a list of content types you want to
compress.
A - 148
◆ compress cpu saver

Specifies the CPU saver setting. When the CPU saver is enabled, the
system monitors the percent of CPU usage and adjusts compression rates
automatically when the CPU usage reaches the percentage defined in the
cpu saver low or the cpu saver high options. The default setting is
enable.
◆ compress cpu saver high
Specifies the percent of CPU usage at which the system starts
automatically decreasing the amount of content being compressed, as
well as the amount of compression which the system is applying. The
default setting is 90 percent.
◆ compress cpu saver low
Specifies the percent CPU usage at which the system resumes content
compression at the user-defined rates. The default is 75 percent.
◆ compress gzip level
Specifies a value that determines the amount of memory that the system
uses when compressing a server response. The default is 8.
◆ compress gzip memory level
Specifies a value that determines the amount of memory that the system
uses when compressing a server response. The default value is 8.
◆ compress gzip window size
Specifies the number of bits in the window size that the system uses
when compressing a server response. The default is 16 bits.
◆ compress http 1.0
Enables or disables compression of HTTP/1.0 server responses.
◆ compress min size
Specifies the minimum length in bytes of a server response that is
acceptable for compressing that response. The length in bytes applies to
content length only, not headers. The default setting is 1024.
◆ compress prefer
Specifies the type of compression that is preferred by the system. The
options are deflate, gzip, or default.
◆ compress uri exclude
Disables compression on a specified list of HTTP Request-URI
responses. Use a regular expression to specify a list of URIs you do not
want to compress.
◆ compress uri include
Enables compression on a specified list of HTTP Request-URI
responses. Use a regular expression to specify a list of URIs you want to
compress.
◆ compress vary header
Enables or disables the insertion of a Vary header into cacheable server
responses. The default is enable.
◆ cookie secret
Specifies a passphrase for the cookie encryption.

Appendix A
◆ defaults from
◆ encrypt cookies
Encrypts specified cookies that the BIG-IP system sends to a client
system.
◆ fallback
Specifies an HTTP fallback host. HTTP redirection allows you to
redirect HTTP traffic to another protocol identifier, host name, port
number, or URI path. For example, if all members of the targeted pool
are unavailable (that is, the members are disabled, marked as down, or
have exceeded their connection limit), the system can redirect the HTTP
request to the fallback host, with the HTTP reply Status Code 302
Found. For details about how to configure this string, refer to the
◆ fallback status
Specifies one or more three-digit status codes that can be returned by an
HTTP server.
◆ header erase
Specifies the header string that you want to erase from an HTTP request.
You can also specify none or default.
◆ header insert
Specifies the header string that you want to insert into an HTTP request.
You can also specify none or default. An optional setting in an HTTP
profile is HTTP header insertion. The HTTP header being inserted can
include a client IP address. Including a client IP address in an HTTP
header is useful when a connection goes through a secure network
address translation (SNAT) and you need to preserve the original client
IP address. The format of the header insertion that you specify must be a
quoted string. When you assign the configured HTTP profile to a virtual
server, the system then inserts the header specified by the profile into any
HTTP request that the system sends to a pool or pool member.
◆ insert xforwarded for
When using connection pooling, which allows clients to make use of
other client requests' server-side connections, you can insert the
X-Forwarded-For header and specify a client IP address.
◆ keep accept encoding
Enables or disables keep accept encoding. When enabled, causes the
target server to perform the data compression instead of the LTM system.
◆ lws separator
Specifies the linear white space separator that the system should use
between HTTP headers when a header exceeds the maximum width
specified by the lws width setting. The options are cr, lf, or sp.
◆ lws width
Specifies the maximum number of columns allowed for a header that is
inserted into an HTTP request. See also lws separator.
A - 150
◆ max header size

Specifies the maximum header size.
◆ oneconnect transformations
Enables the system to perform HTTP header transformations for the
purpose of keeping server-side connections open. This feature requires
configuration of a OneConnect profile.
◆ partition
◆ pipelining
Enables HTTP/1.1 pipelining. This allows clients to make requests even
when prior requests have not received a response. In order for this to
succeed, however, destination servers must include support for
pipelining.
◆ ramcache
Enables or disables the RAM Cache feature. The default setting is
disable. Note that you cannot insert a cookie on an HTTP RESPONSE
when the RAM Cache is enabled and the document is cacheable.
◆ ramcache aging rate
Specifies how long the system considers the cached content to be valid.
◆ ramcache entry
Specifies the following information about a ramcache entry:
• exact max response
Specifies the maximum number of responses allowed to utilize the
cached entry.
• URI
Specifies the URI from which the entry was cached.
• host
Specifies the host from which the entry was cached.
◆ ramcache ignore client cache control
Specifies if you want to ignore cache disabling headers sent by clients.
You can set this to none, max age, or all.
◆ ramcache insert age header
When enabled, inserts Age and Date headers in the response.
◆ ramcache max age
Specifies how long the system considers the cached content to be valid.
◆ ramcache max entries
Specifies the maximum number of entries that can be in the RAM cache.
The default is 0, which means that the system does not limit the
maximum entries.
◆ ramcache max object size
Specifies the largest object that the system considers eligible for caching.
The default setting is 50000 bytes.

Appendix A
◆ ramcache min object size

Specifies the smallest object that the system considers eligible for
caching. The default setting is 500 bytes.
◆ ramcache size
Specifies the maximum size for the RAM cache. When the cache reaches
the maximum size, the system starts removing the oldest entries. The
default setting is 100 megabytes.
◆ ramcache uri exclude
Configures a list of URIs to exclude in the RAM Cache. A value of none
specifies that URI pinning is not activated. The default setting is none.
◆ ramcache uri include
Configures a list of URIs to include in the RAM Cache. A value of none
specifies that URI pinning is not activated. The default setting is none.
◆ ramcache uri pinned
Specifies whether the system retains or excludes certain URIs in the
RAM cache. The pinning process forces the system either to cache URIs
that typically are ineligible for caching, or to not cache URIs that
typically are eligible for caching.
◆ redirect rewrite
Specifies the redirect rewrite mode. The options are none, all, matching,
nodes, and default.
◆ response
Specifies how to handle chunked and unchunked requests and responses.
• unchunk
If the request or response is chunked, this option unchunks the request
or response, and processes the HTTP content, and passes the request
or response on as unchunked. The Keep-Alive value for the
Connection header is not supported, and therefore the system sets the
value of the header to Close.
If the request or response is unchunked, the LTM system processes

the HTTP content and passes the request or response on untouched.
• rechunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request or response is unchunked, the system adds transfer

encoding and chunking headers on egress.
• preserve chunk
Specifies that the system processes the HTTP content, and sends the
response to the client unchanged.
A - 152
• selective chunk
If the request or response is chunked, the system unchunks the request
or response, processes the HTTP content, re-adds the chunk trailer
headers, and then passes the request or response on as chunked. Any
chunk extensions are lost.
If the request is unchunked, the system processes the HTTP content

and then passes the request or response on untouched.
• default
Indicates to use the value in the default http profile.
◆ response headers allowed
Specifies headers that the BIG-IP system allows in an HTTP response.
See also
profile(1), virtual(1), profile fasthttp(1), bigpipe(1)

Appendix A
profile httpclass
Configures an HTTP Class type of profile.
Syntax
Use this command to create an HTTP class profile, redirect HTTP traffic to
https using the same virtual server, and redirect HTTP traffic without
changing the URL in the browser.
Create/Modify
Important
Guide.
profile httpclass <profile httpclass key list> {}

profile httpclass (<profile httpclass key list> | all) [{] \
<profile httpclass arg list> [}]
<profile httpclass key> ::=
<name>
<profile httpclass arg> ::=
asm (enable | disable | default)
cookies ((<regex/glob list> | none) [add | delete] | default)
defaults from (<profile httpclass key> | none)
headers ((<regex/glob list> | none) [add | delete] | default)
hosts ((<regex/glob list> | none) [add | delete] | default)
paths ((<regex/glob list> | none) [add | delete] | default)
pool (<poolkey> | none | default)
redirect (<string> | none | default)
url rewrite (<string> | none | default)
wa (enable | disable | default)
<regex/glob> ::
[glob | regex] <string>
profile httpclass [<profile httpclass key list> | all] stats reset
Display
profile httpclass [<profile httpclass key list> | all] [show [all]]
profile httpclass [<profile httpclass key list> | all] list [all]
profile httpclass [<profile httpclass key list> | all] asm <show>
A - 154
profile httpclass [<profile httpclass key list> | all] cookies <show>

profile httpclass [<profile httpclass key list> | all] defaults from <show>
profile httpclass [<profile httpclass key list> | all] headers <show>
profile httpclass [<profile httpclass key list> | all] hosts <show>
profile httpclass [<profile httpclass key list> | all] name <show>
profile httpclass [<profile httpclass key list> | all] partition <show>
profile httpclass [<profile httpclass key list> | all] paths <show>
profile httpclass [<profile httpclass key list> | all] pool <show>
profile httpclass [<profile httpclass key list> | all] redirect <show>
profile httpclass [<profile httpclass key list> | all] stats [show]
profile httpclass [<profile httpclass key list> | all] url rewrite <show>
profile httpclass [<profile httpclass key list> | all] wa <show>
Delete
profile httpclass (<profile httpclass key list> | all) delete
Description
Use this command to create an HTTP class profile, redirect HTTP traffic to
HTTPS using the same virtual server, and redirect HTTP traffic without
changing the URL in the browser.
Examples
Creates an HTTP class profile named myhttpclassprofile that inherits its
settings from the system default HTTP Class profile:
profile httpclass myhttpclassprofile { }
Options
• asm
Specifies application security. You can set the asm option only if the
system is licensed for the BIG-IP® Application Security Manager. The
options are enable, disable, and default.
• cookies
Specifies how the system routes all incoming HTTP traffic for the web
application, based on cookie headers.
• defaults from
• headers
Specifies how the system routes incoming HTTP traffic for the web
application, based on HTTP headers and values.
• hosts
Specifies how the system routes incoming HTTP traffic, based on host
information.

Appendix A
• partition
• paths
Specifies how the system routes all incoming HTTP traffic for the web
application, based on URI paths.
• pool
Specifies a local traffic pool to which the system sends the HTTP traffic.
The options are <pool key>, none, and default.
• redirect
Specifies a URL to which the system redirects the traffic. The options are
none, <string>, and default.
• url rewrite
Specifies the TCL expression that the system uses to rewrite the request
URI that is forwarded to the server without sending an HTTP redirect to
the client. The options are none, <string>, and default.
• wa
Specifies web acceleration. You can set the wa option only if the system
is licensed for the BIG-IP WebAccelerator Module. The options are
enable, disable, and default.
See also
profile(1), profile http(1)
A - 156
profile oneconnect
Creates, modifies, displays, or deletes a OneConnectTM profile.
Syntax
Use this command to create, modify, display, or delete a OneConnectTM
profile.
Create/Modify
Important
Guide.
profile oneconnect <profile oneconnect key list> {}

profile oneconnect (<profile oneconnect key list> | all) \
[{] <profile oneconnect arg list> [}]
<profile oneconnect key> ::=
<name>
<profile oneconnect arg> ::=
defaults from (<<profile oneconnect key> | none)
idle timeout override (<number> | disable | indefinite | default)
max size (<number> | default)
max age (<number> | default)
max reuse (<number> | default)
source mask (<ip mask> | none | default)
profile oneconnect [<<profile oneconnect key list> | all] stats reset
Display
profile oneconnect [<profile oneconnect key list> | all] [show [all]]
profile oneconnect [<profile oneconnect key list> | all] list [all]
profile oneconnect [<profile oneconnect key list> | all] defaults from [show]
profile oneconnect [<profile oneconnect key list> | all] idle timeout override [show]
profile oneconnect [<profile oneconnect key list> | all] max size [show]
profile oneconnect [<profile oneconnect key list> | all] max age [show]
profile oneconnect [<profile oneconnect key list> | all] max reuse [show]
profile oneconnect [<profile oneconnect key list> | all] name [show]
profile oneconnect [<profile oneconnect key list> | all] partition [show]
profile oneconnect [<profile oneconnect key list> | all] source mask [show]

Appendix A
profile oneconnect [<profile oneconnect key list> | all] stats [show]
Delete
profile oneconnect (<profile oneconnect key list> | all) delete
Description
Create a OneConnect profile that optimizes connections by improving client
performance and increasing server capacity.
Examples
Creates a OneConnect profile named myOCprofile that inherits its settings
from the system default OneConnect profile:
profile oneconnect myOCprofile { }
Options
• defaults from
• idle timeout override
Specifies the number of seconds that a connection is idle before the
connection flow is eligible for deletion. Possible values are disable,
indefinite, or a numeric value that you specify. The default is disable.
• max size
Specifies the maximum number of connections that the system holds in
the connection reuse pool. If the pool is already full, then the server-side
connection closes after the response is completed. The default setting is
10000.
• max age
Specifies the maximum age in number of seconds allowed for a
connection in the connection reuse pool. For any connection with an age
higher than this value, the system removes that connection from the reuse
pool. The default maximum age is 86400.
• max reuse
Specifies the maximum number of times that a server-side connection
can be reused. The default is 1000.
• partition
• source mask
Specifies a source IP mask. The system applies the value of this setting to
the source address to determine its eligibility for reuse. A mask of 0
causes the system to share reused connections across all clients. A host
mask, that is, all 1 values in binary, causes the system to share only those
reused connections originating from the same client IP address. The
default mask is 0.0.0.0.
A - 158
See also
profile(1), bigpipe(1)

Appendix A
profile persist
Configures a persistence profile.
Syntax
Use this command to create, modify, display, or delete a persistence profile.
Create/Modify
Important
Guide.
profile persist <profile persist key list> {}

profile persist (<profile persist key list> | all) [{] <persistence profile arg list> [}]
<profile persist key>::=
<name>
<persistence profile arg> ::=
defaults from (<profile persist key> | none)
mode (none | source addr | dest addr | cookie | ssl | msrdp | universal | hash | \
sip | default)
rule (<rule key> | none | default)
timeout (<number> | immediate | indefinite | default)
mask (<ip mask> | none)
cookie mode (insert | rewrite | passive | hash | default | none)
cookie expiration ([<number>d] [<hh>:<mm>:<ss>] | default)
cookie hash offset (<number> | default)
cookie hash length (<number> | default)
cookie name (<string> | none | default)
mirror (enable | disable | default)
msrdp session directory (enable | disable | default)
map proxies (enable | disable | default)
across pools (enable | disable | default)
across services (enable | disable | default)
across virtuals (enable | disable | default)
Display
profile persist [<profile persist key list> | all] [show [all]]
profile persist [<profile persist key list> | all] list [all]
A - 160
profile persist [<profile persist key list> | all] defaults from [show]
profile persist [<profile persist key list> | all] across pools [show]
profile persist [<profile persist key list> | all] across services [show]
profile persist [<profile persist key list> | all] across virtuals [show]
profile persist [<profile persist key list> | all] cookie expiration [show]
profile persist [<profile persist key list> | all] cookie hash length [show]
profile persist [<profile persist key list> | all] cookie hash offset [show]
profile persist [<profile persist key list> | all] cookie mode [show]
profile persist [<profile persist key list> | all] cookie name [show]
profile persist [<profile persist key list> | all] map proxies [show]
profile persist [<profile persist key list> | all] mask [show]
profile persist [<profile persist key list> | all] mirror [show]
profile persist [<profile persist key list> | all] mode [show]
profile persist [<profile persist key list> | all] msrdp session directory [show]
profile persist [<profile persist key list> | all] name [show]
profile persist [<profile persist key list> | all] partition [show]
profile persist [<profile persist key list> | all] rule [show]
profile persist [<profile persist key list> | all] timeout [show]
Delete
profile persist (<profile persist key list> | all) delete
Description
A persistence profile is a pre-configured object that automatically enables
persistence when you assign the profile to a virtual server. Using a
persistence profile avoids having to write an iRule to implement a type of
persistence.
Each type of persistence that the traffic management system offers includes
a corresponding default persistence profile. These persistence profiles each
contain settings and setting values that define the behavior of the system for
that type of persistence. You can either use the default profile, or create a
custom profile based on the default.
Examples
Creates a custom persistence profile named mypersistprofile that inherits
its settings from the default Cookie persistence profile:
profile persist mypersistprofile cookie { }
Options
You can use these options with the profile persist command:

Appendix A
◆ across pools
Enables or disables persistence across pools. Persistence across all pools
causes the traffic management system to maintain persistence for all
connections requested by the same client, regardless of which pool hosts
each individual connection initiated by the client. The default is disable.
◆ across services
Enables or disables persistence across services. The default is disable.
◆ across virtuals
Enables or disables persistence across virtual servers. Persistence across
all virtual servers causes the traffic management system to maintain
persistence for all connections requested by the same client, regardless of
which virtual server hosts each individual connection initiated by the
client. The default is disable.
◆ cookie expiration
Specifies the cookie expiration date in the format <number>
<hh>:<mm>:<ss>. The default is 0 seconds.
◆ cookie hash length
Specifies the cookie hash length. The length is the number of bytes to use
when calculating the hash value. The default is 0 bytes.
◆ cookie hash offset
Specifies the cookie has offset. The offset is the number of bytes in the
cookie to skip before calculating the hash value. The default is 0 bytes.
◆ cookie mode
Specifies the cookie mode for cookie persistence. The default is insert.
Options are: none, insert, rewrite, passive, hash, and default.
• insert
If you specify HTTP cookie insert method within the profile, the
information about the server to which the client connects is inserted in
the header of the HTTP response from the server as a cookie. The
cookie is named BIGipServer <pool name>, and it includes the
address and port of the server handling the connection. The expiration
date for the cookie is set, based on the timeout configured on the
traffic management system. HTTP cookie insert method is the
default value for the cookie mode setting.
• rewrite
Specifies cookie rewrite mode. HTTP cookie rewrite mode requires
you to set up the cookie created by the server. For HTTP cookie
rewrite mode to succeed, there needs to be a blank cookie coming
from the web server for the system to rewrite. With Apache server
variants, the cookie can be added to every web page header by adding
the following entry to the httpd.conf file:
Header add Set-Cookie BIGipCookie=0000000000000000000000000...
(The cookie must contain a total of 120 zeros.)

• passive
If you specify HTTP cookie passive mode, the system does not insert
or search for blank Set-Cookie headers in the response from the
A - 162
server. This method does not try to set up the cookie. With this
method, the server provides the cookie, formatted with the correct
server information and timeout.
• hash
If you specify cookie hash mode, the hash mode consistently maps a
cookie value to a specific node. When the client returns to the site, the
system uses the cookie information to return the client to a given
node. With this mode, the web server must generate the cookie. The
system does not create the cookie automatically, as it does with insert
mode.
• default
Indicates that you want to use the settings from the parent profile.
◆ cookie name
Specifies the cookie name. Type the name of an HTTP cookie being sent
by the Web site. This could be something like Apache or
SSLSESSIONID. The name depends on the type of web server your site
is running. This attribute is used by cookie hash mode.
◆ defaults from
◆ map proxies
Enables or disables the map proxies attribute. The default setting for the
map proxies for the persistence variable is enable. The AOL proxy
addresses are hard-coded. This enables you to use client IP address
persistence with a simple persist mask, but forces all AOL clients to
persist to the same server. All AOL clients persist to the node that was
picked for the first AOL client connection received. The default is
disable.
◆ mask
Specifies an IP mask. This is the mask used by simple persistence for
connections.
◆ mirror
Enables or disables mirroring of persistence date. The default is disable.
◆ mode
Specifies the persistence mode. The default is none. This setting is
required. The options are: none, source addr, dest addr, cookie, ssl,
msrdp, universal, hash, sip, or default.
• source addr
Also known as simple persistence, source address affinity persistence
same server based solely on the source IP address of a packet.
• dest addr
Also known as sticky persistence, destination address affinity
persistence supports TCP and UDP protocols, and directs session
requests to the same server based solely on the destination IP address
of a packet.

Appendix A
• cookie
Cookie persistence uses an HTTP cookie stored on a client computer
to allow the client to reconnect to the same server previously visited at
a web site.
• ssl
SSL persistence is a type of persistence that tracks non-terminated
SSL sessions, using the SSL session ID. Even when the client's IP
address changes, the LTM system still recognizes the connection as
being persistent based on the session ID. Note that the term
non-terminated SSL sessions refers to sessions in which the traffic
management system does not perform the tasks of SSL certificate
authentication and encryption/re-encryption.
• msrdp
Microsoft Remote Desktop persistence tracks sessions between
clients and servers running Microsoft Remote Desktop Protocol
(MSRDP).
• universal
Universal persistence allows you to write an expression that defines
what to persist on in a packet. The expression, written using the same
expression syntax that you use in iRules, defines some sequence of
bytes to use as a session identifier.
• hash
Hash persistence allows you to create a persistence hash based on an
existing iRule.
• sip
SIP persistence is a type of persistence used for servers that receive
Session Initiation Protocol (SIP) messages sent through UDP. SIP is a
protocol that enables real-time messaging, voice, data, and video.
• default
Specify default if you want to use the default system profile settings
for persistence mode.
◆ msrdp session directory
Enables or disables the MSRDP session directory option for MSRDP
persistence. Enable this option to implement Windows Terminal Server
persistence for those Windows servers on which the Session Directory
service is not available. The default is enable.
◆ partition
◆ rule
Specifies a rule name if you are using a rule for universal persistence.
◆ timeout
Specifies the timeout. Possible values are default, immediate,
indefinite, or a numeric value that you specify. This is the simple
persistence timeout. The default is 180 seconds.
A - 164
See also
profile(1), virtual(1), rule(1), bigpipe(1)

Appendix A
profile serverssl
Configures a Server SSL profile.
Syntax
Use this command to create, modify, display, or delete a Server SSL profile.
Create/Modify
Important
Guide.
profile serverssl <profile serverssl key list> {}

profile serverssl (<profile serverssl key list> | all) [{] <profile serverssl arg list>
[}]
<profile serverssl key> ::=
<name>
<profile serverssl arg> ::=
defaults from (<profile serverssl key> | none)
key (<file name> | none | default)
cert (<file name> | none | default)
chain (<file name> | none | default)
ca file (<file name> | none | default)
crl file (<file name> | none | default)
ciphers (<string> | none | default)
passphrase (<string> | none | default)
options ([MICROSOFT_SESS_ID_BUG]
[NETSCAPE_CHALLENGE_BUG][NETSCAPE_REUSE_CIPHER_CHANGE_BUG]
[SSLREF2_REUSE_CERT_TYPE_BUG][MICROSOFT_BIG_SSLV3_BUFFER] [MSIE_SSLV2_RSA_PADDING]
[SSLEAY_080_CLIENT_DH_BUG] [TLS_D5_BUG] [TLS_BLOCK_PADDING_BUG]
[DONT_INSERT_EMPTY_FRAGMENTS] [ALL_BUGFIXES] [TLS_ROLLBACK_BUG]
[SINGLE_DH_USE] [EPHEMERAL_RSA] [CIPHER_SERVER_PREFERENCE] [PKCS1_CHECK_1]
[PKCS1_CHECK_2] [NETSCAPE_CA_DN_BUG] [NETSCAPE_DEMO_CIPHER_CHANGE_BUG]
[NO_SSLv2] [NO_SSLv3] [NO_TLSv1] [NO_SESSION_RESUMPTION_ON_RENEGOTIATION]
[PASSIVE_CLOSE] | none | default)
modssl methods (enable | disable | default)
renegotiate period (<number> | immediate | indefinite | default)
renegotiate size (<number>[MB|mb] | indefinite | default)
peer cert mode (require | ignore | default)
authenticate (once | always | default)
A - 166
authenticate depth (<number> | default)

authenticate name (<string> | default)
unclean shutdown (enable | disable | default)
strict resume (enable | disable | default)
handshake timeout (<number> | immediate | indefinite | default)
alert timeout (<number> | immediate | indefinite | default)
cache size (<number> | default)
cache timeout (<number> | immediate | indefinite | default)
profile serverssl [<profile serverssl key list> | all] stats reset
Display
profile serverssl [<profile serverssl key list> | all] [show [all]]
profile serverssl [<profile serverssl key list> | all] list [all]
profile serverssl [<profile serverssl key list> | all] name [show]
profile serverssl [<profile serverssl key list> | all] defaults from [show]
profile serverssl [<profile serverssl key list> | all] mode [show]
profile serverssl [<profile serverssl key list> | all] key [show]
profile serverssl [<profile serverssl key list> | all] cert [show]
profile serverssl [<profile serverssl key list> | all] chain [show]
profile serverssl [<profile serverssl key list> | all] ca file [show]
profile serverssl [<profile serverssl key list> | all] crl file [show]
profile serverssl [<profile serverssl key list> | all] ciphers [show]
profile serverssl [<profile serverssl key list> | all] options [show]
profile serverssl [<profile serverssl key list> | all] modssl methods [show]
profile serverssl [<profile serverssl key list> | all] renegotiate period [show]
profile serverssl [<profile serverssl key list> | all] renegotiate size [show]
profile serverssl [<profile serverssl key list> | all] peer cert mode [show]
profile serverssl [<profile serverssl key list> | all] authenticate [show]
profile serverssl [<profile serverssl key list> | all] authenticate depth [show]
profile serverssl [<profile serverssl key list> | all] authenticate name [show]
profile serverssl [<profile serverssl key list> | all] unclean shutdown [show]
profile serverssl [<profile serverssl key list> | all] strict resume [show]
profile serverssl [<profile serverssl key list> | all] passphrase [show]
profile serverssl [<profile serverssl key list> | all] handshake timeout [show]
profile serverssl [<profile serverssl key list> | all] alert timeout [show]
profile serverssl [<profile serverssl key list> | all] cache size [show]
profile serverssl [<profile serverssl key list> | all] cache timeout [show]
profile serverssl [<profile serverssl key list> | all] stats [show]
profile serverssl [<profile serverssl key list> | all] partition [show]
Delete
profile serverssl (<profile serverssl key list> | all) delete

Appendix A
Description
Server-side profiles allow the traffic management system to handle
encryption tasks for any SSL connection being sent from a Local Traffic
Management system to a target server. A server-side SSL profile is able to
act as a client by presenting certificate credentials to a server when
authentication of the Local Traffic Management system is required You
implement this type of profile by using the default profile, or creating a
custom profile based on the serverssl profile template and modifying its
settings.
Examples
Creates a custom Server SSL profile named myserversslprofile that inherits
its settings from the system default serverssl profile:
profile serverssl myserversslprofile { }
Arguments
Several arguments are available for use with this command.
◆ ca file
Specifies the certificate authority (CA) file name or indicates the system
uses the certificate authority file name from the parent profile.
Configures certificate verification by specifying a list of client or server
CAs that the traffic management system trusts.
◆ cert
Specifies the certificate file name or indicates the system uses the
certificate file name from the parent profile. Specifies the name of the
certificate installed on the traffic management system for the purpose of
terminating or initiating an SSL connection. The default is default.crt.
◆ chain
Specifies the chain name or indicates the system uses the chain name
from the parent profile. Specifies or builds a certificate chain file that a
client can use to authenticate the profile.
◆ ciphers
Specifies a cipher name or indicates the system uses the default ciphers
from the parent profile.
◆ crl file
Specifies the certificate revocation list file name or indicates the system
uses the certificate revocation file name from the parent profile.
◆ defaults from
A - 168
◆ key
Specifies the key file name or indicates the system uses the key file name
from the parent profile. Specifies the name of the key installed on the
traffic management system for the purpose of terminating or initiating an
SSL connection. The default key file name is default.key.
◆ mode
Specifies the profile mode. The options are enable, disable, or default.
Enables or disables SSL processing. The default is enable.
Options
These options are available, including some industry-related workarounds:
◆ alert timeout
Specifies the alert timeout in seconds. You can also specify immediate,
indefinite, or default. The default is 60 seconds.
◆ authenticate
Specifies frequency of authentication. Options are once, always, or
default.
◆ authenticate depth
Specifies the client certificate chain maximum traversal depth.
◆ authenticate name
Specifies a Common Name (CN) that is embedded in a server certificate.
The system authenticates a server based on the specified CN.
◆ cache size
Specifies the SSL session cache size. For client-side profiles only, you
can configure timeout and size values for the SSL session cache. Because
each profile maintains a separate SSL session cache, you can configure
the values on a per-profile basis.
◆ cache timeout
Specifies the SSL session cache timeout value, which is the usable
lifetime seconds of negotiated SSL session IDs. The default is 300
seconds. Acceptable values are integers greater than or equal to 5. You
can also set this value to immediate or indefinite.
◆ handshake timeout
Specifies the handshake timeout in seconds. You can also specify
immediate, indefinite, or default.
◆ modssl methods
Enables or disables ModSSL method emulation. Use enable when
OpenSSL methods are inadequate. For example, you can enable modssl
methods when you want to use SSL compression over TLSv1.
◆ passphrase
Specifies the key passphrase, if required.
◆ peer cert mode
Specifies the peer certificate mode. Options are require, ignore, and
default.

Appendix A
◆ renegotiate period
Specifies the number of seconds to renegotiate an SSL session. The
options are a number you specify, immediate, indefinite, and default. The
default is indefinite specifying that you do not want SSL negotiation.
◆ renegotiate size
Specifies a throughput size, in bytes, of SSL renegotiation. This setting
forces the traffic management system to renegotiate an SSL session
based on the size, in megabytes, of application data that is transmitted
over the secure channel. The default is indefinite specifying that you do
not want a throughput size.
◆ strict resume
You can enable or disable the resumption of SSL sessions after an
unclean shutdown. The default is disable, which indicates that the SSL
profile refuses to resume SSL sessions after an unclean shutdown.
By default, the SSL profile performs unclean shutdowns of all SSL
connections, which means that underlying TCP connections are closed
without exchanging the required SSL shutdown alerts. If you want to
force the SSL profile to perform a clean shutdown of all SSL
connections, you can disable the default setting.
◆ [ALL BUGFIXES]
This option enables all of the above defect workarounds. It is usually safe
to use the All bugfixes Enabled option to enable the defect workaround
options when compatibility with broken implementations is desired. Note
that if you edit the configuration in the web-based configuration utility,
the ALL BUGFIXES syntax is expanded into each individual option.
◆ [CIPHER SERVER PREFERENCE]
When choosing a cipher, this option uses the server's preferences instead
of the client references. When this option is not set, the SSL server
always follows the client's references. When this option is set, the
SSLv3/TLSv1 server chooses by using its own references. Due to the
different protocol, for SSLv2 the server sends its list of preferences to the
client and the client always chooses.
◆ [DONT INSERT EMPTY FRAGMENTS]
This option disables a countermeasure against a SSL 3.0/TLS 1.0
protocol vulnerability affecting CBC ciphers. These ciphers cannot be
handled by certain broken SSL implementations. This option has no
effect for connections using other ciphers.
◆ [EPHEMERAL RSA]
This option uses ephemeral (temporary) RSA keys when doing RSA
operations. According to the specifications, this is only done when an
RSA key can only be used for signature operations (namely under export
ciphers with restricted RSA key length). By setting this option, you
specify that you want to use ephemeral RSA keys always. This option
breaks compatibility with the SSL/TLS specifications and may lead to
interoperability problems with clients. Therefore, we do not recommend
A - 170
this option. You should use ciphers with EDH (ephemeral

Diffie-Hellman) key exchange instead. This option is ignored for
server-side SSL.
◆ [MICROSOFT BIG SSLV3 BUFFER]
Microsoft applications that use non-standard SSL record sizes.
◆ [MICROSOFT SESS ID BUG]
This option handles a Microsoft session ID problem.
◆ [MSIE SSLV2 RSA PADDING]
Microsoft applications that use non-standard RSA key padding. This
option is ignored for server-side SSL.
◆ [NETSCAPE CA DN BUG]
This option handles a defect regarding the system crashing or hanging. If
the system accepts a Netscape browser connection, demands a client cert,
has a non-self-signed CA that does not have its CA in Netscape, and the
browser has a certificate, the system crashes or hangs. This option works
for 3.x and 4.xbeta.
◆ [NETSCAPE CHALLENGE BUG]
This option handles the Netscape challenge problem.
◆ [NETSCAPE DEMO CIPHER CHANGE BUG]
This option deliberately manipulates the SSL server session resumption
behavior to mimic that of certain Netscape servers (see the Netscape
reuse cipher change bug workaround description). We do not recommend
this option for normal use. It is ignored for server-side SSL.
◆ [NETSCAPE REUSE CIPHER CHANGE BUG]
This option handles a defect within Netscape-Enterprise/2.01
(https://merchant.neape.com), only appearing when connecting through
SSLv2/v3 then reconnecting through SSLv3. In this case, the cipher list
changes.
First, a connection is established with the RC4-MD5 cipher list. If it is
then resumed, the connection switches to using the DES-CBC3-SHA
cipher list. However, according to RFC 2246, (section 7.4.1.3, cipher
suite) the cipher list should remain RC4-MD5.
As a workaround, you can attempt to connect with a cipher list of
DES-CBC-SHA:RC4-MD5 and so on. For some reason, each new
connection uses the RC4-MD5 cipher list, but any re-connection attempts
to use the DES-CBC-SHA cipher list. Thus Netscape, when
reconnecting, always uses the first cipher in the cipher list.
◆ [NO SESSION RESUMPTION ON RENEGOTIATION]
When performing renegotiation as an SSL server, this option always
starts a new session (that is, session resumption requests are only
accepted in the initial handshake). The system ignores this option for
server-side SSL.
◆ [NO SSLv2]

Appendix A
◆ [NO SSLv3]
◆ [NO TLSv1]
Do not use the TLSv1 protocol.
◆ [PASSIVE CLOSE]
Specifies how to handle passive closes.
• none
Choose this option if you want to disable all workarounds. We do not
recommend this option.
• default
Specifies the value, all bugfixes enabled, which enables a set of
industry-related miscellaneous workarounds related to SSL
processing.
◆ [PKCS1 CHECK 1]
◆ [PKCS1 CHECK 2]
◆ [SINGLE DH USE]
This option creates a new key when using temporary/ephemeral DH
parameters. This option must be used to prevent small subgroup attacks,
when the DH parameters were not generated using strong primes (for
example. when using DSA-parameters). If strong primes were used, it is
not strictly necessary to generate a new DH key during each handshake,
but it is recommended. You should enable the Single DH Use option
whenever temporary or ephemeral DH parameters are used.
◆ [SSLEAY 080 CLIENT DH BUG]
SSLeay-based applications that specify an incorrect Diffie-Hellman
public value length. This option is ignored for server-side SSL.
◆ [SSLREF2 REUSE CERT TYPE BUG]
This option handles the SSL reuse certificate type problem.
◆ [TLS BLOCK PADDING BUG]
TLSv1-enabled applications that use incorrect block padding.
◆ [TLS D5 BUG]
This option is a workaround for communicating with older
TLSv1-enabled applications that specify an incorrect encrypted RSA key
length. This option is ignored for server-side SSL.
A - 172
◆ [TLS ROLLBACK BUG]

This option disables version rollback attack detection. During the client
key exchange, the client must send the same information about
acceptable SSL/TLS protocol levels as it sends during the first hello.
Some clients violate this rule by adapting to the server's answer. For
example, the client sends an SSLv2 hello and accepts up to SSLv3.1
(TLSv1), but the server only processes up to SSLv3. In this case, the
client must still use the same SSLv3.1 (TLSv1) announcement. Some
clients step down to SSLv3 with respect to the server's answer and
violate the version rollback protection. The system ignores this option for
server-side SSL.
See also
profile(1), profile clientssl(1), bigpipe(1)

Appendix A
profile stats
Creates, modifies, displays, or deletes a statistics profile.
Syntax
Use this command to create, modify, display, or delete a Statistics profile.
Create/Modify
Important
Guide.
profile stats <profile stats key list> {}

profile stats (<profile stats key list> | all) [{] <profile stats arg list> [}]
<profile stats key> ::=
<name>
<profile stats arg> ::=
defaults from (<profile stats key> | none)
field<i> (<name> | none | default) (i=1-32)
profile stats [<profile stats key list> | all] stats reset
Display
profile stats [<profile stats key list> | all] [show [all]]
profile stats [<profile stats key list> | all] list [all]
profile stats [<profile stats key list> | all] name [show]
profile stats [<profile stats key list> | all] defaults from [show]
profile stats [<profile stats key list> | all] field<i> [show]
Delete
profile stats [<profile stats key list> | all] delete
Description
Use the stats profile to create a custom statistics profile.
A - 174
Examples
Lists all available custom statistics fields:
profile stats all list
Options
• defaults from
profile inherits all settings and values from the parent profile.
• field
Specifies the field identifier. This is a number from 1 to 32.
• partition
See also
profile(1), bigpipe(1)

Appendix A
profile stream
Configures a Stream profile.
Syntax
Use this command to create, modify, display, or delete a Stream profile.
Create/Modify
Important
Guide.
profile stream <profile stream key list> {}

profile stream (<profile stream key list | all) [{] <profile stream arg list> [}]
<profile stream key> ::=
<name>
<profile stream arg> ::=
defaults from (<profile stream key> | none)
target (<string> | none | default)
source (<string> | none | default)
profile stream [<profile stream key list> | all] stats reset
Display
profile stream [<profile stream key list> | all] [show [all]]
profile stream [<profile stream key list> | all] list [all]
profile stream [<profile stream key list> | all] defaults from [show]
profile stream [<profile stream key list> | all] name [show]
profile stream [<profile stream key list> | all] partition [show]
profile stream [<profile stream key list> | all] target [show]
profile stream [<profile stream key list> | all] stats [show]
profile stream [<profile stream key list> | all] source [show]
Delete
profile stream (<profile stream key list> | all) delete
A - 176
Description
The stream profile helps you to manage Real-Time Streaming Protocol
(RTSP) connections. The RTSP protocol opens a control channel over TCP
for the purpose of setting up and controlling a streaming session. The RTSP
protocol also opens up data channels, usually over UDP, to transmit the
streaming data.
Examples
Creates a custom stream profile named mystreamprofile that inherits its
settings from the system default stream profile:
profile stream mystreamprofile { }
Options
You can use these options with the profile stream command:
• defaults from
• partition
• target
Specifies the string you want to rewrite. You can also specify default if
you want to use the default system profile value.
• source
Specifies the string that is used to rewrite the target string. You can also
specify default if you want to use the default stream profile value.
See also

Appendix A
profile tcp
Configures a TCP profile.
Syntax
Use this command to create, modify, display, or delete a TCP profile.
Create/Modify
Important
Guide.
profile tcp <profile tcp key list> {}

profile tcp (<profile tcp key list | all) [{] <profile tcp arg list> [}]
<profile tcp key> ::=
<name>
<profile tcp arg> ::=
defaults from (<profile tcp key> | none)
abc (enable | disable | default)
ack on push (enable | disable | default)
bandwidth delay (enable | disable | default)
close wait (<number> | immediate | indefinite | default)
cmetrics cache (enable | disable | default)
congestion control (reno | newreno | scalable | highspeed | none | default)
deferred accept (enable | disable | default)
delayed acks (enable | disable | default)
dsack (enable | disable | default)
ecn (enable | disable | default)
fin wait (<number> | immediate | indefinite | default)
idle timeout (<number> | indefinite | default)
ip tos (<number> | default)
keep alive interval (<number> | default)
limited transmit (enable | disable | default)
link qos (<number> | default)
max retrans (<number> | default)
max retrans syn (<number> | default)
md5 sign (enable | disable | default)
md5 sign passphrase (<string> | none | default)
A - 178
nagle (enable | disable | default)

proxy buffer high (<number> | default)
proxy buffer low (<number> | default)
proxy mss (enable | disable | default)
proxy options (enable | disable | default)
recv window (<number> | default)
rfc1323 (enable | disable | default)
selective acks (enable | disable | default)
send buffer (<number> | default)
slow start (enable | disable | default)
time wait (<number> | immediate | indefinite | default)
time wait recycle (enable | disable | default)
profile tcp [<profile tcp key list> | all] stats reset
Display
profile tcp [<profile tcp key list> | all] [show all]]
profile tcp [<profile tcp key list> | all] name [show]
profile tcp [<profile tcp key list> | all] defaults from [show]
profile tcp [<profile tcp key list> | all] abc [show]
profile tcp [<profile tcp key list> | all] ack on push [show]
profile tcp [<profile tcp key list> | all] bandwidth delay [show]
profile tcp [<profile tcp key list> | all] close wait [show]
profile tcp [<profile tcp key list> | all] cmetrics cache [show]
profile tcp [<profile tcp key list> | all] congestion control [show]
profile tcp [<profile tcp key list> | all] deferred accept [show]
profile tcp [<profile tcp key list> | all] delayed acks [show]
profile tcp [<profile tcp key list> | all] dsack [show]
profile tcp [<profile tcp key list> | all] ecn [show]
profile tcp [<profile tcp key list> | all] fin wait [show]
profile tcp [<profile tcp key list> | all] idle timeout [show]
profile tcp [<profile tcp key list> | all] ip tos [show]
profile tcp [<profile tcp key list> | all] keep alive interval [show]
profile tcp [<profile tcp key list> | all] limited transmit [show]
profile tcp [<profile tcp key list> | all] link qos [show]
profile tcp [<profile tcp key list> | all] max retrans [show]
profile tcp [<profile tcp key list> | all] max retrans syn [show]
profile tcp [<profile tcp key list> | all] md5 sign [show]
profile tcp [<profile tcp key list> | all] md5 sign passphrase [show]
profile tcp [<profile tcp key list> | all] nagle [show]
profile tcp [<profile tcp key list> | all] partition [show]
profile tcp [<profile tcp key list> | all] proxy buffer high [show]
profile tcp [<profile tcp key list> | all] proxy buffer low [show]
profile tcp [<profile tcp key list> | all] proxy mss [show]

Appendix A
profile tcp [<profile tcp key list> | all] proxy options [show]
profile tcp [<profile tcp key list> | all] recv window [show]
profile tcp [<profile tcp key list> | all] reset on timeout [show]
profile tcp [<profile tcp key list> | all] rfc1323 [show]
profile tcp [<profile tcp key list> | all] selective acks [show]
profile tcp [<profile tcp key list> | all] send buffer [show]
profile tcp [<profile tcp key list> | all] slow start [show]
profile tcp [<profile tcp key list> | all] stats [show]
profile tcp [<profile tcp key list> | all] time wait [show]
profile tcp [<profile tcp key list> | all] time wait recycle [show]
Delete
profile tcp (<profile tcp key list> | all) delete
Description
The TCP profile is a configuration tool for managing TCP network traffic.
Many of the TCP profile settings are standard SYSCTL types of settings,
while others are unique to the traffic management system. For most of the
TCP profile settings, the default values usually meet your needs. The
specific settings that you might want to change are: Reset on Timeout, Idle
Timeout, IP ToS, and Link QoS.
The BIG-IP system installation includes these TCP-type profiles: tcp,
tcp-lan-optimized, and tcp-wan-optimized. You can modify the settings of
these profiles, or create new TCP-type profiles using any of these existing
profiles as parent profiles.
Examples
Creates a custom TCP profile named mystcpprofile that inherits its settings
from the system default tcp profile:
profile tcp mytcpprofile { }
Options
You can use these options with the profile tcp command:
◆ abc
When enabled, increases the congestion window by basing the increase
amount on the number of previously unacknowledged bytes that each
ACK covers. The default is enable.
◆ ack on push
When enabled, significantly improves performance to Windows and
MacOS peers who are writing out on a very small send buffer. The
default is disable.
A - 180
◆ bandwidth delay
When enabled, the system attempts to calculate the optimal bandwidth to
use to contact the client, based on throughput and round-trip time,
without exceeding the available bandwidth. The default is enable.
◆ close wait
Specifies the number of seconds that a connection remains in a
LAST-ACK state before quitting. A value of 0 represents a term of
forever (or until the matrix of the FIN state). The default is 5 seconds.
You can also specify immediate, indefinite, or default.
◆ cmetrics cache
When enabled, specifies that the system uses a cache for storing
congestion metrics. The default is enable.
◆ congestion control
Specifies the algorithm to use to share network resources among
competing users to reduce congestion. The default is New Reno.
The options are:
• High Speed: Specifies that the system uses a more aggressive,
loss-based algorithm.
• New Reno: Specifies that the system uses a modification to the Reno
algorithm that responds to partial acknowledgements when SACKs
are unavailable.
• None: Specifies that the system does not use a
network-congestion-control mechanism, even when congestion
occurs.
• Reno: Specifies that the system uses an implementation of the TCP
Fast Recovery algorithm, which is based on the implementation in the
BSD Reno release.
• Scalable: Specifies that the system uses a TCP algorithm
modification that adds a scalable, delay-based and loss-based
component into the Reno algorithm.
◆ defaults from
◆ deferred accept
When enabled, the system defers allocation of the connection chain
context until the client response is received. This setting is useful for
dealing with 3-way handshake DOS attacks. The default is disable.
◆ delayed acks
When enabled, the traffic management system allows coalescing of
multiple ACK responses. The default is enable.
◆ dsack
When enabled, specifies the use of the Selective ACKs (SACK) option to
acknowledge duplicate segments. The default is disable.

Appendix A
◆ ecn
When enabled, the system uses the TCP flags CWR and ECE to notify
its peer of congestion and congestion counter-measures. The default is
disable.
◆ fin wait
Specifies the number of seconds that a connection is in the FIN-WAIT or
closing state before quitting. The default is 5 seconds. A value of 0
represents a term of forever (or until the matrix of the FIN state). You
can also specify immediate, indefinite, or default.
◆ idle timeout
connection is eligible for deletion. You can also specify indefinite or
default. The default is 300 seconds.
◆ ip tos
Specifies the Type of Service level that the traffic management system
assigns to TCP packets when sending them to clients.
◆ keep alive interval
Specifies the keep alive probe interval, in seconds. The default is 1800
seconds.
◆ limited transmit
When enabled, the system uses limited transmit recovery revisions for
fast retransmits (as specified in RFC 3042) to reduce the recovery time
for connections on a lossy network. The default is enable.
◆ link qos
Specifies the Quality of Service level that the system assigns to TCP
packets when sending them to clients.
◆ max retrans
Specifies the maximum number of retransmissions of data segments that
the system allows.
◆ max retrans syn
Specifies the maximum number of retransmissions of SYN segments that
the system allows.
◆ md5 sign
Specifies, when enabled, that the system uses RFC2385 TCP-MD5
signatures to protect TCP traffic against intermediate tampering. The
default is disable.
◆ md5 sign passphrase
Specifies, when enabled, a plaintext passphrase which may be between 1
and 80 characters in length, and is used in a shared-secret scheme to
implement the spoof-prevention parts of RFC2385.
◆ nagle
Specifies, when enabled, that the system applies Nagle's algorithm to
reduce the number of short segments on the network. The default setting
is enable. Note that for interactive protocols such as Telnet, rlogin, or
SSH, we recommend disabling this setting on high-latency networks, to
improve application responsiveness.
A - 182
◆ proxy buffer high

Specifies the highest level at which the receive window is closed. The
default is 16384.
◆ proxy buffer low
Specifies the lowest level at which the receive window is closed. The
default is 4096.
◆ proxy mss
When enabled, the system advertises the same mss to the server as was
negotiated with the client. The default is enable.
◆ proxy options
When enabled, the system advertises an option, such as a time-stamp to
the server only if it was negotiated with the client. The default is enable.
◆ recv window
Specifies the size of the receive window, in bytes. The default value is
4096 bytes.
Specifies whether to reset connections on timeout.
◆ rfc1323
When enabled, the system uses the timestamp and window-scaling
extensions for TCP (as specified in RFC 1323) to enhance high-speed
network performance. The default is enable.
◆ selective acks
When enabled, the system negotiates RFC2018-compliant Selective
Acknowledgements with peers. The default is enable.
◆ send buffer
Specifies the size of the buffer, in bytes. The default is 8192 bytes.
◆ slow start
When enabled, the system uses larger initial window sizes (as specified
in RFC 3390) to help reduce round trip times. The default is enable.
◆ time wait
Specifies the number of seconds that a connection is in the TIME-WAIT
state before closing. You can also specify immediate, indefinite, or
default. The default is 2 seconds.
◆ time wait recycle
Specifies whether the system recycles the connection when a SYN
packet is received in a TIME-WAIT state. The default is enable.
See also

Appendix A
profile udp
Configures a UDP profile.
Syntax
Use this command to create, modify, display, or delete a UDP profile.
Create/Modify
Important
Guide.
profile udp <profile udp key list> {}

profile udp (<profile udp key list> | all) [{] <profile udp arg list> [}]
<profile udp key> ::=
<name>
<UDP profile arg> ::=
defaults from (<profile udp key> | none)
ip tos (<number> | default)
link qos (<number> | default)
datagram lb (enable | disable | default)
allow payload (enable | disable | default)
profile udp [<profile udp key list> | all] stats reset
Display
profile udp [<profile udp key list> | all] [show [all]]
profile udp [<profile udp key list> | all] list [all]
profile udp [<profile udp key list> | all] defaults from [show]
profile udp [<profile udp key list> | all] allow payload [show]
profile udp [<profile udp key list> | all] datagram lb [show]
profile udp [<profile udp key list> | all] idle timeout [show]
profile udp [<profile udp key list> | all] ip tos [show]
profile udp [<profile udp key list> | all] link qos [show]
profile udp [<profile udp key list> | all] name [show]
profile udp [<profile udp key list> | all] partition [show]
profile udp [<profile udp key list> | all] stats [show]
A - 184
Delete
profile udp (<profile udp key list> | all) delete
Description
The UDP profile is a configuration tool for managing UDP network traffic.
Examples
Creates a custom UDP profile named myudpprofile that inherits its settings
from the system default udp profile:
profile udp myudpprofile { }
Options
You can use these options with the profile udp command:
• defaults from
• idle timeout
connection is eligible for deletion. You can also specify immediate,
indefinite, or default. The default is 60 seconds.
• ip tos
Specifies the Type of Service level that the traffic management system
assigns to UDP packets when sending them to clients.
• link qos
Specifies the Quality of Service level that the system assigns to UDP
packets when sending them to clients.
• datagram lb
Provides the ability to load balance UDP datagram by datagram. The
default is disable.
• allow payload
Provides the ability to allow the passage of datagrams that contain header
information, but no essential data. The default is disable.
See also

Appendix A
pva
Displays or resets Packet Velocity® ASIC statistics for the BIG-IP system.
Syntax
Use this command to display or reset Packet Velocity® ASIC statistics.
Display
<pva key> ::=
(<number>.<number> | none)
pva [<pva key list> | all] [show all]]
Modify
pva [<pva key list> | all] stats reset
Description
Display or reset Packet Velocity® ASIC statistics for the BIG-IP system
See also
bigpipe(1)
A - 186
radius server
Creates, modifies, displays, or deletes a RADIUS server object for RADIUS
authentication.
Syntax
Use this command to create, modify, display, or delete a RADIUS server.
Create/Modify
Important
Guide.
radius server <radius server key list> {}

radius server (<radius server key list> | all) [{] <radius server arg list> [}]
<radius server key> ::=
<name>
<radius server arg> ::=
server (<string> | none)
secret (<string> | none)
Display
radius server [<radius server key list> | all] [show [all]]
radius server [<radius server key list> | all] list [all]
radius server [<radius server key list> | all] name [show]
radius server [<radius server key list> | all] server [show]
radius server [<radius server key list> | all] service [show]
radius server [<radius server key listt> | all] secret [show]
radius server [<radius server key list> | all] timeout [show]
radius server [<radius server key list> | all] partition [show]
Delete
radius server (<radius server key list> | all) delete

Appendix A
Description
Creates, modifies, or deletes the RADIUS server object. Note that you must
also create an auth radius profile to use a RADIUS server object.
Examples
Lists the configuration for all RADIUS server objects on the system:
radius server all list
Creates a RADIUS server object named myserver2 with the secret of

mysecret, an IP address of 12.12.10.4 on port 80, and a timeout of 65
seconds:
radius server myserver2 secret \mysecret\ server \12.12.10.4\
service 80 timeout 65>
Options
You can use these options with the radius server command:
• partition
Displays the partition in which the radius server resides.
• secret
Sets the secret key used to encrypt and decrypt packets sent or received
from the server. This setting is required.
• server
The host name or IP address of the RADIUS server. This setting is
required.
• service
Specifies the port for RADIUS authentication traffic. The default is port
1812.
• timeout
Specifies the timeout value in seconds. The default is 3 seconds. You can
also specify immediate or indefinite.
See also
auth_radius(1), bigpipe(1)
A - 188
rate class
Configures rate classes.
Syntax
Use this command to create, modify, display, or delete a rate class.
Create/Modify
rate class <rate class key list> {}
rate class (<rate class key list> | all) [{] <rate class arg list> [}]
<rate class key> ::=
<name>
<rate class arg> ::=
rate <number>[bps | K[bps] | M[bps] | G[bps]]
ceiling <float>[bps | K[bps] | M[bps] | G[bps]]
burst <float>[K | M | G]
parent (<rate class key> | none)
type (sfq | pfifo)
direction (to client | to server | any)
rate class [<rate class key list> | all] stats reset
Display
rate class [<rate class key list> | all] [show [all]]
rate class [<rate class key list> | all] list [all]
rate class [<rate class key list> | all] rate [show]
rate class [<rate class key list> | all] burst [show]
rate class [<rate class key list> | all] ceiling [show]
rate class [<rate class key list> | all] cname [show]
rate class [<rate class key list> | all] direction [show]
rate class [<rate class key list> | all] parent [show]
rate class [<rate class key list> | all] stats [show]
rate class [<rate class key list> | all] type [show]
Delete
rate class (<rate class key list> | all) delete
Description
A rate class is a rate-shaping policy that you want to assign to a type of
traffic, such as Layer 3 traffic that specifies a certain source, destination, or
service. More specifically, a rate class defines the number of bits per second

Appendix A
that the system allows per connection and the number of packets in a queue.
You configure rate shaping by creating a rate class and then assigning the
rate class to a packet filter, a virtual server, or from within an iRule.
Examples
Creates the rate class myRTclass with a rate of 500 Mbps:
rate class myRTclass { rate 500M }
Deletes the rate class myRTclass:

rate class myRTclass delete
Options
You can use these options with the rate class command:
• burst
Specifies the maximum number of bytes that traffic is allowed to burst
beyond the base rate. You can configure the rate in kilobits per second
(Kbps), megabits per second (Mbps), or gigabits per second (Gbps).
• ceiling
Similar to the base rate, specifies how far beyond the base rate traffic is
allowed to flow when bursting. This number sets an absolute limit. No
traffic can exceed this rate. You can configure the rate in bits per second
(bps), kilobits per second (Kbps), megabits per second (Mbps), or
gigabits per second (Gbps).
• direction
Specifies the direction of traffic to which the rate class is applied.
Possible values are to client, to server, or any.
• parent
Specifies the rate class used to create a custom rate class. A custom rate
class borrows bandwidth from a parent class. Note that borrowing
bandwidth affects the base rate, ceiling rate, and queue discipline.
• rate
Specifies the maximum throughput rate allowed for traffic handled by
the rate class. Packets that exceed the specified number are dropped. This
setting is required. You can configure the rate in bits per second (bps),
kilobits per second (Kbps), megabits per second (Mbps), or gigabits per
second (Gbps).
• type
The two options for type are sfq or pfifo. Stochastic Fair Queueing
(SFQ) is a queueing method that queues traffic under a set of many lists,
choosing the specific list based on a hash of the connection information.
This results in traffic from the same connection always being queued in
the same list. SFQ then dequeues traffic from the set of the lists in a
round-robin fashion. The overall effect is that fairness of dequeueing is
achieved because one connection cannot control the queue at the
exclusion of another. If the rate class has a parent class, the default
queueing discipline is that of the parent class. If the rate class has no
parent class, then the default value is sfq.
A - 190
The Priority FIFO (PFIFO) queueing method queues all traffic under a
set of five lists based on the Type of Service (ToS) field of the traffic.
Four of the lists correspond to the four possible ToS values (Minimum
delay, Maximum throughput, Maximum reliability, and Minimum
cost). The fifth list represents traffic with no ToS value. The Priority
FIFO method processes these five lists in a way that preserves the
meaning of the ToS field as much as possible. For example, a packet
with the ToS field set to Minimum cost might yield dequeuing to a
packet with the ToS field set to Minimum delay.
See also
packet filter(1), rule(1), virtual(1), bigpipe(1)

Appendix A
route
Configures routes for traffic management.
Syntax
Use this command to create, display, or delete a traffic route.
Create
route <route key list> {}
route (<route key list> | all) [{] <route arg list> [}]
<route key> ::=
(<ip addr> [mask <ip mask> | (prefixlen / ) <number>] | default [inet | inet6]
(dynamic | static)
<route arg> ::=
gateway (<ip addr> | none)
mtu <number>
pool (<pool key> | none)
(reject)
Display
route [<route key list> | all] [show [all]]
route [<route key list> | all] list [all]
route [<route key list> | all] dest [all]
route [<route key list> | all] gateway [show]
route [<route key list> | all] mtu [show]
route [<route key list> | all] pool [show]
route [<route key list> | all] source [show]
route [<route key list> | all] type [show]
route [<route key list> | all] vlan [show]
Delete
route (<route key list> | all | inet | inet6) delete
Description
Configure static routes for the system, including default routes. When
configuring a static route, you can specify a gateway (that is, the next- or
last-hop router) to be an IP address, a VLAN name, or the name of a pool of
routers.
A - 192
Examples
Sets the route 12.12.3.0/24 on the VLAN named internal:
route 12.12.3.0/24 vlan internal
Options
You can use the following options with the route command.
Note
The options gateway, vlan, pool, and reject are mutually exclusive. You can
use only one of these options at a time, and at least one of these options is
required when using the route command.
• default
Sets the default routing type to IPv4 (inet) or IPv6 (inet6).
• gateway
Specifies a gateway address for the system.
• ip addr
Creates an IP address/netmask route. You can also specify the route
using CIDR notation, such as 12.12.3.0/24.
• mtu
Sets a specific maximum transition unit (MTU).
• pool
Specifies a routing pool. A routing pool contains several routes.
• reject
Rejects packets coming from the specified route.
• vlan
Specifies the VLAN name for the route.
See also
mgmt(1), bigpipe(1), mgmt route(1), pool(1), vlan(1), vlangroup(1)

Appendix A
rule
Creates, modifies, deletes, and displays iRules for traffic management
system configuration.
Syntax
Use this command to create, modify, display, or delete an iRule.
Create/Modify
Important
Guide.
rule <rule key list> {}

rule (<rule key list> | all) [{] <rule arg list> [}]
<rule key> ::=
<name>
<rule arg> ::=
<iRule>
Display
rule [<rule key list> | all] [show [all]]
rule [<rule key list> | all] list [all]
rule [<rule key list> | all] definition [show]
rule [<rule key list> | all] name [show]
rule [<rule key list> | all] partition [show]
Delete
rule (<rule key list> | all) delete
Description
iRules can direct traffic not only to specific pools, but also to individual pool
members, including port numbers and URI paths, either to implement
persistence or to meet specific load balancing requirements. The syntax that
you use to write iRules is based on the Tools Command Language (Tcl)
A - 194
programming standard. Thus, you can use many of the standard Tcl
commands, plus a robust set of extensions that the LTM system provides to
help you further increase load balancing efficiency.
For information about standard Tcl syntax, see
http://tmml.sourceforge.net/doc/tcl/index.html. For a list of Tcl
commands that have been disabled within the traffic management system
and therefore cannot be used in the traffic management system, see the
Configuration Guide for BIG-IP® Local Traffic Management. This guide
is available at http://tech.f5.com.
Examples
In this example, the iRule my_Rule includes the event declaration
CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr.
In this case, the IP address that the iRule command returns is that of the
client, because the default context of the event declaration
CLIENT_ACCEPTED is clientside:
rule my_Rule '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] ==
10.1.1.80] { pool myPool }}}'
This example shows the iRule my_Rule2, which includes the event
declaration SERVER_CONNECTED, as well as the iRule command
IP::remote_addr. In this case, the IP address that the iRule command
returns is that of the server, because the default context of the event
declaration SERVER_CONNECTED is serverside:
rule my_Rule2 '{ when SERVER_CONNECTED { if { [IP::remote_addr]
== 10.1.1.80 } { pool my_pool2 }}}'
In this example, the iRule my_Rule3 includes the event declaration

CLIENT_ACCEPTED, as well as the iRule command IP::remote_addr.
In this case, the IP address 10.1.1.80 is directed to the pool named
blackhole, while traffic originating from other addresses is directed to the
pool normalService. Instead of one IP address, you could also specify a
class that contains IP addresses that you want to send to the blackhole pool:
rule my_Rule3 '{ when CLIENT_ACCEPTED { if [[IP::remote_addr] ==
10.1.1.80] { pool blackhole } else { pool normalService }}}'
See also
persist(1), pool(1), profile(1), rate class(1), snat(1), bigpipe(1)

Appendix A
save
Writes the current configuration to a file.
Syntax
Use this command to write the current configuration of the BIG-IP system
to a file.
Modify
save
save all
Description
Use this command to save the current configuration of the BIG-IP system.
Options
You can use these options with the save command:
◆ save
Specifies that the BIG-IP system creates a backup of the following files:
• bigip.conf
• bigip_local.conf
◆ save all
Specifies that the BIG-IP system creates a backup of the following files:
• bigip.conf
• bigip_local.conf
• bigip_base.conf
A - 196
self
Configures a self IP address for a VLAN.
Syntax
Use this command to create, modify, display, and delete a self IP address.
Create/Modify
self <self key list> {}
self (<self key list> | all) [{] <self arg list> [}]
<self key> ::=
(<ip addr> | none)
<self arg> ::=
netmask (<ip mask> | none)
unit <number>
floating (enable | disable)
allow (default | all | none | <protocol/service list>) [add | delete]
<protocol/service> ::=
(proto <protocol list> | (tcp | udp) <service list>)
Display
self [<self key list> | all] list [all]
self [<self key list> | all] [show [all]]
self [<self key list> | all] addr [show]
self [<self key list> | all] allow [show]
self [<self key list> | all] floating [show]
self [<self key list> | all] netmask [show]
self [<self key list> | all] unit [show]
self [<self key list> | all] vlan [show]
Delete
self (<self key list> | all) delete
Description
A self IP address is an IP address that is assigned to the system. Self IP
addresses are part of the configuration of the BIG-IP network components.
You must define at least one self IP address for each VLAN.

Appendix A
Examples
Adds the self IP address 10.10.10.24 to the VLAN named internal:
self 10.10.10.24 vlan internal
Enables a floating IP address on the external VLAN. The floating attribute

makes this address float to the active unit in a redundant system
configuration:
self 10.1.1.1 vlan external netmask 255.255.0.0 floating enable
Options
You can use the following options with the self command.
• addr
Specifies the self IP address for a VLAN.
• allow
Specifies the type of protocol/service that the VLAN handles.
• floating
Enables or disables a floating self IP address for the VLAN. A floating
self IP address is an additional self IP address for a VLAN that serves as
a shared address by both units of a BIG-IP redundant system.
• netmask
Specifies a netmask for the self IP address.
• unit
Specifies the unit number in a redundant system.
• vlan
Specifies the VLAN for which you are setting a self IP address. This
setting is required.
See also
vlan(1), vlangroup(1), bigpipe(1)
A - 198
self allow
Configures the default allow list for all self IP addresses on the BIG-IP
system.
Syntax
Use this command to modify or display the default allow list for all self IP
addresses on the BIG-IP system. The default allow list displays which
service and protocol ports allow connections from outside the system.
Connections made to a service or protocol port that is not on the list are
refused.
Modify
self allow {}
self allow [{] <self allow arg list> [}]
<self allow arg> ::=
default (<protocol/service list> | default | all | none) [add | delete]
<protocol/service> ::=
proto <protocol> | (tcp | udp) <service>
Display
self allow list [all]
self allow [show [all]]
self allow default [show]
Description
Use this command to modify or display the default allow list for all self IP
addresses on the BIG-IP system.
Examples
Sets the default allow list for all self IP addresses on the system to the
system default:
self allow default tcp 22 53 161 443 4353 udp 53 161 520 1026 4353 proto 89
Sets the default allow list for all self IP addresses on the system to TCP:
self allow default tcp 55
Displays the default allow list for all self IP addresses on the system:
self allow default
Options
You can use the following options with the self allow command:

Appendix A
• default
Indicates to reset the default allow list to the system default allow list.
• all
Specifies all protocols and services. Use this option to open the system to
complete access.
See also
vlan(1), vlangroup(1), bigpipe(1)
A - 200
shell
Displays information about, and customizes the bigpipe shell.
Modify
shell {}
shell [{] <shell arg list> [}]
<shell arg> ::=
prompt <string>
read partition <name>
write partition <name>
partition <name>
Display
shell [show [all]]
shell list [all]
shell prompt [show]
shell read partition [show]
shell write partition [show]
shell partition [show]
Description
When typed at the BIG-IP system prompt, the bigpipe shell command starts
the bigpipe utility in its shell mode and presents a prompt at which you can
type bigpipe commands. You can also use the bigpipe shell command from
the BIG-IP system prompt to configure the shell.
Once the bigpipe utility is started in its shell mode, you can use the shell
command to configure the shell.
Examples
Customizes the bigpipe shell prompt to display as F5>:
shell prompt F5>
Displays the bigpipe shell prompt, and the Read and Write partitions:
shell list
have Write access to the partition named Application1:
shell write partition Application1
have Read and Write access to the partition named Application2:
shell partition Application2

Appendix A
Options
You can use these options with the shell command:
• prompt
Specifies a string to use for the bigpipe shell prompt. The default prompt
is bp>.
• read partition
Changes the partition to which you have Read access to the partition you
• write partition
Changes the partition to which you have Write access to the partition you
• partition
Changes the partition to which you have Read and Write access to the
partition you specify. This option is only available to users with access to
all partitions.
See also
partition(1), bigpipe(1)
A - 202
snat
Configures secure network address translation (SNAT).
Syntax
Use this command to create, modify, display, or delete a SNAT.
Create/Modify
snat <snat key list> {}
snat (<snat key list> | all) [{] <snat arg list> [}]
<snat key> ::=
<name>
<snat arg> ::=
mirror (enable | disable)
(none | automap)
origins (<ip addr list> | none) [add | delete]
translation <snat translation key>
snatpool (<snatpool key> | none)
<orig IP> ::= <IP addr> [mask <ip mask>]
snat [<snat key list> | all] stats reset
Display
snat [<snat key list> | all] [show [all]]
snat [<snat key list> | all] list [all]
snat [<snat key list> | all] mirror [show]
snat [<snat key list> | all] name [show]
snat [<snat key list> | all] origins [show]
snat [<snat key list> | all] snatpool [show]
snat [<snat key list> | all] stats [show]
snat [<snat key list> | all] translation [show]
snat [<snat key list> | all] type [show]
snat [<snat key list> | all] vlans [show]
Delete
snat (<snat key list> | all) delete

Appendix A
Description
The snat command creates, deletes, sets properties on, and displays
information about SNATs. A SNAT defines the relationship between an
externally visible IP address, SNAT IP, or translated address, and a group of
internal IP addresses, or originating addresses, of individual servers at your
site.
Examples
Creates the SNAT mysnat that translates the address of connections that
originate from the address 10.1.1.3 to the translation address 11.1.1.3:
snat mysnat { origin 10.1.1.3 translation 11.1.1.3 }
Options
You can use these options with the snat command:
• automap
Turns on SNAT automapping. This setting can only be used when
snatpool and translation are not used.
• mirror
Enables or disables mirroring of SNAT connections.
• origin
Specifies an originating IP address. Note that originating addresses are
behind the unit. This setting is required.
• snatpool
Specifies the name of a SNAT pool. This setting can only be used when
automap and translation are not used.
• translation
Specifies a translated IP address. Note that translated addresses are
outside the traffic management system. This setting can only be used
when automap and snatpool are not used.
• type
Displays the type of SNAT. The types are automap, snatpool, and
translation.
• vlan
Specifies the name of the VLAN to which you want to assign the SNAT.
The default is vlans all enable.
See also
nat(1), snat translation(1), snatpool(1), virtual(1), bigpipe(1)
A - 204
snat translation
Configures an explicit SNAT translation address.
Syntax
Use this command to create, modify, display, or delete an explicit SNAT
translation address.
Create/Modify
snat translation <snat translation key list> {}
snat translation (<snat translation key list> | all) [{] <snat translation arg list> [}]
<snat translation key> ::=
(<ip addr> | none)
<snat translation arg> ::=
(enable | disable)
unit <number>
limit <number>
tcp timeout (<number> | indefinite)
udp timeout (<number> | indefinite)
ip timeout (<number> | immediate | indefinite)
snat translation [<snat translation key list> | all] stats reset
Display
snat translation [<snat translation key list> | all] [show [all]]
snat translation [<snat translation key list> | all] list [all]
snat translation [<snat translation key list> | all] addr [show]
snat translation [<snat translation key list> | all] arp [show]
snat translation [<snat translation key list> | all] enabled [show]
snat translation [<snat translation key list> | all] ip timeout [show]
snat translation [<snat translation key list> | all] limit [show]
snat translation [<snat translation key list> | all] stats[show]
snat translation [<snat translation key list> | all] tcp timeout [show]
snat translation [<snat translation key list> | all] udp timeout [show]
snat translation [<snat translation key list> | all] unit [show]
Delete
snat translation (<snat translation key list> | all) delete
Description
Explicitly defines the properties of a SNAT translation address.

Appendix A
Examples
Disables Address Resolution Protocol (ARP) on all SNAT translation
addresses:
snat translation all arp disable
Options
You can use these options with the snat translation command:
• arp
Indicates whether or not the system responds to ARP requests or sends
gratuitous ARPs. The default is enable.
• ip timeout
Specifies the number of seconds that IP connections initiated using a
SNAT address are allowed to remain idle before being automatically
disconnected. Possible values are immediate, indefinite, or a number
that you specify.
• limit
Specifies the number of connections a translation address must reach
before it no longer initiates a connection. The default value of 0 indicates
that the setting is disabled.
• tcp timeout
Specifies the number of seconds that TCP connections initiated using a
that you specify. The default setting is indefinite.
• udp timeout
Specifies the number of seconds that UDP connections initiated using a
that you specify. The default setting is indefinite.
• unit
Specifies the unit number in a redundant system.
See also
nat(1), snat(1), snatpool(1), virtual(1), bigpipe(1)
A - 206
snatpool
Configures a SNAT pool.
Syntax
Use this command to create, modify, display, or delete a SNAT pool.
Create/Modify
snatpool <snatpool key list> {}
snatpool (<snatpool key list> | all) [{] <snatpool arg list> [}]
<snatpool key> ::=
<name>
<snatpool arg> ::=
members (<snatpool translation key list> | none) [add | delete]
<snat translation key> ::=
(<ip addr> | none)
snatpool [<snatpool key list> | all] stats reset
Display
snatpool [<snatpool key list> | all] [show [all]]
snatpool [<snatpool key list> | all] list [all]
snatpool [<snatpool key list> | all] members [show]
snatpool [<snatpool key list> | all] name [show]
snatpool [<snatpool key list> | all] stats [show]
Delete
snatpool (<snatpool key list> | all) delete
Description
A SNAT pool is a pool of translation addresses that you can map to one or
more original IP addresses. Translation addresses in a SNAT pool are not
self-IP addresses. You can simply create a SNAT pool and then assign it as
a resource directly to a virtual server. This eliminates the need for you to
explicitly define original IP addresses to which to map translation addresses.
Examples
Creates the SNAT pool mysnatpool1 that contains the translation addresses
(members) 11.12.11.24 and 11.12.11.25:
snatpool mysnatpool1 { member 11.12.11.24 11.12.11.25 }
Delete the SNAT pool named mysnatpool1:

snatpool mysnatpool1 delete

Appendix A
See also
nat(1), snat(1), snat translation(1), bigpipe(1)
A - 208
ssl
Displays or resets Secure Sockets Layer (SSL) statistics for the BIG-IP
system.
Syntax
Use this command to display or reset SSL statistics for the system.
Display
ssl [show [all]]
Modify
ssl stats reset
Description
Displays or resets SSL statistics for the system.
Examples
Displays all SSL statistics for the system:
ssl show all
See also
bigpipe(1)

Appendix A
stop
Discontinues command continuation
Syntax
Use this command to discontinue command continuation.
Usage
stop
Description
If you type any command using an unbalanced opening brace, the bigpipe
shell stores the command entered up to that point. The shell stores any
subsequent commands in a similar way until you type a command that
closes all open braces, or you type the stop command.
Example
Suppose you type the auth radius command, with an opening brace, but no
closing brace:
bp> auth radius rad-1 {
The shell does nothing. At this point, you can continue to type more options
for the auth radius command:
debug enable
retries 4
The shell continues to gather the syntax for the command. When finished
typing, you can either type a command containing a closing brace (}), in
which case the shell runs the full command sequence that you typed, or you
can type:
stop
The shell presents an empty prompt:

bp>
A - 210
stp
Configure spanning tree protocols on the system.
Syntax
Use this command to modify or display an RSTP, MSTP, or STP
configuration.
Modify
stp {}
stp [{] <stp arg list> [}]
<stp arg> ::=
config name (<string> | none)
config revision <number>
forward delay <number>
hello <number>
max age <number>
max hops <number>
mode (stp | rstp | mstp | disable | passthru)
transmit hold <number>
Display
stp [show [all]]
stp list [all]
stp config name [show]
stp config revision [show]
stp forward delay [show]
stp hello [show]
stp max age [show]
stp max hops [show]
stp mode [show]
stp transmit hold [show]
Description
Provides the ability to configure spanning tree protocols for the traffic
management system. Spanning tree protocols are Layer 2 protocols for
preventing bridging loops. The system supports multiple spanning tree
protocol (MSTP), rapid spanning tree protocol (RSTP), and spanning tree
protocol (STP).

Appendix A
Examples
Sets the STP mode to passthru. Passthru mode forwards spanning tree
bridge protocol data units (BPDUs) received on any interface to all other
interfaces:
stp mode passthru
Sets the STP mode to disable. No STP, RSTP, or MSTP packets are
transmitted or received on the interface or trunk, and the spanning tree
algorithm exerts no control over forwarding or learning on the port or the
trunk:
stp mode disable
Options
You can use these options with the stp command:
◆ config name
Specifies the configuration name (1 - 32 characters in length) only when
the spanning tree mode is MSTP. The default configuration name is a
string representation of a globally-unique MAC address belonging to the
traffic management system.
The MSTP standard introduces the concept of spanning tree regions,
which are groups of adjacent bridges with identical configuration names,
configuration revision levels, and assignments of VLANs to spanning
tree instances.
◆ config revision
Specifies the revision level of the MSTP configuration only when the
spanning tree mode is MSTP. The specified number must be in the range
0 to 65535. The default is 0.
◆ forward delay
In the original Spanning Tree Protocol, the forward delay parameter
controlled the number of seconds for which an interface was blocked
from forwarding network traffic after a reconfiguration of the spanning
tree topology. This parameter has no effect when RSTP or MSTP are
used, as long as all bridges in the spanning tree use the RSTP or MSTP
protocol. If any legacy STP bridges are present, then neighboring bridges
must fall back to the old protocol, whose reconfiguration time is affected
by the forward delay value. The default forward delay value is 15, and
the valid range is 4 to 30.
◆ hello
Specifies the time interval in seconds between the periodic transmissions
that communicate spanning tree information to the adjacent bridges in
the network. The default is 2 seconds, and the valid range is 1 to 10. The
default hello time is optimal in virtually all cases. Changing the hello
time is not recommended.
A - 212
◆ max age
Specifies the number of seconds for which spanning tree information
received from other bridges is considered valid. The default is 20
seconds, and the valid range is 6 to 40 seconds.
◆ max hops
Specifies the maximum number of hops an MSTP packet may travel
before it is discarded. Use this option only when the spanning tree mode
is MSTP. The number of hops must be in the range of 1 to 255 hops. The
default number of hops is 20.
◆ mode
Specifies one of three spanning tree modes:
• stp
STP mode is supported for legacy systems. If STP is detected in the
network, the traffic management system changes to STP mode even
when the mode option is set to rstp or mstp.
• rstp
The default mode is RSTP, or rapid spanning tree protocol. RSTP
converges to a fully-connected state quickly.
• mstp
MSTP mode supports multiple spanning tree instances. The spanning
tree instances operate independently of one another. Each instance
asserts control over one or more VLANs, called the members of the
spanning tree instance. STP and RSTP do not support multiple
spanning tree instances. They support only a single instance (instance
0), which contains all VLANs.
• disabled
Disabled mode discards spanning tree bridge protocol data units
(BPDUs) received on any interface.
• passthru
Passthru mode forwards spanning tree bridge protocol data units
(BPDUs) received on any interface to all other interfaces. Essentially,
passthru mode makes the traffic management system transparent to
spanning tree BPDUs.
◆ transmit hold
Specifies the absolute limit on the number of spanning tree protocol
packets the traffic management system may transmit on a port in any
hello time interval. It is used to ensure that spanning tree packets do not
unduly load the network even in unstable situations. The default is 6
packets, and the valid range is 1 to 10 packets.
See also
interface(1), stp instance(1), bigpipe(1)

Appendix A
stp instance
Configures an STP configuration instance.
Syntax
Use this command to create, modify, display, or delete an STP configuration
instance.
Create/Modify
stp instance <stp instance key list> {}
stp instance (<stp instance key list> | all) [{] <stp instance arg list> [}]
<stp instance key> ::=
<number>
<stp instance arg> ::=
vlans (<vlan key list> | none) [add | delete]
priority <number>
interfaces (<stp interface list> | none) [add | delete]
trunks (<stp interface list> | none) [add | delete]
<stp interface key> ::=
<interface>
<trunk>
<stp interface arg> ::=
external path cost <number>
internal path cost <number>
priority <number>
stp instance (<stp instance key list> | all) stats reset
Display
stp instance [<stp instance key list> | all] [show [all]]
stp instance [<stp instance key list> | all] list [all]
stp instance [<stp instance key list> | all] interfaces [show]
stp instance [<stp instance key list> | all] priority [show]
stp instance [<stp instance key list> | all] stats [show]
stp instance [<stp instance key list> | all] trunk [show]
stp instance [<stp instance key list> | all] vlans [show]
Delete
stp instance (<stp instance key list> | all) delete
Description
Creates, modifies, and displays an STP configuration instance.
A - 214
Examples
Displays all STP instances on the system:
stp instance show
Lists the configuration information for all STP instances:

stp instance list
All members are removed from the instance, and then the instance itself is
deleted. Spanning tree instance 0 (the Common and Internal Spanning Tree)
cannot be deleted. This command may be used only in MSTP mode:
stp instance 2 delete
Options
You can use these options with the stp instance command:
◆ vlan
Specifies a list of VLAN names.
◆ priority
Specifies the priority number. Each bridge in a spanning tree instance has
a priority value. The relative values of the bridge priorities control the
topology of the spanning tree chosen by the protocol. The bridge with the
lowest priority value (numerically) becomes the root of the spanning tree.
Priority values vary from 0 to 61440 in increments of 4096.
◆ interface path cost
Specifies the interface internal or external path cost number. Each
network interface has an associated path cost within each spanning tree
instance. The path cost represents the relative cost of sending network
traffic through that interface. In calculating the spanning tree, the
algorithm tries to minimize the total path cost between each point of the
tree and the root bridge. By manipulating the path costs of different
interfaces it is possible to steer traffic toward paths that are faster, more
reliable, and/or more economical. Path costs can take values in the range
1 to 200,000,000. The default path cost for an interface is based on the
interface's maximum speed, not its actual speed.
In MSTP mode there are two kinds of path cost: external and internal.
The external path cost applies only to spanning tree instance 0, the
Common and Internal Spanning Tree (CIST). It is used to calculate the
cost to reach an adjacent spanning tree region. Independently, internal
path costs can be set for each spanning tree instance (including instance
0) in MSTP mode. The internal path costs are used to calculate the costs
of reaching adjacent bridges within the same spanning tree region.

Appendix A
◆ interface priority
Specifies the interface priority number. Each network interface has an
associated priority within each spanning tree instance. The relative
values of the interface priorities influence which interfaces are chosen to
carry network traffic. All other things being equal, interfaces with
numerically lower priority values are favored to carry traffic. Interface
priorities take values in the range 0 to 240 in increments of 16. The
default interface priority is 128, the middle of the valid range.
◆ trunk path cost
Specifies the trunk internal or external path cost number.
In MSTP mode there are two kinds of path cost: external and internal.
The external path cost applies only to spanning tree instance 0, the
Common and Internal Spanning Tree (CIST). It is used to calculate the
cost to reach an adjacent spanning tree region. Independently, internal
path costs can be set for each spanning tree instance (including instance
0) in MSTP mode. The internal path costs are used to calculate the costs
of reaching adjacent bridges within the same spanning tree region.
◆ trunk priority
Specifies the trunk priority number. Each network trunk has an
associated priority within each spanning tree instance. The relative
values of the trunk priorities influence which trunks are chosen to carry
network traffic. All other things being equal, trunks with numerically
lower priority values are favored to carry traffic. Trunk priorities take
values in the range 0 to 240 in increments of 16. The default trunk
priority is 128, the middle of the valid range.
See also
interface(1), stp(1), bigpipe(1)
A - 216
stream
Displays or resets global stream statistics for the BIG-IP system.
Syntax
Use this command to display or reset global stream statistics for the system.
Modify
stream stats reset
Display
stream [show [all]]
Description
Displays or resets stream statistics for the system.
Examples
Displays the global stream statistics for the system:
stream show
Resets all global stream statistics on the system:

stream stats reset
See also
bigpipe(1)

Appendix A
sys-icheck
Identifies unintended modifications to BIG-IP system files.
Syntax
Use this command at the BIG-IP system prompt to identify any unintended
modifications to BIG-IP system files. Note that a hot fix (patch) is an
intended modification that will not be identified by the sys-icheck
command.
Usage
sys-icheck [options]
Options
Use these options with the sys-icheck command.
• -h
Use this option to show help for the sys-reset command.
• -w
Use this option to report Warn issues, as well as the default, Error
issues.
• -i
Use this option to report Info and Warn issues, as well as the default,
Error issues.
Description
The sys-icheck command identifies any unintended modifications to BIG-IP
system files and returns Error issues. Use the options to report Warn or
Info issues, as well.
Examples
Runs the sys-icheck utility, and returns Info, Error, and Warn issues:
sys-reset -i
See also
sys-reset(8)
A - 218
sys-reset
Returns the configuration of the system to the factory default (installation
time) state.
Syntax
Use this command at the BIG-IP system prompt to return the configuration
of the system to the factory default (installation time) state.
Usage
sys-reset [options]
Options
Use these options with the sys-reset command.
• -h
Use this option to show help for the sys-reset command.
• -p
Use this option to ignore all applied hot fixes.
• -u
Use this option to ignore unrecoverable file errors.
Description
The sys-reset command runs the sys-icheck utility, and if there are no
system integrity issues, returns the system to the factory default state. Note
that if you have applied hot fixes (patches) to your system, you must specify
an override option for sys-reset to run.
Examples
Runs the sys-reset command to restore the system to the factory default
state ignoring any hot fixes that have been applied to the system:
sys-reset -p
See also
sys-icheck(8)

Appendix A
tcp
Displays or resets TCP statistics for the BIG-IP system.
Syntax
Use this command to display or reset TCP statistics for the BIG-IP system.
Modify
tcp stats reset
Display
tcp [show [all]]
Description
Display or reset TCP statistics for the system.
Examples
Resets TCP statistics for the system:
tcp stats reset
See also
bigpipe(1)
A - 220
tmm
Displays or resets statistics about the TMM service.
Syntax
Use this command to display or reset statistics about the TMM service.
Modify
tmm [<tmm key list> | all] stats reset
<tmm key> ::= (<number>.<number> | none)
Display
tmm [<tmm key list> | all] [show [all]]
Description
You use this command to view or reset statistics about the Traffic
Management Microkernel (TMM) service. The purpose of this service is to
direct all application traffic passing through the BIG-IP system.
See also
bigpipe(1)

Appendix A
trunk
Configures a trunk, with link aggregation.
Syntax
Use this command to create, modify, display, or delete a trunk.
Create/Modify
trunk <trunk key list> {}
trunk (<trunk key list> | all) [{] <trunk arg list> [}]
<trunk key> ::=
<name>
<trunk arg> ::=
interfaces (<interface key list> | none) [add | delete]
lacp (enable | disable)
lacp mode (active | passive)
lacp timeout (short | long)
distribution (src dest mac | dest mac | src dest ip | src dest port | index)
policy (auto | max bw)
stp (enable | disable)
stp reset (enable | disable)
trunk [<trunk key list> | all] stats reset
Display
trunk [<trunk key list> | all] [show [all]]
trunk [<trunk key list> | all] list [all]
trunk [<trunk key list> | all] distribution [show]
trunk [<trunk key list> | all] interfaces [show]
trunk [<trunk key list> | all] lacp [show]
trunk [<trunk key list> | all] lacp mode [show]
trunk [<trunk key list> | all] lacp timeout [show]
trunk [<trunk key list> | all] name [show]
trunk [<trunk key list> | all] policy [show]
trunk [<trunk key list> | all] stats [show]
trunk [<trunk key list> | all] stp [show]
trunk [<trunk key list> | all] stp reset [show]
Delete
trunk (<trunk key list> | all) delete
A - 222
Description
Link aggregation allows multiple physical links to be treated as one logical
link. It is also referred as trunking. The main objective of link aggregation
is to provide increased bandwidth at a lower cost, without having to upgrade
hardware. The bandwidth of the aggregated trunk is the sum of the capacity
of individual member links. Thus it provides an option for linearly
incremental bandwidth as opposed to bandwidth options available through
physical layer technology. The traffic management system supports link
aggregation control protocol (LACP).
When a trunk is created, LACP is disabled by default. In this mode, no
control packets are exchanged and the member links carry traffic as long as
the physical layer is operational. In the event of physical link failure, an
LACP member is removed from the aggregation.
It should be noted that both endpoints of the trunk should have identical
LACP configuration in order to work properly. A mixed configuration
where one endpoint is LACP enabled and other LACP disabled is not valid.
Examples
Creates a trunk named mytrunk that includes the interfaces 1.1, 1.2, and
1.3:
trunk mytrunk { interface 1.1 1.2 1.3 }
Enable LACP on the trunk named mytrunk:

trunk mytrunk lacp enable
Enable active LACP mode on the trunk mytrunk:

trunk mytrunk lacp mode active
Options
You can use these options with the trunk command:
◆ distribution
Specifies the method of frame distribution. The options are src dest mac,
dest mac, or src dest ip. When frames are transmitted on a trunk, they
are distributed across the working member links. The distribution
function ensures that the frames belonging to a particular conversation
are neither mis-ordered nor duplicated at the receiving end. Distribution
is done by calculating a hash value based on source and destination
addresses carried in the frame, and associating the hash value with a link.
All frames with a particular hash value are transmitted on the same link,
thereby maintaining frame order.
◆ interfaces
Specifies a list of interface names separated by spaces.
◆ lacp
Indicates whether to enable or disable Link Aggregation Control Protocol
(LACP).

Appendix A
◆ lacp mode
Sets the LACP mode to active or passive.
• In active mode, LACP packets are transmitted periodically, regardless
of peer systems control value.
• In passive mode, LACP packets are not transmitted periodically,
unless peer system's control value is active.
◆ lacp timeout
Sets the LACP timeout to short or long. The default value is long.
• When you use the short timeout value, LACP packets are exchanged
every second.
• When you use the long timeout value, LACP packets are exchanged
every 30 seconds.
◆ policy
Sets the LACP policy to auto or max bw (maximum bandwidth). Link
aggregation is allowed only when all the interfaces are operating at the
same media speed and connected to the same partner aggregation system.
When there is a mismatch among configured members due to
configuration errors or topology changes (auto-negotiation), link
selection policy determines which links become working members and
form the aggregation.
• With auto link selection, the lowest numbered operational link is
chosen as the reference link. All the members that have the same
media speed and are connected to the same partner as that of the
reference link are declared as working members, and they are
aggregated. The other configured members do not carry traffic.
• With max bw link selection, a subset of links that gives maximum
aggregate bandwidth to the trunk is added to the aggregation.
◆ stp
Enables or disables spanning tree protocols (STP).
◆ stp reset
Enables or disables STP reset.
See also
interface(1), vlan(1), vlangroup(1), bigpipe(1)
A - 224
udp
Displays or resets all UDP statistics for the system.
Syntax
Use this command to display or reset all UDP statistics for the system.
Modify
udp stats reset
Display
udp [show [all]]
Description
Displays or resets all UDP statistics for the system.
Examples
Displays the UDP statistics for the system:
udp stats show
See also
bigpipe(1)

Appendix A
unit
Displays the unit ID for the unit, or peer unit, in a redundant system.
Syntax
Use this command to display the unit ID of a unit in a redundant system.
Display
unit [peer] [show]
Description
Displays the unit ID for the unit, or peer unit, in a redundant system.
Examples
Displays the unit number of the peer unit in the redundant system:
unit peer show
Displays the unit number of the unit in the redundant system:

unit show
See also
ha table(1), bigpipe(1)
A - 226
user
Configures user accounts for managing the BIG-IP system.
Syntax
Use this command to create, display, modify, or delete user accounts on the
BIG-IP system.
Create/Modify
Important
Guide.
user <user key list> {}

user (<user key list> | all) [{] <user arg list> [}]
<user key> ::=
<name>
<user arg> ::=
<name>
password (<old password> <new password>)
description <string>
shell <file name>
role (administrator | manager | app editor | operator | guest | policy editor | none)
in <partition key>
Note
Only users with the administrator role can save user accounts. Therefore, if
you have a role other than administrator, and you are creating or modifying
user accounts, when you are done with your work, you must contact an
administrator to save the accounts to the bigip.conf file.
Display
user [<user key list> | all] [show [all]]
user [<user key list> | all] list [all]
user [<user key list> | all] role [show]
user [<user key list> | all] name [show]
user [<user key list> | all] password [show]
user [<user key list> | all] description [show]

Appendix A
user [<user key list> | all] home [show]

user [<user key list> | all] shell [show]
user [<user key list> | all] partition [show]
Delete
user (<user key list> | all) delete
Description
The user command allows you to create, display, modify, or delete user
accounts.
Examples
Creates a new user in the pm_users partition:
shell write partition pm_users user nwinters password none none role guest in all
Changes the password for the nwinters account from none to h411pass:
user nwinters password none h411pass
Displays all the user accounts and the role and partition to which each
account is assigned:
user show
Options
You can use these options with the user command:
• user <name>
Specifies the name of the user account you are configuring.
• role <user role> in <partition key>
Specifies the user role you want to assign to the user account and the
partition that the user account can access. The available user roles are
administrator, manager, app editor, operator, guest, policy editor,
and none. You can indicate that you do not want to assign a role to the
user account by using the option none.
• password <old password> <new password>
Changes the password for a user account, by specifying the old and the
new password.
• description <string>
Describes the user account.
• home <string>
Displays the home directory for the user account. The home directory is
based on the user name.
• shell (<file name> | none)
Specifies the shell for the user account.
• partition
Displays the name of the partition within which the user account resides.
A - 228
See also
partition(1), shell(1), bigpipe(1)

Appendix A
version
Displays software version information for the system.
Syntax
Use this command to display the software version information for the
system.
Display
version [show [all]]
version list [all]
Description
Displays detailed licensing and version information for the system,
including kernel version, BIG-IP software version, installed hot fixes, and a
list of licensed features.
Examples
Displays detailed licensing and version information for the system:
version
See also
bigpipe(1)
A - 230
virtual
Configures a virtual server.
Syntax
Use this command to create, modify, display, or delete a virtual server.
Create/Modify
Important
Guide.
virtual <virtual key list> {}

virtual (<virtual key list> | all) [{] <virtual arg list> [}]
<virtual key> ::=
<name>
<virtual arg> ::=
(enable | disable)
auth (<profile auth key list> | none) [add | delete]
clone pools (<clone pool name/type list> | none) [add | delete]
cmp (enable | disable)
cmp processor (<number>.<number> | none)
destination <node>
fallback persist (<profile persist key> | none)
(ip forward | l2 forward | reject)
ip protocol (<protocol> | any | * | none)
httpclass (<profile httpclass key list> | none) [add | delete]
lasthop pool (<pool key> | none)
limit <number>
mirror (enable | disable)
persist (<profile persist key list> | none) [add | delete]
pool (<pool key> | none)
profiles (<virtual server profile list> | none) [add | delete]
rate class (<rate class key> | none)
rules (<rule key list> | none) [add | delete]
snat (automap | none)
snatpool (<snatpool key> | none)

Appendix A
translate address (enable | disable)

translate service (enable | disable)
<virtual server profile> ::=
<virtual server profile key list> {[} virtual server profle arg list> {]}
<virtual server profile key> ::=
<profile http key>
<virtual server profile arg> ::=
(clientside | serverside)
virtual [<virtual key list> | all] stats reset
Display
virtual [<virtual key list> | all] [show [all]]
virtual [<virtual key list> | all] list [all]
virtual [<virtual key list> | all] auth [show]
virtual [<virtual key list> | all] clone pools [show
virtual [<virtual key list> | all] cmp [show]
virtual [<virtual key list> | all] cmp processor [show]
virtual [<virtual key list> | all] cmp mode [show]
virtual [<virtual key list> | all] destination [show]
virtual [<virtual key list> | all] enabled [show]
virtual [<virtual key list> | all] fallback persist [show]
virtual [<virtual key list> | all] httpclass [show]
virtual [<virtual key list> | all] ip protocol [show]
virtual [<virtual key list> | all] limit [show]
virtual [<virtual key list> | all] lasthop pool [show]
virtual [<virtual key list> | all] mask [show]
virtual [<virtual key list> | all] mirror [show]
virtual [<virtual key list> | all] name [show]
virtual [<virtual key list> | all] partition [show]
virtual [<virtual key list> | all] persist [show]
virtual [<virtual key list> | all] pool [show]
virtual [<virtual key list> | all] profiles [show]
virtual [<virtual key list> | all] rate class [show]
virtual [<virtual key list> | all] rules [show]
virtual [<virtual key list> | all] snat [show]
virtual [<virtual key list> | all] snatpool [show]
virtual [<virtual key list> | all] stats [show]
virtual [<virtual key list> | all] translate address [show]
virtual [<virtual key list> | all] translate service [show]
virtual [<virtual key list> | all] type [show]
virtual [<virtual key list> | all] vlans [show]
A - 232
Delete
virtual (<virtual key list> | all) delete
Description
The virtual command creates, deletes, modifies properties on, and displays
information about virtual servers. Virtual servers are externally visible IP
addresses that receive client requests, and instead of sending the requests
directly to the destination IP address specified in the packet header, sends
the requests to any of several content servers that make up a load balancing
pool. Virtual servers also apply various behavioral settings to multiple
traffic types, enable persistence for multiple traffic types, and direct traffic
according to user-written iRules. For more information see, the
Examples
Create a virtual server named myV20, which uses the source address
persistence method:
virtual myV20 { destination 11.11.11.12:* persist source addr pool myPool }
Replaces the profile associated with the virtual server vs_fast14_http4.

Note that to replace the profile associated with a virtual server, you must
enclose the name of the new profile in braces:
virtual vs_fastl4_http4 {profile udp}
Delete the virtual servers named myV4, myV5, myV6, myV7, myV8,
myV9, and myV10:
virtual myV4 myV5 myV6 myV7 myV8 myV9 myV10 delete
Options
You can use these options with the virtual command:
• auth
Specifies a list of authentication profile names separated by spaces that
the virtual server uses to manage authentication.
• clone pools
Specifies clone pools that the virtual server uses to replicate either
client-side traffic (that is, prior to address translation) or server-side
traffic (that is, after address translation) to a member of the specified
clone pool. This feature is used for intrusion detection.
• cmp
Enables or disables clustered multi-processor (CMP) acceleration. This
feature applies to certain platforms only. The default is enable.
• cmp mode
Displays the CMP mode for a virtual server.

Appendix A
• cmp processor
Specifies the processor for CMP acceleration. This feature applies to
certain platforms only.
• destination
Specifies the IP address and service on which the virtual server listens for
connections.
• (enable | disable)
Specifies the state of the virtual server. The default is enable. Note that
when you disable a virtual server, the virtual server no longer accepts
new connection requests. However, it allows current connections to
finish processing before going to a down state.
• fallback persist
Specifies a fallback persistence profile for the virtual server to use when
the default persistence profile is not available.
• httpclass
Specifies a list of httpclass profiles, separated by spaces, with which the
virtual server works to increase the speed at which the virtual server
processes HTTP requests.
• (ip forward | l2 forward | reject)
Specifies whether to enable IP forwarding or layer 2 (L2) forwarding, or
to reject forwarding for the virtual server. IP forwarding allows the
virtual server to simply forward packets directly to the destination IP
address specified in the client request. Layer 2 forwarding is the means
by which frames are exchanged directly between hosts, with no IP
routing required.
• ip protocol
Specifies the IP protocol for which you want the virtual server to direct
traffic. Sample protocol names are TCP and UDP. Note that you do not
use this setting when creating an httpclass virtual server.
• lasthop pool
Specifies the name of the last hop pool that you want the virtual server to
use to direct reply traffic to the last hop router.
• limit
Specifies the maximum number of concurrent connections you want to
allow for the virtual server.
• mask
Specifies the netmask for a network virtual server only. This setting is
required for a network virtual server. The netmask clarifies whether the
host bit is an actual zero or a wildcard representation.
• mirror
Enables or disables mirroring. You can use mirroring to maintain the
same state information in the standby unit that is in the active unit,
allowing transactions such as FTP file transfers to continue as though
uninterrupted. The default is enable.
• name
Specifies a unique name for the virtual server. This setting is required.
A - 234
• partition
Displays the name of the partition within which the virtual server resides.
• persist
Specifies a list of profiles separated by spaces that the virtual server uses
to manage connection persistence.
• pool
Specifies a default pool to which you want the virtual server to
automatically direct traffic.
• profiles
Specifies a list of profiles for the virtual server to use to direct and
manage traffic.
• rate class
Specifies the name of an existing rate class you that you the virtual server
to use to enforce a throughput policy for incoming network traffic.
• rules
Specifies a list of iRules separated by spaces that customizes the virtual
server to direct and manage traffic.
• snat
Indicates to enable SNAT automap for the virtual server.
• snatpool
Specifies the name of an existing SNAT pool that you want the virtual
server to use to implement selective and intelligent SNATs.
• translate address
Enables or disables address translation for the virtual server. Turn
address translation off for a virtual server if you want to use the virtual
server to load balance connections to any address. This option is useful
when the system is load balancing devices that have the same IP address.
• translate service
Enables or disables port translation. Turn port translation off for a virtual
server if you want to use the virtual server to load balance connections to
any service.
• vlan (enable | disable)
Specifies a list of names of external VLANs from which you want the
virtual server to accept traffic. Indicates whether or not the VLAN is
enabled or disabled. The default is vlans all enable.
See also
pool(1), profile auth(1), profile persist(1), rule(1), vlan(1), vlangroup(1),
bigpipe(1)

Appendix A
virtual address
Configures virtual addresses.
Syntax
Use this command to enable, disable, display, or delete a virtual address.
Modify
virtual address <virtual address key list> {}
virtual address (<virtual address key list> | all) [{] <virtual address arg list> [}]
<virtual address key> ::=
(<ip addr> | none)
<virtual address arg> ::=
(enable | disable)
floating (enable | disable)
limit <number>
route advertisement (enable | disable)
server (all | any | none)
unit <number>
virtual address [<virtual address key list> | all] stats reset
Display
virtual address [<virtual address key list> | all] [show [all]]
virtual address [<virtual address key list> | all] list [all]
virtual address [<virtual address key list> | all] address [show]
virtual address [<virtual address key list> | all] arp [show]
virtual address [<virtual address key list> | all] floating [show]
virtual address [<virtual address key list> | all] enabled [show]
virtual address [<virtual address key list> | all] limit [show]
virtual address [<virtual address key list> | all] mask [show]
virtual address [<virtual address key list> | all] partition [show]
virtual address [<virtual address key list> | all] route advertisement [show]
virtual address [<virtual address key list> | all] server [show]
virtual address [<virtual address key list> | all] stats [show]
virtual address [<virtual address key list> | all] unit [show]
Delete
virtual address (<virtual address key list> | all) delete
A - 236
Description
Provides the ability to enable, disable, display and delete virtual addresses.
You can also list the virtual address configuration.
Examples
Disables the virtual address 10.10.10.20:
virtual address 10.10.10.20 disable
Deletes the virtual address 10.10.10.20:

virtual address 10.10.10.20 delete
Lists the configuration information for the virtual server 10.10.10.25:

virtual address 10.10.10.25 list
Options
You can use these options with the virtual address command:
• arp
Enables or disables ARP for the specified virtual address. The default is
enable.
• (enable | disable)
Enables or disables the specified virtual address. The default is enable.
• floating
Enables or disables floating self IP addresses for the specified virtual
address. The default is enable. A floating self IP address is an additional
self IP address for a VLAN that serves as a shared address by both units
of a BIG-IP redundant system.
• limit
Sets a concurrent connection limit in seconds for one or more virtual
servers. The default is 0 seconds.
• mask
Sets the netmask or one or more network virtual servers only. This
setting is required for network virtual servers.
• partition
Displays the partition within which the virtual address resides.
• route advertisement
Enables or disables route advertisement for the specified virtual address.
• server
Specifies the server that uses the specified virtual address. The options
are none, any, or all.
• unit
Specifies the unit number of a redundant pair that uses the specified
virtual address. The default is 0.

Appendix A
See also
virtual(1), bigpipe(1)
A - 238
vlan
Configures a virtual local area network (VLAN).
Syntax
Use this command to create, modify, display, or delete a VLAN.
Create/Modify
vlan <vlan key list> {}
vlan (<vlan key list> | all) [{] <vlan arg list> [}]
<vlan key> ::=
<name>
<vlan arg> ::=
tag <number>
interfaces (<interface list> | none) [add | delete]
interfaces [tagged] (<interface list> | none) [add | delete]
trunks (<trunk list> | none) [add | delete]
trunks [tagged] (<trunk list> | none) [add | delete]
failsafe (enable | disable)
failsafe (restart | failover | failover restart | go active | no action | reboot |
restart all | failover abort tm)
mac masq (<mac addr> | none)
fdb (<l2 forward list> | none) [add | delete]
learning (enable | disable forward | disable drop)
mtu <number>
source check (enable | disable)
<l2 forward> ::=
<l2 forward key list> [{] <l2 forward arg list> [}]
<l2 forward key> ::=
<mac addr>
(dynamic | static)
<l2 forward arg> ::=
(dynamic | static)
interface <interface>
trunk <trunk>
Display
vlan [<vlan key list> | all] [show [all]]
vlan [<vlan key list> | all] list [all]
vlan [<vlan key list> | all] failsafe [show]
vlan [<vlan key list> | all] fdb [show]
vlan [<vlan key list> | all] interfaces [show]

Appendix A
vlan [<vlan key list> | all] interfaces tagged [show]

vlan [<vlan key list> | all] learning [show]
vlan [<vlan key list> | all] mac masq [show]
vlan [<vlan key list> | all] mtu [show]
vlan [<vlan key list> | all] name [show]
vlan [<vlan key list> | all] source check [show]
vlan [<vlan key list> | all] tag [show]
vlan [<vlan key list> | all] timeout [show]
vlan [<vlan key list> | all] trunks [show]
vlan [<vlan key list> | all] trunks tagged [show]
Delete
vlan (<vlan key list> | all) delete
Description
This command creates, displays and modifies settings for VLANs. VLANs
are part of the configuration of the BIG-IP network components. VLANs
can be based on either ports or tags.
When creating a VLAN, a tag value for the VLAN is automatically chosen
unless you specify a tag value on the command line. VLANs can have both
tagged and untagged interfaces. You can add an interface to a single VLAN
as an untagged interface. You can also add an interface to multiple VLANs
as a tagged interface.
Examples
Create the VLAN myvlan that includes the interfaces 1.2, 1.3, and 1.4:
vlan myvlan interface 1.2 1.3 1.4
Delete the VLAN named myvlan:

vlan myvlan delete>
Options
You can use these options with the vlan command:
◆ failsafe
Enables a failsafe mechanism that causes the active unit to fail over to a
redundant unit when loss of traffic is detected on a VLAN, and traffic is
not restored during the fail-over timeout period for that VLAN. The
default action set with VLAN fail-safe is restart all. When the failsafe
mechanism is triggered, all the daemons are restarted and the unit fails
over. The default is disable.
A - 240
◆ fdb
Specifies the forwarding database. You can edit the Layer 2 forwarding
table to enter static MAC address assignments. The forwarding database
has an entry for each node in the VLAN and associates the MAC address
of that node with the traffic management system.
◆ interfaces
Specifies a list of interfaces that you want to assign to the VLAN.
◆ interfaces tagged
Specifies a list of tagged interfaces. A tagged interface is an interface that
you assign to a VLAN in a way that causes the system to add a VLAN
tag into the header of any frame passing through that interface. Use
tagged interfaces when you want to assign a single interface to multiple
VLANs.
◆ learning
Specifies whether switch ports placed in the VLAN are configured for
switch learning, forwarding only, or dropped. Possible values are:
enable, disable forward, or disable drop. The default is enable.
◆ mac masq
Configures a shared MAC masquerade address. You can share the media
access control (MAC) masquerade address between units in a redundant
system. This has the following advantages:
• Increased reliability and failover speed, especially in lossy networks
• Interoperability with switches that are slow to respond to the network
changes
• Interoperability with switches that are configured to ignore network
changes
◆ mtu
Sets a specific maximum transition unit (MTU) for the VLAN. The
default is 1500.
◆ source check
Specifies that only connections that have a return route in the routing
table are accepted. The default is disable.
◆ tag
Specifies a number that the system adds into the header of any frame
passing through the VLAN.
◆ timeout
Specifies the number of seconds that an active unit can run without
detecting network traffic on this VLAN before it initiates a fail-over. The
default is 90 seconds.
◆ trunks
Specifies a list of trunks. A trunk is a combination of two or more
interfaces and cables configured as one link.

Appendix A
◆ trunks tagged
Specifies a list of tagged trunks. A tagged trunk is a trunk that you assign
to a VLAN in a way that causes the system to add a VLAN tag into the
header of any frame passing through the trunk. Use tagged trunks when
you want to assign a single trunk to multiple VLANs.
See also
interface(1), self(1), vlangroup(1), virtual(1), bigpipe(1)
A - 242
vlangroup
Configures a VLAN group.
Syntax
Use this command to create, modify, display, or delete a VLAN group.
Create/Modify
vlangroup <vlangroup key list> {}
vlangroup (<vlangroup key list> | all) [{] <vlangroup arg list> [}]
<vlangroup key> ::=
<name>
<vlangroup arg> ::=
bridge all (enable | disable)
bridge in standby (enable | disable)
mac masq (<mac addr> | none)
members (<vlan key list> | none) [add | delete]
proxy excludes (<ip list> | none) [add | delete]
tag <number>
transparency (opaque | translucent | transparent)
Display
vlangroup [<vlangroup key list> | all] [show [all]]
vlangroup [<vlangroup key list> | all] list [all]
vlangroup [<vlangroup key list> | all] bridge all [show]
vlangroup [<vlangroup key list> | all] bridge in standby [show]
vlangroup [<vlangroup key list> | all] mac masq [show]
vlangroup [<vlangroup key list> | all] members [show]
vlangroup (<vlangroup key list> | all) proxy excludez [show]
vlangroup [<vlangroup key list> | all] tag [show]
vlangroup [<vlangroup key list> | all] transparency [show]
Delete
vlangroup (<vlangroup key list> | all) delete
Description
The vlangroup command defines a VLAN group, which is a grouping of
two or more VLANs belonging to the same IP network for the purpose of
allowing Layer 2 packet forwarding between those VLANs.

Appendix A
The VLANs between which the packets are to be passed must be on the
same IP network, and they must be grouped using the vlangroup command.
For example:
vlangroup network11 { vlans add internal external }
Examples
Creates a VLAN group named myvlangroup that consists of VLANs
named vlan1 and vlan2:
vlangroup myvlangroup member vlan1 vlan2
Shows the statistics for all elements of the specified VLAN group:
vlangroup myvlangroup show
Deletes the specified VLAN group named myvlangroup:

vlangroup myvlangroup delete
Options
You can use these options with the vlangroup command:
◆ bridge all
When enabled, specifies that the VLAN group forwards all frames,
including non-IP traffic. The default is disable.
◆ bridge in standby
When enabled, specifies that the VLAN group forwards packets, even
when the system is the standby unit in a redundant system. Note that this
setting is designed for deployments in which the VLAN group exists on
only one of the units. If that does not match your configuration, using
this setting may cause adverse effects. The default is enable.
◆ mac masq
Specifies a MAC address to be used with a redundant system. A 6-byte
ethernet address in case-insensitive hexadecimal colon notation, for
example, 00:0b:09:88:00:9a.
◆ members
The names of the VLANs you want to add to the VLAN group.
◆ proxy excludes
Specifies the IP addresses that you want to include in the proxy ARP
exclusion list. If you use VLAN groups, you must configure a proxy
ARP forwarding exclusion list. We recommend that you configure this
feature if you use VLAN groups with a redundant system. The reason is
that both units need to communicate directly with their gateways and the
back-end nodes. Creating a proxy ARP exclusion list prevents traffic
from being proxied through the active unit due to proxy ARP. This traffic
needs to be sent directly to the destination, not proxied.
A - 244
◆ tag
Specifies a number to be the tag for the VLAN. A VLAN tag is an
identification number the system inserts into the header of a frame that
indicates the VLAN to which the destination device belongs. Use VLAN
tags when a single interface forwards traffic for multiple VLANs.
◆ transparency
Specifies the level of exposure of remote MAC addresses within VLAN
groups. Possible values are: opaque, translucent, or transparent. The
default is translucent.
• Use opaque when you have a Cisco router in the network sending
CDP packets to the system. Because opaque VLAN groups require a
source and destination MAC address and CDP packets do not contain
a source and destination MAC address, the CDP packets are not
forwarded through the VLAN group. This mode changes the MAC
address to the MAC address assigned to the VLAN group. A proxy
ARP with Layer 3 forwarding.
• Use transparent when you want to leave the MAC address
unchanged by the traffic management system. Layer 2 forwarding
with the original MAC address of the remote system preserved across
VLANs.
• Use translucent when you want to use the real MAC address of the
requested host with the locally unique bit toggled. Layer 2 forwarding
with locally-unique bit, toggled in ARP response across VLANs.
See also
interface(1), self(1), vlan(1), virtual(1), bigpipe(1)

Appendix A
A - 246
Glossary
Glossary
address resolution protocol

Address Resolution Protocol (ARP) is an industry-standard protocol that
determines a host’s Media Access Control (MAC) address based on its IP
address.
administrative partition
An administrative partition is a logical container that you create, containing
a defined set of BIG-IP system objects, such as virtual servers, pools, and
profiles. See also pool, profile, and virtual server.
allow list
An allow list displays which service and protocol ports allow connections
from outside the system.
ARP
See address resolution protocol.
authentication
Authentication is the process of verifying a user’s identity when the user is
attempting to log on to a system.
authentication profile
An authentication profile is a configuration tool that you use to implement a
PAM authentication module. Types of authentication modules that you can
implement with an authentication profile are: LDAP, RADIUS, TACACS+,
SSL Client Certificate LDAP, and OCSP. See also profile.
bigdb
Every BIG-IP system includes a bigdb database. The bigdb database holds a
set of bigdb configuration keys, which define the behavior of various
aspects of the BIG-IP system.
bigpipe
The BIG-IP system includes a tool known as the bigpipe utility. It consists
of an extensive set of commands that you can use to manage the BIG-IP
system.
bigtop
The bigtop utility is a statistical monitoring utility that ships on the BIG-IP
system. This utility provides real-time statistical information.
BIG-IP® Command Line Interface Guide Glossary - 1

Glossary
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication. certificate
authority (CA) A certificate authority is an external, trusted organization
that issues a signed digital certificate to a requesting computer system for
use as a credential to obtain authentication for SSL network traffic.
certificate authority
A certificate authority is an external, trusted organization that issues a
signed digital certificate to a requesting computer system for use as a
credential to obtain authentication for SSL network traffic. See also
certificate.
certificate revocation list

A certificate revocation list (CRL) is a list that an authenticating system
checks to see if the SSL certificate that the requesting system presents for
authentication has been revoked. See also certificate.
certificate verification
Certificate verification is the part of an SSL handshake that verifies that a
client’s SSL credentials have been signed by a trusted certificate authority.
See also certificate.
class
A class is a list of data that you define and use with iRules operators.
Internal classes are stored in the bigip.conf file. External classes are stored
in external files that you define.
client-side SSL profile

A client-side SSL profile is an SSL profile that controls the behavior of SSL
traffic going from a client system to the BIG-IP system. See also profile.
clone pool
A clone pool replicates all traffic coming into it and sends that traffic to a
duplicate pool. See also pool.
configuration object
A configuration object is a user-created object that the BIG-IP system uses
to implement a PAM authentication module. There is one type of
configuration object for each type of authentication module that you create.
Configuration utility
The Configuration utility is the browser-based application that you use to
configure the BIG-IP system.
Glossary - 2
Glossary
connection persistence
Connection persistence is an optimization technique whereby a network
connection is intentionally kept open for the purpose of reducing
handshaking.
cookie persistence
Cookie persistence is a mode of persistence where the BIG-IP system stores
persistent connection information in a cookie.
CRL
See certificate revocation list.
current partition
When a user logs in, the system determines the default current partition
(usually the Common partition) based on the user’s login account. If the
user’s account grants permission to access more than one partition, the user
can change the current partition, and can also change the default current
partition. See also administrative partition.
custom monitor
A custom monitor is a user-created monitor. See also monitor.
custom profile
A custom profile is a profile that you create. A custom profile can inherit its
default settings from a parent profile that you specify. See also profile.
default-deny policy
A default-deny policy restricts Internet access to everything that is not
explicitly permitted.
failover
Failover is the process whereby a standby unit in a redundant system takes
over when a software failure or a hardware failure is detected on the active
unit. See also redundant system.
floating IP address
An IP address assigned to a VLAN and shared between two computer
systems is known as a floating IP address. See also VLAN.
hash persistence
Hash persistence allows you to create a persistence hash based on an
existing iRule. See also iRule.

Glossary
health monitor
A health monitor checks a node to see if it is up and functioning for a given
service. If the node fails the check, it is marked down. Different monitors
exist for checking different services. See also monitor.
host virtual server

A host virtual server is a virtual server that represents a specific site, such as
an Internet web site or an FTP site, and it load balances traffic targeted to
content servers that are members of a pool. See also virtual server and pool.
HTTP chunking
HTTP chunking refers to the HTTP/ 1.1 feature known as chunked
encoding, which allows HTTP messages to be broken up into several parts.
Chunking is most often used by servers when sending responses.
HTTP redirect
An HTTP redirect sends an HTTP 302 Object Found message to clients.
You can configure a pool with an HTTP redirect to send clients to another
node or virtual server if the members of the pool are marked down. See also
virtual server and pool.
HTTP transformation
When the BIG-IP system performs an HTTP transformation, the system
manipulates the Connection header of a server-side HTTP request, to ensure
that the connection stays open.
ICMP
See internet control message protocol.
interface
A physical port on a BIG-IP system is called an interface.
internet control message protocol

Internet Control Message Protocol (ICMP) is an Internet communications
protocol used to determine information about routes to destination
addresses.
internal VLAN
The internal VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports open. In a normal
configuration, this is a network interface that handles connections from
internal servers. See also VLAN.
iRule
An iRule is a script that you write to direct and manipulate the way that the
BIG-IP system manages application traffic.
Glossary - 4
Glossary
last hop
A last hop is the final hop a connection takes to get to the BIG-IP system.
You can allow the BIG-IP system to determine the last hop automatically to
send packets back to the device from which they originated. You can also
specify the last hop manually by making it a member of a last hop pool. See
also pool.
Layer 1 through Layer 7

Layers 1 through 7 refer to the seven layers of the Open System
Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer,
Layer 3 represents the IP layer, and Layer 4 represents the transport layer
(TCP and UDP). Layer 7 represents the application layer, handling traffic
such as HTTP and SSL.
LDAP
See lightweight directory access protocol.
LDAP authentication module

An LDAP authentication module is a user-created module that you
implement on an BIG-IP system to authenticate client traffic using a remote
LDAP server. See also lightweight directory access protocol.
LDAP client certificate SSL authentication module

An LDAP client certificate SSL authentication module is a user-created
module that you implement on an BIG-IP system to authorize client traffic
using SSL client credentials and a remote LDAP server. See also lightweight
directory access protocol.
lightweight directory access protocol

Lightweight Directory Access Protocol (LDAP) is an Internet protocol that
email programs use to look up contact information from a server.
load balancing method

A load balancing method is a method of determining how to distribute
connections across a load balancing pool. See also pool.
local traffic management

Local traffic management is the process of managing network traffic that
comes into or goes out of a local area network (LAN), including an intranet.
MAC
Media Access Control (MAC) is a protocol that defines the way
workstations gain access to transmission media, and is most widely used in
reference to LANs. For IEEE LANs, the MAC layer is the lower sublayer of
the data link layer protocol.

Glossary
MAC address
A MAC address is used to represent hardware devices on an Ethernet
network. See also MAC.
MCPD
See master control program daemon service.
management interface
The management interface is a special port on the BIG-IP system, used for
managing administrative traffic. Named MGMT, the management interface
does not forward user application traffic, such as traffic slated for load
balancing.
management route
A management route is a route that forwards traffic through the special
management (MGMT) interface. See also management interface.
master control program daemon service

The Master Control Program Daemon (MCPD) service manages the
configuration data on a BIG-IP system.
MGMT
See management interface.
monitor
The BIG-IP system uses monitors to determine whether nodes are up or
down. There are several different types of monitors, and they use various
methods to determine the status of a server or service.
monitor association
A monitor association is an association that a user makes between a health
or performance monitor and a pool, pool member, or node. See also
monitor.
NAT (network address translation)

A Network Address Translation (NAT) is an alias IP address that identifies
a specific node managed by the BIG-IP system to the external network.
network virtual server

A network virtual server is a virtual server whose IP address has no bits set
in the host portion of the IP address (that is, the host portion of its IP address
is 0). There are two kinds of network virtual servers: those that direct client
traffic based on a range of destination IP addresses, and those that direct
client traffic based on specific destination IP addresses that the BIG-IP
system does not recognize. See also virtual server.
Glossary - 6
Glossary
node
A node address is the IP address associated with one or more nodes. This IP
address can be the real IP address of a network server, or it can be an alias IP
address on a network server.
non-terminated SSL session

A non-terminated SSL session is a session in which the system does not
perform the tasks of SSL certificate authentication, encryption and
re-encryption. See also secure sockets layer.
OCSP
See online certificate status protocol.
OCSP responder
An OCSP responder is an external server used for communicating SSL
certificate revocation status to an authentication server such as the BIG-IP
system. See also online certificate status protocol.
OneConnect
The F5 Networks OneConnectTM feature optimizes the use of network
connections by keeping server-side connections open and pooling them for
re-use.
online certificate status protocol

Online Certificate Status Protocol (OCSP) is a protocol that authenticating
systems can use to check on the revocation status of digitally-signed SSL
certificates. The use of OCSP is an alternative to the use of a CRL. See also
certificate revocation list.
packet rate
The packet rate is the number of data packets per second processed by a
server.
partition
See administrative partition.
persistence profile
A persistence profile is a pre-configured object that automatically enables
persistence when you assign the profile to a virtual server. See also profile.
pool
A pool is composed of a group of network devices (called members). The
BIG-IP system load balances requests to the nodes within a pool based on
the load balancing method and persistence method you choose when you
create the pool or edit its properties.

Glossary
pool member
A pool member is a server that is a member of a load balancing pool. See
also pool.
pre-configured monitor
A pre-configured monitor is a monitor that the BIG-IP system provides. See
also monitor.
profile
A profile is a configuration tool containing settings for defining the behavior
of network traffic. The BIG-IP system contains profiles for managing
FastL4, HTTP, TCP, FTP, SSL, and RTSP traffic, as well as for
implementing persistence and application authentication.
profile setting
A profile setting is a configuration attribute within a profile that has a value
associated with it. You can configure a profile setting to customize the way
that the BIG-IP system manages a type of traffic. See also profile.
QoS level
See quality of service level.
quality of service level

The Quality of Service (QoS) level is a means by which network equipment
can identify and treat traffic differently based on an identifier. Essentially,
the QoS level specified in a packet enforces a throughput policy for that
packet. See also type of service level.
rate class
A rate class determines the volume of traffic allowed through a rate filter.
rate shaping
Rate shaping is a type of extended IP filter. Rate shaping uses the same IP
filter method but applies a rate class, which determines the volume of
network traffic allowed.
redundant system
A redundant system is a pair of units that are configured for fail-over. In a
redundant system, there are two units, one running as the active unit and one
running as the standby unit. If the active unit fails, the standby unit takes
over and manages connection request.
self IP address
A self IP address is an IP address that is assigned to the system. Self IP
addresses are part of the base configuration. You must define at least one
self IP address for each VLAN.
Glossary - 8
Glossary
secure sockets layer

Secure Sockets Layer (SSL) is a network communications protocol that uses
public-key technology as a way to transmit data in a secure manner.
SIP persistence
SIP persistence is a type of persistence used for servers that receive Session
Initiation Protocol (SIP) messages sent through UDP. SIP is a protocol that
enables real-time messaging, voice, data, and video.
SNAT (secure network address translation)

A SNAT is a feature you can configure on the BIG-IP system. A SNAT
defines a routable alias IP address that one or more nodes can use as a
source IP address when making connections to hosts on the external
network.
SNAT pool
A SNAT pool is a pool of translation addresses that you can map to one or
more original IP addresses. Translation addresses in a SNAT pool are not
self-IP addresses. See also pool.
spanning tree protocol

Defined by IEEE, Spanning Tree Protocol (STP) is a protocol that provides
loop resolution in configurations where one or more external switches are
connected in parallel with the BIG-IP system.
SSH
SSH is a protocol for secure remote login and other secure network services
over a non-secure network.
SSL
See secure sockets layer.
SSL persistence
SSL persistence is a type of persistence that tracks non-terminated SSL
sessions, using the SSL session ID. See also secure sockets layer.
SSL profile
An SSL profile is a configuration tool that you use to terminate and initiate
SSL connections from clients and servers. See also secure sockets layer and
profile.
STP
See spanning tree protocol.

Glossary
TACACS
Terminal Access Controller Access Control System (TACACS) is an older
authentication protocol common to UNIX systems. TACACS allows a
remote access server to forward a user’s login password to an authentication
server.
TACACS+
TACACS+ is an authentication mechanism designed as a replacement for
the older TACACS protocol. There is little similarity between the two
protocols, however, and they are therefore not compatible. See also
TACACS.
Tcl
See tools command language.
TMM service
See traffic management microkernel service.
tools command language

Tools Command Language (Tcl) is an industry-standard scripting language.
On the BIG-IP system, users use Tcl to write iRulesTM. See also iRules.
ToS level
See type of service level.
traffic management microkernel service

The Traffic Management Microkernel (TMM) service is the process running
on the BIG-IP system that performs most traffic management for the
product.
trunking
Trunking is link aggregation that allows multiple physical links to be treated
as one logical link. The main objective of link aggregation is to provide
increased bandwidth at a lower cost, without having to upgrade hardware.
The bandwidth of the aggregated trunk is the sum of the capacity of
individual member links. Thus it provides an option for linearly incremental
bandwidth as opposed to bandwidth options available through physical layer
technology. The traffic management system supports link aggregation
control protocol (LACP).
trusted CA file
A trusted CA file is a file containing a list of certificate authorities that an
authenticating system can trust when processing client requests for
authentication. A trusted CA file resides on the authenticating system and is
used for authenticating SSL network traffic. See also certificate authority.
Glossary - 10
Glossary
trusted MAC address

A trusted MAC address is a MAC address that passes MAC address-based
authentication. See also MAC address.
type of service level

The Type of Service (ToS) level is another means, in addition to the QoS
level, by which network equipment can identify and treat traffic differently
based on an identifier. See also quality of service level.
user role
A user role is a type and level of access that you assign to a BIG-IP system
user account. By assigning user roles, you can control the extent to which
BIG-IP system administrators can view or modify the BIG-IP system
configuration.
virtual address
A virtual address is an IP address associated with one or more virtual servers
managed by the BIG-IP system.
VLAN (virtual local area network)

A VLAN is a logical grouping of interfaces connected to network devices.
You can use a VLAN to logically group devices that are on different
network segments. Devices within a VLAN use Layer 2 networking to
communicate and define a broadcast domain.
virtual server
A virtual server is a specific combination of virtual address and virtual port,
associated with a content site that is managed by an BIG-IP system or other
type of host server.
VLAN group
A VLAN group is a logical container that includes two or more distinct
VLANs. VLAN groups are intended for load balancing traffic in a Layer 2
network, when you want to minimize the reconfiguration of hosts on that
network. See also VLAN.

Glossary
Glossary - 12
Index
Index
BIG-IP Network and System Management Guide 1-5

802.3ad link aggregation 3-1 BIG-IP Quick Start Instructions 1-5
bigip.conf 4-20
bigip.license 4-21
A bigip_base.conf 4-20
access control 3-1 bigpipe shell
active script 4-4, 4-11 about command completion 2-2
additional information about command continuation 2-2
in bigpipe online man pages 1-3 about command editing 2-2
in Tcl reference books 1-3 about command history 2-2
in the BIG-IP Network and System Management about escape feature 2-4
Guide 1-5 about the prompt 2-1
in the BIG-IP Quick Start Instructions 1-5 controlling 2-2
in the Configuration Guide for BIG-IP Local Traffic customizing 2-3
Management 1-5 using 2-1
in the Configuration Worksheet 1-5 using command continuation A-210
in the Installation, Licensing, and Upgrades for bigpipe shell command
BIG-IP Systems guide 1-5 and command syntax A-26
in the Linux Syslog-ng man page 1-3 invoking the bigpipe shell 2-2, 4-3
in the Platform Guide 1-5 bigpipe shell prompt, customizing 2-3
on Configuration utility Welcome screen 1-8 bigpipe utility 5-17
on tech.f5.com 1-8 and command list 2-4
admin user account 4-5, 4-6 and command syntax 2-1
Administrator role 4-2, 4-5 defined 1-2
alert.conf 4-4, 4-20 displaying protocol statistics 4-12
Application Security Manager 5-7 introducing 2-1
application traffic, managing 5-2 using for local traffic management 5-1
arp command 2-4, A-4 using online man pages 1-3
ARP protocol using to manage BIG-IP system 4-3
customizing base network components 3-1 bigstart command 1-2, 4-2, 4-12, 4-13, 4-18
ASN.1 DER format 5-12 bigstart utility 4-12
auth crldp command 2-4, 5-14, A-7 bigtop command 4-2, 4-14, 4-15
auth ldap command 2-4, 5-13, A-9 bigtop utility
auth radius command 2-4, A-14 and command options 4-14
auth ssl cc ldap command 2-4, 5-14, A-17 and running 4-12
auth ssl ocsp command 2-4, 5-14, A-21 and runtime commands 4-15
auth tacacs command 2-4, 5-14, A-23 defined 1-2
auto last hop feature 5-3 exiting 4-15
bit activity, displaying 4-14
byte activity, displaying 4-14
B
base network components 3-1
base network configuration, customizing 3-1 C
bcm56xxd service, handling failure of 4-11 CA certificates, generating 5-9
bigconf.conf 4-21 certificate association 5-12
bigd service, handling failure of 4-11 certificate information, viewing 5-12
bigdb attributes, defined 4-16 certificate revocation lists
bigdb database 4-15 See CRLs.
bigdb variable certificate signing request files, generating 5-9
printing 4-16 certificate verification 5-12
setting value of 4-16 certificates, revoking 5-11
viewing value of 4-15 chunking 5-8
BIG-IP Application Security Manager 1-1 class command 2-4, A-28
BIG-IP Global Traffic Manager 1-1 client authentication 5-9
BIG-IP Link Controller 1-1 client certificates, creating 5-10
BIG-IP Local Traffic Manager 1-1 Client SSL profile 5-1
BIG-IP® Command Line Interface Guide Index - 1

Index
clone pools, configuring 5-3 E

command completion 2-2 email, sending 4-17
command continuation 2-2, A-210 embedded distribution points 5-10
command editing 2-2 escape feature, using in the bigpipe shell 2-4
command history 2-2 events, tracking 4-17
command summary 2-4 exit command 2-2, 2-5, A-43
command syntax, identifying 1-6
commands
See individual command entries. F
Common partition 4-5 f5active script 4-11
compression, configuring 5-5 f5adduser command 4-9, A-44
config command 2-4, 4-2, A-32 f5standby script 4-11
config utility, defined 1-2 failover
configuration files configuring user-defined scripts 4-11
editing 4-4 locating directory 4-11
viewing and modifying 4-20 failover command 2-5, A-46
Configuration Guide for BIG-IP Local Traffic Management fallback hosts 5-5
1-5 Fast HTTP profile 5-6, 5-15
configuration information, storing 4-15 Fast L4 profile 5-17
Configuration utility fasthttp command 2-5, 4-12, A-48
about Welcome screen 1-8 fastl4 command 2-5, 4-12, A-47
using online help 1-8 FFP-supported platforms 3-2
Configuration Worksheet 1-5 filters, for packets 3-1
conn command 2-4, A-35 find_keys command 4-21
connection persistence, configuring 5-15 finding help 1-8
connection pooling 5-15 formatting conventions 1-5
cookie 5-6 ftp command 2-5, 4-12, A-49
cookie encryption, enabling or disabling 5-6 FTP profile 5-1
cookie persistence 5-15
cookie secret 5-6
CRLDP authentication module 5-12 G
crldp server command 2-4, 5-14, A-37 gencert utility
CRLDP servers 5-13 defined 1-2
CRLs using to generate a temporary certificate and
creating 5-11 request file 5-9
generating using to generate SSL certificates and keys 5-1
viewing 5-12 gencert utility, running 5-9
current partition, defined 4-7 genconf utility
custom monitors 5-18 using to generate a key 5-1
custom profiles 5-2 genkey utility
using to generate SSL certificates 5-1
global command 2-5, 4-12, A-50
D
daemon command 2-5, 4-11, A-39
daemons, listed 4-11 H
data compression, configuring 5-5 ha table command 2-5, A-51
db command 2-5, 4-15, 5-7, A-41 halt command 4-2
default partition 4-8 hardware command 2-5, A-53
default profiles 5-2 hardware syncookie feature 5-7
denial-of-service (DoS) attacks, managing 5-7 headers, inserting and erasing 5-6
Destination Address Affinity persistence 5-15 health monitors, associating 5-18
dirname-based addresses 5-10 help command 2-5, 4-3, A-54
dns command 2-5, A-42 help, finding 1-8
hostname command 4-2
hosts file 4-21
hosts.allow 4-21
hosts.deny 4-21
Index - 2
Index
HTTP Class profile 5-7 log file

http command 2-5, 4-12, A-55 managing 4-17
HTTP compression, configuring 5-5 resizing 4-17, 4-18
HTTP headers, inserting and erasing 5-6
HTTP profile 5-1, 5-15
HTTP redirections, rewriting 5-5 M
HTTP requests, redirecting 5-5 management port
HTTP response chunking 5-8 adding routes 3-2
HTTP traffic, optimizing using profiles 5-8 configuring 4-5
httpd.conf 4-21 managing network traffic 5-2
manual resume
configuring for monitors 5-19
I marking node up 5-20
icmp command 2-5, 4-12, A-56 marking pool member up 5-20
Installation, Licensing, and Upgrades for BIG-IP Systems mcp command 2-5, A-64
1-5 MCPD service
interface command 2-5, A-57 handling failure of 4-11
interfaces restarting 4-12
customizing base network components 3-1 using current configuration data 4-20
internal trunk distribution 3-2 memory command 2-5, A-65
ip command 2-5, 4-12, A-61 merge command 2-5, A-66
ipfwrate.conf 4-21 mgmt command 2-5, 4-5, A-67
iRules MGMT port, configuring 4-5
and SNATs 5-4 mgmt route command 2-5, A-69
and Tcl commands 1-2 mirror command 2-5, A-71
associating with virtual servers 5-21 monitor command 2-5, 5-18, 5-19, 5-20, A-73
implementing 5-21 monitoring JDBC connections 5-19
modifying profile settings 5-2 monitors
about configuring manual resumption 5-19
associating with pools or nodes 5-18
J creating custom 5-18
JDBC connections, monitoring 5-19 using pre-configured 5-18
JDBC services, monitoring 5-19 MSRDP persistence 5-15
K N
Keep-Alive headers 5-15 nat command 2-6, A-85
key association 5-12 ndp command 2-6, A-88
keys, generating 5-9, 5-10 network management tasks, performing 3-1
node command 2-6, 4-20, 5-18, 5-19, 5-20, A-90
L nodes
configuring manual resumption 5-3
last hop routers 5-3
marking up 5-20
Layer 4 profile 5-1
removing and returning to service 4-19
LDAP CRL distribution point 5-11
removing from service 4-19
LDAP servers 5-13
removing individual nodes from service 4-20
less file page utility 4-17
returning individual nodes to service 4-20
licenses, viewing 4-21
returning to service 4-19
Linux Syslog-ng man page 1-3
setting status manually 5-20
list command 2-5, A-62
viewing 4-20
load balancing
setting up basic configuration 5-2
load balancing pool O
and monitor association 5-18 ocsp responder command 2-6, 5-13, 5-14, A-93
load command 2-5, 4-12, 4-20, A-63 oneconnect 5-16
local traffic management 5-1 oneconnect command 2-6, 4-12, A-97
online help 1-8

Index
online man pages 1-3 profile oneconnect command 2-6, 5-16, A-157
accessing from the shell prompt 1-3, A-1 profile persist command 2-6, A-160
accessing from the system prompt 1-3, A-1 profile serverssl command 2-6
open connections 5-16 profile settings, modifying 5-2
opening brace, using in command syntax 2-3 profile stats command 2-6
OpenSSL 0.9.8.x 5-10 profile stream command 2-6
openssl utility 1-3, 5-1, 5-9, 5-10, 5-11, 5-12 profile tcp command 2-6, 5-8
openssl.conf 4-21 profile udp command 2-7
profiles, using to set timeout values 5-17
protocol statistics, displaying 4-12
P pva command 2-7
packet activity, displaying 4-14
packet filter command 2-6, 3-1, 5-18, A-98
packet filter rules 5-18 Q
packet filters Quality of Service (QoS) levels, setting 5-17
customizing base network components 3-1 quit command 2-2, 2-7
pager notifications, activating 4-17
partition command 2-6, 4-6, A-104
partitions R
about Common 4-5 radius server command 2-7, 5-13, 5-14
about current 4-7 RADIUS servers 5-13
about Read partition 4-7 rate class command 2-7, 5-18
about Write partition 4-7 rate shaping 5-18
accessing 4-6 rateclass.conf 4-21
changing current 4-6 RCP services, checking health of 5-19
creating 4-6 Read access 4-6
creating and managing 4-5 Read partition 4-7
defined 4-5 real-time statistics, displaying 4-14
setting default 4-8 reboot command 4-2
passwords, adding and stripping 5-12 redirections, rewriting 5-5
PEM format conversion 5-12 redundant system configuration 4-11
persist command 2-6, A-106 references to other documents, identifying 1-6
persistence 5-15 refresh interval, resetting 4-14
persistence types 5-15 remote server authentication 5-13
PKCS12 file, creating 5-10 requests, redirecting 5-5
platform command 2-6, A-108 resize-logFS script 4-17
Platform Guide 1-5 Root account 4-2, 4-12
pool assignation 5-19 route command 2-7, 3-2
pool command 2-6, 5-2, 5-3, 5-17, 5-18, 5-20, A-110 route keys 3-2
pool members route mgmt command 3-2
configuring manual resumption 5-3 routes
marking up 5-20 about the routes file 4-21
removing from service 4-19 adding, configuring, and removing 3-2
returning to service 4-19 customizing base network components 3-1
setting status manually 5-20 RPC services, monitoring 5-19
pre-configured monitors 5-18 rpcinfo command 5-19
printdb command 4-2 RSA keys 5-12
profile auth command 2-6, A-117 rule command 2-7, 5-4, 5-21
profile clientssl command 2-6, 5-2, A-122
profile command 2-6, 5-2, 5-12, 5-13, 5-14, 5-17, A-116 S
profile dns command 2-6, A-130
save command 2-7, A-196
profile fasthttp command 2-6, 5-6, 5-16, A-132
scp command 4-2
profile fastl4 command 2-6, 5-7, A-137
scripts
profile ftp command 2-6, A-142
using active 4-4, 4-11
profile http command 2-6, 5-5, 5-6, 5-8, 5-16, A-144
using f5active 4-11
profile httpclass command 2-6, A-154
using f5standby 4-11
Index - 4
Index
using resize-logFS 4-17 STP protocol 3-1

using standby 4-4, 4-11 stream command 2-7, 4-12, A-217
self allow command 2-7 style conventions 1-5
self command 2-7 support, technical 1-8
self IP addresses switch interfaces, adding routes 3-2
customizing base network components 3-1 sys-icheck command 4-3, A-218
server authentication 5-11 Syslog messages, samples of 4-17
server certificates, creating 5-11 Syslog utility
Server SSL profile 5-1 defined 1-2
server-side connections 5-15 managing log files 4-17
service failure 4-11 syslog.conf file 4-17
services, listed 4-11 sys-reset command 4-3, A-219
session persistence 5-15 system command A-220
Setup utility 3-1 system licenses, viewing 4-21
shell command system management components 4-1
and command syntax A-201 system management tools 4-2
defined 2-7 system, setting up basic load balancing 5-2
setting Read partition 4-7 system-supplied profiles 5-2
setting Write partition 4-7
SIP persistence 5-15
SMB services T
monitoring 5-19 TACACS+ servers 5-13
retrieving list of 5-19 Tcl commands 5-21
smbclient command 5-19 Tcl programming language, defined 1-3
snat command 2-7, 5-4, A-203 Tcl reference books, using 1-3
SNAT pools, creating 5-4 tcp command 2-7, 4-12, A-220
snat translation command 2-7, 5-4, A-205 TCP profile 5-1, 5-17
snatpool command 2-7, 5-4, A-207 TCP traffic
SNATs, creating 5-4 optimizing using profiles 5-8
snmpd.conf 4-21 setting service levels on packets 5-17
snmptrap.conf 4-21 technical support 1-8
sod service, handling failure of 4-11 terminal access 4-2, 4-6
software syncookie feature 5-7 timeout values, setting 5-17
solution examples, about 1-6 tmm command 2-7, A-221
Source Address Affinity persistence 5-15 tmm service
Spanning Tree Protocol about status 4-13
customizing base network components 3-1 handling failure of 4-11
ssh command 4-2 traffic types, listing of 5-2
ssh file 4-21 traffic, copying 5-3
sshd_config 4-21 translation addresses, assigning 5-4
SSL certificates, generating 5-9 trunk command 2-7, A-222
SSL Client Certificate LDAP servers 5-13 trunk.internal.ffp key 3-2
ssl command 2-7, 4-12, A-209 trunks
SSL OCSP responders 5-13 customizing base network components 3-1
SSL persistence 5-15 Type of Service (ToS) levels, setting 5-17
SSL traffic management 5-9
ssl.csr 5-9 U
ssl.key 5-9
udp command 2-7, 4-12, A-225
standby script 4-4, 4-11
UDP profile 5-1, 5-17
statistics
UDP traffic 5-17
displaying 4-12
unchunking 5-8
displaying real-time 4-14
unit command 2-7, A-226
status, setting manually 5-20
Universal persistence 5-15
stop command 2-2, 2-7, A-210
user accounts
stp command 2-7, A-211
creating and managing 4-9
stp instance command 2-7, A-214
modifying and deleting 4-10

Index
user command 2-1, 2-7, 4-9, 4-10, A-227

user.db 4-21
user_alert.conf 4-20
users file 4-21
V
version command 2-7, A-230
virtual address command 2-8, A-236
virtual addresses
enabling and disabling 4-19
virtual command
and command syntax A-231
and logs 4-17
assigning a last hop pool to a virtual server 5-3
assigning a persistence profile to a virtual server
5-15
assigning a pool to a virtual server 5-19
assigning a profile to a virtual server 5-3
assigning an HTTP profile to a virtual server 5-5, 5-8
associating an authentication profile with a virtual
server 5-14
configuring virtual servers 4-19
creating an authentication profile 5-13
creating or modifying a virtual server 5-3
described 2-8
displaying virtual servers 4-20
managing network traffic 5-2
setting up basic load balancing 5-2
verifying assignation of pool or profile 5-17
virtual ports
virtual server mappings 4-20
virtual servers
enabling and disabling 4-19
viewing 4-20
vlan command 2-8, A-239
VLAN groups
customizing base network components 3-1
vlangroup command 2-8, A-243
VLANs
customizing base network components 3-1
W
WebAccelerator module 5-7
Welcome screen
in the Configuration utility 1-8
Write access 4-6
Write partition 4-7
Index - 6

Big-Ip Command Line v94

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Big-Ip Command Line v94

Uploaded by

Copyright:

Available Formats

BIG-IP Command Line Interface Guide

Export Regulation Notice

Canadian Regulatory Compliance

BIG-IP® Command-Line Interface Guide i

BIG-IP® Command Line Interface Guide v

auth ssl ocsp ..................................................................................................................................A-21

BIG-IP® Command Line Interface Guide vii

profile stream ............................................................................................................................. A-176

• Introducing the BIG-IP system

• About this guide

• Finding help and technical support resources

Introducing the BIG-IP system

◆ BIG-IP®Application Security Manager

BIG-IP® Command Line Interface Guide 1-1

Overview of the BIG-IP system command line interface

Understanding command line utilities and tools

◆ The Tools Command Language (Tcl) programming language

For more information

BIG-IP® Command Line Interface Guide 1-3

About this guide

This guide is written for use by system administrators who prefer to

BIG-IP® Command Line Interface Guide 1-5

Using the configuration examples

Identifying new terms

Identifying references to objects, names, and commands

Identifying references to other documents

Identifying command syntax

Table 1.1 explains additional special conventions used in command line

Item in text Description

\ Indicates that the command continues on the following line, and

< > Identifies a user-defined parameter. For example, if the command

| Separates parts of a command.

[] Indicates that syntax inside the brackets is optional.

... Indicates that you can type a series of items.

::= Indicates the options that you can use.

Table 1.1 Command line syntax conventions

BIG-IP® Command Line Interface Guide 1-7

Finding help and technical support resources

• Introducing the bigpipe utility

• Using the bigpipe shell

• bigpipe command summary

Introducing the bigpipe utility

You can type bigpipe utility commands in either of two ways:

bp> user show

Using the bigpipe shell

BIG-IP® Command Line Interface Guide 2-1

Controlling the bigpipe shell

Using the bigpipe shell command history and editing feature

Using the bigpipe shell command completion feature

Using the bigpipe shell command continuation feature

Customizing the bigpipe shell

To customize the bigpipe shell prompt

the system changes the shell prompt to:

BIG-IP® Command Line Interface Guide 2-3

Using the bigpipe shell escape feature

bigpipe command summary

class Configures classes on the BIG-IP system.

Table 2.1 The bigpipe utility commands

db Displays or modifies bigdbTM database entries.

exit Exits the bigpipe shell.

failover Sets the BIG-IP system as active or standby.

global Sets global variable definitions.

ha table Displays the settings for high availability on a system.