[F5] F5OS Command Summary
Network 2023. 12. 8. 06:21
Hello.
With F5's release of the rSeries models, I have started working with F5OS.
To get comfortable with the F5OS commands I am not yet used to, I have organized them side by side with their TMOS equivalents.
< MGMT configuration > (SYSTEM SETTINGS ›› Management Interface)
TMOS: create sys management-ip x.x.x.x/xx
TMOS: create sys management-route default gateway x.x.x.x
appliance-1# config
Entering configuration mode terminal
appliance-1(config)# system mgmt-ip config dhcp-enabled false
appliance-1(config)# system mgmt-ip config ipv4 system address 192.168.200.8
appliance-1(config)# system mgmt-ip config ipv4 prefix-length 16
appliance-1(config)# system mgmt-ip config ipv4 gateway 192.168.0.1
< MGMT verification >
TMOS: show sys management-ip
appliance-1# show system mgmt-ip
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_security.html
< password-policy configuration > (USER MANAGEMENT ›› Authentication Settings)
appliance-1(config)# system aaa password-policy config required-numeric <value>
appliance-1(config)# system aaa password-policy config required-lowercase <value>
appliance-1(config)# system aaa password-policy config required-uppercase <value>
appliance-1(config)# system aaa password-policy config required-special <value>
appliance-1(config)# system aaa password-policy config root-unlock-time <value>
< password-policy verification >
No direct command
appliance-1# show running-config
< User creation > (USER MANAGEMENT ›› Users)
TMOS: create auth user <newusername> shell bash partition-access replace-all-with { all-partitions { role admin } } password <userpassword>
appliance-1(config)# system aaa authentication users user test config username test role admin
appliance-1(config-user-test)# config
appliance-1(config-user-test)# config set-password password
Value for 'password' (<string>): *********
appliance-1(config-user-test)# commit
< User verification >
TMOS: list auth user
appliance-1# show system aaa authentication users user
< HTTPS ACL configuration > (SYSTEM SETTINGS > Allow List)
TMOS: modify sys httpd allow replace-all-with { x.x.x.x/x }
TMOS: modify sys httpd allow add { x.x.x.x/x }
appliance-1(config)# system allowed-ips allowed-ip test-https config ipv4 address 192.168.200.0 prefix-length 24 port 443
appliance-1(config-allowed-ip-test-https)# commit
< HTTPS ACL deletion >
TMOS: modify sys httpd allow delete { x.x.x.x/x }
appliance-1(config)# no system allowed-ips allowed-ip test-https config ipv4 address 192.168.200.0 prefix-length 24 port 443
< SSH ACL configuration > (SYSTEM SETTINGS > Allow List)
TMOS: modify sys sshd allow replace-all-with { x.x.x.x/x }
TMOS: modify sys sshd allow add { x.x.x.x/x }
appliance-1(config)# system allowed-ips allowed-ip test-ssh config ipv4 address 192.168.200.0 prefix-length 24 port 22
appliance-1(config-allowed-ip-test-ssh)# commit
< SSH ACL deletion >
TMOS: modify sys sshd allow delete { x.x.x.x/x }
appliance-1(config)# no system allowed-ips allowed-ip test-ssh config ipv4 address 192.168.200.0 prefix-length 24 port 22
< SNMP ACL configuration > (SYSTEM SETTINGS > Allow List)
TMOS: modify sys snmp allowed-addresses add { x.x.x.x/x }
appliance-1(config)# system allowed-ips allowed-ip test-snmp config ipv4 address 192.168.200.0 prefix-length 24 port 161
appliance-1(config-allowed-ip-test-snmp)# commit
< SNMP ACL deletion >
TMOS: modify sys snmp allowed-addresses delete { x.x.x.x/x }
appliance-1(config)# no system allowed-ips allowed-ip test-snmp config ipv4 address 192.168.200.0 prefix-length 24 port 161
< Console idle-timeout configuration >
TMOS: modify sys global-settings console-inactivity-timeout <seconds>
appliance-1(config)# system settings config idle-timeout 300
appliance-1(config)# commit
< Console idle-timeout verification >
TMOS: list sys global-settings console-inactivity-timeout
appliance-1# show system settings state idle-timeout
< SSH idle-timeout configuration >
TMOS: modify sys sshd inactivity-timeout <seconds>
appliance-1(config)# system settings config sshd-idle-timeout 300
appliance-1(config)# commit
< SSH idle-timeout verification >
TMOS: list sys sshd inactivity-timeout
appliance-1# show system settings state sshd-idle-timeout
< GUI idle-timeout configuration > (USER MANAGEMENT > Authentication Settings)
TMOS: modify sys httpd auth-pam-idle-timeout <seconds>
appliance-1(config)# system aaa restconf-token config lifetime 20
appliance-1(config)# commit
< GUI idle-timeout verification >
TMOS: list sys httpd auth-pam-idle-timeout
appliance-1# show system aaa restconf-token
< SSH banner configuration > (SYSTEM SETTINGS ›› General)
appliance-1(config)# system config motd-banner
(<string>) (SSH banner):
[Multiline mode, exit with ctrl-D.]
> <banner text>
> ctrl-D
appliance-1(config)# commit
< GUI banner configuration > (SYSTEM SETTINGS ›› General)
appliance-1(config)# system config login-banner
(<string>) (GUI banner):
[Multiline mode, exit with ctrl-D.]
> <banner text>
> ctrl-D
appliance-1(config)# commit
< SNMPv3 configuration > (SYSTEM SETTINGS ›› SNMP Configuration - Users)
appliance-1(config)# system snmp users user snmpv3user config authentication-protocol md5 authentication-password
(<string, min: 8 chars, max: 32 chars>): ***********
appliance-1(config)# system snmp users user snmpv3user config privacy-protocol aes privacy-password
(<string, min: 8 chars, max: 32 chars>): ***********
< SNMPv1/v2c configuration > (SYSTEM SETTINGS ›› SNMP Configuration - Communities)
appliance-1(config)# system snmp communities community comm_v1 config security-model v1
appliance-1(config)# system snmp communities community comm_v2 config security-model v2c
< SNMPv1/v2c verification >
appliance-1# show system snmp communities community
< SNMPv1/v2c trap configuration > (SYSTEM SETTINGS ›› SNMP Configuration - Targets)
appliance-1(config)# system snmp targets target snmpv1target config community comm_v1 ipv4 address 11.22.33.44 port 162
Value for 'security-model' [v1,v2c]: v1
appliance-1(config)# system snmp targets target snmpv2target config community comm_v2 ipv4 address 11.22.33.44 port 162
Value for 'security-model' [v1,v2c]: v2c
< SNMPv1/v2c trap verification >
appliance-1# show system snmp targets target
appliance-1# show running-config system snmp
< SNMPv3 trap configuration > (SYSTEM SETTINGS ›› SNMP Configuration - Targets)
system snmp targets target snmpv3target config user snmpv3user ipv4 address 11.11.22.22 port 162
< SNMPv3 trap verification >
appliance-1# show system snmp targets target
appliance-1# show running-config system snmp
< TACACS+ configuration >
(USER MANAGEMENT ›› Authentication Settings)
(USER MANAGEMENT ›› Server Groups)
appliance-1(config)# system aaa authentication config authentication-method TACACS_ALL
appliance-1(config)# system aaa server-groups server-group tacacs-server config type TACACS name tacacs-server
appliance-1(config)# system aaa server-groups server-group tacacs-server servers server 12.34.56.78 tacacs config port 49 secret-key
(<AES encrypted string>): ***********
< TACACS+ verification >
appliance-1# show system aaa server-groups
appliance-1# show running-config
< RADIUS configuration >
(USER MANAGEMENT ›› Authentication Settings)
(USER MANAGEMENT ›› Server Groups)
appliance-1(config)# system aaa authentication config authentication-method RADIUS_ALL
appliance-1(config)# system aaa server-groups server-group radius-server config type RADIUS name radius-server
appliance-1(config)# system aaa server-groups server-group radius-server servers server 11.22.33.44 config address 11.22.33.44
appliance-1(config)# system aaa server-groups server-group radius-server servers server 11.22.33.44 radius config auth-port 1812 timeout 5 secret-key
(<AES encrypted string>): ***********
< RADIUS verification >
appliance-1# show system aaa server-groups
appliance-1# show running-config
< Log configuration > (SYSTEM SETTINGS ›› Log Settings - Remote Log Servers)
appliance-1(config)# system logging remote-servers remote-server 13.24.35.46 config proto udp remote-port 514
< Log verification >
appliance-1# show running-config
< NTP configuration > (SYSTEM SETTINGS ›› Time Settings)
appliance-1(config)# system ntp config enabled enable-ntp-auth
appliance-1(config)# system ntp servers server time.bora.net
< NTP verification >
TMOS: ntpq -pn
appliance-1# show system ntp
< Managing the remote management service daemons >
SSHD
TMOS: stop sys service sshd
TMOS: start sys service sshd
[root@appliance-1 ~]# systemctl stop sshd.service
[root@appliance-1 ~]# systemctl start sshd.service
HTTPD
TMOS: stop sys service httpd
TMOS: start sys service httpd
docker ps |egrep 'IMAGE|http-server'
[root@appliance-1 ~]# docker stop http-server
[root@appliance-1 ~]# docker start http-server
SNMPD (needs verification: SNMP still responds normally even after the daemon is stopped)
TMOS: stop sys service snmpd
TMOS: start sys service snmpd
docker ps |egrep 'IMAGE|snmp_service'
[root@appliance-1 ~]# docker stop snmp-server
[root@appliance-1 ~]# docker start snmp-server
< OS integrity check >
[root@appliance-1 iso]# pwd
/var/export/chassis/import/iso
[root@appliance-1 iso]# sha512sum F5OS-A-1.6.0-5841.R2R4.iso
44b526e27bda68a1a2131d063139af81fec39c082c83d88de49d45ac1b7dd339e6d78252318669b8b6409d512bf5a0a11d1a017b8bb119e0054266155b6eca50 F5OS-A-1.6.0-5841.R2R4.iso
[root@appliance-1 iso]# cat F5OS-A-1.6.0-5841.R2R4.DEV.iso.sha512
SHA512(F5OS-A-1.6.0-5841.R2R4.DEV.iso)= 44b526e27bda68a1a2131d063139af81fec39c082c83d88de49d45ac1b7dd339e6d78252318669b8b6409d512bf5a0a11d1a017b8bb119e0054266155b6eca50
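An added example (not from the original post) that scripts the comparison above in POSIX shell: it parses the OpenSSL-style `SHA512(<file>)= <digest>` sidecar line, compares it with the sha512sum result, and reports the filename mismatch visible in the post (the sidecar names the .DEV.iso) without letting the name decide the outcome. It assumes sha512sum is on PATH, as it is on the F5OS root shell.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Sidecar format handled here:  SHA512(<filename>)= <128 hex chars>

# Print the lowercase digest from a sidecar line; return 1 if the line is malformed.
parse_sidecar_digest() {
    digest=$(printf '%s\n' "$1" |
        sed -n 's/^SHA512([^)]*)= *\([0-9a-fA-F]\{128\}\)[[:space:]]*$/\1/p')
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# Print the filename the sidecar claims to describe.
parse_sidecar_name() {
    printf '%s\n' "$1" | sed -n 's/^SHA512(\([^)]*\))=.*/\1/p'
}

# Compare a computed digest with a sidecar line.
# Returns 0 on match, 1 on mismatch, 2 on a malformed sidecar.
# A differing filename (as in the post) is reported on stderr but is not a failure.
check_digest() {
    iso="$1"; computed="$2"; sidecar_line="$3"
    expected=$(parse_sidecar_digest "$sidecar_line") || {
        echo "malformed sidecar line" >&2; return 2; }
    claimed=$(parse_sidecar_name "$sidecar_line")
    [ "$claimed" = "$(basename "$iso")" ] ||
        echo "note: sidecar names '$claimed', file on disk is '$iso'" >&2
    computed=$(printf '%s' "$computed" | tr 'A-F' 'a-f')
    if [ "$computed" = "$expected" ]; then echo "OK"; return 0; fi
    echo "MISMATCH"; return 1
}

# Verify an ISO on disk: hash it with sha512sum and compare with the sidecar file.
verify_iso() {
    iso="$1"; sidecar="$2"
    [ -f "$iso" ] && [ -f "$sidecar" ] || { echo "missing file" >&2; return 2; }
    computed=$(sha512sum "$iso" | cut -d' ' -f1)
    check_digest "$iso" "$computed" "$(head -n 1 "$sidecar")"
}
```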
< REST API >
TMOS (add/delete a monitor)
1. GET
curl -sku admin:te -H "Content-Type: application/json" -X GET "https://192.168.100.100/mgmt/tm/ltm/monitor/tcp/m_test"
2. POST
curl -sku admin:te -H "Content-Type: application/json" -X POST "https://192.168.100.100/mgmt/tm/ltm/monitor/tcp/" -d "{ \"name\": \"m_test2\", \"defaultsFrom\": \"/Common/tcp\", \"interval\": 5, \"timeout\": 16 }"
3. PATCH
curl -sku admin:te -H "Content-Type: application/json" -X PATCH "https://192.168.100.100/mgmt/tm/ltm/monitor/tcp/m_test2" -d "{ \"interval\": 20, \"timeout\": 100 }"
4. PUT
curl -sku admin:te -H "Content-Type: application/json" -X PUT "https://192.168.100.100/mgmt/tm/ltm/monitor/tcp/m_test2" -d "{ \"interval\": 10 }"
5. DELETE
curl -sku admin:te -H "Content-Type: application/json" "https://192.168.100.100/mgmt/tm/ltm/monitor/tcp/m_test2" -X DELETE
======================================================================================
F5OS (add/delete allowed-ips)
1. GET
curl -sku "admin":"it" -H "Content-Type: application/yang-data+json" -X GET "https://192.168.200.8:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips"
2. POST (does not work when -X POST is included)
curl -sku "admin":"it" "https://192.168.200.8:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips" -H "Content-Type: application/yang-data+xml" -d "<allowed-ip> <name>snmp-allow-01</name> <config> <ipv4> <address>192.168.120.0</address> <prefix-length>24</prefix-length> <port>161</port> </ipv4> </config> </allowed-ip>"
3. PATCH
curl -sku "admin":"it" -X PATCH "https://192.168.200.8:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips" -H "Content-Type: application/yang-data+xml" -d "<allowed-ips> <allowed-ip> <name>snmp-allow-01</name> <config> <ipv4> <address>192.168.140.0</address> </ipv4> </config> </allowed-ip> </allowed-ips>"
4. PUT
curl -sku "admin":"it" -X PUT "https://192.168.200.8:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips" -H "Content-Type: application/yang-data+xml" -d "<allowed-ips> <allowed-ip> <name>snmp-allow-01</name> <config> <ipv4> <address>192.168.200.15</address> <prefix-length>32</prefix-length> <port>443</port> </ipv4> </config> </allowed-ip> </allowed-ips>"
5. DELETE
curl -sku "admin":"it" -X DELETE "https://192.168.200.8:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips" -H "Content-Type: application/yang-data+xml" -d "<allowed-ips> <allowed-ip> <name>snmp-allow-01</name> </allowed-ip> </allowed-ips>"
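As an added example (not from the original post), a POSIX shell helper that validates one allowed-ip entry and builds the application/yang-data+xml body used by the F5OS calls above before anything is sent, so a typo cannot widen the management allow list by accident. F5OS_HOST, F5OS_USER and F5OS_PASS are assumed environment variables; the restconf path is the one shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 if $1 is an integer in [$2, $3].
in_range() {
    echo "$1" | grep -Eq '^[0-9]+$' || return 1
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print the <allowed-ip> element for name/address/prefix-length/port, or return 1
# when any field is invalid. Prefix-length 0 (any source) is rejected on purpose:
# an allow-list entry for 0.0.0.0/0 is not an allow list.
allowed_ip_xml() {
    name="$1"; addr="$2"; plen="$3"; port="$4"
    echo "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1
    valid_ipv4 "$addr" || return 1
    in_range "$plen" 1 32 || return 1
    in_range "$port" 1 65535 || return 1
    printf '<allowed-ip><name>%s</name><config><ipv4><address>%s</address><prefix-length>%s</prefix-length><port>%s</port></ipv4></config></allowed-ip>\n' \
        "$name" "$addr" "$plen" "$port"
}

# Create the entry on the appliance. As the post notes, the body is sent without an
# explicit -X POST. Credentials come from the environment rather than the command
# line; add --cacert <ca-file> (or -k in a lab only) to match your TLS setup.
add_allowed_ip() {
    body=$(allowed_ip_xml "$@") || { echo "invalid allowed-ip entry" >&2; return 1; }
    curl -s --fail -u "$F5OS_USER:$F5OS_PASS" \
        -H "Content-Type: application/yang-data+xml" \
        -d "$body" \
        "https://$F5OS_HOST:8888/restconf/data/openconfig-system:system/f5-allowed-ips:allowed-ips"
}
```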
< QKView capture >
TMOS: qkview
appliance-1# system diagnostics qkview
Possible completions:
cancel Cancel a qkview in progress
capture Start collecting diagnostics data
delete Delete a qkview file
list List qkview files
status Get the status of a qkview in progress
appliance-1# system diagnostics qkview capture filename 20230802_r5k.qkview
< QKView status check >
appliance-1# system diagnostics qkview status
result {"Busy":true,"Percent":11,"Status":"collecting","Message":"Collecting Data","Filename":"20230802_r5k.qkview"}
< QKView file listing >
appliance-1# system diagnostics qkview list
result {"Qkviews":[{"Filename":"20230802_r5k.qkview","Date":"2023-08-02T14:07:41.902056478+09:00","Size":116042968},{"Filename":"r5600.tar","Date":"2023-07-25T14:55:04.552722047+09:00","Size":111129421}]}
< QKView file location >
[root@appliance-1 qkview]# pwd
/var/shared/qkview
[root@appliance-1 qkview]# ls
20230802_r5k.qkview r5600.tar
< TCPDump capture >
admin mode (not supported on r2k, r4k)
- WARNING:Interface name can only be "0.0", "Port.SubPort", or a lag name
- tcpdump in admin mode does not support mgmt; trunk (lag) interfaces are supported
appliance-1# system diagnostics tcpdump
Possible completions:
pcap filter expression for BPF
-i interface to capture packets. If omitted, or "0.0", means all interfaces.
-w pcap file to write the captured packets
bpf pcap filter expression for BPF
interface interface to capture packets. If omitted, or "0.0", means all interfaces.
outfile pcap file to write the captured packets
appliance-1# system diagnostics tcpdump -i mgmt host 175.196.233.94 and port 22 -w 20230802_tcpdump_sample2.pcap
root mode
- Dumping an individual interface other than any (all interfaces) is not supported
- Only the interfaces listed by tcpdump -D can be dumped
[root@appliance-1 ~]# tcpdump -nni any tcp -c 10 -w 20230803_root_dump.pcap
If no save path is specified, the file is written to the path below
[root@appliance-1 ~]# find / -name "20230803_root_dump.pcap"
/sysroot/ostree/deploy/velocity/var/roothome/20230803_root_dump.pcap
/var/roothome/20230803_root_dump.pcap
< TCPDump file location check >
[root@appliance-1 tcpdump]# pwd
/var/F5/system/shared/tcpdump
[root@appliance-1 tcpdump]# ls
20230802_tcpdump_sample2.pcap 20230802_tcpdump_sample.pcap example_1.pcap example_capture.pcap health-monitor-f5os-1.pcap health-test.pcap
< Power status check, FAN check >
TMOS: show sys hardware
appliance-1# show system health summary components component state
COMPONENT NAME  NAME  COMPONENT HEALTH  COMPONENT SEVERITY
----------------------------------------------------------
appliance       -     unhealthy         critical
fantray         -     ok                info
lcd             -     ok                info
m.2-slot1       -     ok                info
psu-1           -     unhealthy         critical
psu-2           -     ok                info
appliance-1# show system health summary
system health summary components component appliance
state health unhealthy
state severity critical
ATTRIBUTE ATTRIBUTE ATTRIBUTE ATTRIBUTE
ATTRIBUTE NAME DESCRIPTION HEALTH SEVERITY VALUE UPDATED AT
--------------------------------------------------------------------------------------------------------------------------------------
appliance/hardware/psu/psu1 - psu:status:output-ok PSU Status Output OK unhealthy critical 0 2023-07-31T17:10:19+09:00
appliance/hardware/psu/psu1 - psu:status:input-ok PSU Status Input OK ok warning 0 2023-07-31T17:10:19+09:00
system health summary components component fantray
state health ok
state severity info
system health summary components component lcd
state health ok
state severity info
system health summary components component m.2-slot1
state health ok
state severity info
system health summary components component psu-1
state health unhealthy
state severity critical
ATTRIBUTE ATTRIBUTE ATTRIBUTE ATTRIBUTE
ATTRIBUTE NAME DESCRIPTION HEALTH SEVERITY VALUE UPDATED AT
--------------------------------------------------------------------------------------------------------------------------------------
appliance/hardware/psu/psu1 - psu:status:input-ok PSU Status Input OK ok warning 0 2023-07-31T17:10:19+09:00
appliance/hardware/psu/psu1 - psu:status:output-ok PSU Status Output OK unhealthy critical 0 2023-07-31T17:10:19+09:00
system health summary components component psu-2
state health ok
state severity info
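An added example (not part of the original post): a POSIX shell check that parses the component table from "show system health summary components component state" above and fails when any component is not ok, so the output can feed a monitoring job instead of being read by eye. The sample output is a constructed copy of the post's table; capturing it from the appliance (for example over ssh) is left to the caller.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Constructed sample: the component table from the post, as the CLI prints it.
SAMPLE_HEALTH='COMPONENT   COMPONENT  COMPONENT
NAME       NAME  HEALTH     SEVERITY
---------------------------------------
appliance  -     unhealthy  critical
fantray    -     ok         info
lcd        -     ok         info
m.2-slot1  -     ok         info
psu-1      -     unhealthy  critical
psu-2      -     ok         info'

# Print "<name> <health> <severity>" for every component whose HEALTH is not ok.
# Data rows have four fields (NAME, NAME, HEALTH, SEVERITY); the two header lines,
# the dashed separator and blank lines are skipped by the field-count and header tests.
unhealthy_components() {
    printf '%s\n' "$1" | awk '
        NF == 4 && $3 != "HEALTH" && $0 !~ /^-+$/ && $3 != "ok" { print $1, $3, $4 }'
}

# Gate for a monitoring job: returns 0 when every component is ok, 1 otherwise,
# and prints the offending components so the alert carries the detail.
health_gate() {
    bad=$(unhealthy_components "$1")
    if [ -z "$bad" ]; then echo "healthy"; return 0; fi
    n=$(printf '%s\n' "$bad" | wc -l | tr -d ' ')
    echo "$n unhealthy component(s):"
    printf '%s\n' "$bad"
    return 1
}
```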
< NTP verification >
TMOS: ntpq -np
appliance-1# show system ntp
system ntp state enabled
system ntp state enable-ntp-auth false
ADDRESS        ASSOCIATION ADDRESS  PORT  VERSION  TYPE    IBURST  PREFER  STRATUM  ROOT DELAY  ROOT DISPERSION  OFFSET  POLL INTERVAL  KEY ID  AUTHENTICATED
-------------------------------------------------------------------------------------------------------------------------------------------------------------
time.bora.net  203.248.240.140      123   4        SERVER  false   false   3        0           36               3       6              -       false
< Interface check >
TMOS: show net interface
appliance-1# show interfaces interface state full
interfaces interface 1.0
state name 1.0
state type ethernetCsmacd
state mtu 9600
state enabled true
state oper-status DOWN
state counters in-octets 0
state counters in-unicast-pkts 0
state counters in-broadcast-pkts 0
state counters in-multicast-pkts 0
state counters in-discards 0
state counters in-errors 0
state counters in-fcs-errors 0
state counters out-octets 0
state counters out-unicast-pkts 0
state counters out-broadcast-pkts 0
state counters out-multicast-pkts 0
state counters out-discards 0
state counters out-errors 0
state forward-error-correction auto
state lacp_state LACP_DEFAULTED
< CPU usage >
TMOS: show sys performance / show sys cpu
appliance-1# show components component cpu state
components component platform
cpu state cpu-utilization thread cpu
cpu state cpu-utilization current 20
cpu state cpu-utilization five-second-avg 16
cpu state cpu-utilization one-minute-avg 16
cpu state cpu-utilization five-minute-avg 17
CPU INDEX  CACHESIZE  CORE CNT  FREQ           STEPPING  THREAD CNT  MODELNAME
------------------------------------------------------------------------------
0          12800(KB)  12        2100.000(MHz)  7         12          Intel Atom(R) P5342 processor
THREAD INDEX  THREAD  CURRENT  FIVE SECOND AVG  ONE MINUTE AVG  FIVE MINUTE AVG
-------------------------------------------------------------------------------
0             cpu0    21       11               9               13
1             cpu1    18       19               21              23
2             cpu2    10       15               11              13
3             cpu3    11       8                16              15
4             cpu4    7        5                12              13
5             cpu5    12       24               19              17
6             cpu6    26       18               18              14
7             cpu7    46       31               24              26
8             cpu8    14       6                9               13
9             cpu9    26       21               21              22
10            cpu10   21       20               23              24
11            cpu11   17       7                7               9
< Memory usage >
TMOS: show sys performance / show sys memory
appliance-1# show components component platform state
state description r4600
state serial-no f5-tacr-nsut
state part-no "203-0417-03 REV B"
state empty false
state tpm-integrity-status Valid
state memory available 7765426176
state memory free 613437440
state memory used-percent 88
state memory platform-total 15034273792
state memory platform-used 7437078528
state temperature current 23.0
state temperature average 23.0
state temperature minimum 22.0
state temperature maximum 24.0
< Log check >
TMOS: /var/log/
admin
appliance-1# show system events
root
[root@appliance-1 log]# pwd
/var/F5/system/log