Supplemental Document : Discovering F5 Networks Devices

Applies To:

Show Versions Show Versions

F5 Monitoring Pack

  • 3.2.2, 3.2.1, 3.2.0, 3.1.2, 3.1.1, 3.1.0, 3.0.0
Original Publication Date: 08/30/2013 Updated Date: 04/18/2019

Note: This documentation was adapted from the F5 Management Pack Wiki hosted on DevCentral (http://devcentral.f5.com/wiki/MgmtPack.HomePage.ashx). Certain links or context described in this document may refer to content originally created on the Wiki.


Discovering F5 Networks devices

Note - You must run discovery from either the Root Management Server if it is a standalone server, or one of the Management Servers other than the RMS. This also means you must have installed the F5 Monitoring Pack onto all Management Servers, including the RMS (which must be installed onto first). You can use Remote Desktop or Terminal Services, but discovery will not work from the Web Console.

Once you have successfully installed and configured the F5 Monitoring Pack software, you can discover managed F5 Networks devices on your system. Discovering F5 devices is the first step in monitoring these devices with the F5 Monitoring Pack. You can discover F5 Networks devices by manually entering device names or addresses, by using a CSV file, or by scanning a subnet.

Ports Required to Communicate with an F5 Device During Discovery

By default the required ports to communicate with an F5 device from the F5 monitoring service are, on the F5 device: - 443 (HTTPS): iControl connection - 4353: iQuery connection

If the F5 device is behind a firewall, TCP ports 443 and 4353 need to be enabled on the firewall, for bi-directional communication between the F5 device and the F5 Monitoring Service. On the F5 monitoring host the ports for the device connection sockets are allocated dynamically (within the range available on the local TCP/IP stack). When the F5 device is configured to use different ports (from the defaults specified above) for iControl and iQuery connection, the F5 Monitoring service needs to be configured to use the appropriate ports. The related configuration settings are set in f5mpsvc.exe.config file's section:

<appSettings>
...
<add key="iQueryRemotePort" value="4353" />
<add key="iControlRemotePort" value="443" />
...
</appSettings>

Discovering devices by IP address or subnet scan

When you start the Discover Devices wizard, you can select to discover devices my manually entering device address and password information for each device that you want to discover. On the Devices to be Discovered List, you can type an IP address or FQDN for any device in the network, then add authorization credentials that the system uses to authenticate itself to network devices. Alternately, you can scan a subnet on the network to discover all available, compatible F5 devices. When you scan a subnet, the system uses ping to determine the list of devices available. From this list, you can choose to monitor these devices with F5 Monitoring Pack.

Discovering devices using a CSV file

You can also add devices to the list of managed devices by importing a file containing values that specify the IP address, user name, and password of each device. The F5 Monitoring Pack uses the information from this file to populate the Device List box in the Discover Devices wizard.

When you create a CSV file to use for device discovery, use the following format with each unique device represented on its own line: , , The variable refers to the IP address of the device to discover, is the user name that you want F5 Monitoring Pack to use to log on to the device, and is the password for the user name. For example, if you have a list of five devices to discover, your import file may have the following entries: 10.10.10.1,admin,pass001 10.10.10.2,admin,pass002 10.10.10.3,admin,pass003 10.10.10.4,admin,pass004 10.10.10.5,admin,pass005

[ Top ]

Using the discovery wizard

F5 Monitoring Pack provides a Discover Devices Wizard to assist you in adding devices to the managed device list. The wizard provides prompts to guide you through each of the three different methods of discovering devices:

  • By network subnet scan
  • By manual specification of individual device address
  • By importing device address information from an external CSV file

To start the wizard and choose a discovery method

  1. Expand the Actions pane, and under F5 Actions Tasks, click Discover F5 Devices. The Discover Devices wizard opens.
  2. In the Discover Method box, choose one of the following options, and then click Next", Newline, Tab," Manually enter device names/addresses: choose this method to enter the FQDN or IP address of each device to discover.", Newline, Tab, " From a File: choose this method to import a list of device IP addresses from a CSV file.", Newline, Tab, "* Scan a Subnet: choose this method to scan a subset of the network for compatible F5 devices.
  3. Depending on the option you choose, follow the appropriate procedure listed.", Newline, Tab," To manually enter device names and addresses, see To discover a device by manually entering device names and addresses below", Newline, Tab, " To import a list of device names and addresses from a CSV file, see To discover a device using a CSV file below", Newline, Tab, "* To scan the network, see To discover a device by scanning a subnet below

To discover a device by manually entering device names and addresses

  1. On the Devices to be Discovered List screen, in the Device Information box, enter the network address, and then click Edit Credentials.The F5 Device Authentication window appears.
  2. In the F5 Device Authentication window, enter the user name and password associated with the network address, and then click OK.
  3. Click Add to add the network address and cached credentials to the Device List.The IP address and user name appear in the Device List box.", Newline, "_Note: You can enter up to 33 devices at a time; however, we recommend discovering up to three devices on the Device List at once for optimal performance.
  4. Once you have added all the devices you wish, make sure to check the "Authorize Big3d Update" checkbox and then click the Discover button to discover the devices listed.The Discover Devices wizard screen appears, showing you the status of the discovery process for each of the devices you listed.

To discover a device using a CSV file

  1. On the File Devices Discovery wizard screen, in the File Information section, click Browse.
  2. The Open Device List File dialog box opens.
  3. Browse for the CSV file that contains the device list information, select it, and click Open.
  4. Click Next to move to the Devices to be Discovered List screen.The list of devices appears in the Device List box on the screen.
  5. Once you have made sure that the devices are correct, make sure to check the "Authorize Big3d Update" checkbox and then click the Discover button to discover the devices listed.The Discover Devices wizard screen appears, showing you the status of the discovery process for each of the devices in the list.

To discover a device by scanning a subnet

  1. On the Subnet Devices Discovery wizard screen, in the Root IP Address box, type an network subnet root address that you want to scan, for example, type 10.10.13.0 to scan for devices within that subnet.
  2. In the Mask box, type the netmask to use when searching the network subnet you previously specified.
  3. Click Next to start the scan.The Subnet Scan wizard screen opens, listing the devices found on the subnet as the system finds them.
  4. After the system finds all compatible devices on the subnet, click Next to move to the Devices to be Discovered List screen.
  5. From here you may want to verify the devices that the subnet scan found. Once you have made sure that the devices are correct, make sure to check the "Authorize Big3d Update" checkbox and then click the Discover button to discover the devices listed.The Discovery Progress screen appears, showing you the status of the discovery process for each of the devices in the list.
[ Top ]

Deleting F5 devices from the device list

When you remove a device, the device no longer appears in the Datagram View or State View and the system no longer collects statistical metrics for the device. However, if you re-add the device at a later date, F5 Monitoring Pack retains historical data for the managed device.

To remove a device

  1. Log into the Management Server you discovered the device from. If you do not remember this, it is located below in the information pane in the Operations Manager Console when you click on a device. The field to look for is "Discovered By Host".
  2. Once logged into the correct Management Server, open up the Operations Manager Console and in the Monitors Pane, expand the F5 State View. The device list appears in the main pane ||
  3. Click the device that you want to remove to select it.
  4. Expand the Actions pane, and under F5 Monitoring Pack Monitoring Service Tasks, click Remove F5 Device.The device is removed from the device list. You may also right-click on the device and choose "Device Tasks" and pick Remove from the list of options.

Understanding details of discovery process

When you use F5 Monitoring Pack to discover devices in your network, it installs an updated version of the big3d agent on devices that you discover. The system uses big3d to collect statistical data from managed devices, and requires that certain systems have updated versions in order to be compatible with F5 Monitoring Pack. Also, when discovering a device, the system uses a managed device's IP address in conjunction with its MAC address. This ensures that duplicate IP addresses that may exist in multiple networks do not cause errors.

Reviewing changes to big3d

F5 Monitoring Pack version 1.0 includes a new version of the big3d agent. The big3d agent collects performance information and runs on all BIG-IP systems. F5 Monitoring Pack uses big3d to collect performance data from managed devices. The Monitoring Pack Big-IP discovery process checks managed devices to ensure that big3d is a version equal to or greater than the Monitoring Pack version of big3d. If the version of big3d on any managed device is older than the version included with F5 Monitoring Pack 1.0, discovery can installs new version on the managed device.

When the big3d agent is restarted by the Monitoring Pack discovery process, or by a manual hotfix of big3d by an adminstrator, there is a small window of time where GTM balancing may be impacted ~ usually less than one minute.

To ensure that administrators are informed when the update is required, the Monitoring Pack does NOT update GTM unless the administrator specifically authorizes the update.

If you have not authorized a Big3d update, and the MP Discovery mechanism detects an older or unsupported version of Big3d, Discovery will be aborted and a related error message will be provided to the administrator. In this way, you can schedule when to update Big3d (via discovery) and manage and coordinate your GTM impact.

To authorize an update of Big3d you can do one of the following for a device:

  • Via the graphical UI, check the box at the bottom of the device list for authorization
  • Via the console UI (f5mpcmd.exe), include the ":updatebig3d" option in your discovery command
  • Via the PowerShell UI, include the "-UpdateBig3d" switch parameter for the Start-Discovery commandlet.

See the following article on updating the big3d agent on a managed device: https://support.f5.com/kb/en-us/solutions/public/9000/700/sol9741.html. This article references the Enterprise Manager, but the same information applies to the F5 Monitoring Pack.

About discovery using the MAC address

To ensure that a device is only discovered once, the F5 Monitoring Pack uses the MAC address in place of the IP address for the main identifier of each device. If the Monitoring Pack used only an IP address to identify and manage devices, this could cause issues with BIG-IP systems that have more than one IP address mapped to a single MAC address. This prevents the system from discovering multiple times for each unique IP address, and ensures that you do not need to configure network addresses specifically to work with F5 Monitoring Pack.

[ Top ]

Understanding F5 Device User Role Security and Discovery

This section explains some of the security details behind the F5 device user role required for device discovery and the underlying iControl and iQuery connectivity

  • Overview
  • Device Discovery and Management
  • Device Configuration Updates and Monitoring, Statistics
  • Conclusion

Overview

One of the most common questions when deciding what account should be used in the F5 Monitoring Pack for discovering an F5 device, is about what user role should this account have on the BIG-IP (F5 Device). For an accurate answer we need to take a deeper look into what exactly happens during the device discovery process and also through the lifetime of the device management activity provided by the F5 Monitoring Pack.

From the very beginning we should probably mention the dual aspect of the F5 Monitoring Pack's main functionality: monitoring and management. Monitoring in terms of collecting device statistics and providing System Center Operations Manager (SCOM) integration. Management or 'Device Management' in terms of featuring a certain set of F5 device related configuration tasks, which could be performed by SCOM administrators, given that they have the appropriate security role mapped on the F5 device. This sort of 'mapping' is handled by the 'Authorization Role' security layer within the F5 Monitoring Pack. In this article we'll be discussing the user role required on the F5 device for a successful discovery and device management, without going into the details of the authorization role mapping between this particular account and the SCOM management account.

The focus will be on the two stages / facets of the device-discovery-management and device-monitoring activities, provided by the F5 Monitoring Pack:

  • device discovery / management
  • device configuration updates and monitoring, statistics

Device Discovery and Management

Initial discovery of the F5 device requires Administrator role for the user account performing the device discovery (and we're referring to the F5 device user role here). The reason behind this is that during discovery, the iControl interface (port 443 on the F5 device) is used for device certificate management / upload as well as updating the big3d agent on the F5 device, when necessary. Generally speaking, iControl calls into the TMOS (the F5 device's Traffic Management Operating System) and for the particular tasks carried out during device discovery (certificate upload and big3d update), full admin rights are required. So one thing to consider here is that since the iControl makes calls into the TMOS, and these calls are impersonated by the account logged in through the iControl interface, the access policy is controlled by the TMOS's underlying AuthZ security layer. Evidently some of the calls may be allowed, others may not, depending on whose behalf the iControl calls are being executed and what exactly those calls are supposed to do inside the TMOS.

The actual discovery of the device configuration is performed through the iQuery interface (port 4353 on the F5 device). And we'll get back to the security context of the iQuery communication with the device. After the discovery process, iControl is used for performing occasional checks to the iControl interface on the F5 device. The call checking for iControl connectivity is only retrieving the timestamp on the device. This type of call doesn't necessarily require administrator privileges on the F5 device. As a matter of fact such an iControl call is allowed even for a guest account. So, a legitimate question could immediately follow: can we demote the role of the F5 device account used during discovery (which remember, had to be an Administrator) to something less than Administrator? Or, can we switch to a less privileged user account for maintaining device connectivity and manageability, after discovering the device? The answer is YES and NO. Depending on what is intended on the SCOM administration end, in terms of managing the F5 device.

As previously mentioned, the F5 Monitoring Pack provides certain device management capabilities, such as:

  • Add/Remove LTM Virtual Servers / LTM Pool Members
  • Disable/Enable LTM Pool Members
  • Force LTM Pool Members Offline / Online
  • etc.

These tasks could otherwise be done through the native F5 device management interface (web user interface), console/shell or through TMSH scripting, by the F5 device administrators, given that they have the appropriate security role for performing such operations. The F5 Monitoring Pack attempts to close the gap between the SCOM management and F5 device administration, providing a subset of such device configuration tasks through the SCOM management console.

There are network environments where the F5 device management tasks are exclusively assigned to a group of people who are not SCOM administrators. In this case having a lesser user role for the account used for device discovery would be a legitimate request. The F5 device user role of the account could go as low as 'Guest'. But then the F5 Monitoring Pack would only be able to monitor the device for configuration updates and statistics.

Note: When using a less privileged (e.g. non-administrator) user role for the F5 device account, attempting to set an F5 device object in Maintenance Mode (in SCOM parlance), through the SCOM management console, would fail, as the SCOM 'Maintenance Mode' task is mapped by the F5 Monitoring Pack to the appropriate iControl call, to disable / enable the underlying F5 device object, according to the SCOM Maintenance Mode status (started / stopped).

So, careful consideration should be taken about the user role assigned for the F5 device account used for discovery.

Note: If you wish to continue monitoring and configuring the device without allowing the user access to the admin account, you may lower the account to Manager. This will allow the user to still enable/disable members as well as receive vital health data from the Big-IP.

Device Configuration Updates and Monitoring, Statistics

As mentioned in the previous section, about device discovery, the actual discovery of the device configuration is performed through the iQuery interface (port 4353 on the F5 device). The F5 Monitoring Service (the actual monitoring agent of the F5 Monitoring Pack) subscribes to event notifications about device configuration changes via the iQuery (XML-like protocol). The iQuery interface is exposed through the big3d agent on the F5 device, and inbound/outbound iQuery traffic is directed though and from the MCPD (Master Control Program Daemon) in the TMOS. If say, there is a new LTM Pool Member added (for example using the device web management console), the F5 device configuration / hierarchy is almost immediately updated in SCOM. And this happens through the iQuery interface, where device configuration updates are sent from the F5 device to the F5 Monitoring Service. So there's no need for forcing a rediscovery of the device to process such a change in the SCOM's F5 device hierarchy (configuration) and health state.

Also, device statistics are provided through the iQuery interface. The F5 Monitoring Pack subscribes to device statistics through iQuery, as well. So iQuery is the main 'transport vehicle' for device configuration updates and device statistics. No device management per-se is or can be done through iQuery.

A few words now about the security context of the iQuery communication, between the F5 Monitoring Service and the F5 device. As I mentioned above, the iQuery communication channel with the F5 device is exposed by the big3d agent (on the F5 device). When the F5 device has been initially discovered, and remember this initial discovery task should have been done with an F5 device user account having Administrator role, the F5 Monitoring Service pushed a certificate out to the F5 device, through the SSL communication ensured by iControl. This certificate is used by the big3d agent to authenticate clients requesting iQuery connections. So coming back to our use case of switching or demoting to a lesser user role for the F5 device account used for discovery, the question is: would further iQuery communication still be possible with the F5 device, after discovery, if a less powerful (say 'Guest') account is used for F5 device communication? And the answer is YES. And I explain why. When the big3d receives a client connection request, it checks the available server certificates in the F5 device certificate store and matches them against the client requesting the connection. If the client has previously uploaded a valid certificate (which BTW happened through the initial device discovery process), then big3d grants full access to the client, and the iQuery 'season' is open for communication. And this would be OK, even if the F5 device credentials on the client side have long been changed to a Guest for example, on the F5 Monitoring Pack's side. How long this could go on? The server side certificate pushed on the F5 device, by the F5 Monitoring Service during initial discovery, would expire in 10 years.

Conclusion

The F5 device user account used by the F5 Monitoring Pack to handle the device connectivity has an important role in managing the iControl and iQuery communication with the device. When pondering about the user role to be assigned for such an account on the F5 device, SCOM administrators and F5 device administrators should consider the dual aspect of the F5 Monitoring Pack's main functionality: device-management and device-monitoring. Discovering an F5 device with the F5 Monitoring Pack initially requires an Administrator role for the F5 device user account. Eventually this user account could be demoted to a lesser role, or replaced by a different account, with less privileges. But in this case most of the device management features exposed through the F5 Monitoring Pack in SCOM would be lost. Still, such a requirement may be perfectly valid in network environments where the F5 device management tasks are exclusively assigned to a different group of people, who are not necessarily SCOM administrators. And this would employ the F5 Monitoring Pack only for monitoring statistics from F5 devices.

[ Top ]

Contacting F5 Networks

  Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.


Legal notices