Archived Manual Chapter: bigpipe Command Reference

This article has been archived, and is no longer maintained.

This appendix contains the command syntax for specific BIG-IP® system commands, and the bigpipe commands that you can use to configure the BIG-IP® Secure Access Manager. You use the BIG-IP system commands at the BIG-IP system prompt. You can use the bigpipe commands at the bigpipe shell prompt (bp>) or at the system prompt. If you enter bigpipe commands at the system prompt, you must enter a b before the command. For example, to display a list of access control lists:
At the bigpipe shell prompt, enter: acl list
For a full bigpipe command reference, see the BIG-IP® Command Line Interface Guide.
You can find additional information about command syntax in the online man pages. The BIG-IP® Secure Access Manager includes a complete set of online man pages for the commands that make up the bigpipe utility. You can access the online man pages for bigpipe commands in one of two ways:
From the BIG-IP system prompt, type man followed by the command name. You must use underscores between the words in the command name. For example:
From the bigpipe shell prompt, use the command name followed by help. Do not use underscores between the words in the command name. For example:
When using bigpipe commands, you can globally modify or delete objects of a specified type only when all objects of that type reside in a single partition. In other words, when you use the keyword all with an object type, the action applies only to objects of that type in the current Write partition. For more information about partitions, see Understanding partitions and user accounts in the BIG-IP® Network and System Management Guide.
When using bigpipe commands, you can use spaces or forward slashes in string parameters only if you use quotation marks (" ") around the parameter. For example, to configure the network access connectivity resource DemoNetAccess to launch Internet Explorer, using the path c:\program files\internet explorer\iexplore.exe, you type the following command at the bigpipe shell prompt:
connectivity resource network access DemoNetAccess application launch \
{path "c:\\program files\\internet explorer\\iexplore.exe"}
In the See also sections of this appendix, commands are followed by an industry-standard identifying number. The types that are listed in this appendix include:
Any of these commands may be followed by <name list>. This indicates a list of the specified items, separated by spaces.
The remainder of this appendix lists specific BIG-IP® system commands and the bigpipe utility commands that you can use to configure the BIG-IP® Secure Access Manager.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command aaa active directory server to create and manage an AAA Active Directory server. The Active Directory is a network structure supported by Windows® 2000, or later, that provides support for tracking and locating any object on a network.
Creates the AAA Active Directory server named MyADserver in the Company domain, sets the administrator logon name to administrator and the administrator password to !My123Password, and sets the Key Distribution Center to company.com:
Deletes the AAA Active Directory server named MyActiveDirectoryServer from the system.
admin name
Specifies the user name that has administrative permissions on an AAA Active Directory server.
admin password
Specifies the password associated with admin name.
domain
Specifies the Fully Qualified Domain Name (FQDN) of an AAA Active Directory server. This setting is required.
name
Specifies the name of an AAA Active Directory server. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
kdc
Specifies the KDC (Key Distribution Center). The default is none.
partition
Specifies the partition within which the object resides.
timeout
Specifies a timeout interval (in seconds) after which an AAA Active Directory server closes a connection. The default is 15 seconds.
aaa ldap server(1), aaa radius server(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command aaa ldap server to create and manage an AAA LDAP server.
Creates the AAA LDAP server named MyLDAPserver that is assigned the IP address 172.30.6.144 and the administrator container distinguished name of cn=administrator,cn=users,dc=company,dc=companynet,dc=com with a password of !MyPassword:
Deletes the AAA LDAP server named MyLDAPServer from the system:
addr
Specifies the IP address of an AAA LDAP server. This setting is required.
admin dn
Specifies the Container Distinguished Name (DN) to use for authentication. This setting is required.
admin password
Specifies the password for admin name. This setting is required.
name
Specifies the name of the AAA server. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
port
Specifies the port number of the AAA LDAP server. The default is ldap. This setting is required.
timeout
Specifies a timeout interval (in seconds) for the AAA LDAP server after which the server closes a connection. The default is 15 seconds.
aaa active directory server(1), aaa radius server(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
service type (default | login | framed | callback login | callback framed | \
outbound | administrative | nas prompt | authenticate only | \
callback nas prompt | call check | callback administrative | last)
You can use the command aaa radius server to create and manage an AAA RADIUS server.
Creates the AAA RADIUS server named companyradiusserver that has an IP address of 172.30.6.144, and has a shared secret of !MySharedSecret:
Deletes the AAA RADIUS server named Myradiusserver from the system:
name
Specifies the name of an AAA RADIUS server. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
nas ip address
Specifies the IP address of an AAA RADIUS server.
partition
Specifies the partition within which the object resides.
retries
Specifies the number of retries for an AAA RADIUS server. The default is 3.
secret
Specifies the shared secret password of an AAA RADIUS server. This setting is required.
server
Specifies the IP address of an AAA RADIUS server. This setting is required.
service
Specifies the port number for the service. The default is radius. This setting is required.
service type
Specifies the service type for an AAA RADIUS server. This setting is optional.
timeout
Specifies a timeout interval (in seconds) for an AAA RADIUS server after which the server closes a connection. The default is 5 seconds.
aaa active directory server(1), aaa ldap server(1)
You can use the command access to reset the access statistics.
access policy(1), access policy item(1), access session(1)
Important: F5 Networks® recommends that you do not use the command line interface to create and manage an access policy. Instead, use the visual policy editor in the Configuration utility.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
An access policy contains the steps that the client and server go through before the BIG-IP® Secure Access Manager grants access to a connection request. You can use the command access policy to create and then manage access policies.
Creates an access policy in which the user logs on and the system checks for a specific file. If the client contains the specified file, the access policy carries out an antivirus check, and then performs a RADIUS authentication and assigns a resource. If the client does not contain the specified file, but the RADIUS authentication is successful, the system performs the resource assignment and displays the webtop. The webtop is the user's home page, which grants access to the network access connection.
Swaps the success and failure branches of the file check in the new configuration. If the client does not contain the specified file, the system performs an antivirus check followed by RADIUS authentication. If the client contains the specified file, the system performs a RADIUS authentication directly.
Creates an access policy named MyAccessPolicy that displays in the visual policy editor with the caption ldap_auth:
caption
Specifies the name of the access policy that displays in the visual policy editor. This setting is required.
default ending name
Specifies the name of the default ending for the access policy.
items
Adds an item to or deletes an item from the access policy.
macros
Adds a macro to or deletes a macro from the access policy. A macro is a commonly used, predefined section of an access policy configuration that usually contains several actions, which are configured in a flow, that can be added directly to an access policy and used with a minimum of configuration.
name
Specifies the name of the access policy. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
start item name
Specifies the name of the first action item in the access policy.
type
Specifies either an access policy or a macro.
access(1), access policy item(1), access session(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
type (ending denied | ending redirect | ending webtop | aaa active directory | \
aaa clientcert | aaa http | aaa ldap | aaa ntlm | aaa radius | \
connectivity resource | decision box | endpoint windows browser cache cleaner | \
endpoint windows check av | endpoint windows check file | \
endpoint windows check fw | endpoint windows check process | \
endpoint windows check registry | endpoint windows info os | logon page | \
message box | resource assign | variable assign | vlan selection)
access policy item [<access policy item key list> | all] agents \
[<access policy item agent key list> | all] [show]
access policy item [<access policy item key list> | all] agents \
[<access policy item agent key list> | all] name [show]
access policy item [<access policy item key list> | all] agents \
[<access policy item agent key list> | all] type [show]
You can use the command access policy item to create and manage an access policy item.
Creates the ending type access policy item named MyEnding that displays the caption ending in the visual policy editor:
Deletes the access policy item named MyEntryItem from the system:
agents
Specifies a list of agents that you want to add to or delete from the access policy item. You can specify the following:
name
Name of the agent.
type
Type of agent. The default is ending.
caption
Specifies the name of the access policy item that displays in the visual policy editor. This setting is required.
color
Specifies the number of the color you want to apply to the access policy item for display in the visual policy editor. The default is 0 (zero).
macro name
Specifies the name of the macro that you want to include in the access policy item.
name
Specifies the name of the access policy item. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
rules
Adds a rule to or deletes a rule from an access policy item. You can specify the following attributes for rules:
caption
The name of the rule that displays in the visual policy editor.
expression
An expression to use in this rule. You can write your own expression using the Tcl programming language. Note that when writing in Tcl you must always use a space before and after braces { }.
next item
The name of the next policy item in the access policy.
type
Specifies the type of access policy item. This setting is required. You can specify one of the following types:
action
An access policy item that indicates an action the system takes between the entry and ending items of an access policy branch.
ending
An access policy item that indicates the action the system takes at the end of an access policy branch. The predefined endings are:
logon_denied
Sets a failure ending to deny the user access.
webtop
Sets a successful ending to launch the secure access webtop.
entry
An access policy item that indicates the action the system takes when a user first attempts to access the network.
macrocall
An access policy item that is a user-defined macro.
terminalout
An access policy item that indicates the outcome of a macro branch.
access(1), access policy(1), access session(1)
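The policy flow described under access policy (file check, antivirus check on one branch, RADIUS authentication, resource assignment, webtop, and the branch swap) and the item/rule structure described above, modelled as an added example that is not F5's code. The Tcl rule expressions are stood in for by Python predicates over a session-variable dict; the variable names (file_present, av_ok, radius_ok), first-match rule order and the loop guard are assumptions of this example.

```python
"""Walk an access policy of the shape this page describes: items of type
entry, action or ending, each with ordered rules (caption, expression, next
item), plus a start item and a default ending. Added example, not F5 code.
The Tcl rule expressions the product evaluates are stood in for by Python
predicates over a dict of session variables; first-match rule order and
the variable names used below are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Session = Dict[str, object]


@dataclass
class Rule:
    caption: str
    expression: Callable[[Session], bool]   # stands in for the Tcl expression
    next_item: str


@dataclass
class PolicyItem:
    name: str
    type: str                               # entry | action | ending | macrocall | terminalout
    caption: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class AccessPolicy:
    name: str
    start_item_name: str
    items: Dict[str, PolicyItem]
    default_ending_name: str = "logon_denied"


def evaluate(policy: AccessPolicy, session: Session, max_steps: int = 32) -> Tuple[str, List[str]]:
    """Return (ending reached, path of item names). The first rule whose
    expression is true selects the next item; an item with no true rule
    falls to the default ending. max_steps guards against a mis-wired policy
    that loops and would otherwise never reach an ending."""
    path: List[str] = []
    current = policy.start_item_name
    for _ in range(max_steps):
        if current not in policy.items:
            raise KeyError(f"{policy.name}: rule points at unknown item {current!r}")
        item = policy.items[current]
        path.append(item.name)
        if item.type == "ending":
            return item.name, path
        current = next((r.next_item for r in item.rules if r.expression(session)),
                       policy.default_ending_name)
    raise RuntimeError(f"{policy.name}: no ending reached after {max_steps} items")


def always(_session: Session) -> bool:
    """The unconditional fallback branch of an item."""
    return True


def file_check_policy() -> AccessPolicy:
    """The policy the page describes: logon, file check, an antivirus check
    only on the branch where the file is present, RADIUS authentication,
    resource assignment, webtop. Failed checks fall to the default ending."""
    items = {
        "logon": PolicyItem("logon", "entry", "Logon Page",
                            [Rule("fallback", always, "file_check")]),
        "file_check": PolicyItem("file_check", "action", "Windows File Check", [
            Rule("file present", lambda s: s.get("file_present") is True, "av_check"),
            Rule("fallback", always, "radius_auth"),
        ]),
        "av_check": PolicyItem("av_check", "action", "Antivirus Check",
                               [Rule("AV OK", lambda s: s.get("av_ok") is True, "radius_auth")]),
        "radius_auth": PolicyItem("radius_auth", "action", "RADIUS Auth",
                                  [Rule("Successful", lambda s: s.get("radius_ok") is True,
                                        "resource_assign")]),
        "resource_assign": PolicyItem("resource_assign", "action", "Resource Assign",
                                      [Rule("fallback", always, "webtop")]),
        "webtop": PolicyItem("webtop", "ending", "Webtop"),
        "logon_denied": PolicyItem("logon_denied", "ending", "Logon Denied"),
    }
    return AccessPolicy("MyAccessPolicy", "logon", items)


def swap_branches(policy: AccessPolicy, item_name: str) -> None:
    """The change the page describes: exchange where the first two rules of
    an item lead, so 'file present' goes straight to RADIUS and the fallback
    branch runs the antivirus check."""
    first, second = policy.items[item_name].rules[:2]
    first.next_item, second.next_item = second.next_item, first.next_item


def ending_for(session: Session, swapped: bool = False) -> Tuple[str, List[str]]:
    """Evaluate the sample policy, optionally with the file-check branches swapped."""
    policy = file_check_policy()
    if swapped:
        swap_branches(policy, "file_check")
    return evaluate(policy, session)
```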
You can use the command access session to display an access session.
You associate an access policy with a virtual server by associating an access profile with the virtual server. A connection that the system sends to a virtual server must include credentials that meet the requirements of the access policy associated with that virtual server.
access(1), access policy(1), access policy item(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
dst ip (<ip addr> [mask <ip mask> | (prefixlen | /) \
<number>] | default [inet | inet6])
src ip (<ip addr> [mask <ip mask> | (prefixlen | /) \
<number>] | default [inet | inet6])
An ACL is a set of restrictions associated with a resource or favorite that defines access for users and groups. You can use the command acl to create and manage ACLs.
Creates the access control list named MyACL that is the third ACL in the list of ACLs in the visual policy editor, and adds an access control entry that allows traffic using the default source IP address and the default destination IP address:
Deletes the MyACL access control list:
description
Describes the access control list.
entries
Adds an entry to or deletes an entry from an access control list.
action
Specifies the action that an access control list takes when this access control list entry is encountered. This setting is required. You can specify one of the following actions:
allow
Allows traffic.
continue
Stops checking against the remaining entries of an access control list, and continues evaluation at the next access control list.
discard
Drops packets silently.
reject
Drops the packet and sends a TCP RST on TCP flows or the appropriate ICMP message on UDP flows. Packets of other protocols are dropped silently.
dst ip
Specifies the destination IP address and network mask of the access control list entry.
dst port
Specifies the destination port or range of ports of the access control list entry.
log
Specifies the log level used when this entry matches and its action is taken. Your options are:
none
Logs nothing. This is the default value.
config
Logs the configuration of a matched entry.
packet
Logs a matched packet.
summary
Logs the name and entry number of a matched access control list and access control list entry.
verbose
Logs everything.
protocol
Specifies the protocol number (TCP=6, UDP=17) of the access control list entry. The default is any.
src ip
Specifies the source IP address and network mask of the access control list entry.
src port
Specifies the source port or range of ports of the access control list entry.
name
Specifies the name of the access control list. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
order
Specifies the order of the access control entries in this access control list. This setting is required.
partition
Specifies the partition within which the object resides.
type
Specifies the type of access control list. The default is 14. This setting is required. The available types are:
14
Layer 4
17
Layer 7
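An evaluator for ordered ACLs with the entry semantics described above (first matching entry decides; continue moves on to the next ACL; the five log levels), including a parser for the src ip / dst ip argument syntax shown in this section. This is an added example, not F5's implementation; the port spelling any, the deny-by-default fallthrough when nothing matches, and the sample ACLs are assumptions of the example.

```python
"""Evaluate ordered ACLs with the entry semantics this page describes.
Added example, not F5's implementation: ACLs are walked in ascending order
and entries in list order; the first match decides, and 'continue' stops
checking the current ACL and moves on to the next. The port spelling 'any'
and the deny-by-default fallthrough are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


def parse_ip_arg(text: str):
    """<ip addr> [mask <ip mask> | (prefixlen | /) <number>] | default [inet | inet6]"""
    toks = text.split()
    if toks[0] == "default":
        return ip_network("::/0" if toks[1:] == ["inet6"] else "0.0.0.0/0")
    if len(toks) == 1:                      # bare address: a single host
        return ip_network(toks[0])
    if len(toks) == 3 and toks[1] in ("mask", "prefixlen", "/"):
        # ip_network accepts a dotted mask or a prefix length after the '/'
        return ip_network(f"{toks[0]}/{toks[2]}", strict=False)
    raise ValueError(f"bad address argument: {text!r}")


def port_ok(spec: str, port: int) -> bool:
    """'any' -> no restriction; '443' or '1024-65535' -> inclusive range."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class Entry:
    action: str                     # allow | continue | discard | reject
    src_ip: str = "default"
    dst_ip: str = "default"
    src_port: str = "any"
    dst_port: str = "any"
    protocol: Optional[int] = None  # None is the page's 'any'; TCP=6, UDP=17
    log: str = "none"               # none | config | packet | summary | verbose

    def matches(self, proto, src, sport, dst, dport) -> bool:
        # An IPv4 address is never 'in' an IPv6 network and vice versa, so a
        # plain 'default' (inet) entry does not match IPv6 flows.
        return ((self.protocol is None or self.protocol == proto)
                and src in parse_ip_arg(self.src_ip)
                and dst in parse_ip_arg(self.dst_ip)
                and port_ok(self.src_port, sport) and port_ok(self.dst_port, dport))


@dataclass
class Acl:
    name: str
    order: int
    entries: List[Entry] = field(default_factory=list)


def log_record(acl, idx, entry, flow) -> str:
    """What each log level records, following the page's descriptions."""
    pieces = {"summary": f"{acl.name} entry {idx}", "packet": f"packet {flow}",
              "config": f"config {entry}"}
    keys = list(pieces) if entry.log == "verbose" else [entry.log]
    return "; ".join(pieces[k] for k in keys)


def evaluate(acls, proto, src, sport, dst, dport, fallthrough="discard"):
    """Return (action, acl name, entry number, log records) for one flow.
    With no match anywhere, `fallthrough` applies (deny by default is this
    example's assumption; the page does not state the behaviour)."""
    flow = (proto, src, sport, dst, dport)
    src_a, dst_a = ip_address(src), ip_address(dst)
    logs: List[str] = []
    for acl in sorted(acls, key=lambda a: a.order):
        for idx, entry in enumerate(acl.entries, start=1):
            if entry.matches(proto, src_a, sport, dst_a, dport):
                if entry.log != "none":
                    logs.append(log_record(acl, idx, entry, flow))
                if entry.action == "continue":
                    break               # skip the rest of this ACL, go to the next
                return entry.action, acl.name, idx, logs
    return fallthrough, None, None, logs


# Constructed sample configuration (not from the page). MyACL rejects telnet
# to one host, hands the internal subnet on to the next ACL via 'continue'
# and allows everything else; InternalACL permits only HTTPS into 10/8.
SAMPLE_ACLS = [
    Acl("MyACL", 1, [
        Entry("reject", dst_ip="10.0.0.5", dst_port="23", protocol=6, log="summary"),
        Entry("continue", src_ip="192.168.1.0 / 24"),
        Entry("allow"),
    ]),
    Acl("InternalACL", 2, [
        Entry("allow", src_ip="192.168.1.0 mask 255.255.255.0",
              dst_ip="10.0.0.0 prefixlen 8", dst_port="443", protocol=6),
        Entry("discard", log="packet"),
    ]),
]
```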
You can use the command agent to display or delete an agent.
name
Specifies the name of an agent that you want to display or delete. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent aaa active directory to create and manage an AAA Active Directory agent.
Creates the query type AAA Active Directory agent named MyADQueryagent that uses the (SAMAccountName=%{session.logon.last.username}) filter and the companyAD server:
Creates the authorization type AAA Active Directory agent named MyADAuthagent that uses the companyAD server:
Deletes the MyADagent AAA Active Directory agent:
attrname
Adds an attribute name to the agent or deletes an attribute name from the agent.
fetchgroupattr
When enabled, the system administrator can retrieve the primary group attributes of a user, and use the primary domain name of the group in access policy item rules. The default is disable.
filter
Specifies the search criteria the system uses when querying an AAA Active Directory server for authentication information. The system supports session variables as part of search query string.
hints
When enabled, the system offers the user an option to create a hint that assists in remembering a password. The default is disable.
max logon attempt
Specifies the maximum number of opportunities that a user has to re-enter her credentials after her first attempt to log on fails. If you set this value to a number from 2 to 5 inclusive, the system offers the user that many opportunities to log on after her first attempt fails. If you set the value to 1, the system does not provide a second opportunity to log on after a first attempt fails. The default is 3.
name
Specifies the name of an AAA Active Directory agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
server
Specifies an AAA Active Directory server the system uses for Active Directory queries and authentication.
type
Specifies the type of AAA Active Directory agent. The default is last. This setting is required.
upn
When enabled, the BIG-IP® Secure Access Manager supports the user principal name (UPN) naming style. An example of UPN is user@domain. The default is disable.
agent(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent aaa clientcert to create and manage an AAA Client Certification agent.
Creates the AAA Client Certification agent named MyCCagent in the Common partition:
Deletes the MyCCagent AAA Client Certification agent:
name
Specifies the name of an AAA Client Certification agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent aaa ldap to create and manage an AAA LDAP agent.
The following two command sequences create the authorization type AAA LDAP agent named MyLDAPagent that is associated with the companyLDAP server and uses the cn=%{session.logon.last.username},cn=users,dc=lab,dc=fp,dc=f5net,dc=com user domain name, the cn=users,dc=lab,dc=fp,dc=com search domain, and the (SAMAccountName=%{session.logon.last.username}) filter:
Creates the query type AAA LDAP agent named MyLDAPagent that is associated with the companyLDAP server and uses the cn=users,dc=lab,dc=fp,dc=com search domain and the (SAMAccountName=%{session.logon.last.username}) filter:
Deletes the MyLDAPagent AAA LDAP agent:
attrname
Adds an attribute name to the agent or deletes an attribute name from the agent.
filter
Specifies the LDAP filter that the BIG-IP® Secure Access Manager uses when querying an AAA LDAP server for authentication information. You must use the filter option with the searchdn option.
max logon attempt
Specifies the maximum number of opportunities that a user has to re-enter his credentials after his first attempt to log on fails. If you set this value to a number from 2 to 5 inclusive, the system offers the user that many opportunities to log on after his first attempt fails. If you set the value to 1, the system does not provide a second opportunity to log on after a first attempt fails. The default is 3.
name
Specifies the name of an AAA LDAP agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
searchdn
Specifies the base domain name that the BIG-IP Secure Access Manager uses for internal LDAP search operations. You must use the searchdn option with the filter option.
server
Specifies an AAA LDAP server that the system uses for LDAP queries and authentication.
type
Specifies a type of AAA LDAP agent. This setting is required. The default is last.
userdn
Specifies the fully qualified domain name of the BIG-IP Secure Access Manager. F5 Networks® recommends that you specify this value in lower case and without spaces for compatibility with some specific LDAP servers. The specific content of this string depends on your directory layout.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent aaa radius to create and manage an AAA RADIUS agent.
Creates the Myradiusagent AAA RADIUS agent that is associated with the Myradius server:
Deletes the Myradiusagent AAA RADIUS agent:
max logon attempt
Specifies the maximum number of opportunities that a user has to re-enter his credentials after his first attempt to log on fails. If you set this value to a number from 2 to 5 inclusive, the system offers the user that many opportunities to log on after his first attempt fails. If you set the value to 1, the system does not provide a second opportunity to log on after a first attempt fails. The default is 3.
name
Specifies the name of an AAA RADIUS server. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
server
Specifies an AAA RADIUS server the system uses for RADIUS queries and authentication. This setting is required.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent decision box to display or delete a decision box agent. A decision box provides a user with two options for accessing a system.
Note: You cannot use the command line interface to create or modify the messages that display in a decision box. You can edit customizable messages using the visual policy editor. For more information about using the editor, see Chapter 5, Creating Access Profiles and Access Policies.
name
Specifies the name of a Decision Box agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
Access policy endings indicate the final outcome of a branch of an access policy. The Logon Denied ending is the final result of an incorrect logon attempt. When a user reaches a Logon Denied ending, the user sees an error message. You can use the command agent ending denied to create and manage an Ending Denied agent.
Creates the Ending Denied agent named MyEndingDeniedAgent that is associated with the MyLogOffCG customization group:
customization group
Customizes the logon denied page, for example, adds a specific reason for the denial of access. This setting is required, and the customization group that you assign must be of the type logout.
name
Specifies the name of an Ending Denied agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
Access policy endings indicate the final outcome of a branch of an access policy. The Redirect ending is the result of the originally requested host being unavailable. When a user reaches a Redirect ending, the user sees a screen indicating that the user is being redirected to a different URL. You can use the command agent ending redirect to create and manage an Ending Redirect agent.
Creates the Ending Redirect agent named MyEndingRedirectAgent that redirects a connection to http://www.myweb.com:
name
Specifies the name of an Ending Redirect agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
url
Specifies the URL to which the system redirects the original request. This setting is required, and you must specify an absolute URL. An absolute URL specifies the exact location of a file or directory on the internet.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
Access policy endings indicate the final outcome of a branch of an access policy. A Webtop ending is a successful ending in which the system displays the user's home page, which grants access to the network access connection. You can use the command agent ending webtop to create and manage an Ending Webtop agent.
name
Specifies the name of an Ending Webtop agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
agent endpoint windows browser cache cleaner \
<agent endpoint windows browser cache cleaner key list> {}
agent endpoint windows browser cache cleaner \
(<agent endpoint windows browser cache cleaner key list> | all) \
[{] <agent endpoint windows browser cache cleaner arg list> [}]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] [show [all]]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] list [all]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] clean passwords [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] \
empty recycle bin [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] idle timeout [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] monitor webtop [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] name [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] partition [show]
agent endpoint windows browser cache cleaner \
[<agent endpoint windows browser cache cleaner key list> | all] \
remove connection entry [show]
agent endpoint windows browser cache cleaner \
(<agent endpoint windows browser cache cleaner key list> | all) delete
Endpoint security is a centrally managed method of monitoring and maintaining client-system security. You can use the command agent endpoint windows browser cache cleaner to create and manage an Endpoint Windows Browser Cache Cleaner agent, which cleans items from the browser and the computer of the client after logoff, and also enforces session inactivity timeouts.
Creates the Endpoint Windows Browser Cache Cleaner agent named MyEndpointWBCCagent that does not enforce a timeout:
Creates the Endpoint Windows Browser Cache Cleaner agent named MyEndpointWBCCagent that does not enforce a timeout, but does clear saved passwords from the client after logoff:
You can use these options with the command agent endpoint windows browser cache cleaner:
clean passwords
When enabled, the Endpoint Windows Browser Cache Cleaner agent ensures that saved passwords are cleared from the client after logoff. The default is disable.
empty recycle bin
When enabled, the Endpoint Windows Browser Cache Cleaner agent empties the Recycle Bin on the client after logoff. The default is disable.
idle timeout
Specifies the number of minutes that the client session can be idle before the Endpoint Windows Browser Cache Cleaner agent disconnects the session. The default is 0 (zero), which enforces no timeout. This setting is required.
monitor webtop
When enabled, the Endpoint Windows Browser Cache Cleaner agent forces session termination if the browser or webtop is closed. The default is disable.
name
Specifies the name of the Endpoint Windows Browser Cache Cleaner agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
remove connection entry
When enabled, the Endpoint Windows Browser Cache Cleaner agent removes the connection from the Network Connections Dial-up Networking folder on the client. The default is disable.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
Endpoint security is a centrally managed method of monitoring and maintaining client-system security. You can use the command agent endpoint windows check av to create and manage an agent that enforces antivirus protection and performs endpoint checks for viruses.
Creates the Endpoint Windows Check Antivirus agent named MyEndpointWCAVagent, which verifies that the specified anti-virus software is running on the client that is attempting to connect:
You can use these options with the command agent endpoint windows check av:
items
Adds items to or deletes items from an Endpoint Windows Check AV agent. You can specify the following attributes for the antivirus software:
db age
Specifies the maximum age of the anti-virus database that you want an Endpoint Windows Check AV agent to verify the presence of on the client in order to allow the access policy to pass.
db version
Specifies the version of the anti-virus database that you want an Endpoint Windows Check AV agent to verify the presence of on the client in order to allow the access policy to pass.
id
Specifies the ID of the anti-virus software that you want an Endpoint Windows Check AV agent to verify the presence of on the client in order to allow the access policy to pass.
state
When enabled, an Endpoint Windows Check AV agent verifies that the specified anti-virus software is running on the client that is attempting to connect. When disabled, the agent verifies only that the antivirus software is present on the system. The default is disable.
version
Specifies the version of the anti-virus software that you want an Endpoint Windows Check AV agent to verify the presence of on the client in order to allow the access policy to pass.
name
Specifies the name of an Endpoint Windows Check AV agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
<endpoint windows check file item> ::= [{] \
<endpoint windows check file item arg list> [}]
The BIG-IP® Secure Access Manager checks for the presence of one or more files on a client that is attempting to connect. If a file with the described properties exists, the action goes to the successful branch. If the file does not exist, or a file exists but one or more properties are not correct, the action goes to the fallback branch.
You can use the command agent endpoint windows check file to create or manage an Endpoint Windows Check File agent that verifies the presence of specified Windows® files on a client.
Creates the Endpoint Windows Check File agent named Myprofile_act_file_check_ag that checks that the client contains two files located in the C:\demo directory:
a 12-byte file named demofile that was modified no later than January 6, 2007 at 10:30, and has an MD5 checksum of 6b61ad518c23650b17e738e1fa2bb04e
a 9-byte file named test.file that has an MD5 checksum of f20d9f2072bbeb6691c0f9c5099b01f3:
Deletes the C:\demo\demofile file from the Endpoint Windows Check File agent named Company8profile_act_file_check_ag:
agent endpoint windows check file Company8profile_act_file_check_ag \
{ files { filename "C:\\demo\\demofile" } delete }
You can use these options with the command agent endpoint windows check file:
files
Adds files to or deletes files from an Endpoint Windows Check File agent. You can specify the following attributes of the files that you want an Endpoint Windows Check File agent to verify the presence of on the client in order to allow the access policy to pass.
filename
Specifies the name of the file, including the full path, that you want an Endpoint Windows Check File agent to verify the presence of on the client in order to allow the access policy to pass. When you want to add a file to or delete a file from the agent, this setting is required.
md5
Specifies the value of the MD5 checksum for the specified file that you want an Endpoint Windows Check File agent to verify on the client to match in order to allow the access policy to pass. The default is none.
modified
Specifies the last modified date of the specified file that you want an Endpoint Windows Check File agent to verify on the client in order to allow the access policy to pass. The default is 1970-01-01 00:00:00.
operation
Specifies the operator that you want an Endpoint Windows Check File agent to use when verifying the attributes of the specified file on the client. The default is equal.
signer
Specifies whether you want an Endpoint Windows Check File agent to verify that the specified file on the client is signed in order to allow the access policy to pass. The default is none.
size
Specifies the size, in bytes, of the specified file that you want an Endpoint Windows Check File agent to verify on the client in order to allow the access policy to pass. The default is 0 (zero).
version
Specifies the version of the specified file that you want an Endpoint Windows Check File agent to verify on the client in order to allow the access policy to pass. The version must have the form x.x.x.x, and the maximum value is 65535.65535.65535.65535. The default is none.
name
Specifies the name of an Endpoint Windows Check File agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check fw(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
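The following Python model, added here and not part of the F5 reference, shows how the files attributes above combine into the successful or fallback branch: each configured file must exist on the client and every attribute that is set must match, with the operation operator applied to the size, modified and version comparisons. The operator names other than equal, and the treatment of an attribute left at its documented default as "not checked", are assumptions of the example; the client snapshot is constructed.

```python
"""Decision model for an Endpoint Windows Check File agent (added example, not F5 code).
Evaluates the agent's `files` items (filename, md5, modified, operation, signer, size,
version) against a constructed client snapshot and returns the successful branch (True)
or the fallback branch (False). Assumed here: an attribute left at its documented default
(md5 none, modified 1970-01-01 00:00:00, size 0, version none, signer none) is not checked,
`operation` applies to the size, modified and version comparisons, and the operator names
other than `equal` are this example's own."""
import hashlib
import operator
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

EPOCH = datetime(1970, 1, 1, 0, 0, 0)  # documented default for `modified`
OPERATIONS = {"equal": operator.eq, "not_equal": operator.ne, "less": operator.lt,
              "less_or_equal": operator.le, "greater": operator.gt, "greater_or_equal": operator.ge}

def parse_version(text: str) -> tuple:
    """Parse the x.x.x.x form; each component is capped at 65535, as the page states."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4 or any(not 0 <= p <= 65535 for p in parts):
        raise ValueError(f"version must be x.x.x.x with x <= 65535: {text!r}")
    return parts

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

@dataclass
class FileItem:
    """One `files` entry of the agent, defaults as documented on the page."""
    filename: str
    md5: Optional[str] = None
    modified: datetime = EPOCH
    operation: str = "equal"
    signer: Optional[bool] = None
    size: int = 0
    version: Optional[str] = None

@dataclass
class ClientFile:
    """What the client reports for one file (constructed here, not a real endpoint probe)."""
    path: str
    content: bytes
    modified: datetime
    signed: bool = False
    version: Optional[str] = None

def check_item(item: FileItem, files: Dict[str, ClientFile]) -> bool:
    """True = successful branch; False = file absent or a configured attribute mismatches."""
    f = files.get(item.filename.lower())  # Windows paths compare case-insensitively
    if f is None:
        return False
    cmp = OPERATIONS[item.operation]
    if item.md5 is not None and md5_hex(f.content) != item.md5.lower():
        return False
    if item.size != 0 and not cmp(len(f.content), item.size):
        return False
    if item.modified != EPOCH and not cmp(f.modified, item.modified):
        return False
    if item.version is not None and (
        f.version is None or not cmp(parse_version(f.version), parse_version(item.version))
    ):
        return False
    if item.signer is not None and f.signed != item.signer:
        return False
    return True

def check_agent(items: List[FileItem], files: Dict[str, ClientFile]) -> bool:
    """The agent takes the successful branch only when every configured file checks out."""
    return all(check_item(i, files) for i in items)

def demo_client_files(tampered: bool = False) -> Dict[str, ClientFile]:
    """Constructed snapshot mirroring the page's two C:\\demo files (12 and 9 bytes)."""
    demo_bytes = b"hello world?" if tampered else b"hello world!"
    demo = ClientFile(r"C:\demo\demofile", demo_bytes, datetime(2007, 1, 5, 9, 0))
    test = ClientFile(r"C:\demo\test.file", b"test data", datetime(2008, 3, 1, 12, 0))
    return {f.path.lower(): f for f in (demo, test)}

def demo_items() -> List[FileItem]:
    """The agent's two items; the MD5s are those of the constructed contents above."""
    return [
        FileItem(r"C:\demo\demofile", md5=md5_hex(b"hello world!"), size=12,
                 modified=datetime(2007, 1, 6, 10, 30), operation="less_or_equal"),
        FileItem(r"C:\demo\test.file", md5=md5_hex(b"test data"), size=9),
    ]

def demo() -> Dict[str, bool]:
    """Outcomes for an intact client, a tampered demofile, and a missing test.file."""
    intact = demo_client_files()
    missing = {k: v for k, v in intact.items() if not k.endswith("test.file")}
    return {
        "intact": check_agent(demo_items(), intact),
        "tampered": check_agent(demo_items(), demo_client_files(tampered=True)),
        "missing": check_agent(demo_items(), missing),
    }
```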
Endpoint security is a centrally managed method of monitoring and maintaining client-system security. You can use the command agent endpoint windows check fw to create or manage an Endpoint Windows Check FW agent that checks for the presence of the specified firewall on a client.
Creates the Endpoint Windows Check FW agent named MyEndpointWCFWagent, to which you can add items that you want the agent to verify the presence of on the client:
Creates the Endpoint Windows Check FW agent named MyEndpointWCFWagent, which verifies that the firewall running on the client that is attempting to connect is version 2.0:
You can use these options with the command agent endpoint windows check fw:
items
Adds an item to or deletes an item from an Endpoint Windows Check FW agent. You can specify the following attributes to define the item:
id
Specifies the ID of the firewall that you want an Endpoint Windows Check FW agent to verify on the client in order to allow the access policy to pass.
state
When enabled, an Endpoint Windows Check FW agent verifies that the specified firewall is running on the client that is attempting to connect. When you enable this attribute, you must specify either the ID or version of the firewall for which you want the agent to check. The default is disable.
version
Specifies the version of the firewall that you want an Endpoint Windows Check FW agent to verify on the client in order to allow the access policy to pass.
name
Specifies the name of an Endpoint Windows Check FW agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check process(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
agent endpoint windows check process \
(<agent endpoint windows check process key list> | all) \
[{] <agent endpoint windows check process arg list> [}]
agent endpoint windows check process \
[<agent endpoint windows check process key list> | all] [show [all]]
agent endpoint windows check process \
[<agent endpoint windows check process key list> | all] list [all]
agent endpoint windows check process \
[<agent endpoint windows check process key list> | all] expression [show]
agent endpoint windows check process \
[<agent endpoint windows check process key list> | all] name [show]
agent endpoint windows check process \
[<agent endpoint windows check process key list> | all] partition [show]
agent endpoint windows check process \
(<agent endpoint windows check process key list> | all) delete
You can use the command agent endpoint windows check process to create and manage an Endpoint Windows Check Process agent that collects information about the Windows processes running on the client.
Creates the Endpoint Windows Check Process agent named MyEndpointWCPagent that checks whether either NISUM.exe or blackd.exe, together with a process matching navapsvc.*, is running on the client:
agent endpoint windows check process MyEndpointWCPagent \
{ expression "(NISUM.exe OR blackd.exe) AND navapsvc.*" }
You can use these options with the command agent endpoint windows check process:
expression
Specifies the expression that you want an Endpoint Windows Check Process agent to use to verify the processes that are running on the client in order to allow the access policy to pass. You can use parentheses for grouping and the operators AND, OR, and NOT. You can also use wildcards in the process name, for example, navapsvc.*.
name
Specifies the name of an Endpoint Windows Check Process agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
agent endpoint windows check registry \
(<agent endpoint windows check registry key list> | all) \
[{] <agent endpoint windows check registry arg list> [}]
agent endpoint windows check registry \
[<agent endpoint windows check registry key list> | all] [show [all]]
agent endpoint windows check registry \
[<agent endpoint windows check registry key list> | all] list [all]
agent endpoint windows check registry \
[<agent endpoint windows check registry key list> | all] expression [show]
agent endpoint windows check registry \
[<agent endpoint windows check registry key list> | all] name [show]
agent endpoint windows check registry \
[<agent endpoint windows check registry key list> | all] partition [show]
agent endpoint windows check registry \
(<agent endpoint windows check registry key list> | all) delete
You can use the command agent endpoint windows check registry to create and manage an Endpoint Windows Check Registry agent that collects information about the Windows® registry keys on the client that is attempting to connect.
Creates the Endpoint Windows Check Registry agent named MyEndpointWCRagent that checks the registry on the client for version 5.0.2800.0 or later of Internet Explorer, as recorded under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft key:
agent endpoint windows check registry MyEndpointWCRagent \
{ expression "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"."Version" >= "5.0.2800.0" }
You can use these options with the command agent endpoint windows check registry:
expression
Specifies the expression that you want an Endpoint Windows Check Registry agent to use to verify the registry entries that are present on the client in order to allow the access policy to pass. You can use parentheses for grouping and the operators AND, OR, and NOT.
You must use quotation marks (" ") around key and value arguments, and in data when the content contains spaces, commas, slashes, tabs, or other delimiters. If quotation marks exist as part of a registry path or value name, you must use quotation marks around those quotation marks.
The system treats data in the formats d.d[.d][.d] or d,d[,d][,d] (where d is a number) as a version number. The system treats data in the format mm/dd/yyyy as a date.
If the check is successful, the system returns 1. If the check fails, the system returns 0 (zero). If the expression is incorrect, the system returns -1.
name
Specifies the name of an Endpoint Windows Check Registry agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
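The Check Process and Check Registry agents share one expression language (parentheses, AND, OR, NOT), and the registry form adds typed comparison of data and the 1 / 0 / -1 result described above. The following Python evaluator, added here and not part of the F5 reference, implements that language over a constructed process list and registry snapshot; the accepted comparison operators, case-insensitive matching and plain string comparison when the two sides type differently are assumptions of the example.

```python
"""Evaluator for Endpoint Windows Check Process / Check Registry expressions (added example,
not F5 code). Grammar: parentheses, AND, OR, NOT; a bare token is a process-name pattern with
wildcards; "key"."value" <op> "data" is a registry comparison whose data compares as a version
(d.d[.d][.d] or d,d[,d][,d]), a date (mm/dd/yyyy) or a plain string. Result: 1 pass, 0 fail,
-1 malformed. Assumed here: the operator set, case-insensitive matching, string compare on type mismatch."""
import fnmatch
import operator as op
import re
from datetime import datetime

TOKEN_RE = re.compile(r'\s*("(?:[^"\\]|\\.)*"|>=|<=|!=|==|[<>=()]|[^\s()"<>=!]+)')
VERSION_RE = re.compile(r"^\d+([.,]\d+){1,3}$")
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")
OPS = {">=": op.ge, "<=": op.le, "!=": op.ne, "==": op.eq, "=": op.eq, ">": op.gt, "<": op.lt}
RESERVED = set(OPS) | {"AND", "OR", "NOT", ")", "."}  # tokens that cannot begin an operand

class ExprError(Exception): pass  # malformed expression; evaluate() reports it as -1

def tokenize(expr):  # quoted strings, comparison operators, parentheses, bare words
    if not re.fullmatch(f"(?:{TOKEN_RE.pattern})*\\s*", expr):
        raise ExprError("unreadable character in expression")
    return TOKEN_RE.findall(expr)

def typed(data):  # ('version', 4-tuple) | ('date', datetime) | ('string', str)
    if VERSION_RE.match(data):
        parts = tuple(int(p) for p in re.split(r"[.,]", data))
        return "version", parts + (0,) * (4 - len(parts))
    if DATE_RE.match(data):
        return "date", datetime.strptime(data, "%m/%d/%Y")
    return "string", data

class Evaluator:
    def __init__(self, expr, processes, registry):
        self.toks, self.i = tokenize(expr), 0
        self.processes = [p.lower() for p in processes]
        self.registry = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.peek() is None:
            raise ExprError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):  # expr := term (OR term)*
        v = self.term()
        while self.peek() == "OR":
            self.take()
            v = self.term() or v  # evaluate both sides so syntax errors always surface
        return v

    def term(self):  # term := factor (AND factor)*
        v = self.factor()
        while self.peek() == "AND":
            self.take()
            v = self.factor() and v
        return v

    def factor(self):  # factor := NOT factor | ( expr ) | registry comparison | process pattern
        tok = self.take()
        if tok == "NOT":
            return not self.factor()
        if tok == "(":
            v = self.expr()
            if self.take() != ")":
                raise ExprError("missing closing parenthesis")
            return v
        if tok.startswith('"'):
            return self.registry_check(tok)
        if tok in RESERVED:
            raise ExprError(f"operand expected, got {tok!r}")
        return any(fnmatch.fnmatchcase(p, tok.lower()) for p in self.processes)

    def registry_check(self, key_tok):  # "key"."value" <op> "data"
        dot, value_tok, oper, data_tok = (self.take() for _ in range(4))
        if dot != "." or oper not in OPS or not (value_tok.startswith('"') and data_tok.startswith('"')):
            raise ExprError('registry comparison must be "key"."value" <op> "data"')
        key, value, data = (t[1:-1] for t in (key_tok, value_tok, data_tok))
        actual = self.registry.get((key.lower(), value.lower()))
        if actual is None:
            return False  # an absent key or value name fails the check rather than erroring
        (kind_a, a), (kind_b, b) = typed(actual), typed(data)
        return OPS[oper](a, b) if kind_a == kind_b else OPS[oper](actual, data)

def evaluate(expr, processes=(), registry=None):
    """Return 1 if the check passes, 0 if it fails, -1 if the expression is incorrect."""
    try:
        ev = Evaluator(expr, processes, registry or {})
        result = ev.expr()
        if ev.peek() is not None:
            raise ExprError(f"unexpected token {ev.peek()!r}")
        return 1 if result else 0
    except ExprError:
        return -1

# Constructed client snapshot exercising the page's two example expressions.
SAMPLE_PROCESSES = ["explorer.exe", "blackd.exe", "navapsvc.exe"]
IE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
SAMPLE_REGISTRY = {(IE_KEY, "Version"): "6.0.2900.5512"}
PROCESS_EXPR = "(NISUM.exe OR blackd.exe) AND navapsvc.*"
REGISTRY_EXPR = '"%s"."Version" >= "5.0.2800.0"' % IE_KEY
```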
You can use the command agent endpoint windows info os to create and manage an Endpoint Windows Info OS agent that retrieves, from the client, information about the Microsoft Windows® operating system, such as version and hotfix number.
You can use these options with the command agent endpoint windows info os:
name
Specifies the name of an Endpoint Windows Info OS agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent logging to create and manage a Logging agent that logs access control, remote connectivity, and audit events on the BIG-IP® Secure Access Manager. Access Control event messages pertain specifically to events such as client authentication, status of authentication, and access control lists. Remote Connectivity event messages pertain specifically to events such as network access and remote logging. Audit events messages are those that the BIG-IP Secure Access Manager logs as a result of changes made to system configuration.
Creates the Logging agent named MyProfile_act_logging_ag in partition Common and adds two session variables that define actions that the agent logs:
session.logon.* indicates to log application logon attempts
session.windows_check_file.Company8profile_act_file_check_ag.item_x.filename indicates to log the outcome of the file check on the client. The x in item_x indicates the order of the files in the list configured for the file checker. The list starts with index 0 (zero).
agent logging MyProfile_act_logging_ag \
{ partition Common variables { sessionvar "session.logon.*" \
sessionvar "session.windows_check_file.Company8profile_act_file_check_ag.item_x.filename" } }
Deletes the session variable session.logon.* from the Logging agent named Company8profile_act_logging_ag:
agent logging Company8profile_act_logging_ag \
{ variables { sessionvar "session.logon.*" } delete }
name
Specifies the name of a Logging agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
variables
Adds a variable to or deletes a variable from a Logging agent. You use the sessionvar option to specify a session variable that indicates what actions the system logs.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent logon page to create and manage a Logon Page agent. This agent creates a logon page, which contains the form for the user to input the credentials required by an access policy. You can use the customization group attribute to customize the logon page.
Creates the Logon Page agent named MyLogonPageAgent that is associated with the customization group MyLogonPageCG:
customization group
Specifies a predefined configuration that contains several settings that you want the agent to use to configure a logon page. This setting is required, and the customization group that you assign must be of the type logon.
name
Specifies the name of a Logon Page agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent message box(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent message box to create, display, or delete a message box agent.
Note: You cannot use the command line interface to create or modify the messages that display in a message box. You can edit customizable messages using the visual policy editor. For more information about using the editor, see Chapter 5, Creating Access Profiles and Access Policies.
Creates the message box agent named MyMessageBoxAgent that is associated with the customization group named MyMessageBoxCG:
name
Specifies the name of a message box agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent resource assign(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent resource assign to create and manage a resource assign agent that assigns an access control list (ACL), a resource group, or both to an access policy. A resource group is a collection of resources, ACLs, and protection criteria that includes your company intranet servers, applications, and network shares. An ACL is a set of restrictions associated with a resource or favorite that defines access for users and groups.
Creates the resource assign agent named MyAssignResourceAgent that is associated with the customization group MyAssignResourceCG:
caption
Specifies the name of the resource assign agent that displays in the visual policy editor. This setting is required.
name
Specifies the name of the resource assign agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
rules
Adds a rule to or deletes a rule from the resource assign agent. You can use the following attributes to define a rule:
acl
Specifies an access control list that this rule assigns to users.
connectivity resource group
Specifies the name of the connectivity resource group to which this rule applies.
expression
Specifies the expression that indicates which resource groups this rule assigns to users.
acl(1), agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent variable assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent variable assign to create and manage a variable assignment agent that assigns one or more variables to an access policy.
Important: F5 Networks® recommends that you use the visual policy editor to create complex variable assignments.
Creates the Myprofile_act_variable_assign_ag variable assignment agent, which automatically assigns the value of the common name field in the client certificate to the username field of the logon page. This is useful when an access policy places the variable assignment agent between the client certificate and the AAA Active Directory server query actions.
Creates an access policy that carries out a configured access control list (ACL) when a particular branch in the access policy is followed, using the variable assignment agent to populate the appropriate variables with the ACL name.
name
Specifies the name of a variable assignment agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
variables
Adds a variable to or deletes a variable from the variable assignment agent. You must specify the following attributes for each variable:
expression
A Tcl expression that the system evaluates, and then assigns the value to a specific property of the assigned network access resource, or to a newly created session variable.
varname
A variable name that forms the left side of the expression. You can use the name of an existing session variable or a new session variable.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent vlan selection(1)
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command agent vlan selection to create and manage a VLAN selection agent.
Creates the VLAN selection agent named MyVLANselectionAgent that assigns the gateway LegacyRoute to the access policy:
gateway
Specifies a VLAN gateway to assign to an access policy. Note that the gateway must be defined on the server.
name
Specifies the name of a VLAN selection agent. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
agent(1), agent aaa active directory(1), agent aaa clientcert(1), agent aaa ldap(1), agent aaa radius(1), agent decision box(1), agent ending denied(1), agent ending redirect(1), agent ending webtop(1), agent endpoint windows browser cache cleaner(1), agent endpoint windows check av(1), agent endpoint windows check file(1), agent endpoint windows check fw(1), agent endpoint windows check registry(1), agent endpoint windows info os(1), agent logging(1), agent logon page(1), agent message box(1), agent resource assign(1), agent variable assign(1)
You can use the command connectivity resource to manage a connectivity resource that is a network access resource.
Displays information about the MyNetwork connectivity resource:
Deletes the MyNetwork connectivity resource:
name
Specifies the name of the connectivity resource. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command connectivity resource group to create and manage a group of network access resources.
Creates a connectivity resource group named MyGroup to which you can add connectivity resources:
Creates a connectivity resource group named MyCRG that contains the connectivity resources MyNetwork:
connectivity resource group MyCRG \
{ connectivity resources MyNetwork }
connectivity resources
Adds a connectivity resource to or deletes a connectivity resource from a connectivity resource group.
name
Specifies the name of a connectivity resource group. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
connectivity resource network access \
(<connectivity resource network access key list> | all) \
[{] <connectivity resource network access arg list> [}]
connectivity resource network access \
[<connectivity resource network access key list> | all] [show [all]]
connectivity resource network access \
[<connectivity resource network access key list> | all] list [all]
connectivity resource network access \
[<connectivity resource network access key list> | all] acl [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
address space dhcp requests excluded [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
address space exclude subnet [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
address space include dns name [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
address space include subnet [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
address space local subnets excluded [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] address space protect [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] application launch [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client interface speed [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client ip filter engine [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client power management [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client proxy [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client proxy address [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
client proxy exclusion list [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
client proxy local bypass [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client proxy port [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] client proxy script [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] compression [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] description [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] dns primary [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] dns secondary [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] dns suffix [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] drive mapping [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] idle timeout threshold [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] idle timeout window [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] leasepool [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
microsoft network client [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] \
microsoft network server [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] name [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] partition [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] snat [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] snatpool [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] split tunneling [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] static host [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] wins primary [show]
connectivity resource network access \
[<connectivity resource network access key list> | all] wins secondary [show]
connectivity resource network access \
(<connectivity resource network access key list> | all) delete
You can use the command connectivity resource network access to define and manage network access for a connectivity resource.
Creates the MyNetwork connectivity resource network access definition using the access control list MyACL:
Deletes the MyNetwork connectivity resource network access definition:
You can use these options with the command connectivity resource network access:
acl
Specifies an access control list for a connectivity resource.
address space dhcp requests excluded
When enabled, the system sends DHCP requests on the local area network (LAN) interface. When disabled, DHCP requests pass through the network access connection. If you enable this option, you must also enable the split tunneling option. The default is disable.
DHCP is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can be assigned a different IP address every time it connects to the network.
address space exclude subnet
Adds a list of subnets that you want the system to exclude from the network access connection.
address space include dns name
Adds a DNS server as a connectivity resource on the network.
address space include subnet
Adds a list of subnets that you want the system to port forward through a network access connection.
address space local subnets excluded
When enabled, permits access to local subnets and to any host or subnet in the routes that you have specified in the routing table of the client. When you enable this option, the network access client does not support integrated IP filtering. The default is disable.
address space protect
When enabled, the client monitors any changes to the routing table after the network access connection has been established, and terminates the connection if the routing table is modified. The default is disable.
application launch
Adds the information to automatically launch an application from the client after the network access session is established. You can specify the following information:
os type
The type of operating system on which the application runs.
parameter
An application parameter.
path
A path to the application that you want to automatically launch from the client. Do not use apostrophes (' ') or quotation marks (" "). An example of a correct path is: c:\program files\internet explorer\iexplore.exe.
client interface speed
Specifies the displayed byte rate of the network access adapter on the client. The default is 5767168.
client ip filter engine
Enables or disables an IP address filtering engine on the client. The default is disable.
client power management
Specifies to ignore, prevent, or terminate client power management. The default is ignore.
client proxy
Enables or disables the Proxy client. The default is disable.
client proxy address
Specifies the IP address of the Proxy client.
client proxy exclusion list
Adds a list of Web addresses that do not need to be accessed through your proxy server to the connectivity resource network access, or deletes the list. You can use wild cards to match domain and host names or addresses, for example, www.*.com, 128.*, 240.8, 8., mygroup.*, *.*.
client proxy local bypass
When enabled, requests for local (intranet) addresses bypass the proxy server. The default is disable.
client proxy port
Specifies the port number of the proxy server that you want network access clients to use to connect to the Internet. The default is any.
client proxy script
Specifies the URL of a proxy autoconfiguration script, if one is used with this connection.
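The following is an added example, not code from this manual or from the F5 product, showing how a client proxy exclusion list of the kind described above can be matched against a destination, and how to audit such a list for patterns so broad that nearly all traffic would bypass the proxy. The matching rule (a `*` matches any run of characters, dots included) is an assumption drawn from the sample patterns www.*.com, 128.* and mygroup.*; the sample list is constructed.

```python
"""Added example (not F5 code): matching a destination against a client
proxy exclusion list, and auditing the list for overly broad patterns.
The wildcard rule, '*' matches any run of characters including dots, is an
assumption based on the page's sample patterns (www.*.com, 128.*, mygroup.*).
"""
import re


def compile_exclusion(pattern: str) -> re.Pattern:
    """Turn a wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class ProxyExclusionList:
    """A list of wildcard patterns; a matching target bypasses the proxy."""

    def __init__(self, patterns):
        self.rules = [(p, compile_exclusion(p)) for p in patterns]

    def first_match(self, target: str):
        """Return the first pattern that matches the host or address, else None."""
        host = target.strip().rstrip(".")  # ignore a trailing dot on FQDNs
        for pattern, regex in self.rules:
            if regex.match(host):
                return pattern
        return None

    def bypasses_proxy(self, target: str) -> bool:
        return self.first_match(target) is not None


def overly_broad(patterns):
    """Audit helper: patterns with no literal letters or digits (for example
    '*' or '*.*') match practically every destination, so traffic to them
    never reaches the proxy's logging and filtering."""
    return [p for p in patterns if not re.search(r"[A-Za-z0-9]", p)]


# Constructed sample list, modelled on the page's examples (not a real config).
SAMPLE_EXCLUSIONS = ["www.*.com", "128.*", "mygroup.*", "intranet.example.internal"]
```

Run `ProxyExclusionList(SAMPLE_EXCLUSIONS).bypasses_proxy("www.example.com")` to see a match, and `overly_broad(["*.*"])` to see why a catch-all entry deserves a second look before it ships in a connectivity resource.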
compression
Specifies whether you want the traffic between the network access client and the BIG-IP® Secure Access Manager to be compressed.
gzip
Compress network access connection traffic using the gzip deflate method.
none
Do not compress network access connection traffic. This is the default.
description
Describes a connectivity resource.
dns primary
Specifies the primary IP address of the DNS server that the network access client uses.
dns secondary
Specifies the secondary IP address of the DNS server that the network access client uses.
dns suffix
Specifies the DNS suffix the client uses to resolve DNS names, before using the existing DNS suffix.
drive mapping
Adds the drive mapping for a network shared drive that automatically maps when a client establishes a connection to a connectivity resource, or deletes the drive mapping. You must specify the following attributes to map a drive:
description
A description of the mapping of the drive.
drive
The letter that identifies the drive. Choose a letter between d and z, inclusive. The default is d. Note that currently, the system supports only the Microsoft Windows® operating system.
path
The path to the server.
idle timeout threshold
Specifies the timeout threshold. The default is 0 (zero), which indicates no timeout.
The timeout threshold defines, in bytes per second, the criterion for updating the session. If the average byte rate falls below the threshold, the session times out according to the inactivity timeout settings defined in the access profile.
idle timeout window
Specifies, in seconds, the period in which the average byte rate is calculated. The idle timeout threshold defines, in bytes per second, the criterion for updating a session.
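The following is an added example, not code from this manual or from the F5 product, showing how an idle timeout threshold (bytes per second) and an idle timeout window (seconds) combine into an idle decision, and how a session that stays idle is then expired after the access profile's inactivity timeout. The sliding-window arithmetic and the `SessionIdleTracker` class are assumptions made for illustration; the page states only the inputs and the rule that a threshold of 0 means no timeout.

```python
"""Added example (not F5 code): an idle decision from a byte-rate threshold
and an averaging window, followed by expiry after an inactivity timeout.
The sliding-window arithmetic is an assumption for illustration."""
from collections import deque


class SessionIdleTracker:
    def __init__(self, threshold: int, window: int, inactivity_timeout: int = 900):
        if window <= 0:
            raise ValueError("idle timeout window must be a positive number of seconds")
        self.threshold = threshold            # bytes/second; 0 disables the check
        self.window = window                  # seconds of traffic that are averaged
        self.inactivity_timeout = inactivity_timeout
        self.samples = deque()                # (timestamp, byte_count)
        self.idle_since = None

    def record(self, timestamp: float, nbytes: int) -> None:
        """Account for nbytes of tunnel traffic observed at timestamp."""
        self.samples.append((timestamp, nbytes))

    def average_rate(self, now: float) -> float:
        """Bytes per second over the last `window` seconds."""
        cutoff = now - self.window
        while self.samples and self.samples[0][0] <= cutoff:
            self.samples.popleft()            # drop traffic outside the window
        return sum(n for _, n in self.samples) / self.window

    def state(self, now: float) -> str:
        """Return 'active', 'idle', or 'expired' for the session at time now."""
        if self.threshold == 0 or self.average_rate(now) >= self.threshold:
            self.idle_since = None
            return "active"
        if self.idle_since is None:
            self.idle_since = now             # rate just dropped below threshold
        if now - self.idle_since >= self.inactivity_timeout:
            return "expired"
        return "idle"


def demo_timeline():
    """Constructed timeline: 5000 bytes at t=0, then silence."""
    tracker = SessionIdleTracker(threshold=100, window=10, inactivity_timeout=900)
    tracker.record(0, 5000)
    return [tracker.state(t) for t in (5, 11, 900, 911)]
```

`demo_timeline()` walks one session through active, idle and expired; with `threshold=0` the tracker never reports idle, matching the page's description of the default.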
leasepool
Specifies a lease pool that assigns an IP address dynamically for all network access connections using this connectivity resource.
microsoft network client
Enables or disables the Microsoft® network client over the network access connection. The default is disable.
microsoft network server
Specifies, when enabled, that the network server can access remote resources over a VPN connection. The default is enable.
name
Specifies the name of a connectivity resource. This setting is required.
network
Specifies the following parameters to identify a network:
host
The IP address of the network.
mask
The netmask of the network that represents the range of IP addresses on the network. For example, you can use ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff:: (with two colons at the end), or 0000:0000:0000:0000/24.
partition
Specifies the partition within which the object resides.
snat
Specifies how the system applies a selective and intelligent SNAT to VPN traffic. You can specify one of the following:
automap
The system uses the self IP address as the translation address. This is the default.
none
The system does not translate traffic.
snatpool
Specifies the name of the SNAT pool that the BIG-IP Secure Access Manager uses to implement selective and intelligent SNATs.
split tunneling
When enabled, the client routes only traffic targeted to the specified address space over the network access connection. All other traffic bypasses the tunnel. The default is disable.
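The following is an added example, not code from this manual or from the F5 product, that turns the address space settings described above (include subnets, exclude subnets, the host and mask pair, and split tunneling) into a per-destination routing decision and parses the colon-hex mask notation the page mentions. The `SplitTunnelPolicy` class and its tie-breaking rules are assumptions: the most specific matching prefix wins between the include and exclude lists, an exclusion wins a tie, excluded subnets bypass the tunnel in both modes, and with split tunneling disabled every other destination is tunneled.

```python
"""Added example (not F5 code): a per-destination tunnel/bypass decision
built from include and exclude subnets plus a split tunneling flag, and a
parser for address-style netmasks such as ffff:ffff:ffff:ffff::.
The precedence rules are assumptions made for illustration."""
import ipaddress


def mask_to_prefixlen(mask: str) -> int:
    """Convert a netmask written as an address (255.255.255.0 or
    ffff:ffff:ffff:ffff::) into a prefix length; reject non-contiguous masks."""
    addr = ipaddress.ip_address(mask)
    value = int(addr)
    prefix = bin(value).count("1")
    contiguous = ((1 << prefix) - 1) << (addr.max_prefixlen - prefix)
    if value != contiguous:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_prefixlen(mask)
        return True
    except ValueError:
        return False


def network_from(host: str, mask: str):
    """Build a network from the page's host + mask pair; the mask may be an
    address-style mask or end in a '/N' prefix length."""
    if "/" in mask:
        prefix = int(mask.rsplit("/", 1)[1])
    else:
        prefix = mask_to_prefixlen(mask)
    return ipaddress.ip_network(f"{host}/{prefix}", strict=False)


class SplitTunnelPolicy:
    def __init__(self, include, exclude, split_tunneling=True):
        self.include = [ipaddress.ip_network(n, strict=False) for n in include]
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in exclude]
        self.split_tunneling = split_tunneling

    @staticmethod
    def _longest_match(ip, nets):
        """Prefix length of the most specific network containing ip, or None."""
        hits = [n.prefixlen for n in nets if n.version == ip.version and ip in n]
        return max(hits, default=None)

    def route(self, destination: str) -> str:
        """Return 'tunnel' or 'bypass' for a destination IP address."""
        ip = ipaddress.ip_address(destination)
        excl = self._longest_match(ip, self.exclude)
        incl = self._longest_match(ip, self.include)
        if excl is not None and (incl is None or excl >= incl):
            return "bypass"        # assumption: an exclusion wins ties
        if incl is not None:
            return "tunnel"
        # Nothing matched: split tunneling sends it around the tunnel,
        # a full tunnel sends everything through it (assumption).
        return "bypass" if self.split_tunneling else "tunnel"
```

With split tunneling enabled, `SplitTunnelPolicy(["10.0.0.0/8"], ["10.1.0.0/16"]).route("10.2.3.4")` returns `tunnel` while `route("10.1.2.3")` and `route("192.0.2.5")` return `bypass`; the practical check this supports is confirming that the include list really does cover every internal destination you expect the tunnel to protect.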
static host
Adds a static host to or deletes a static host from a connectivity resource that the client uses to look up DNS names after a network access connection is established. You can specify the following attributes for a static host:
address
An IP address.
hostname
A host name.
wins primary
Specifies the primary IP address of the WINS server that the client uses. Microsoft® networks need this address to function properly.
wins secondary
Specifies the secondary IP address of the WINS server that the client uses. Microsoft® networks need this address to function properly.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
You can use the command customization group to create and manage a customization group. A customization group is a set of customizable messages that the system can display. You can add a customization group to an access profile or an agent.
Creates the errormap customization group MyCG:
After you modify the MyCG customization group, activates the new setting:
action
Specifies the action to be performed on a parameter of the access profile to which this customization group is associated. The default is noop. You can specify one of the following:
deletefile
Deletes the file that contains the settings associated with this customization group.
noop
Takes no action.
update
Updates the settings associated with this customization group.
name
Specifies the name of the customization group. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
type
Specifies the type of item you are customizing. This setting is required. You can specify one of the following:
decision box
A decision box displays two customized options from which the user chooses.
errormap
An errormap includes customized messages that are displayed when specific errors occur during a network access session.
footer
A page footer includes a string of text. This footer can contain your custom text, with HTML tags.
header
A page header can include left and right-aligned images and a header background color.
last
A placeholder that is for system use only. Do not use this type.
logon
A logon page can contain information specific to your company.
logout
A logoff page can contain a message for a successful logoff or an access denied page.
message box
A message box displays a message that you want the user to read after taking a specific action.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
leasepool (<leasepool key list> | all) \
[{] <leasepool arg list> [}]
You can use the command leasepool to create and manage a lease pool.
Creates a lease pool named MyLeasePool that contains a range of pool members with IP addresses from 172.168.0.1 - 172.168.0.254.
name
Specifies the name of the lease pool. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
members
Adds an IP address or a range of IP addresses to a lease pool, or deletes an IP address or range of IP addresses from a lease pool.
partition
Specifies the partition within which the object resides.
You can use the command ppp to reset the PPP global statistics.
Both of the following commands display point-to-point protocol global statistics for the BIG-IP® Secure Access Manager:
stats reset
Resets the statistics to zero.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
default charset (english | arabic | baltic | central-eastern european | cyrillic |\
greek | hebrew | thai | turkish | utf-8 | vietnamese | western european | default)
You can use the command profile access to create and manage an access profile. An access profile is a pre-configured group of settings that you can use to configure secure network access for an application.
Creates an access profile named MyAccessProfile that is based on the default access profile named access, accepts the languages in the my_accepted_languages class, uses English as the default language, and utilizes these groups to customize the application pages and messages: company_logout, company_header, company_footer and company_errormap.
access policy
Specifies the access policy that you want to implement using this access profile. An access policy contains a visual representation of the steps that the client and server go through before the BIG-IP® Secure Access Manager grants access to a connection. This setting is required.
access policy timeout
Specifies, for this access profile, the number of seconds within which a user, who has followed through on a connection redirect, must access the webtop. The default is 300 seconds. This option is designed to keep malicious users from mounting a denial-of-service (DoS) attack on the Secure Access Manager.
class accepted languages
Specifies the name of a class which defines the list of languages supported by the Secure Access Manager. The default languages are en (English), ja (Japanese), zh-cn (simplified Chinese [PRC]), and zh-tw (traditional Chinese [Taiwan]). This setting is required.
class accepted languages display
This option is not currently available.
class browscap
Specifies the name of a class, which defines a list of user agents that you want the Secure Access Manager to support.
customization group
Specifies the customization group that defines what the successful logoff and error pages look like. This setting is required.
default charset
Do not use this option. Currently, F5 Networks® only supports UTF-8 encoding.
defaults from
Specifies the default access policy from which this profile is created. This setting is required.
default language
Specifies the default language for the Secure Access Manager that you want to implement with this access profile. The default is en (English). If the client requests a language that is not supported, the Secure Access Manager uses the default value. This setting is required.
errormap group
Specifies the customization settings for the error map that you want to implement with this access profile. This setting is required.
footer group
Specifies the customization settings for the footer that you want to implement with this access profile. This setting is required.
generation action
When you modify an access profile, you create a new generation of the access profile configuration. You can use one of the following options:
Important: For the BIG-IP Secure Access Manager to use the new generation access profile configuration, you must run the command profile access generation action increment.
increment
The system uses the new generation access configuration.
noop
The system does no operation. This is the default value.
generation timeout
Specifies the timeout, in seconds, for the new generation access configuration.
header group
Specifies the customization settings for the header that you want to implement with this access profile. This setting is required.
inactivity timeout
Specifies, for this access profile, the number of seconds that the session on the client can be idle before the server disconnects the VPN tunnel. The default is 900 seconds.
max concurrent users
Specifies, for this access profile, the number of concurrent sessions allowed. The default is 0 (zero), which represents unlimited sessions. This field is read-only for Application Editors. Users assigned any other administrative role can modify this field.
name
Specifies the name of the access profile. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
partition
Specifies the partition within which the object resides.
Use this command at the BIG-IP system prompt to identify any unintended modifications to BIG-IP system files. Note that a hot fix (patch) is an intended modification that will not be identified by the command sys-icheck.
Use this option to report Warn issues, as well as the default, Error issues.
Use this option to report Info and Warn issues, as well as the default, Error issues.
The command sys-icheck identifies any unintended modifications to BIG-IP system files and returns Error issues. Use the options to report Warn or Info issues, as well.
Runs the sys-icheck utility, and returns Info, Error, and Warn issues:
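The following is an added example, not the sys-icheck utility itself (whose internals this manual does not describe), showing the baseline-and-compare technique that a system file integrity check relies on, with findings classified as Error, Warn or Info in the spirit of the levels listed above. The file tree, its contents and the severity mapping are constructed for the demonstration and are assumptions, not values from the product.

```python
"""Added example (not the sys-icheck utility): baseline-and-compare file
integrity checking with Error/Warn/Info classification. The file tree and
the severity mapping are constructed assumptions for the demo."""
import hashlib
import os
import tempfile

SEVERITY = {"modified": "Error", "missing": "Error", "added": "Warn", "unchanged": "Info"}
LEVELS = ["Error", "Warn", "Info"]


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def check_integrity(root: str, baseline: dict, min_level: str = "Error"):
    """Compare the tree under root with a trusted baseline manifest and return
    sorted (level, kind, path) findings down to min_level (default: Error only)."""
    current = build_manifest(root)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
        else:
            findings.append(("unchanged", rel))
    findings.extend(("added", rel) for rel in current if rel not in baseline)
    wanted = LEVELS[: LEVELS.index(min_level) + 1]
    return sorted((SEVERITY[k], k, rel) for k, rel in findings if SEVERITY[k] in wanted)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo(min_level: str = "Error"):
    """Constructed scenario: record a baseline, then tamper, delete and add."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/tool", b"original tool\n")
        _write(root, "etc/config", b"setting=1\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)
        _write(root, "etc/config", b"setting=2\n")      # unintended edit
        os.remove(os.path.join(root, "bin", "tool"))     # file removed
        _write(root, "etc/extra", b"unexpected\n")       # file added
        return check_integrity(root, baseline, min_level)
```

`demo("Info")` reports all four files, `demo()` only the two Error findings. In this model an intended change such as a hot fix is simply a baseline refreshed after the change was applied, which is the reason a patch does not show up as a finding.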
Use this command at the BIG-IP® system prompt to return the configuration of the system to the factory default (installation time) state.
Use this option to prevent the /shared file system from being changed.
The command sys-reset runs the sys-icheck utility, and if there are no system integrity issues, returns the system to the factory default state. Note that if you have applied hot fixes (patches) to a system, you must specify an override option in order for the command sys-reset to run.
Runs the command sys-reset to restore the system to the factory default state ignoring any hot fixes that have been applied to the system:
Runs the command sys-reset to restore the system to the factory default state without changing the /shared file system.
Important: If you are assigned a user role that allows you to create objects, and you are assigned access to all partitions, then before you create an object in a specific partition, you must use the command bigpipe shell to set your Write partition to the partition in which you want to create the object.
vlan gateway (<vlan gateway key list> | all) \
[{] <vlan gateway arg list> [}]
You can use the command vlan gateway to create and manage a VLAN gateway.
name
Specifies the name of the VLAN gateway. This setting is required.
Note that the initial character should be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
next hop ip
Specifies the next hop IP address for the VLAN gateway entry. This setting is required.
partition
Specifies the partition within which the object resides.
vlan name
Specifies the name of the VLAN that you want to use as a gateway. This setting is required.