Brain dump for at least semi-good ideas

Category: APM

Protecting BigIP Report behind an APM – By Shannon Poole

A fellow DevCentral member named Shannon Poole graciously shared this guide on how to protect BigIP Report behind the APM. This would actually be the first “guest post” on the blog too. If you want to get in contact with Shannon, you can connect with him via LinkedIn or send a message via DevCentral.

Thank you very much for sharing this Shannon!


Here is a simple configuration that I came up with to regulate access to my BIGIP Report and utilize the APM module.  I am, by no means, an expert with APM but this policy may be simple enough to deploy to anything you want.

The author would like to thank David Allshouse, Senior Systems Engineer for constructive criticism of the manuscript.

Configure an Active Directory AAA server

Navigate to Access Policy -> AAA Servers -> Active Directory and use the configuration below.  It is necessary to give a name, domain name, and IP address of the domain controller. Also, choose Direct rather than Use Pool.

Note:  A better configuration may be to use the Pool should a DC become unresponsive but that is something which can be configured later.

Creating a New Access Profile

Navigate to Access Policy -> Access Profiles List and hit the create button.  Provide a name, such as MyAccessProfile, and set the profile type to “ALL.” This could probably be set to “LTM-APM” if you want to be precise but that is not necessary.  Next, remove the check for “Secure” in “Cookie Options” as it is not required due to no SSO. Finally, add “English (en)”, as a language is required, and click Finish.

Note: Since I am not using multiple domains or SSO configurations for this setup, creating an access profile was fairly simple.  

Configure Your Access Policy

Once you have configured your Access Profile, you should now see your policy in the Access Profile List and should be able to click on the policy name, which brings you to the screen below:

Click on the Access Policy tab and now when you click on Edit Access Policy for Profile “My Access Policy”, you should see the following screen:

This brings you to the basic configuration of your policy, which is configured with a “deny-by-default” method similar to most things with F5.

Configure a Macro

With this policy, it was important to configure it in a way as to limit access via Active Directory security groups.  In order to do this, you need to add a macro to handle the logon page, authentication, and AD query processes. This can be done by clicking on “Add New Macro” and then selecting “AD auth query and resources” for the “Select macro template” drop-down.  Provide a name, such as “MyADAuth” and it should look like the template below:

Once you click “Save”, the Macro has been created and added to the policy:

The next step was to remove the “Resource Assign” and “AD Logging” items by clicking on the “X” and selecting delete.  These are not required for this policy. The end result should be this:

Now you are ready to configure the policy.  Start with the Logon Page and write some simple text in the “Form Header Text” box and change the “Logon Button” to “Submit”.  Everything else was left as the defaults.

For the “AD Auth” configuration, only select the AAA server that you created earlier in the “Server” drop-down:

The AD Query is where you will configure your AD groups.  Like the previous screen shot, you need to select your AAA server from the “Server” drop-down:

Now it’s time to move onto the “Branch Rules” tab.  The first thing was to remove the “Primary Group ID is 100” branch rule so you can create your own.  Once that is removed, you are now free to select “Add Branch Rule.” It should look like this:

Next, rename the Branch Rule to “MyBranchRule” and select “change” which gives the ability to add an expression:

Next, click “Add Expression” and select the items that you see below while also adding your AD memberof attribute string for the group you want to use:

Once you click “Add Expression”, you should see your policy look like this:

Now you are ready to indicate which action determines a failure or a success within your macro.  You can do this by simply clicking on “Failure”, selecting the radio button for Successful, and clicking Save:

The final step for the Access Policy configuration is to add your macro, MyADAuth, to the policy by selecting the plus sign between “Start” and “Deny” and navigating to the “Macrocalls” tab:

Now when you select the macro and click “Add Item”, it adds the macro to the policy:

Since both rules are set to deny, you need to change the Successful branch to an allow by clicking on “Deny” and selecting allow.

Save your changes and add the Access Policy to your Virtual Server.  To save your changes, you can simply click on the “Apply Access Policy” in the header above.  Then add the policy to your virtual server by navigating to your virtual server and adding it in the Access Policy section:

F5 case creation tweaks


F5 has recently updated their support portal and it was a great leap forward compared to the old one. Kudos on that!

Here are a few functions that could be further improved:

  • Being able to log cases from a company perspective. When I log a case I want all my colleagues with access to the F5 support to be able to see the case, not just me.
  • I want F5 to give me a drop down of the serial numbers my company owns instead of me having to find them myself.
  • The modules should be filtered based on what I have activated. This might require some call home function to be enabled on the devices, but the choice would be nice.
  • Give me an option to chat with a support representative. Checkpoint has this and it’s really good.

While waiting for these things to happen I’ve written a script that will do some of those things today.


Only show the activated modules

Only show the versions you have installed

You can still click on “Show all modules” to unhide them again.

Choose the load balancer from the drop-down

Get the serial number auto populated and verified. The drop-down is dynamically populated based on your BigIP Report data.


Other tweaks

  • Configure default case severity
  • Configure default choice for “Was this working before?”
  • Configure default choice for “Is the problem related to a virtual server?”
  • Configure a default preferred method of contact
  • Configure a default time zone


  • BigIP Report – See more here.
  • Tampermonkey – See more here.

How to use

  1. Install BigIP Report if you haven’t already done so.
  2. Install TamperMonkey.
  3. Click on the new script button:
  4. Replace everything in the script content with the content of “Casecreation.js”:
  5. Configure the script. The only mandatory configurations are the connect option in the TamperMonkey script metadata and the URL to the loadbalancers.json file of BigIP-Report. Example for if BigIPReport was hosted on linuxworker.j.local:

  6. Done!
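
The configuration from step 5 and the filtering described above, as an added example that is not the post's Casecreation.js: a userscript header whose `@connect` line allows `GM_xmlhttpRequest` to reach only the BigIP Report host, plus the logic that reduces loadbalancers.json to drop-down entries, activated modules and installed versions. The portal URL in `@match`, the file path and the field names (`name`, `serial`, `version`, `modules`) are assumptions, and the sample data is constructed.

```javascript
// ==UserScript==
// @name     Case form inventory helper
// @match    https://support-portal.example/*
// @grant    GM_xmlhttpRequest
// @connect  linuxworker.j.local
// ==/UserScript==

// Placeholder path: use the location where your BigIP Report serves the file.
const REPORT_URL = 'https://linuxworker.j.local/PLACEHOLDER/loadbalancers.json';
// Field names (name, serial, version, modules) are assumed; adjust to your file.
const SAFE = /^[A-Za-z0-9._ -]{1,64}$/;

// Reduce the parsed report to what the form needs. Entries whose fields are not
// short plain strings are dropped, so no markup from the report reaches the page.
function buildInventory(report) {
  const devices = [], modules = new Set(), versions = new Set();
  if (!Array.isArray(report)) return { devices, modules: [], versions: [] };
  for (const lb of report) {
    const ok = lb && [lb.name, lb.serial, lb.version].every(
      (v) => typeof v === 'string' && SAFE.test(v));
    if (!ok) continue;
    devices.push({ name: lb.name, serial: lb.serial });
    versions.add(lb.version);
    for (const m of Array.isArray(lb.modules) ? lb.modules : [])
      if (typeof m === 'string' && SAFE.test(m)) modules.add(m);
  }
  return { devices, modules: [...modules].sort(), versions: [...versions].sort() };
}
// Decide whether a module or version entry of the case form stays visible.
function isVisible(inventory, kind, label) {
  return inventory[kind].includes(label);
}
// Browser-only part: fetch the report through Tampermonkey; skipped elsewhere.
if (typeof GM_xmlhttpRequest === 'function') {
  GM_xmlhttpRequest({
    method: 'GET', url: REPORT_URL,
    onload: (res) => {
      try {
        const inv = buildInventory(JSON.parse(res.responseText));
        console.log(`${inv.devices.length} devices`, inv.modules, inv.versions);
      } catch (e) { console.warn('ignoring malformed report', e); }
    },
  });
}
// Constructed sample data, not taken from a real report.
const SAMPLE = [
  { name: 'lb1.j.local', serial: 'SAMPLE-0001', version: '12.1.2', modules: ['LTM', 'APM'] },
  { name: 'lb2.j.local', serial: 'bad<serial>', version: '12.1.2', modules: ['LTM'] },
  { name: 'lb3.j.local', serial: 'SAMPLE-0003', version: '11.6.1', modules: ['LTM', 'ASM'] },
];
```

When writing the values into the form, set them through `textContent` or `value` rather than `innerHTML`, so the report data is never parsed as markup.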


Setting up F5 APM with Google Authenticator

Setting up a secure VPN is easier than you might think. With F5 APM and Google authenticator you’re up and running soon.

There is an article on DevCentral doing this but I thought it could be a bit simpler so I wrote my own. Tested on version 12 but should be more or less applicable to version 11 as well. Please let me know if there are any differences and I’ll update the article.
