F5 iRule – URI, Path & Query

F5 iRules have three HTTP commands that are easy to confuse. This is a short note on the differences between them, plus HTTP::host, which usually appears alongside them.

[HTTP::uri] – everything from the “/” after the host name to the end of the request line, as sent by the client (a “#fragment” is never sent by browsers, so it never appears here).

[HTTP::path] – everything from the “/” after the host name up to the character before the first “?”; the whole URI if there is no “?”.

[HTTP::query] – everything after the first “?”; empty if there is no “?”. A second “?” is ordinary query data, not another separator.

[HTTP::host] – the value of the Host header (the host name, including a :port suffix if the client sent one).

In short:
[HTTP::uri] == [HTTP::path] + ? + [HTTP::query] whenever the request contains a “?”; with no query string, [HTTP::uri] == [HTTP::path].

None of these commands decode or normalize anything: they return the bytes the client sent, so a rule that inspects [HTTP::path] must decode it first if it wants to treat /%61dmin and /admin alike.

Example:
http://www.example.com/main/index.jsp?user=test&login=check

 [HTTP::uri]   - URI:   /main/index.jsp?user=test&login=check
 [HTTP::path]  - PATH:  /main/index.jsp
 [HTTP::query] - Query: user=test&login=check
 [HTTP::host]  - Host:  www.example.com
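The same split done in plain shell, as an added example that is not part of the original post, so the edge cases behind the identity above can be checked offline: the query starts at the first “?” only, a second “?” is ordinary query data, a request with no “?” has an empty query, and “/a?” has an empty query but is not the same URI as “/a”. The request targets are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the HTTP::path / HTTP::query
# split done in plain shell, so the identity uri == path + "?" + query can be
# checked against the edge cases the one-line definitions gloss over.

# [HTTP::path]: everything before the first "?"; the whole URI if there is none.
http_path() {
    printf '%s\n' "${1%%\?*}"
}

# [HTTP::query]: everything after the first "?"; empty when there is no "?".
# A second "?" is ordinary query data, not another separator.
http_query() {
    case "$1" in
        *\?*) printf '%s\n' "${1#*\?}" ;;
        *)    printf '\n' ;;
    esac
}

# Rebuild the URI from its parts. The "?" must be re-inserted whenever the
# original had one: "/a?" has an empty query but is not the same URI as "/a".
rebuild_uri() {
    case "$1" in
        *\?*) printf '%s?%s\n' "$(http_path "$1")" "$(http_query "$1")" ;;
        *)    http_path "$1" ;;
    esac
}

# Constructed request targets, including the one from the post.
for uri in '/main/index.jsp?user=test&login=check' '/main/index.jsp' '/a?b=1?c=2' '/a?'; do
    printf 'uri=%s path=%s query=%s rebuilt=%s\n' \
        "$uri" "$(http_path "$uri")" "$(http_query "$uri")" "$(rebuild_uri "$uri")"
done
```

The last case is the practical one: by these definitions a request for /a? yields an empty [HTTP::query], so an iRule that detects a query string by testing whether [HTTP::query] is empty treats /a? and /a the same, while [HTTP::uri] still differs between them.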

Cisco FirePower 9300

The Cisco FP9300 is a chassis-based, enterprise-grade firewall platform that provides high availability, scalability and throughput in excess of 100 Gbps, depending on the hardware configuration.

A FP9300 chassis can have the following hardware components:

  • Chassis
  • Supervisor Module (SUP, Max 1 per chassis)
  • Security Module (SM, Max 3 per chassis)
  • Network Module (NM, Max 2 per chassis)

(Figure: FP9300 chassis)

A Supervisor Module has the following ports:

  • RJ45 console port
  • 1G RJ45 management port
  • 8 x 10G built-in ports

Network Modules (NM) can have the following port configuration:

  • 4*40G
  • 8*10G
  • 2*100G

(Figure: Supervisor and Network Modules, FP9300)

Supervisor Module:

The SUP attaches the Security Modules to the network: traffic enters through the Supervisor's built-in ports or the Network Modules and is switched across the chassis to the SMs.

(Figure: Supervisor Module hardware diagram, FP9300)

Security Module:

Security Modules (SM) come in two main flavors:

  1. SM-36: 2 CPUs, 36 cores in total (72 threads with hyperthreading), up to 80 Gbps
  2. SM-24: 2 CPUs, 24 cores in total (48 threads with hyperthreading), up to 60 Gbps

Each SM ships with dual 800 GB SSDs in RAID-1 by default, and has a built-in Smart NIC and crypto accelerator.

(Figure: Security Module hardware diagram, FP9300)

Software:

The Supervisor Module runs the FXOS software. An FXOS agent runs on each Security Module so that the Supervisor can monitor and manage the SM; the security application itself (ASA or Firepower Threat Defense) runs on the SM.

(Figure: FP9300 software architecture)

Reference:

BRKSEC-3010 – Firepower 9300 Deep Dive (Cisco Live Berlin, 2016), Andrew Ossipov, Principal Engineer, Cisco

Cisco ASA – SNMP OID List

# show snmp-server oidlist

------------------------------------------
[0]    1.3.6.1.2.1.1.1.    sysDescr
[1]    1.3.6.1.2.1.1.2.    sysObjectID
[2]    1.3.6.1.2.1.1.3.    sysUpTime
[3]    1.3.6.1.2.1.1.4.    sysContact
[4]    1.3.6.1.2.1.1.5.    sysName
[5]    1.3.6.1.2.1.1.6.    sysLocation
[6]    1.3.6.1.2.1.1.7.    sysServices
[7]    1.3.6.1.2.1.1.8.    sysORLastChange

<Output Removed>

The hidden (undocumented) command above lists every OID the ASA's SNMP agent supports together with its name, which is useful for checking what a poller can actually query before a monitoring integration is built.

F5 v11.x Device Trust Group

A week ago I was upgrading an HA F5 pair from 11.5.1 to 11.5.3 and noticed a default “device_trust_group” in sync-only mode in the GUI. I had not created it; it simply showed up, and there was no way to delete it. Apparently it has always existed in the background and was only exposed in the GUI in later 11.x versions. In my experience it was not exposed in the GUI in 11.5.1 but was from 11.5.6.

(Figure: device_trust_group as shown in the GUI)

Reference: DevCentral

F5 Pool & Nodes

A Node is an IP address. Example: 10.10.10.10

A Pool Member is an IP Address + Port. Example: 10.10.10.10:8080

A Pool is a collection of Pool Members.

If you manage an enterprise-grade F5 infrastructure, there will come a time when you have to replace a specific IP address with another, or replace several IP addresses across one or many F5 devices.

This quick one-liner identifies every pool that contains a given node (by host name or IP address; set node_hostname and node_ip first, and note the double quotes, which are required for the variables to expand):

tmsh -q list ltm pool one-line | grep -E "($node_hostname|$node_ip)" | awk '{ print $3 }'

The command must be run from bash, not from the tmsh prompt.

Accessing F5’s bash:

root@LB1(/S1-green-P:Active)(tmos)# run util bash

[root@LB1:/S1-green-P:Active] ~ #

 NOTE: The “list ltm pool one-line” is available in 11.x code and not available in 10.x code. The command will list each pool in a single line.

An Example:

[root@LB1:/S1-green-P:Active] ~ # tmsh -q list ltm pool one-line | grep -E '10.10.10.19' | awk '{ print $3 }'
 POOL_ta_lt_http_private
 POOL_ta_lt_private
 POOL_ta_lt_public
 POOL_ta_lt-maintainance
 POOL_ta_lt-private
 POOL_ta_lt-public

Reference: Devcentral – Pool

What if you want the pool member alongside the pool?

tmsh -q list ltm pool one-line | grep -E "$check:[0-9]+" | while read line; do myipport=$(echo "$line" | grep -oE "$check:[0-9]+"); echo "$line" | awk '{printf "%s ",$3}'; echo "$myipport "; done

In the line above, set check to the IP address you are looking for (check=10.10.10.19) or substitute the address directly. The dots in the address are regex metacharacters and the pattern is only anchored on the right by the “:port”, so 10.10.10.19 would also match a member such as 110.10.10.19; escape the dots or anchor the pattern if your address space makes that likely.

[root@LB1:/S1-green-P:Active] ~ #tmsh -q list ltm pool one-line | grep -E "10.10.10.19:[0-9]+"  | while read line; do myipport=$(echo "$line" | grep -oE "10.10.10.19:[0-9]+"); echo "$line" | awk '{printf "%s ",$3}'; echo "$myipport "; done

POOL_ta_lt_http_private 10.10.10.19:10542 
POOL_ta_lt_public 10.10.10.19:10253 
POOL_ta_lt_maintainance 10.10.10.19:10251 
POOL_ta_lt_private 10.10.10.19:10092 
POOL_ta_lt_public 10.10.10.19:10093
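A stricter version of the lookup, as an added example that is not part of the original post: it reads the one-line listing on stdin and compares each member's address by string equality instead of a regex, so 10.10.10.19 does not also match 10.10.10.190 or 110.10.10.19, and a pool with several members on the same address yields one line per member. The sample listing is constructed, not captured from a device; member tokens are assumed to look like IP:PORT, or /Partition/IP:PORT on versions that prefix the partition, and a leading partition path is ignored.

```shell
#!/bin/sh
# Added example (not from the original post): exact-match pool member lookup
# over "tmsh -q list ltm pool one-line" output. Usage on a BIG-IP:
#   tmsh -q list ltm pool one-line | find_pool_members 10.10.10.19

find_pool_members() {
    awk -v ip="$1" '
        $1 == "ltm" && $2 == "pool" {
            pool = $3
            for (i = 4; i <= NF; i++) {
                # IPv4 member tokens are exactly two ":"-separated parts,
                # the second of which is a port number
                n = split($i, p, ":")
                if (n != 2 || p[2] !~ /^[0-9]+$/) continue
                addr = p[1]
                sub(/^.*\//, "", addr)      # drop a /Common/ style prefix
                if (addr == ip) print pool, $i
            }
        }'
}

# Constructed sample of one-line output (not captured from a real device).
# POOL_decoy holds the near-miss addresses that a plain grep would match.
SAMPLE='ltm pool POOL_ta_lt_http_private { members { 10.10.10.19:10542 { address 10.10.10.19 } 10.10.10.20:10542 { address 10.10.10.20 } } monitor http }
ltm pool POOL_ta_lt_public { members { 10.10.10.19:10253 { address 10.10.10.19 } 10.10.10.19:10093 { address 10.10.10.19 } } }
ltm pool POOL_decoy { members { 10.10.10.190:80 { address 10.10.10.190 } 110.10.10.19:80 { address 110.10.10.19 } } }'

# Run the lookup against the sample; returns "<pool> <member:port>" lines.
pool_report() {
    printf '%s\n' "$SAMPLE" | find_pool_members "$1"
}

pool_report 10.10.10.19
```

Because the match is on the address field alone, the same function works unchanged for the replacement planning described above: run it once per old address and you get the exact list of pool/member pairs to modify.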

F5 CLI Display Length

While running cli commands on F5, you may run into display length issues:

(tmos.ltm)# show pool members | grep "10.10.10.10:"
Display all 158 items? (y/n) y

If a script running on the F5 collects its data this way, the "Display all xxx items? (y/n)" prompt will stall it. The display threshold can be changed with the following command:

(/Common)(tmos)# modify cli preference pager disabled display-threshold ?

Specifies the maximum number of objects that tmsh will display without requiring a user response to the question, "Display all <number> items? (y/n)". You can specify from 0 (zero) through 4,294,967,265 objects. 0 (zero) specifies that tmsh will display any number of objects without the warning.

(/Common)(tmos)#  modify cli preference pager disabled display-threshold 0


Identifying the Right Module – Cisco Nexus

N7K.LON# locator-led ?
  chassis        Blink chassis led
  fan            Blink Fan led
  module         Blink module led
  powersupply    Blink powersupply led
  xbar           Xbar

When you are working remotely and the data center technician cannot identify the right module, the “locator-led” command on the Nexus 7000 blinks the LED of the chosen chassis, fan, module, power supply or crossbar so it can be found by eye. On some other platforms the equivalent command is “blink”.