F5 Programmability Training, Class 3: Introduction to SecDevOps, Module 1: Programmatic Firewall (AFM) Configuration
Module 1, Lab 0: Authentication
Overview
In this lab, the iControl REST API will be used to provision a module on the BIG-IP. Before we begin, let's review how to generate an Authentication Token.
Note
- Use Postman collection to complete this lab.
- Some response content has been removed for brevity.
1.0.1. Get an Authentication Token
The Authentication Token is generated by using an HTTP POST with a body containing the username, password, and login provider to the REST endpoint for /mgmt/shared/authn/login.
Hint
Select the “F5 SecDevOps” Environment in Postman.
Send a Request with the following details.
Method: POST
URL: https://{{bigip-dev_mgmt}}/mgmt/shared/authn/login
Headers: Content-Type: application/json
Body: { "username":"admin", "password":"admin", "loginProviderName":"tmos" }
Copy the token you received into the bigip-dev_auth_token Postman environment variable.
Example Response
{
"username": "admin",
"loginReference": {
"link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login"
},
"loginProviderName": "tmos",
"token": {
"token": "TCJMWPGBQGPZPJYUCY57J2IITA",
"name": "TCJMWPGBQGPZPJYUCY57J2IITA",
"userName": "admin",
"authProviderName": "tmos",
"user": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"timeout": 1200,
"startTime": "2018-08-01T08:05:37.679-0700",
"address": "10.1.1.250",
"partition": "[All]",
"generation": 1,
"lastUpdateMicros": 1533135937678293,
"expirationMicros": 1533137137679000,
"kind": "shared:authz:tokens:authtokenitemstate",
"selfLink": "https://localhost/mgmt/shared/authz/tokens/TCJMWPGBQGPZPJYUCY57J2IITA"
},
"generation": 0,
"lastUpdateMicros": 0
}
1.0.2. Verify the Authentication Token Works
Hint
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/ltm
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Example Response
{
"kind": "tm:ltm:ltmcollectionstate",
"selfLink": "https://localhost/mgmt/tm/ltm?ver=13.1.0.8",
"items": [
{
"reference": {
"link": "https://localhost/mgmt/tm/ltm/auth?ver=13.1.0.8"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/ltm/cipher?ver=13.1.0.8"
}
},
{
"reference": {
"link": "https://localhost/mgmt/tm/ltm/data-group?ver=13.1.0.8"
}
},
1.0.3. Set the Authentication Token Timeout
The Authentication Token timeout is set using an HTTP PATCH with a body containing the desired value to the REST endpoint for mgmt/shared/authz/tokens/{{bigip-dev_auth_token}}.
Hint
Send a Request with the following details.
Method: PATCH
URL: https://{{bigip-dev_mgmt}}/mgmt/shared/authz/tokens/{{bigip-dev_auth_token}}
Headers: Content-Type: application/json
         X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: { "timeout":"36000" }
Example Response
{
"token": "X54G4KAQUEGFZX2J7MUMFBKBC5",
"name": "X54G4KAQUEGFZX2J7MUMFBKBC5",
"userName": "admin",
"authProviderName": "tmos",
"user": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"timeout": 36000,
"startTime": "2018-08-01T08:27:58.961-0700",
"address": "10.1.1.250",
"partition": "[All]",
"generation": 2,
"lastUpdateMicros": 1533137298286141,
"expirationMicros": 1533173278961000,
"kind": "shared:authz:tokens:authtokenitemstate",
"selfLink": "https://localhost/mgmt/shared/authz/tokens/X54G4KAQUEGFZX2J7MUMFBKBC5"
}
1.0.1. Determine the license state
Before a module on a BIG-IP can be configured, it must be licensed. Using the newly generated Authentication Token, check the license state for all modules. This is done using an HTTP GET to the REST endpoint for /mgmt/tm/sys/license.
Hint
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/license
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Note
- The afm module is currently provisioned for none while the ltm module is provisioned for nominal.
Example Response
},
"https://localhost/mgmt/tm/sys/license/0/active-modules/
%22Best%20Bundle,%20VE-10G%22": {
"nestedStats": {
"entries": {
"featureModules": {
"description": "{ \"Rate Shaping\" \"ASM, VE\" \"DNS-GTM, Base, 10Gbps\" \"SSL, VE\" \"Max Compression, VE\" \"AFM, VE\" \"DNSSEC\" \"GTM Licensed Objects, Unlimited\" \"DNS Licensed Objects, Unlimited\" \"DNS Rate Fallback, 250K\" \"GTM Rate Fallback, 250K\" \"GTM Rate, 250K\" \"DNS Rate Limit, 250K QPS\" \"CGN, BIG-IP VE, AFM ONLY\" \"Routing Bundle, VE\" \"PSM, VE\" }"
},
"key": {
"description": "KYQKGYX-EPPNOGV"
}
1.0.2. Retrieve all module provision states
Before a module on a BIG-IP can be configured, it must also be provisioned. Check the provisioning state for all modules. This is done using an HTTP GET to the REST endpoint for /mgmt/tm/sys/provision.
Hint
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Note
- The afm module is currently provisioned for none while the ltm module is provisioned for nominal.
Example Response
{
"kind": "tm:sys:provision:provisioncollectionstate",
"selfLink": "https://localhost/mgmt/tm/sys/provision?ver=13.1.0.8",
"items": [
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
},
{
"kind": "tm:sys:provision:provisionstate",
"name": "ltm",
"fullPath": "ltm",
"generation": 1,
"selfLink": "https://localhost/mgmt/tm/sys/provision/ltm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
]
}
1.0.3. Retrieve single module provision state
To retrieve the provisioning state for a single module, send an HTTP GET to the REST endpoint for /mgmt/tm/sys/provision and include the name of the module. For example, /mgmt/tm/sys/provision/afm.
Hint
Prior to performing the below steps, validate the {{module}} Postman environment variable is set to afm.
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
1.0.4.1. Provision module
The afm module is provisioned using an HTTP PATCH with a body containing a provisioning level to the REST endpoint for mgmt/tm/sys/provision/{{module}}.
Warning
- This step is optional and should only be performed if afm is not provisioned.
- Performing a provision/deprovision operation takes some time to complete. If the original request is still being processed, the below error may be encountered.
{
"code": 400,
"message": "01071003:3: A previous provisioning operation is in progress. Try again when the BIGIP is active.",
"errorStack": [],
"apiError": 3
}
Hint
Send a Request with the following details.
Method: PATCH
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers: Content-Type: application/json
         X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: { "level":"nominal" }
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10636,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
1.0.4.2. Deprovision module
To deprovision a BIG-IP module, repeat step 1.0.4.1 and set the level to “none” for the selected module.
1.0.4.3. Re-provision module
Repeat step 1.0.4.1 to re-provision the afm module to nominal if it was previously deprovisioned.
Note
- The afm module should be provisioned to nominal after performing the steps in this Lab.