Module 1, Lab 1: Provisioning AFM
Overview
In this lab, the iControl REST API will be used to provision a module on the BIG-IP. More specifically, the Advanced Firewall Manager (AFM) module will be provisioned for use in Module 1, Lab 2: Configuring AFM (Advanced Firewall Module).
Note
- Use the Postman collection to complete this lab.
- Some response content has been removed for brevity.
1.1.1. Determine the license state
Before a module on a BIG-IP can be configured, it must be licensed. Using the newly generated Authentication Token, check the license state for all modules. This is done using an HTTP GET to the REST endpoint for /mgmt/tm/sys/license.
Hint
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/license
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Note
- The afm module is currently provisioned for none while the ltm module is provisioned for nominal.
Example Response
},
"https://localhost/mgmt/tm/sys/license/0/active-modules/
%22Best%20Bundle,%20VE-10G%22": {
"nestedStats": {
"entries": {
"featureModules": {
"description": "{ \"Rate Shaping\" \"ASM, VE\"
\"DNS-GTM, Base, 10Gbps\" \"SSL, VE\" \"Max
Compression, VE\" \"AFM, VE\" \"DNSSEC\"
\"GTM Licensed Objects, Unlimited\" \"DNS
Licensed Objects, Unlimited\" \"DNS Rate
Fallback, 250K\" \"GTM Rate Fallback, 250K\"
\"GTM Rate, 250K\" \"DNS Rate Limit, 250K QPS\"
\"CGN, BIG-IP VE, AFM ONLY\" \"Routing
Bundle, VE\" \"PSM, VE\" }"
},
"key": {
"description": "KYQKGYX-EPPNOGV"
}
1.1.2. Retrieve all module provision states
Before a module on a BIG-IP can be configured, it must also be provisioned. Check the provisioning state for all modules. This is done using an HTTP GET to the REST endpoint for /mgmt/tm/sys/provision.
Hint
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Note
- The afm module is currently provisioned for none while the ltm module is provisioned for nominal.
Example Response
{
"kind": "tm:sys:provision:provisioncollectionstate",
"selfLink": "https://localhost/mgmt/tm/sys/provision?ver=13.1.0.8",
"items": [
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
},
{
"kind": "tm:sys:provision:provisionstate",
"name": "ltm",
"fullPath": "ltm",
"generation": 1,
"selfLink": "https://localhost/mgmt/tm/sys/provision/ltm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
]
}
1.1.3. Retrieve single module provision state
To retrieve the provisioning state for a single module, send an HTTP GET to the REST endpoint for /mgmt/tm/sys/provision and include the name of the module. For example, /mgmt/tm/sys/provision/afm.
Hint
Prior to performing the below steps, validate the {{module}} Postman environment variable is set to afm.
Send a Request with the following details.
Method: GET
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers: X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: (empty)
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 5609,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "none",
"memoryRatio": 0
}
1.1.4.1. Provision module
The afm module is provisioned by sending an HTTP PATCH, with a body containing a provisioning level, to the REST endpoint /mgmt/tm/sys/provision/{{module}}.
Warning
- This step is optional and should only be performed if afm is not provisioned.
- Performing a provision/deprovision operation takes some time to complete. If the original request is still being processed, the below error may be encountered.
{
"code": 400,
"message": "01071003:3: A previous provisioning operation is in progress. Try again when the BIGIP is active.",
"errorStack": [],
"apiError": 3
}
Hint
Send a Request with the following details.
Method: PATCH
URL: https://{{bigip-dev_mgmt}}/mgmt/tm/sys/provision/{{module}}
Headers:
  Content-Type: application/json
  X-F5-Auth-Token: {{bigip-dev_auth_token}}
Body: { "level":"nominal" }
Example Response
{
"kind": "tm:sys:provision:provisionstate",
"name": "afm",
"fullPath": "afm",
"generation": 10636,
"selfLink": "https://localhost/mgmt/tm/sys/provision/afm?ver=13.1.0.8",
"cpuRatio": 0,
"diskRatio": 0,
"level": "nominal",
"memoryRatio": 0
}
1.1.4.2. Deprovision module
To deprovision a BIG-IP module, repeat step 1.1.4.1 and set the level to “none” for the selected module.
1.1.4.3. Re-provision module
Repeat step 1.1.4.1 to re-provision the afm module to nominal if previously deprovisioned.
Note
- The afm module should be provisioned to nominal after performing the steps in this Lab.
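The steps of this lab (license check, provision state check, PATCH) can be scripted as one idempotent routine that also retries on the 01071003 "previous provisioning operation is in progress" error. This is an added example, not part of the lab's Postman collection; the function names, the retry count and delay, and the rule that a licensed module shows up as a feature name beginning with its upper-case name (such as "AFM, VE") are assumptions.

```python
import json, re, ssl, time, urllib.error, urllib.request

BUSY = "01071003"  # error id of "A previous provisioning operation is in progress"

def make_sender(host, token, cafile=None):
    """send(method, path, body) -> (status, dict) over TLS with certificate checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    def send(method, path, body=None):
        req = urllib.request.Request(
            f"https://{host}{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"X-F5-Auth-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON body
            return err.code, json.load(err)
    return send

def licensed_features(node):
    """Collect the quoted names from every featureModules description."""
    names = set()
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "featureModules" and isinstance(val, dict):
                names.update(re.findall(r'"([^"]+)"', val.get("description", "")))
            else:
                names |= licensed_features(val)
    return names

def ensure_level(send, module="afm", level="nominal", retries=20, delay=15, sleep=time.sleep):
    """License check, state check, then PATCH; returns 'unchanged' or 'changed'."""
    _, lic = send("GET", "/mgmt/tm/sys/license")
    # Assumption: a licensed module appears as a feature name starting with its upper-case name.
    if level != "none" and not any(f.startswith(module.upper()) for f in licensed_features(lic)):
        raise PermissionError(f"{module} is not licensed")
    path = f"/mgmt/tm/sys/provision/{module}"
    status, state = send("GET", path)
    if status == 200 and state.get("level") == level:
        return "unchanged"  # nothing to do, so no provisioning operation is triggered
    for _ in range(retries):
        status, reply = send("PATCH", path, {"level": level})
        if status == 200 and reply.get("level") == level:
            return "changed"
        if status != 400 or not reply.get("message", "").startswith(BUSY):
            raise RuntimeError(f"{module}: HTTP {status} {reply.get('message')}")
        sleep(delay)  # earlier provisioning still running; retry later
    raise TimeoutError(f"{module} still busy after {retries} attempts")
```

Against a lab BIG-IP, call ensure_level(make_sender(host, token, cafile=...)), pointing cafile at the CA that signed the management certificate so that verification stays enabled.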