F5 BIG-IP General Reference

f5 bigip reference

Concepts, architecture, and admin reference for F5 BIG-IP.

For CLI commands see: F5 - Load Balancer Commands For packet captures see: F5 - Packet Capture (tcpdump)


Platform Types

TypeDescription
HardwarePhysical appliances (i-series, VIPRION)
Virtual Edition (VE)VM deployment (VMware, Hyper-V, KVM, cloud)
vCMP GuestVirtual instance on vCMP-capable hardware

vCMP (Virtual Clustered Multiprocessing)

Virtualization technology that couples a custom hypervisor on the BIG-IP host with hardware-specific scalable guest VMs running TMOS. Now called “Tenant” in newer documentation. Allows multiple isolated BIG-IP instances on a single chassis.


Core LTM Objects

ObjectWhat it isWhy it matters
Virtual Server (VS)Listener on an IP:port (VIP)Front door for client traffic
PoolGroup of backend membersDefines where traffic can go
Pool MemberIP:port of a backend serviceActual target for load balancing
NodeBackend server IPReusable server definition for members
ProfilesL4/L7 behavior settingsEnable TCP/SSL/HTTP behaviors
iRules / LTM PolicyEvent-driven logic or declarative rulesCustomize traffic handling
PersistenceStickiness configurationKeeps a client on the same member

Object Hierarchy

Node → Pool Member → Pool → Virtual Server
         ↑              ↑
      Monitor      Load Balance Method

Virtual Server Types

TypeLayer(s)DescriptionUse Case
StandardL4 / L7Most common. Manages TCP/UDP and listens on a specific IP:portGeneral applications requiring traffic management
Forwarding (IP)L3Forwards packets based on IP headers. No connection terminationSimple packet forwarding without ADC features
Performance (L4)L4Optimized for high-speed L4 traffic. Terminates at TCP/UDP layerHigh throughput / low latency (e.g., telecom)
RejectL3 / L4Rejects traffic. Can log or drop connectionsBlocking unwanted traffic or null routing
DHCPL7 (DHCP)Manages DHCP trafficDHCP services managed through BIG-IP
InternalL7Internal processes within BIG-IP, not for client-server trafficInternal BIG-IP process management

HTTPS Flow Through BIG-IP

Client connects to a VIP on :443, BIG-IP terminates TLS, inspects HTTP, then optionally re-encrypts to servers.

Phases

PhaseWhat happensProfiles that matterNotes
1Client TCP handshake to VIP:443Client TCPL4 connection establishment
2TLS handshake (clientside). BIG-IP terminates TLSClient SSLClient cert validation only if mTLS configured
3HTTP parsing / normalisation (traffic is decrypted)HTTP profileEnables iRules/LTM policy actions based on headers/URI
4Policy / iRules / persistence / LB selectionVS + iRules + persistence + poolDecision can be L4 or L7 depending on config
5BIG-IP establishes or reuses serverside TCP connectionServer TCP (+ OneConnect if used)Not always a new connection
6BIG-IP establishes serverside TLS (re-encrypt)Server SSLServer cert validation depends on trust settings
7HTTP request sent to pool member; response returnsHTTP profileHSTS insertion happens on response to client, not to server
8Response is re-encrypted to clientside TLS sessionClient SSLClient receives HTTPS response

At-a-Glance

Client -> VIP:443 (TCP)
Client <-> BIG-IP (TLS clientside)
BIG-IP (HTTP parse, policy, persistence, LB)
BIG-IP <-> Pool Member (TCP)
BIG-IP <-> Pool Member (TLS serverside, if enabled)
Response -> BIG-IP -> Client (TLS)

Client SSL and Server SSL are separate profiles — validation and certs are independent.


Modules and Products

ModuleDescriptionKey Features
LTMLocal Traffic Manager — virtual servers, pools, load balancingTraffic management, load balancing, SSL offloading
DNS (formerly GTM)Authoritative DNS resolver, DNSSEC, and DR. Directs traffic by requestor IP to closest data centerGeo-location routing, disaster recovery
APMAccess Policy Manager — access control, identity, federation (SSO, SAML, OAuth). Inspects device and applies granular policiesAccess control, identity management, policy enforcement
SWGSecure Web Gateway — works with APM. Restricts outbound traffic via allow/deny listsWeb traffic filtering, data loss prevention
ASMApplication Security Manager — Layer 7 WAF. Protects against SQL injection, XSS, etc.Web app protection, OWASP mitigations
AFMAdvanced Firewall Manager — L3/L4 firewall, primarily DDoS protection. Works alone or with ASMNetwork firewall, DDoS protection
AAMApplication Acceleration Manager — optimisation for high-latency, WAN, database replicationTraffic optimisation, WAN acceleration
BIG-IQCentralised management for BIG-IP devicesDevice management, configuration, reporting
SilverlineCloud-based DDoS protection serviceDDoS mitigation, cloud security

High Availability

HA Modes

ModeDescription
Active/StandbyOne unit handles traffic, other is backup
Active/ActiveBoth handle traffic for different virtual addresses
N+MMultiple active units with M standbys (VIPRION)

Key Concepts

  • Device Trust: Secure communication between HA peers
  • Device Group: Collection of devices that sync configurations
  • Traffic Group: Floating IP addresses that failover together
  • Sync-Failover: Devices sync config AND can failover traffic groups

HA Verification

show sys failover
show cm device
show cm device-group
show cm sync-status
show cm traffic-group

Networking

VLAN and Self-IP Concepts

  • VLAN: Layer 2 segment
  • Self-IP: IP assigned to F5 on a VLAN
  • Floating IP: Shared IP that moves between HA peers

SNAT (Source NAT)

ModeDescription
AutomapUses self-IP of egress VLAN
SNAT PoolDedicated pool of IPs for translation
NonePreserves client IP (requires server default route through F5)

Admin Tasks

UCS Backup

# Create backup
tmsh save sys ucs /var/local/ucs/backup-$(date +%Y%m%d).ucs
 
# With private keys
tmsh save sys ucs /var/local/ucs/backup.ucs passphrase [password]
 
# List backups
ls -la /var/local/ucs/

Restore UCS

tmsh load sys ucs /var/local/ucs/backup.ucs
# Optionally: no-license, no-platform-check

Upgrade Workflow

  1. Prep

    • Save UCS backup
    • Verify HA sync
    • Download ISO to /shared/images/
  2. Install (standby first)

    install sys software image [image-name] volume [HD1.2]
    
  3. Reboot to new volume

    reboot volume [HD1.2]
    
  4. Verify

    • Check version: show sys version
    • Test functionality
    • Failover and repeat on peer

License Check

show sys license
show sys license detail

Logging

Log FileContents
/var/log/ltmLTM events, pool/member status
/var/log/apmAccess Policy Manager
/var/log/gtmGlobal Traffic Manager
/var/log/asmApplication Security Manager (WAF)
/var/log/auditConfiguration changes

Quick Reference

Common Ports

PortUse
443/TCPGUI (Configuration utility)
22/TCPSSH
4353/TCPiQuery (GTM sync)
1026/UDPNetwork failover
6699/TCPConfigSync

Reminders

  • HSTS: Inserted on the response to the client, not sent to the pool member
  • OneConnect: Allows serverside connection reuse; affects Phase 5 (serverside TCP) behavior