F5 BIG-IP Discovery

The Infracast F5 BIG-IP plugin uses the iControl REST API to discover load balancer configuration including virtual servers, pools, pool members, iRules, SSL profiles, and self IPs. Authentication is via username and password against the BIG-IP management interface.

How It Works

  1. Infracast connects to the BIG-IP management API over HTTPS (default port 443)
  2. System information (hostname, version, platform) is collected first
  3. The plugin enumerates virtual servers, their associated pools, and pool members
  4. iRules, SSL profiles, and self IPs are collected in subsequent passes
  5. All resources are linked via edges in the Infracast graph

Prerequisites

  • HTTPS access (TCP/443) from the Infracast collector to the BIG-IP management IP
  • A read-only administrator account on the BIG-IP system
  • iControl REST API enabled (enabled by default on BIG-IP 11.4+)

Creating a Read-Only Account on BIG-IP

Via the BIG-IP UI:

  1. Navigate to System → Users → User List → Create
  2. Set User Name to infracast
  3. Set a strong password
  4. Set Role to Guest (read-only access to all partitions)
  5. Set Partition Access to All with Guest role
  6. Click Finished

Via tmsh CLI:

# SSH to the BIG-IP
ssh admin@bigip.example.com

# Create the user
tmsh create auth user infracast password "YourSecurePassword!" \
    partition-access add { all-partitions { role guest } }

# Save configuration
tmsh save sys config

Tip: The Guest role provides read-only access to all objects in all partitions. This is the minimum required role for Infracast discovery.

Registering the Credential in Infracast

infracast creds add \
    --plugin f5-bigip \
    --name "bigip-prod" \
    --type basic-auth \
    --host "bigip.example.com" \
    --username "infracast" \
    --password-file /run/secrets/bigip-password

Configuring the Discovery Job

infracast.yaml
discovery:
  jobs:
    - name: f5-bigip-prod
      plugin: f5-bigip
      credential: bigip-prod
      schedule: "0 */6 * * *" # every 6 hours
      config:
        host: "bigip.example.com"
        username: "infracast"
        # verify_tls: set to "true" in production with a valid TLS cert
        verify_tls: "false"

What Gets Discovered

| Resource Type | Description |
|---|---|
| f5.device | BIG-IP device (hostname, product version, build, platform, edition) |
| f5.virtual_server | Virtual server (name, destination IP:port, partition, pool assignment, enabled state) |
| f5.pool | Load balancing pool (name, partition, load balancing mode, monitor) |
| f5.pool_member | Pool member / node (name, address, port, partition, state) |
| f5.irule | iRule (name, partition, iRule TCL script reference) |
| f5.ssl_profile | SSL/TLS client or server profile (name, partition) |
| f5.self_ip | Self IP address (name, address/prefix, VLAN, traffic group, port lockdown) |

Edges link virtual servers to their associated pools, and pools to their members.

Troubleshooting

401 Unauthorized on API calls

Symptom: Error: API request failed: 401 Unauthorized

Checks:

  1. Verify username and password are correct
  2. Confirm the user account is not locked out (check under System → Users)
  3. Verify the user has Guest (or higher) partition access to All

# Test the API manually
curl -sk -u "infracast:YourPassword" \
    https://bigip.example.com/mgmt/tm/sys/version | python3 -m json.tool

TLS certificate errors

Symptom: Error: x509: certificate signed by unknown authority

Option A: Set verify_tls: "false" in the job config (acceptable on internal management networks)

Option B: Provide the BIG-IP CA certificate:

infracast creds update --name "bigip-prod" \
    --ca-cert-file /run/secrets/bigip-ca.pem

Warning: Disable TLS verification only when connecting over a trusted, isolated management network. Do not use verify_tls: false over untrusted networks.

Missing partitions

Symptom: Virtual servers or pools from non-Common partitions are missing

Checks:

  1. The Guest role must have access to All partitions, not just Common
  2. Verify partition access in tmsh:
    tmsh list auth user infracast
    The output should include all-partitions { role guest }.
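
The partition check above, automated as an added example (not part of Infracast or F5 tooling): it parses saved output of tmsh list auth user infracast and reports when the all-partitions entry is missing or a role other than guest is set. The sample output is constructed, and parse_tmsh and check_discovery_user are hypothetical helper names.

```python
import re

# Constructed sample of `tmsh list auth user infracast` output (not from a real device).
SAMPLE_OK = """\
auth user infracast {
    partition-access {
        all-partitions {
            role guest
        }
    }
}
"""


def parse_tmsh(text):
    """Parse a tmsh listing (one property per line, `name { ... }` blocks) into dicts."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{}\n]|[^\s{}]+', text):
        if tok == "{":  # the words collected so far name a nested block
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok in ("}", "\n"):  # ends a `key value` property, and maybe a block
            if words:
                stack[-1][words[0]] = " ".join(words[1:]).strip('"')
                words = []
            if tok == "}" and len(stack) > 1:
                stack.pop()
        else:
            words.append(tok)
    return stack[0]


def check_discovery_user(text, user="infracast"):
    """Return findings; an empty list means the account matches this page's setup."""
    cfg = parse_tmsh(text).get(f"auth user {user}")
    if not isinstance(cfg, dict):
        return [f"user {user} not found in output"]
    access = cfg.get("partition-access")
    access = access if isinstance(access, dict) else {}
    findings = []
    if "all-partitions" not in access:
        findings.append("no all-partitions entry: non-Common objects may be missing")
    for partition, entry in access.items():
        role = entry.get("role") if isinstance(entry, dict) else None
        if role != "guest":
            findings.append(f"{partition}: role is {role}, expected guest")
    return findings
```

Run check_discovery_user on the captured tmsh output after any change to the account; a role other than guest on the discovery user is worth reviewing even when discovery still succeeds.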

Connection timeout

Symptom: Discovery jobs time out connecting to the BIG-IP

Checks:

  1. Verify the management IP is reachable from the collector: curl -sk https://bigip.example.com/mgmt/tm/sys/clock
  2. Check if a management firewall (mgmt-dhcp or mgmt-ip route) blocks the collector's IP
  3. On BIG-IP, check: tmsh show net interface mgmt