Device Template for F5 BIG IP 12.1.X and Newer

Here are the 4 main lines needed in an F5 Big IP 12.1.X and newer for the device template:

<Command Name="RESET" Value="run /util bash" RegEx="#"/>
<Command Name="Startup" Value="ucs" IsBinary="true"/>
<Command Name="Running" Value="config file"/>
<Command Name="DownloadConfigIndirectSCP" Value="tmsh save /sys ${ConfigType} /var/local/NCM.ucs${CRLF}${TransferProtocol} /var/local/NCM.ucs ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${SendConditionRegEx:Are you sure}${CRLF}${SCPServerPassword}${CRLF}no-passphrase"/>

In some cases, when using SCP Whitelisting and Blacklisting, that the fingerprint needs to be added, so a question is prompted, and using 'Yes' will work, however, in next run, 'Yes' is not needed. In the device template, you can see a Conditional Macro to send 'Yes'. If the question prompt comes up, 'Yes' is sent, otherwise, it is skipped.

More on this in this article. Note: The macro is only in NCM 8.0 and Newer.

Something not includes is the ability to specify the cipher for the SCP command, in some cases, the device template may need the -c <cipher_spec>, an example of this is below:

<Command Name="DownloadConfigIndirectSCP" Value="tmsh save /sys ${ConfigType} /var/local/NCM.ucs${CRLF}${TransferProtocol} -c AES192-CTR /var/local/NCM.ucs ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${SendConditionRegEx:Are you sure}${CRLF}${SCPServerPassword}${CRLF}no-passphrase"/>

More on this in this article.

Take a look at this article regarding the SCP backup for F5s and this article for the binary config storage setup in NCM.