Below is a solution for backing up F5 configuration and UCS images. Functional requirements:
a. Backs up / tracks most / all changes on all F5 partitions.
b. Backs up the F5 master key.
c. Backs up the F5 UCS image file.
The key points are that it backs up F5 objects to SolarWinds across all partitions and also backs up the master key, which is required for full rebuilds on new hardware, e.g. RMAs. I have not seen either of these functions posted elsewhere, and they are not part of the inbuilt templates (which only back up the Common partition).
The solution works alongside a locally running F5 cronjob that generates the UCS backup; the SW XML script SCPs this file from the F5 to SolarWinds.
F5 command to back up the config = tmsh -c "cd / ; list all-properties recursive"
F5 command to back up the master key = f5mku -K
F5 command to back up the UCS = tmsh save sys ucs archive.ucs
Device template XML:
<Configuration-Management Device="F5 Big IP" SystemOID="1.3.6.1.4.1.3375" AutoDetectType="BySystemOid">
<Commands>
<Command Name="RESET" Value="tmsh modify cli preference pager disabled display-threshold 0" />
<Command Name="Reboot" Value="" />
<Command Name="EnterConfigMode" Value="" />
<Command Name="ExitConfigMode" Value="" />
<Command Name="Startup" IsBinary="true" Format="Binary" Value="ucs" />
<Command Name="Running" Value="config file" />
<Command Name="DownloadConfig" Value="tmsh -c &quot;cd / ; list all-properties recursive&quot;" />
<Command Name="UploadConfig" Value="" />
<Command Name="DownloadConfigIndirect" Value="" />
<Command Name="UploadConfigIndirect" Value="" />
<Command Name="DownloadConfigIndirectSCP" ConfigType="Running" Value="echo ====F5 device master key in the following line : f5mku -K > /var/local/running-config.tmp${CRLF}f5mku -K >> /var/local/running-config.tmp${CRLF}echo ===== End of F5 device master key ===== >> /var/local/running-config.tmp${CRLF}echo >> /var/local/running-config.tmp${CRLF}tmsh -c &quot;cd / ; list all-properties recursive&quot; >> /var/local/running-config.tmp${CRLF}${TransferProtocol} -o ciphers=aes256-ctr /var/local/running-config.tmp ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${CRLF}${SCPServerPassword}" />
<Command Name="DownloadConfigIndirectSCP" ConfigType="Startup" Value=" /var/local/ucs/archive.ucs${CRLF}${TransferProtocol} -o ciphers=aes256-ctr /var/local/ucs/archive.ucs ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${CRLF}${SCPServerPassword}" />
<Command Name="EraseConfig" Value="" />
<Command Name="SaveConfig" Value="" />
<Command Name="Version" Value="tmsh show /sys version" />
<Command Name="Disconnect" Value="" />
</Commands>
</Configuration-Management>
Points to note:
This has been tested on TMOS ver. 13.1.3.4 and 13.1.3.6 against GTM / LTM / APM. Anyone using this, self-evidently, needs to do their own testing.
The "Running config" in this case = the output from the command tmsh -c "cd / ; list all-properties recursive", which recursively lists all configuration objects that the user has permissions to view. The F5 master key is also separately prepended to this backup file, so both /var/local/running-config.tmp on the F5 and the copy held in SolarWinds contain the key. In reality this is an analogue of the start up config.
The "Start up config" = the UCS (binary) image file that you can build an entire system out of with all the required objects e.g. certs / database settings etc.
The XML copies a pre-created UCS file from the F5: this is therefore reliant on a local cronjob running on the F5; see below.
Should you wish to get SW to generate the UCS you need to replace the relevant code with the lines below (13.1.3.6 and above).
<Command Name="DownloadConfigIndirectSCP" ConfigType="Startup" Value="tmsh save sys ucs archive_name.ucs ${CRLF}${TransferProtocol} /var/local/ucs/archive_name.ucs ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename}${CRLF}yes${CRLF}${SCPServerPassword}"/>
<Command Name="UploadConfigIndirectSCP" Value="${TransferProtocol} ${SCPServerUserName}@${SCPStorageAddress}:${StorageFilename} /var/local/ucs/archive_name.ucs ${CRLF}${SCPServerPassword}${CRLF}tmsh load /sys ${ConfigType} /var/local/ucs/archive_name.ucs "/>
The cipher option -o ciphers=aes256-ctr was put in due to a “feature” on F5 TMOS 13.1.3.4, which only presented limited SSH ciphers when SCP-ing from the box. This setting is not recommended generally, is not required for 13.1.3.6 and is likely not required for versions above this.
The F5 cronjob is as per the below; the SW backup needs to run after this. crontab -e is the command to edit it (see the F5 documentation). Note that the filenames need to match the SW config.
# Saves running config to start up.
00 00 * * * tmsh save sys config
# Creates local UCS archive
05 00 * * * tmsh save sys ucs archive.ucs
# Optional secondary backup and log
20 00 * * * scp /var/local/ucs/archive.ucs <USERNAME>@<Device-Name>:/folder/devicename_archive.ucs && logger -p local0.crit "F5 config <DEVICE_NAME> has been backed-up"
Finally, I assume no responsibility or liability for any errors or omissions; the config is provided "as is", and you are responsible for your own environments.
Hopefully this is of assistance and saves someone out there some time and maybe will highlight the fact that using the command set provided does not work in partitioned environments.
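An added check, not part of the original post, that can be run against a downloaded "Running" file to confirm that the master key block is populated and that every expected partition appears in it. The function names, the sample content and the assumed object-line layout (module, type, then Partition/name before the opening brace) are assumptions; the marker text is the one the template echoes.

```shell
# Added example: sanity-check a "Running" backup file produced by the template.
# Marker text comes from the template's echo lines; the object-line layout
# ("module type Partition/name {") is an assumption about tmsh output.

# Succeeds only if a non-empty line sits between the two master-key markers.
has_master_key() {
    awk '/^====F5 device master key/           { inblk = 1; next }
         /^===== End of F5 device master key/  { inblk = 0 }
         inblk && NF                           { found = 1 }
         END                                   { exit(found ? 0 : 1) }' "$1"
}

# Prints the partition (first path element) of every top-level object line.
list_partitions() {
    awk '/^[a-z]/ {
             for (i = 2; i <= NF; i++) if ($i == "{") break
             name = $(i - 1); sub(/^\//, "", name)
             if (i <= NF && split(name, part, "/") > 1) print part[1]
         }' "$1" | sort -u
}

# Prints each expected partition missing from the backup; returns 1 if any.
missing_partitions() {
    file=$1; shift
    found=$(list_partitions "$file"); rc=0
    for p in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# Constructed sample input (not a real key or configuration).
write_sample() {
    cat > "$1" <<'EOF'
====F5 device master key in the following line : f5mku -K
CONSTRUCTED-NOT-A-REAL-KEY==
===== End of F5 device master key =====

ltm pool Common/pool_a { }
ltm virtual TenantA/vs_web {
    pool TenantA/pool_web
}
EOF
}

sample=$(mktemp) && write_sample "$sample"
has_master_key "$sample" && echo "master key block present"
missing_partitions "$sample" Common TenantA TenantB || echo "^ missing partitions"
rm -f "$sample"
```

An empty key block usually means f5mku -K produced no output for the backup user, and a missing partition means that user cannot view it.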