F5 ASM Technical Series - Episode 1

F5 License:

When purchased from a vendor or obtained directly from F5, an F5 license is perpetual. Unlike evaluation and demonstration licenses, which have a defined expiration date, production licenses have no such restriction.

Why is this topic required?

It's critical to understand how the licensing process operates and where we need to be more cautious.

And what is crucial to know about this? - Types of Keys to be used

Let's move on to the answer. It's critical to understand the steps involved when migrating your F5, upgrading your F5 version, reactivating your license, or dealing with other situations.

License Page – How it looks like (Example screenshot)

The license page talks about “Type/Date/Modules”

📌Type – Describes the kind of license purchased (Production/Evaluation).

📌Date – Activation date of the license.

📌Modules

  • Active Module - The functionalities for the modules mentioned under "Active Modules" are fully licensed and accessible for provisioning, setting up, and use.
  • Optional Module - The optional modules section (sometimes known as "unlicensed modules") lists modules with functions that are available for licensing. However, functionality for the optional module feature is dormant until the BIG-IP system is licensed for the module feature. The BIG-IP system may let you provision and configure objects for an optional (unlicensed) module feature.

Example - You might be able to configure functions like Domain Name System Security Extensions (DNSSEC) on a system that lists DNSSEC in the Optional Modules section. However, the functionality stays dormant until you speak with your F5 Sales representative and buy the add-on license for the DNSSEC module.

GUI: System -> License

CLI command: tmsh show /sys license detail

Activation of License:

Activation Page – How it looks like (Example screenshot)

The general page has two main elements.

📌Base Registration Key List

📌Add-On Registration Key List

Base Registration Key List – It is a 27-character string of numbers and letters in an encrypted format that tells the license server which F5 items you are licensed for.

  • The base key can be readily moved to any location, or attached to or detached from a virtual machine.
  • In some cases, the base key supports upgrades only up to version 15; if we upgrade to version 17, the license and configuration won't load properly and we'll run into problems. We need to check the license file to see which versions the device can be upgraded to.
  • When we want to transfer the base key license from one device to another, F5 support has to release the license first. We cannot do this on our own.

  • The format of the BIG-IP base registration key is as follows:

    AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE

Add-On Registration Key List – An add-on key extends the base license: for example, it upgrades the speed of the license from 25 Mbps to Gbps, or adds an APM license or other modules that weren't initially purchased with the base registration key. You can add feature modules to a BIG-IP device to add further capability. Before you can install a feature module, you must obtain an add-on registration key and reactivate the license. After acquiring an add-on registration key, you can activate the feature using the Configuration utility. When licensing redundant BIG-IP systems, you must obtain a separate add-on registration key for each device.

  • The add-on key cannot be transferred; it is tied to the device.
  • Numerous add-on keys are available for the device, each enabling a module (APM/ASM/AFM/IPS/IDS, etc.).
  • The format of the BIG-IP add-on registration key is as follows:

    AAAAAAA-BBBBBBB

Automatic activation method: If you've set up the BIG-IP management port to route traffic to the Internet, you can use the automatic technique. For the F5 device to retrieve the license from the support site, an internet connection is required.

Manual activation method: If the BIG-IP management port is not set up to route traffic to the Internet, use the manual method. This applies when the device has no Internet access or is not exposed to the Internet.

Click Next.

Activating the license is a step-by-step process.

  1. After entering the base registration key, or the base and add-on license keys, the dossier is generated.
  2. Copy the license and open the F5 license page (activate.f5.com/license/dossier.jsp).
  3. Then insert the dossier key from step 1.

On the F5 license reactivate page, copy the license, and paste it.

After selecting Next, the service will resume, and the license will be applied to the device.

Problem Scenarios:

Scenario 1:

Problem: Version 17 was installed on an F5 device, but an issue occurred after it loaded. Version 17 has not loaded the configuration.

Solution: This problem cannot be fixed quickly, because the license only allows upgrades up to version 15; any version 16 or 17 that is deployed will not function. To resolve the issue immediately, downgrade to version 15 and load a UCS file onto the device to keep it operational.

Additionally, we can ask the F5 account manager about upgrading our base license key to support version 17, but there is no guarantee that they will be able to assist.

Booting the version 15 image fixed the issue.

Learning: We must follow the steps below before doing the upgrade.

  • Take a backup of the license.
  • Refer to the license file (note which versions the license allows upgrades to).
  • License file path: /config/bigip.license. We can use the tail or cat command to view the file, or grep "search word" /config/bigip.license, to see which version is applicable for the device before performing the upgrade.

    Example – grep Exclusive_version /config/bigip.license or cat /config/bigip.license

💡 Note – Don’t modify anything in the license file.
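
An added example (not from the original article or from F5) that turns the grep check above into a read-only pre-upgrade test. It assumes Exclusive_version values are wildcard patterns such as 15.*.*; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade check of a BIG-IP license file.
# Assumption: each "Exclusive_version" value is a dotted wildcard pattern
# such as "15.*.*". The sample file below is constructed for illustration.

# Write a constructed sample license (not from a real device) to $1.
write_sample_license() {
    cat > "$1" <<'EOF'
# constructed sample, not a real license
Exclusive_version :                14.*.*
Exclusive_version :                15.*.*
EOF
}

# license_allows FILE VERSION
# Exit status: 0 = a pattern matches VERSION, 1 = patterns exist but none
# match, 2 = file unreadable or no Exclusive_version lines (cannot decide).
license_allows() {
    lic_file=$1
    target=$2
    [ -r "$lic_file" ] || return 2
    # Read-only: take the value after the colon and trim trailing whitespace.
    patterns=$(sed -n '/^Exclusive_version/{s/^[^:]*:[[:space:]]*//;s/[[:space:]]*$//;p;}' "$lic_file")
    [ -n "$patterns" ] || return 2
    verdict=1
    while IFS= read -r pat; do
        case $target in
            $pat) verdict=0; break ;;   # unquoted: value is used as a glob
        esac
    done <<EOF
$patterns
EOF
    return "$verdict"
}

# Demo on the constructed sample (on a device, pass /config/bigip.license).
sample=$(mktemp)
write_sample_license "$sample"
for v in 15.1.10 17.1.0; do
    if license_allows "$sample" "$v"; then
        echo "$v: listed in Exclusive_version"
    else
        echo "$v: NOT listed, check the license before upgrading"
    fi
done
rm -f "$sample"
```

Status 2 is kept separate from status 1 so that a file without Exclusive_version lines is reported as "cannot decide" rather than as a refusal.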

Scenario 2:

Problem: Newly deployed a VM and unable to activate an existing license.

Solution: Once a license has been activated, it can only be used on that one device. To release an existing license and re-use it with the new device, we need to raise a TAC case with F5.

Again, it is advisable to refer to the license file before selecting a version. Even if the license can be transferred to another device, activation runs into a problem when the new device runs version 17 but the license only supports version 15.

Scenario 3:

Problem: A license infringement follows an upgrade.

Solution: Yes, this has occasionally happened. To fix the issue, re-activate the license before booting.

  1. Go to System -> License -> Click the “Re-activate” button and activate the license.
  2. Go to System -> Software Management -> Boot Location -> Change the HD

The system will restart, and the installation of the newest version will go smoothly.

That's it for the F5 licensing part. We will meet in the next session!

If you have knowledge, let others light their candles in it. Happy Learning Always!

Community and Social Footprints :

Manikandan R
