Unfortunately, my F5-201 certification has expired. Now i'm on the path to resit my F5-101 certification as the prerequisite for the F5-201 certification. Here is a quick dump of my study notes that might be helpful if you're heading down the F5 certification path.
With a few years of networking experience under my belt, I didn't need to rehash many of the fundamentals concepts, but I have still included them to help create a complete manifest of the knowledge needed. My goal here is to recap what I know, what I have brushed up on and what I expect to see on the F5-101 exam. If you don't have a background in networking my study notes may still fall far short of everything you need to know for the F5-101 exam. Either way, I would highly recommend you review the exam blueprints early in your study and again in the lead up to sitting the exam to ensure you haven't missed any topics.
- Links
- Exam Summary
- IP Addressing
- Open Systems Interconnection (OSI) model
- SSL/Certificates
- ARP
- Route Selection
- HTTP
- Command Line
- Status Symbols
- Traffic Statistics
- TTL and Hop Limit
- ICMP
- Upgrades
- TCP DUMP
- System Health
Links
- Exam Blueprint - https://my.f5.com/manage/s/article/K29900360
- Unofficial study guide - https://clouddocs.f5.com/training/community/f5cert/html/class1/class1.html#
- F5 Virtual Edition Trial - https://www.f5.com/trials/big-ip-virtual-edition
Exam Summary
Time: 90 minutes Pass mark: 245 out of 350 Question: 80 (70 scored, 10 pilot/beta)
Exam cadence: Should aim to answer 1 question a minute, 10 minutes for review.
F5 describes a minimally qualified candidate as being able to:
- Identify and define the components of TMOS
- Describe the Open Systems Interconnection (OSI) model
- Log in to a device and look at logs
- Troubleshoot basic network issues
- Create a problem statement
- Understand client-server networking
- Know common HTTP error codes
- Describe basic differences between public vs. private cloud
- Know common application service ports
IP Addressing
- An IPv4 address has a size of 32 bits
- An IPv6 address has a size of 128 bits
First Octet Rule
The class of address can be easily determined by examining the first octet of the address, and mapping that value to a class range below.
| Class | First Octet |
| ---------- | ----------- |
| A | 1 - 127 |
| B | 128 - 191 |
| C | 192 - 224 |Private Addressing
There are three non-overlapping ranges of IPv4 addresses, reserved for private networks. These addresses are not routed on the Internet and their use does not be coordinated with an IP address registry. Any user may use any of the reserved blocks.
| CIDR Block | Address Range | # Addresses |
| -------------- | ----------------------------- | ----------- |
| 10.0.0.0/24 | 10.0.0.0 – 10.255.255.255 | 16777216 |
| 172.16.0.0/12 | 172.16.0.0 – 172.31.255.255 | 1048576 |
| 192.168.0.0/16 | 192.168.0.0 – 192.168.255.255 | 65536 |IPv6 and Shortening
Addresses consist of 8 segments of 16 bits, 16 bytes or 128 bits long
- Zero Suppression: Because is it known that all 8 segments consist of 16 bits it is possible to remove any leading zeros from each section without making the address ambiguous.
- Zero Compression: Because it is known that each address must be made up of 8 segments it is possible to compress the first instance of multiple contiguous segments of all zeros without confusing the address. This is only allowed once within a single address.
Open Systems Interconnection (OSI) model
In the OSI reference model, the communications between systems are split into seven different abstraction layers:
- 7 Application layer
- 6 Presentation layer
- 5 Session layer
- 4 Transport layer
- 3 Network layer
- 2 Data link layer
- 1 Physical layer
1. Physical layer
The physical layer is responsible for the transmission and reception of unstructured raw data between a device, such as a network interface controller, Ethernet hub, or network switch, and a physical transmission medium. It converts the digital bits into electrical, radio, or optical signals. Bits are used on the Physical layer.
2. Data link layer
The data link layer provides node-to-node data transfer, a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. It defines the protocol to establish and terminate a connection between two physically connected devices. Frames and MAC addresses are used on the Data link layer.
3. Network layer
The network layer transfers packets from one node to another. Node can be on different networks where the packet may need to be routed intermediate nodes. If the message is too large to be transmitted from one node to another on the data link layer between those nodes, the network may split the message into several fragments at one node, sending the fragments independently, and reassembling the fragments at another node. Packets and IP address’ are used on the Network layer.
4. Transport layer
The transport layer is responsible for delivering, error checking, flow control, and sequencing data packets. It regulates the sequencing, size, and transfer of data between the 2 endpoints. It is the fist layer in the OSI model that is end to end. All lower layers are point to point. It gets the data from the session layer and breaks it into transportable segments. Two examples of the Transport Layer are the UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). SYN, SYN-ACK, ACK
5. Session layer
The session layer will create communication channels, called sessions, between different devices. This layer is responsible for opening those sessions and ensuring that they’re functional during data transfer.It is also responsible for authentication and reconnections, and it can set checkpoints during a data transfer.
6. Presentation layer
The presentation layer is responsible for ensuring that the data is understandable for the end system or useful for later stages. It translates or formats data based on the application’s syntax or semantics. It also manages any encryption or decryption required by the application layer.
6. Application layer
The application layer is the layer of the OSI model that is closest to the end user, which means both the OSI application layer and the user interact directly with a software application that implements a component of communication between the client and server. Application-layer functions typically include file sharing, message handling, and database access, through the most common protocols at the application layer, known as HTTP, FTP, SMB/CIFS, TFTP, and SMTP.
SSL/Certificates
SSL Certificates can be attached to Client side and/or Server side connections.
- Client side - Control the certificate presented when receiving an inbound SSL requests from client endpoints
- Server side - Controls the certificate used when establishing an outbound connection to backend servers/services.
SSL Configurations
An F5 may be configured in several different ways to handel SSL connections:
- Full SSL Proxy / SSL Re-Encryption / SSL Bridging / SSL Terminations - In this method the BIG-IP will re-encrypt the traffic before sending it to the servers. Client sends encrypted traffic to BIG-IP, the BIG-IP then decrypts it and before sending it to the pool members re-encrypts it again. This method is generally used to satisfy the requirement of traffic to be encrypted between the LTM and Servers as well. When this method is used the servers will also have to decrypt and encrypt the traffic.
- SSL Offloading - In this method the client traffic is sent encrypted to BIG-IP. The BIG-IP is decrypts the traffic and sends the decrypted traffic to the server. Instead of the server decrypting and re-encrypting the traffic BIG-IP handles that removing the crypto overhead from the server.
- SSL Passthrough - As the name suggests the BIG-IP will just pass the traffic from client to servers absolving itself from any SSL related workload. Usually this setup is used if the applications do not support SSL proxy or cannot consume decrypted traffic. Since it’s just pass through LTM cannot read the headers which introduces limitations on persistence. Only non SSL information in the packet can be used to maintain persistence like source ip address, destination ip address.
ARP
The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, MAC address, associated with a given IP address, typically an IPv4 address.
ARP Process Example
Two computers (Computer 1 and Computer 2) are connected to each other on a LAN by Ethernet cables and a switch, with no gateways or routers. Computer 1 has a packet to send to Computer 2. Through DNS, it determines that Computer 2 has the IP address 192.168.0.55.
- To send the message, it also requires Computer 2’s MAC address.
- First, Computer 1 uses a cached ARP table to look up 192.168.0.55 for any existing records of Computer 2’s MAC address (00:EB:24:B2:05:AC).
- If the MAC address is found, it sends an Ethernet frame containing the IP packet onto the link with the destination address 00:EB:24:B2:05:AC.
- If the cache did not produce a result for 192.168.0.55, Computer 1 has to send a broadcast ARP request message (destination FF:FF:FF:FF:FF:FF MAC address), which is accepted by all computers on the local network, requesting an answer for 192.168.0.55.
Who has 192.168.0.55? Tell 192.168.0.22. - Computer 2 responds with an ARP response message containing its MAC and IP addresses. As part of fielding the request, Computer 2 may insert an entry for Computer 1 into its ARP table for future use.
- Computer 1 receives and caches the response information in its ARP table and can now send the packet.
ARP Command - Windows PC
C:\Users\UserName>arp -a
Interface: 10.1.1.10 --- 0x11
Internet Address Physical Address Type
10.1.1.1 aa-bb-cc-dd-ee-01 dynamic
10.1.1.12 aa-bb-cc-dd-ee-02 dynamic
10.1.1.13 aa-bb-cc-dd-ee-03 dynamicNote: Entries for addresses that can’t be resolved are not shown in the table
ARP Command - BIG-IP
root@(F5-01)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net arp
--------------------------------------------------------------------------------
Net::Arp
Name Address HWaddress Vlan Expire-in-sec Status
--------------------------------------------------------------------------------
10.1.2.9 10.1.2.9 0:50:56:a0:10:9 /Common/2010 166 resolved
10.11.20.183%11 10.11.20.183%11 0:50:56:a0:9:7c /Common/2011 4 resolved
10.11.22.9%11 10.11.22.9%11 0:50:56:a0:10:a /Common/2011 58 resolved
10.12.20.185%12 10.12.20.185%12 0:50:56:a0:10:33 /Common/2012 2 resolvedBIG-IP ARP States
When you use the BIG-IP Configuration utility to view the entries in the ARP cache, you can view the state of each entry.
- RESOLVED - Indicates that the system has successfully received an ARP response (a MAC address) for the requested IP address within two seconds of initiating the request. An entry in a RESOLVED state remains in the ARP cache until the timeout period has expired.
- INCOMPLETE - Indicates that the system has made one or more ARP requests within the maximum number of requests allowed, but has not yet received a response.
- DOWN - Indicates that the system has made the maximum number of requests allowed, and still receives no response. In this case, the system discards the packet, and sends an ICMP host unreachable message to the sender. An entry with a DOWN state remains in the ARP cache until the first of these events occurs:
- Twenty seconds elapse.
- The BIG-IP system receives either a resolution response or a gratuitous ARP from the destination host.
- You explicitly delete the entry from the ARP cache.
MAC Masquerading
BIG-IP’s default failover mechanism is based on gratuitous ARP. BIG-IP has to send a gratuitous ARP for every floating IP and service IP address like virtual server IP address and SNAT address. The gratuitous ARP contains the physical MAC address of the new primary BIG-IP. With gratuitous ARP, the device that takes over sends gratuitous ARP packets, which asks all hosts on the LAN segment to update their ARP table. After the hosts updated their ARP table with the MAC address of the new primary BIG-IP, they send all traffic to the active BIG-IP.
Sometimes hosts like Firewalls or routers do not update their ARP table when they receive a gratuitous ARP. In this case the firewall or router will keep sending traffic to the old MAC address, which leads to service interruption.This issue can be addressed with MAC masquerade.
With MAC masquerade configured, BIG-IP devices will use the MAC masquerade address as source MAC for packets leaving BIG-IP. In case of a failover, the MAC address will not change. The new primary BIG-IP will start using the MAC masquerade MAC address. Now there is no need to update the hosts ARP table.
You should consider using MAC masquerading under the following conditions:
- To minimize Address Resolution Protocol (ARP) communication or dropped packets during traffic group failover events.
- To improve reliability and failover speed in lossy networks.
- To improve interoperability with switches that are slow to respond to gratuitous ARP requests.
To optimize the flow of traffic during failover events, you can configure MAC masquerade addresses for any defined traffic groups on the BIG-IP. A MAC masquerade address is a unique, floating MAC address that you create. You can assign one MAC masquerade address to each traffic group on a BIG-IP. By assigning a MAC masquerade address to a traffic group, you associate that address with any floating IP addresses associated with the traffic group. By configuring a MAC masquerade address for each traffic group, a single VLAN can potentially carry traffic and services for multiple traffic groups, with each service having its own MAC masquerade address.
To configure
tmshmodify /cm traffic-group <traffic_group> mac <mac_address>save /sys config
Route Selection
Routes to a destination network prefix will be selected based on the following order
- Route Specificity - Longest prefix match
- Administrative Distance
- Metric - The calculated weight/cost of the route generated by the routing protocol with that route
| Route Source | AD Value |
| -------------- | -------- |
| Connected | 0 |
| Static route | 1 |
| EIGRP summary | 5 |
| External BGP | 20 |
| EIGRP | 90 |
| OSPF | 110 |
| IS-IS | 115 |
| RIP | 120 |
| External EIGRP | 170 |
| Internal BGP | 200 |HTTP
Error Codes
- 1xx - Informational - The request was received, continuing process
- 2xx - successful - The request was successfully received, understood, and accepted
- 3xx - redirection - Further action needs to be taken in order to complete the request
- 4xx - client error - The request contains bad syntax or cannot be fulfilled
- 5xx - server error - The server failed to fulfil an apparently valid request
Common Codes
- 200 OK = Standard response for successful HTTP requests.
- 201 Created = The request has been fulfilled, resulting in the creation of a new resource
- 301 Moved Permanently = This and all future requests should be directed to the given URI.
- 302 Found (Previously “Moved temporarily”) + Tells the client to look at (browse to) another URL.
- 400 Bad Request = The server cannot or will not process the request due to an apparent client error (e.g., malformed request syntax, size too large, invalid request message).
- 401 Unauthorized = Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
- 403 Forbidden = The request contained valid data and was understood by the server, but the server is refusing action.
- 404 Not Found = The requested resource could not be found but may be available in the future
- 500 Internal Server Error = A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.
- 502 Bad Gateway = The server was acting as a gateway or proxy and received an invalid response from the upstream server.
- 503 Service Unavailable = The server cannot handle the request (because it is overloaded or down for maintenance).
Command Line
[root@localhost:NO LICENSE:Standalone] config #- Common BASH shellroot@(localhost)(cfg-sync Standalone)(NO License)(/Common)(tmos)#- F5 TMSH shell
Common Commands
tmsh list /sys management-ip- Shows the current configuration of the management interface
sys management-ip 192.168.1.245/24 {
description configured-statically
}tmsh modify /sys management-ip 10.1.1.17/24 description 'hello world'- Configure management interfacetmsh list /sys management-route- Shows the current configuration of the management route table
sys management-route default {
description configured-statically
gateway 192.168.1.254
network default
}tmsh modify /sys management-route default gateway 10.1.1.1- Configure management routetmsh show /net interface- Show interface statistics
----------------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
In Out In Out
----------------------------------------------------------------
1.1 uninit 0 0 0 0 0 0 none
1.2 uninit 0 0 0 0 0 0 none
1.3 uninit 0 0 0 0 0 0 none
mgmt up 122.4M 134.4K 35.6K 132 39 0 100TX-FDtmsh list /net interface 1.3- Show interface configuration
net interface 1.3 {
if-index 80
mac-address 00:0c:29:a0:16:00
media-fixed 10000T-FD
media-max auto
mtu 9198
}tmsh show /net route- Show the current data plane route table
--------------------------------------------------------------------------------------------
Net::Routes
Name Destination Type NextHop Origin
--------------------------------------------------------------------------------------------
external_default_gateway default gw 172.16.2.1 static
test-route 192.168.0.0/24 gw 172.16.2.254 static
172.16.2.0/24 172.16.2.0/24 interface /Common/external connected
172.16.1.0/24 172.16.1.0/24 interface /Common/internal connectedtmsh list /net route- Show the current configuration of the data plane route table
net route external_default_gateway {
gw 172.16.2.1
network default
}
net route test-route {
gw 172.16.2.254
network 192.168.0.0/24
}- ntpq -pn
[root@F5-01:Active:Standalone] config # ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
12.34.56.78 .XFAC. 16 u 49m 1024 0 0.000 0.000 0.000dig A host.domain @8.8.8.8- Preform a DNS lookup against DNS server 8.8.8.8 for the DNS name ‘host.domain’
; <<>> DiG 9.16.33 <<>> A host.domain @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41146
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;host.domain. IN A
;; ANSWER SECTION:
host.domain. 3600 IN A 1.2.3.4
;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 14 04:09:31 PDT 2024
;; MSG SIZE rcvd: 43Status Symbols
- Green Circle - Enabled and health monitors are succeeding
- Red Diamond - Enabled and off line due to the monitors failing
- Yellow Triangle - A configured connection limit is being reached
- Black circle - Administratively disabled and monitors are succeeding
- Black Diamond - Administratively disabled and monitors are failing.
- Black Square - Administratively disabled and no monitors are configured
- Blue Square - Status is unknown - No monitor is configured, traffic is able to pass
- Diamonds = Monitors are failing
- Circles = Monitors are succeeding
- Square = No monitors enabled to know the status - Status unknown
Traffic Statistics
- GUI Statistics -> Module Statistics -> Local Traffic - Select Object type(Virtual Server, Node, Pool)
- CLI
tmsh show /ltm virtual vip1
------------------------------------------------------------------
Ltm::Virtual Server: vip1
------------------------------------------------------------------
Status
Availability : unknown
State : enabled
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
CMP : enabled
CMP Mode : all-cpus
Destination : 172.16.2.50:any
Traffic ClientSide Ephemeral General
Bits In 0 0 -
Bits Out 0 0 -
Packets In 0 0 -
Packets Out 0 0 -
Current Connections 0 0 -
Maximum Connections 0 0 -
Total Connections 0 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 0
Max Conn Duration/msec - - 0
Mean Conn Duration/msec - - 0
Total Requests - - 0
SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0
Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0
CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0- CLI
tmsh show /ltm pool pool1
---------------------------------------------------------------------------------------
Ltm::Pool: pool1
---------------------------------------------------------------------------------------
Status
Availability : unknown
State : enabled
Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
Monitor : none
Minimum Active Members : 0
Priority Groups : 0/0/0 (highest/current/lowest)
Current Active Members : 0
Available Members : 1
Total Members : 1
Total Requests : 0
Current Sessions : 0
Traffic ServerSide
Bits In 0
Bits Out 0
Packets In 0
Packets Out 0
Current Connections 0
Maximum Connections 0
Total Connections 0
Connection Queue Pool Pool and members
Number of connections queued now 0 0
Number of connections serviced 0 0
Queue head entry age (ms) 0 0
Maximum queue entry age ever (ms) 0 0
Maximum queue entry age recently (ms) 0 0
Average queue entry age (ms) 0 0
Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0TTL and Hop Limit
To ensure IP packets have a limited lifetime on the network all IP packets have an 8 bit Time to Live (IPv4) or Hop Limit (IPv6) header field and value which specifies the maximum number of layer three hops (typically routers) that can be traversed on the path to their destination. Each time the packet arrives at a layer three network device (a hop) the value is reduced by one before it is routed onward. When the value eventually reaches one the packet is discarded by the device that receives it (as the value will be reduced to zero). Whilst this won’t prevent network issues caused by a routing loop or similar, it reduces their impact and may help avoid router failures. As it is an 8 bit field, the maximum possible value is 255 (11111111 in binary).
When discarding a packet with a TTL or Hop Limit of one or zero the router in question may (it’s not mandatory) send an ICMP error message to the source.
IPv4: type 11: ‘Time Exceeded’, code 0: ‘time to live exceeded in transit’IPv6: type 3: ‘Time Exceeded’, code 0: ‘Hop limit exceeded in transit’
ICMP
Unreachable Redirects
The ICMP Destination Unreachable message acts as a feedback mechanism for a router to let a source device know that it has no method to communicate with the desired destination. However, it is up to the sending device, upon receiving the ICMP Destination Unreachable message, whether to take any particular action. The ICMP Destination Unreachable (Type 3) message has six code types to indicate what type of failure is present:
- Code 0 “Network Unreachable” means the packet could not be delivered to the network specified
- Code 1 “Host Unreachable” means the packet can be routed to the destination network, but the specified host does not exist on the destination network.
- Code 2 “Protocol Unreachable” is sent when the router receives a non broadcast message destined for itself that uses an unknown protocol.
- Code 3 “Port Unreachable”
- Code 4 “Fragmentation need and the DF bit is set”
- Code 5 “Source Route Failed”
ICMPv6 uses Type 1 messages.
Redirects
ICMP Redirect messages (ICMP Type 5) are used when there are multiple gateways on the same network segment, and a host sends a packet to one of the gateways, but a different gateway on the same network segment has a better metric to the destination. When the gateway configured on the host receives the packet, but determines via its routing table that a different gateway on the same network segment is closer, it forwards the packet to the better gateway, and sends an ICMP Redirect message back to the host indicating that it should use the better gateway to reach the destination for future packets. ICMPv6 uses Type 137.
Upgrades
The process for an upgrade is generally
- Identify the active partition
- Install the new software on a partition that is NOT active
- Reboot the device into the updated partition.
- Verify
- Roll back if needed - Reboot into the original partition.
Engineering Hotfix
F5 may provide temporary code patches or engineering hotfixes to address issues between normal new Major, Minor, and Point software releases. F5 produces engineering hotfixes only for customers who have active contracts with F5 Global Support or F5 Premium Plus Support. While F5 endeavors to release the most stable code possible, engineering hotfixes do not undergo the extensive QA assessment of scheduled software releases. F5 offers engineering hotfixes with no warranty or guarantee of usability. Engineering hotfixes are normally provided by F5 Support through a support case. On some occasions engineering hotfixes may be available on MyF5 Downloads when fixes are required for critical security issues.
Software install location
Multiple software installations can exist on the BIG-IP system, but only one is active. You can install the new version or hotfix to an existing volume, overwriting the currently installed software version for that volume, or to a new, empty volume that you create during installation. You can install software only on inactive volumes. To install software to the active volume, you must boot to a different volume.
tmsh show /sys software status
-------------------------------------------------------------------
Sys::Software Status
Volume Product Version Build Active Status Allowed Version
-------------------------------------------------------------------
HD1.1 BIG-IP 17.1.1.3 0.0.5 yes complete yesTCP DUMP
tcpdump -i 2.1- Start a tcp dump on interface 2.1tcpdump -i external- Start a tcp dump on vlan externaltcpdump -n- Disable name resolutiontcpdump -w- Save output to a binary file. This is the required format if you need to send captures to F5 supporttcpdump file.txt- Save output to text file that is human readable. Only a subset of information is saved.tcpdump -r filename- Read a binary tcpdump capture file.tcpdump host 10.1.2.3- Filter to any traffic to or from the host 10.1.2.3tcpdump src host 10.1.2.3- Filter to only traffic sourced from host 10.1.2.3tcpdump dst host 10.1.2.3- Filter to only traffic going to host host 10.1.2.3tcpdump dst port 80- Filter to only traffic going to port 80
System Health
Logs
| Type | Log file | Description
| ------------- | --------------------------- |-----------------------------------------------------
| audit | /var/log/audit | The audit event messages are messages that the BIG-IP system logs as a result of changes to the BIG-IP system configuration. Logging audit events is optional.
| boot | /var/log/boot.log | The boot messages contain information that is logged when the system boots.
| cron | /var/log/cron | When the cron daemon starts a cron job, the daemon logs the information about the cron job in this file.
| daemon | /var/log/daemon.log | The daemon messages are logged by various daemons that run on the system.
| dmesg | /var/log/dmesg | The dmesg messages contain kernel ring buffer information that pertains to the hardware devices that the kernel detects during the boot process.
| GSLB | /var/log/gtm | The GSLB messages pertain to global traffic management events.
| httpd | /var/log/httpd/httpd_errors | The httpd messages contain the Apache Web server error log.
| kernel | /var/log/kern.log | The kernel messages are logged by the Linux kernel.
| local traffic | /var/log/ltm | The local traffic messages pertain specifically to the BIG-IP local traffic management events.
| mail | /var/log/maillog | The mail messages contain the log information from the mail server that is running on the system.
| packet filter | /var/log/pktfilter | The packet filter messages are those that result from the use of packet filters and packet-filter rules.
| security | /var/log/secure | The secure log messages contain information related to authentication and authorization privileges.
| system | /var/log/messages | The system event messages are based on global Linux events, and are not specific to BIG-IP local traffic management events.
| TMM | /var/log/tmm | The TMM log messages are those that pertain to Traffic Management Microkernel events.
| user | /var/log/user.log | The user log messages contain information about all user level logs.
| webui | /var/log/webui.log | The webui log messages display errors and exception details that pertain to the Configuration utility.Qkview and iHealth
- Go to System > Support.
- Select New Support Snapshot.
- For Health Utility, select Generate QKView.
- Select Start.
- Download.
https://ihealth.f5.com/