F5 BIG-IP Estate — example report

Generated 2026-07-05 21:49:01 UTC · 2 devices · query engine v0.1.0

BIG-IP Report Generator & f5‑query by bitwisecook
37Orphaned Objects

bigip-lab-01.example.net

TMOS 15.1.8.2 lab-device-01.ucs
2 orphaned pools (defined, referenced by nothing — no iRule can attach them either)
2 orphaned nodes (defined, referenced by nothing — no iRule can attach them either)
1 orphaned rules (defined, referenced by nothing — no iRule can attach them either)
3 orphaned monitors (defined, referenced by nothing — no iRule can attach them either)
5 orphaned profiles (defined, referenced by nothing — no iRule can attach them either)
3 pool(s) with no members: css_pool, jpg.pool, js.io_t80_pool
4 virtual server(s) with no default pool (forwarding / policy-driven)
5 SSL profile(s) in use
Bundle as app: 0 selected tick virtual servers, name the app, then open the Apps tab
NameDestinationPortPool ProfilesiRulesSNATProto
app1_t80_vs 192.168.1.21 80 tcphttp _sys_https_redirect tcp
app1_t443_vs 192.168.1.21 443 app1_t80_pool tcphttp automap tcp
app2_t80_vs 192.168.2.21 80 tcphttp _sys_https_redirect tcp
app2_t443_vs 192.168.2.21 443 app2_t80_pool tcphttp automap tcp
persistTest_80_vs 10.6.3.4 80 tcphttp tcp i
app3_t8443_vs 192.168.1.51 8443 app3_t8443_pool tcpapp3_clientsslapp3_serversslhttp app3_ruleapp3_rule2app3_rule3 app3_snat_pool tcp
app4_t80_vs 192.168.2.25 80 app4_pool tcphttp _sys_https_redirectapp4_pool_rule tcp i
forwarder_net_0.0.0.0 0.0.0.0 0 fastl4_loose
bigiq.benlab.io_t443_vs 10.200.244.15 443 bigiq.benlab.io_t443_pool httpASM_basic_policy_1f5-tcp-progressivewebsecurity automap tcp i
NameMembersMonitorLB ModeUsed By
MemberAddressPortMonitor
app1_Node1:80192.168.1.2280
app1_Node2:80192.168.1.2380
MemberAddressPortMonitor
app2_Node1:80192.168.2.2280
app2_Node2:80192.168.2.2380
MemberAddressPortMonitor
app3_Node1:8443192.168.1.528443
app3_Node2:8443192.168.1.538443
MemberAddressPortMonitor
10.3.110.10:8010.3.110.1080
10.3.110.10:44310.3.110.10443
10.3.110.10:844310.3.110.108443
dw1.lab.io:84438443
dw2.lab.io:443443/Common/http
MemberAddressPortMonitor
api.chucknorris.io:443443
MemberAddressPortMonitor
10.200.244.15:44310.200.244.15443
NameAddressMonitorUsed By Pools
10.10.10.1 10.10.10.1 app4_pool_rule
192.168.200.42 orphan 192.168.200.42 nothing
api.chucknorris.io app4_pool
app1_Node1 192.168.1.22 app1_t80_pool
app1_Node2 192.168.1.23 app1_t80_pool
app2_Node1 192.168.2.22 app2_t80_pool
app2_Node2 192.168.2.23 app2_t80_pool
app3_Node1 192.168.1.52 app3_t8443_pool
app3_Node2 192.168.1.53 app3_t8443_pool
app5_Node5 orphan 192.168.10.23 nothing
10.200.244.15 10.200.244.15 bigiq.benlab.io_t443_pool
NameTypeIntervalTimeoutSendReceiveUsed By
dubNameTst1_monitor dns 5 16 none 0
global_http_monitor http 5 16 GET /anywebsite.com\r\n ok 200 1
global_https_monitor https 5 16 GET /any-secure-website.com\r\n 201 continue 1
test_tcp_monitor tcp 5 16 send a tcp string receive a tcp string 0
app1_tcp_half_open_quick_monitor tcp-half-open 1 4 1
test_udp_monitor udp 5 16 default send string recieve-what? 0
bigiq_https_monitor https 5 16 GET /something \r\n none 1
NameEventsLinesAttached To
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
#comment

when HTTP_REQUEST {
    # add more here
}
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
#comment

when HTTP_REQUEST {
    # ben test 444
}
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
# app3_rule3 header

when SERVERSSL_DATA {
    # got something from server
}
Referenced objects: pool css_pool pool js.io_t80_pool
### test rule for corkscrew

  # 

when HTTP_REQUEST {

  # pool reference by variable declaration
  set html-pool web1Pool

  if { [HTTP::path] ends_with "*.css" }{

    # regular pool refernce
    pool css_pool

  } elseif { [HTTP::path] ends_with "*.jpg" }{

    # pool member refernce
    pool jpg.pool member 10.10.10.1 80

  } elseif { [HTTP::path] ends_with "*.js" }{

    # another pool reference with special characters
    pool js.io_t80_pool 

  } elseif { [HTTP::path] ends_with "*.xx" }{

    # pool reference not in tmos config
    ### *** seems the gui won't let you attach an irule to a vs with a pool that doesn't exist
    #pool missing_pool

  } elseif { [HTTP::path] ends_with "*.txt" }{

    # node reference
    node 10.10.10.1 80

  } else {

    # pool referenced by variable
    pool $html-pool

  }
}
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
NameTypeRecordsUsed By
01
01
01
01
as3_async_records0
config0
bigip-fast-templates0examples0goodFastTemplates0
NameTypeParentCertificateCiphersUsed By
app2_clientssl CLIENT_SSL clientssl 0
app3_clientssl CLIENT_SSL clientssl 1
test1 CLIENT_SSL clientssl 0
fastl4_loose FASTL4 1
global_http_monitor FTP ftp 1
dubNameTst1_profile HTTP http 0
dubName.Tst1_profile HTTP httpcompression 0
app3_serverssl SERVER_SSL serverssl 1
test2 SERVER_SSL serverssl 0

Certificate inventory pulled straight from the config — every sys file ssl-cert stanza carries its own expiry, subject and issuer. Days remaining is computed live against your clock, so this view is current whenever the report is opened. Sorted soonest-to-expire first; expired and expiring-within-30-days are flagged. Click a row for the SAN list, fingerprint and what uses it.

No sys file ssl-cert objects in this config. A UCS backup or a full config save (tmsh save sys config) includes them; a partial bigip.conf that only defines LTM objects may not.

Every credential-bearing field in the config — SSL private-key passphrases, monitor / RADIUS / SNMP / iApp secrets. BIG-IP stores these encrypted under the unit master key (f5mku -K). Values are masked: when the report was generated with the master key you can reveal the decrypted secret; otherwise it stays encrypted and cannot be shown. Nothing here was uploaded, and printing only shows secrets you have revealed.

ObjectFieldSecret
auth radius-server /Common/system_auth_name1 secret •••••••••••• encrypted
ltm auth radius-server /Common/system_auth_name1 secret •••••••••••• encrypted
sys file ssl-key /Common/f5_api_com.key passphrase •••••••••••• encrypted
Virtual Pool Node Monitor iRule Profile

Click a node to open its detail drawer. Click a connector line to light up everything connected to it (e.g. an iRule→pool link highlights every virtual using that iRule, and the pool's nodes). Dashed edges are pool references found inside an iRule.

Enter a client flow — which virtual server picks it up? Results are ranked most-specific first (the matched listener is highlighted at the top); virtuals at the same specificity are shown side by side. Click any listener to load the exact flow that reaches it and simulate its processing. Supports IPv4 and IPv6, VLANs and route domains. Source defaults to 0.0.0.0/0.

Curated F5 community, support and security-incident-response resources. Because this report is often generated from a .ucs archive of a device under investigation, the UCS forensic checklist below ties each archive path to the attacker behaviour to look for and its MITRE ATT&CK technique. Every link opens on F5 DevCentral, my.F5 or CISA — nothing here is loaded to render the page or phones home.

UCS forensic checklist — where to hunt and what it maps to

List the archive with tar -ztf archive.ucs, then extract and inspect the paths below. Compare against a known-good backup where you have one — a UCS taken from an already-compromised host can itself carry the implant.

Where to look (UCS path / config)What an attacker does thereMITRE ATT&CK
home/*/.bashrc, .bash_profile, .bash_login Shell-init hooks that silently re-launch malware whenever a user logs in — a favourite way to survive a clean-up. T1546.004
home/*/.ssh/authorized_keys Attacker-controlled SSH key for durable access. On password-auth deployments this file is normally absent or empty — any key is suspect. T1098.004
etc/passwd, etc/shadow Backdoor local accounts, unexpected UID 0 users, or altered password hashes. T1136 · T1078
etc/nsswitch.conf, etc/openldap/*, etc/krb5.conf, etc/security/* Redirected or weakened external authentication (LDAP/AD/RADIUS/Kerberos/PAM) to plant rogue trust or harvest credentials. T1556
etc/syslog-ng/* Logging disabled or quietly redirected so on-box activity is never recorded or forwarded. T1562.006
config/* iRules — cross-check the iRules tab An HTTP-event iRule acting as a web shell / covert C2: running commands or exfiltrating on a magic URI, header or cookie. T1505.003 · T1059
System binaries (running host, not in the UCS): /usr/bin/umount, /usr/sbin/httpd Trojanised binaries — hash, size or mtime that differ from the known-good release. T1554
etc/motd Tampered login banner (defacement / taunt, or to mask changes). T1491
Point-in-time indicators (2025 F5 incident & SIRT reporting). Reported artefacts have included the files /run/bigtlog.pipe and /run/bigstart.ltm; size / hash / timestamp mismatches on /usr/bin/umount and /usr/sbin/httpd; the account f5hubblelcdadmin reaching iControl REST from localhost; auditd entries that disable SELinux; and C2 disguised as HTTP 201 responses carrying a text/css content-type. These indicators are volatile and version-specific — confirm against the current F5 SIRT and CISA guidance rather than treating them as a fixed signature list.

Run the real f5-query DSL against this device, live in your browser — the query engine is compiled to WebAssembly and embedded in this page along with the config. Nothing leaves the page. Press Ctrl/⌘+Enter to run.


    

bigip-edge-02.example.net

TMOS 15.1.0.4 lab-device-02.ucs
2 orphaned monitors (defined, referenced by nothing — no iRule can attach them either)
3 orphaned profiles (defined, referenced by nothing — no iRule can attach them either)
3 virtual server(s) with no default pool (forwarding / policy-driven)
5 SSL profile(s) in use
Bundle as app: 0 selected tick virtual servers, name the app, then open the Apps tab
NameDestinationPortPool ProfilesiRulesSNATProto
app1_t80_vs 192.168.1.21 80 tcphttp _sys_https_redirect tcp
app1_t443_vs 192.168.1.21 443 app1_t80_pool tcphttp automap tcp
app2_t80_vs 192.168.2.21 80 tcphttp _sys_https_redirect tcp
app2_t443_vs 192.168.2.21 443 app2_t80_pool tcphttp automap tcp
app3_t8443_vs 192.168.1.51 8443 app3_t8443_pool tcpapp3_clientsslapp3_serversslhttp app3_ruleapp3_rule2app3_rule3 app3_snat_pool tcp
forwarder_net_0.0.0.0 0.0.0.0 0 fastl4_loose
NameMembersMonitorLB ModeUsed By
MemberAddressPortMonitor
app1_Node1:80192.168.1.2280
app1_Node2:80192.168.1.2380
MemberAddressPortMonitor
app2_Node1:80192.168.2.2280
app2_Node2:80192.168.2.2380
MemberAddressPortMonitor
app3_Node1:8443192.168.1.528443
app3_Node2:8443192.168.1.538443
NameAddressMonitorUsed By Pools
app1_Node1 192.168.1.22 app1_t80_pool
app1_Node2 192.168.1.23 app1_t80_pool
app2_Node1 192.168.2.22 app2_t80_pool
app2_Node2 192.168.2.23 app2_t80_pool
app3_Node1 192.168.1.52 app3_t8443_pool
app3_Node2 192.168.1.53 app3_t8443_pool
NameTypeIntervalTimeoutSendReceiveUsed By
global_http_monitor http 5 16 GET /anywebsite.com\r\n ok 200 1
global_https_monitor https 5 16 GET /any-secure-website.com\r\n 201 continue 1
test_tcp_monitor tcp 5 16 send a tcp string receive a tcp string 0
app1_tcp_half_open_quick_monitor tcp-half-open 1 4 1
test_udp_monitor udp 5 16 default send string recieve-what? 0
NameEventsLinesAttached To
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
#comment

when HTTP_REQUEST {
    # add more here
}
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
#rule2

when HTTP_RESPONSE {
    # 22222222
}
No pool / node / snatpool / data-group references (static or dynamic) in this iRule.
# app3_rule3 header

when SERVERSSL_DATA {
    # got something from server
}
NameTypeRecordsUsed By
01
01
01
01
as3_async_records0
config0
bigip-fast-templates0examples0goodFastTemplates0
NameTypeParentCertificateCiphersUsed By
app2_clientssl CLIENT_SSL clientssl 0
app3_clientssl CLIENT_SSL clientssl 1
test1 CLIENT_SSL clientssl 0
fastl4_loose FASTL4 1
app3_serverssl SERVER_SSL serverssl 1
test2 SERVER_SSL serverssl 0

Certificate inventory pulled straight from the config — every sys file ssl-cert stanza carries its own expiry, subject and issuer. Days remaining is computed live against your clock, so this view is current whenever the report is opened. Sorted soonest-to-expire first; expired and expiring-within-30-days are flagged. Click a row for the SAN list, fingerprint and what uses it.

No sys file ssl-cert objects in this config. A UCS backup or a full config save (tmsh save sys config) includes them; a partial bigip.conf that only defines LTM objects may not.

Every credential-bearing field in the config — SSL private-key passphrases, monitor / RADIUS / SNMP / iApp secrets. BIG-IP stores these encrypted under the unit master key (f5mku -K). Values are masked: when the report was generated with the master key you can reveal the decrypted secret; otherwise it stays encrypted and cannot be shown. Nothing here was uploaded, and printing only shows secrets you have revealed.

ObjectFieldSecret
auth radius-server /Common/system_auth_name1 secret •••••••••••• encrypted
ltm auth radius-server /Common/system_auth_name1 secret •••••••••••• encrypted
sys file ssl-key /Common/f5_api_com.key passphrase •••••••••••• encrypted
Virtual Pool Node Monitor iRule Profile

Click a node to open its detail drawer. Click a connector line to light up everything connected to it (e.g. an iRule→pool link highlights every virtual using that iRule, and the pool's nodes). Dashed edges are pool references found inside an iRule.

Enter a client flow — which virtual server picks it up? Results are ranked most-specific first (the matched listener is highlighted at the top); virtuals at the same specificity are shown side by side. Click any listener to load the exact flow that reaches it and simulate its processing. Supports IPv4 and IPv6, VLANs and route domains. Source defaults to 0.0.0.0/0.

Curated F5 community, support and security-incident-response resources. Because this report is often generated from a .ucs archive of a device under investigation, the UCS forensic checklist below ties each archive path to the attacker behaviour to look for and its MITRE ATT&CK technique. Every link opens on F5 DevCentral, my.F5 or CISA — nothing here is loaded to render the page or phones home.

UCS forensic checklist — where to hunt and what it maps to

List the archive with tar -ztf archive.ucs, then extract and inspect the paths below. Compare against a known-good backup where you have one — a UCS taken from an already-compromised host can itself carry the implant.

Where to look (UCS path / config)What an attacker does thereMITRE ATT&CK
home/*/.bashrc, .bash_profile, .bash_login Shell-init hooks that silently re-launch malware whenever a user logs in — a favourite way to survive a clean-up. T1546.004
home/*/.ssh/authorized_keys Attacker-controlled SSH key for durable access. On password-auth deployments this file is normally absent or empty — any key is suspect. T1098.004
etc/passwd, etc/shadow Backdoor local accounts, unexpected UID 0 users, or altered password hashes. T1136 · T1078
etc/nsswitch.conf, etc/openldap/*, etc/krb5.conf, etc/security/* Redirected or weakened external authentication (LDAP/AD/RADIUS/Kerberos/PAM) to plant rogue trust or harvest credentials. T1556
etc/syslog-ng/* Logging disabled or quietly redirected so on-box activity is never recorded or forwarded. T1562.006
config/* iRules — cross-check the iRules tab An HTTP-event iRule acting as a web shell / covert C2: running commands or exfiltrating on a magic URI, header or cookie. T1505.003 · T1059
System binaries (running host, not in the UCS): /usr/bin/umount, /usr/sbin/httpd Trojanised binaries — hash, size or mtime that differ from the known-good release. T1554
etc/motd Tampered login banner (defacement / taunt, or to mask changes). T1491
Point-in-time indicators (2025 F5 incident & SIRT reporting). Reported artefacts have included the files /run/bigtlog.pipe and /run/bigstart.ltm; size / hash / timestamp mismatches on /usr/bin/umount and /usr/sbin/httpd; the account f5hubblelcdadmin reaching iControl REST from localhost; auditd entries that disable SELinux; and C2 disguised as HTTP 201 responses carrying a text/css content-type. These indicators are volatile and version-specific — confirm against the current F5 SIRT and CISA guidance rather than treating them as a fixed signature list.

Run the real f5-query DSL against this device, live in your browser — the query engine is compiled to WebAssembly and embedded in this page along with the config. Nothing leaves the page. Press Ctrl/⌘+Enter to run.


    
f5-query