bigip-lab-01.example.net
| Name | Destination | Port | Pool | Profiles | iRules | SNAT | Proto | ||
|---|---|---|---|---|---|---|---|---|---|
| app1_t80_vs | 192.168.1.21 | 80 | — | tcphttp | _sys_https_redirect | — | tcp | ||
| app1_t443_vs | 192.168.1.21 | 443 | app1_t80_pool | tcphttp | automap | tcp | |||
| app2_t80_vs | 192.168.2.21 | 80 | — | tcphttp | _sys_https_redirect | — | tcp | ||
| app2_t443_vs | 192.168.2.21 | 443 | app2_t80_pool | tcphttp | automap | tcp | |||
| persistTest_80_vs | 10.6.3.4 | 80 | — | tcphttp | — | tcp | i | ||
| app3_t8443_vs | 192.168.1.51 | 8443 | app3_t8443_pool | tcpapp3_clientsslapp3_serversslhttp | app3_ruleapp3_rule2app3_rule3 | app3_snat_pool | tcp | ||
| app4_t80_vs | 192.168.2.25 | 80 | app4_pool | tcphttp | _sys_https_redirectapp4_pool_rule | — | tcp | i | |
| forwarder_net_0.0.0.0 | 0.0.0.0 | 0 | — | fastl4_loose | — | ||||
| bigiq.benlab.io_t443_vs | 10.200.244.15 | 443 | bigiq.benlab.io_t443_pool | httpASM_basic_policy_1f5-tcp-progressivewebsecurity | automap | tcp | i |
| Name | Members | Monitor | LB Mode | Used By | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▸ | app1_t80_pool | 2 | /Common/http and /Common/tcp | round-robin | app1_t443_vs | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▸ | app2_t80_pool | 2 | /Common/global_http_monitor and /Common/global_https_monitor | least-connections-member | app2_t443_vs | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▸ | app3_t8443_pool | 2 | /Common/app1_tcp_half_open_quick_monitor and /Common/http_head_f5 and /Common/http2_head_f5 and /Common/http and /Common/tcp_half_open | least-connections-member | app3_t8443_vs | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▸ | manyOptions_pool orphan | 5 | min 2 of | observed-member | nothing | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▸ | app4_pool | 1 | — | round-robin | app4_t80_vs | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| css_pool | 0 empty | — | round-robin | app4_pool_rule | |||||||||||||||||||||||||
| jpg.pool orphan | 0 empty | — | round-robin | nothing | |||||||||||||||||||||||||
| js.io_t80_pool | 0 empty | — | round-robin | app4_pool_rule | |||||||||||||||||||||||||
| ▸ | bigiq.benlab.io_t443_pool | 1 | /Common/bigiq_https_monitor | round-robin | bigiq.benlab.io_t443_vs | ||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| Name | Address | Monitor | Used By Pools |
|---|---|---|---|
| 10.10.10.1 | 10.10.10.1 | — | app4_pool_rule |
| 192.168.200.42 orphan | 192.168.200.42 | — | nothing |
| api.chucknorris.io | — | app4_pool | |
| app1_Node1 | 192.168.1.22 | — | app1_t80_pool |
| app1_Node2 | 192.168.1.23 | — | app1_t80_pool |
| app2_Node1 | 192.168.2.22 | — | app2_t80_pool |
| app2_Node2 | 192.168.2.23 | — | app2_t80_pool |
| app3_Node1 | 192.168.1.52 | — | app3_t8443_pool |
| app3_Node2 | 192.168.1.53 | — | app3_t8443_pool |
| app5_Node5 orphan | 192.168.10.23 | — | nothing |
| 10.200.244.15 | 10.200.244.15 | — | bigiq.benlab.io_t443_pool |
| Name | Type | Interval | Timeout | Send | Receive | Used By |
|---|---|---|---|---|---|---|
| dubNameTst1_monitor | dns | 5 | 16 | — | none | 0 |
| global_http_monitor | http | 5 | 16 | GET /anywebsite.com\r\n | ok 200 | 1 |
| global_https_monitor | https | 5 | 16 | GET /any-secure-website.com\r\n | 201 continue | 1 |
| test_tcp_monitor | tcp | 5 | 16 | send a tcp string | receive a tcp string | 0 |
| app1_tcp_half_open_quick_monitor | tcp-half-open | 1 | 4 | — | — | 1 |
| test_udp_monitor | udp | 5 | 16 | default send string | recieve-what? | 0 |
| bigiq_https_monitor | https | 5 | 16 | GET /something \r\n | none | 1 |
| Name | Events | Lines | Attached To | |
|---|---|---|---|---|
| ▸ | app3_rule | HTTP_REQUEST | 5 | app3_t8443_vs |
No pool / node / snatpool / data-group references (static or dynamic) in this iRule. flowchart TD
n0(["HTTP_REQUEST"])
class n0 evNode
classDef evNode fill:#dbeafe,stroke:#2563eb,color:#0b3a86;
#comment when HTTP_REQUEST { # add more here } | ||||
| ▸ | app3_rule2 | HTTP_REQUEST | 5 | app3_t8443_vs |
No pool / node / snatpool / data-group references (static or dynamic) in this iRule. flowchart TD
n0(["HTTP_REQUEST"])
class n0 evNode
classDef evNode fill:#dbeafe,stroke:#2563eb,color:#0b3a86;
#comment when HTTP_REQUEST { # ben test 444 } | ||||
| ▸ | app3_rule3 | SERVERSSL_DATA | 5 | app3_t8443_vs |
No pool / node / snatpool / data-group references (static or dynamic) in this iRule. flowchart TD
n0(["SERVERSSL_DATA"])
class n0 evNode
classDef evNode fill:#dbeafe,stroke:#2563eb,color:#0b3a86;
# app3_rule3 header when SERVERSSL_DATA { # got something from server } | ||||
| ▸ | app4_pool_rule | HTTP_REQUEST | 42 | app4_t80_vs |
Referenced objects: pool css_pool pool js.io_t80_pool flowchart TD
n0(["HTTP_REQUEST"])
class n0 evNode
classDef evNode fill:#dbeafe,stroke:#2563eb,color:#0b3a86;
### test rule for corkscrew # when HTTP_REQUEST { # pool reference by variable declaration set html-pool web1Pool if { [HTTP::path] ends_with "*.css" }{ # regular pool refernce pool css_pool } elseif { [HTTP::path] ends_with "*.jpg" }{ # pool member refernce pool jpg.pool member 10.10.10.1 80 } elseif { [HTTP::path] ends_with "*.js" }{ # another pool reference with special characters pool js.io_t80_pool } elseif { [HTTP::path] ends_with "*.xx" }{ # pool reference not in tmos config ### *** seems the gui won't let you attach an irule to a vs with a pool that doesn't exist #pool missing_pool } elseif { [HTTP::path] ends_with "*.txt" }{ # node reference node 10.10.10.1 80 } else { # pool referenced by variable pool $html-pool } } | ||||
| ▸ | app4_pool_rule2 unattached | 0 | — | |
No pool / node / snatpool / data-group references (static or dynamic) in this iRule. | ||||
| Name | Type | Records | Used By | |
|---|---|---|---|---|
| ▸ | ____appsvcs_declaration-1601897418975 | integer | 2 | 0 |
01 | ||||
| ▸ | ____appsvcs_declaration-1601900242421 | integer | 2 | 0 |
01 | ||||
| ▸ | ____appsvcs_declaration-1601900272772 | integer | 2 | 0 |
01 | ||||
| ▸ | ____appsvcs_declaration-1602008840967 | integer | 2 | 0 |
01 | ||||
| __appsvcs_update | string | 0 | 0 | |
| ▸ | dataStore | string | 1 | 0 |
as3_async_records0 | ||||
| datastore | string | 0 | 0 | |
| ▸ | config | string | 1 | 0 |
config0 | ||||
| ▸ | dataStore | string | 3 | 0 |
bigip-fast-templates0examples0goodFastTemplates0 | ||||
| Name | Type | Parent | Certificate | Ciphers | Used By |
|---|---|---|---|---|---|
| app2_clientssl | CLIENT_SSL | clientssl | — | — | 0 |
| app3_clientssl | CLIENT_SSL | clientssl | — | — | 1 |
| test1 | CLIENT_SSL | clientssl | — | — | 0 |
| fastl4_loose | FASTL4 | — | — | — | 1 |
| global_http_monitor | FTP | ftp | — | — | 1 |
| dubNameTst1_profile | HTTP | http | — | — | 0 |
| dubName.Tst1_profile | HTTP | httpcompression | — | — | 0 |
| app3_serverssl | SERVER_SSL | serverssl | — | — | 1 |
| test2 | SERVER_SSL | serverssl | — | — | 0 |
Certificate inventory pulled straight from the config — every sys file ssl-cert stanza carries its own expiry, subject and issuer. Days remaining is computed live against your clock, so this view is current whenever the report is opened. Sorted soonest-to-expire first; expired and expiring-within-30-days are flagged. Click a row for the SAN list, fingerprint and what uses it.
No sys file ssl-cert objects in this config. A UCS backup or a full config save (tmsh save sys config) includes them; a partial bigip.conf that only defines LTM objects may not.
Every credential-bearing field in the config — SSL private-key passphrases, monitor / RADIUS / SNMP / iApp secrets. BIG-IP stores these encrypted under the unit master key (f5mku -K). Values are masked: when the report was generated with the master key you can reveal the decrypted secret; otherwise it stays encrypted and cannot be shown. Nothing here was uploaded, and printing only shows secrets you have revealed.
| Object | Field | Secret |
|---|---|---|
| auth radius-server /Common/system_auth_name1 | secret | •••••••••••• encrypted |
| ltm auth radius-server /Common/system_auth_name1 | secret | •••••••••••• encrypted |
| sys file ssl-key /Common/f5_api_com.key | passphrase | •••••••••••• encrypted |
Click a node to open its detail drawer. Click a connector line to light up everything connected to it (e.g. an iRule→pool link highlights every virtual using that iRule, and the pool's nodes). Dashed edges are pool references found inside an iRule.
Enter a client flow — which virtual server picks it up? Results are ranked most-specific first (the matched listener is highlighted at the top); virtuals at the same specificity are shown side by side. Click any listener to load the exact flow that reaches it and simulate its processing. Supports IPv4 and IPv6, VLANs and route domains. Source defaults to 0.0.0.0/0.
Curated F5 community, support and security-incident-response resources. Because this report is often generated from a .ucs archive of a device under investigation, the UCS forensic checklist below ties each archive path to the attacker behaviour to look for and its MITRE ATT&CK technique. Every link opens on F5 DevCentral, my.F5 or CISA — nothing here is loaded to render the page or phones home.
DevCentral & community
Support & documentation
Compromise & UCS forensics
Hardening & advisories
Gov advisories & malware analysis
Threat intel & detection
UCS forensic checklist — where to hunt and what it maps to
List the archive with tar -ztf archive.ucs, then extract and inspect the paths below. Compare against a known-good backup where you have one — a UCS taken from an already-compromised host can itself carry the implant.
| Where to look (UCS path / config) | What an attacker does there | MITRE ATT&CK |
|---|---|---|
home/*/.bashrc, .bash_profile, .bash_login |
Shell-init hooks that silently re-launch malware whenever a user logs in — a favourite way to survive a clean-up. | T1546.004 |
home/*/.ssh/authorized_keys |
Attacker-controlled SSH key for durable access. On password-auth deployments this file is normally absent or empty — any key is suspect. | T1098.004 |
etc/passwd, etc/shadow |
Backdoor local accounts, unexpected UID 0 users, or altered password hashes. | T1136 · T1078 |
etc/nsswitch.conf, etc/openldap/*, etc/krb5.conf, etc/security/* |
Redirected or weakened external authentication (LDAP/AD/RADIUS/Kerberos/PAM) to plant rogue trust or harvest credentials. | T1556 |
etc/syslog-ng/* |
Logging disabled or quietly redirected so on-box activity is never recorded or forwarded. | T1562.006 |
config/* iRules — cross-check the iRules tab |
An HTTP-event iRule acting as a web shell / covert C2: running commands or exfiltrating on a magic URI, header or cookie. | T1505.003 · T1059 |
System binaries (running host, not in the UCS): /usr/bin/umount, /usr/sbin/httpd |
Trojanised binaries — hash, size or mtime that differ from the known-good release. | T1554 |
etc/motd |
Tampered login banner (defacement / taunt, or to mask changes). | T1491 |
/run/bigtlog.pipe and /run/bigstart.ltm; size / hash / timestamp mismatches on /usr/bin/umount and /usr/sbin/httpd; the account f5hubblelcdadmin reaching iControl REST from localhost; auditd entries that disable SELinux; and C2 disguised as HTTP 201 responses carrying a text/css content-type. These indicators are volatile and version-specific — confirm against the current F5 SIRT and CISA guidance rather than treating them as a fixed signature list.
Run the real f5-query DSL against this device, live in your browser — the query engine is compiled to WebAssembly and embedded in this page along with the config. Nothing leaves the page. Press Ctrl/⌘+Enter to run.