F5 BIG-IP

SecTrail CM enables automatic deployment and renewal of SSL certificates by establishing agentless connections to F5 BIG-IP devices.

Connection Requirements

Requirement	Detail	Description
Protocol	iControl REST API (HTTPS)	F5 BIG-IP's native REST API is used
Port	`443`	Standard HTTPS port
Authentication	Basic Authentication	Authentication via Username and Password
User Permission	tmsh + Administrator	Certificate upload and configuration permission

Automated Operations

SecTrail CM automatically performs the following operations on F5 BIG-IP:

Certificate and Key Upload: Secure transfer of SSL certificate and private key
Virtual Server Update: Configuring relevant virtual servers to use the new certificate
Configuration Sync: Automatic synchronization to peer devices in HA environments

Configuration Steps

1. Creating F5 BIG-IP User

Navigate to Automation > Device Users and create a user for F5.

User Permissions

Ensure the user has tmsh (Traffic Management Shell) permissions.

2. Adding F5 Device to SecTrail CM

Click Automation > Devices > Add New Device button and enter the following information:

F5 BIG-IP Device Creation

Name: Provide a descriptive name for the device
Device Users: Select the user created in Step 1
IP: Enter the IP address of the F5 BIG-IP device
Device Type: Select F5 BIG-IP from the dropdown menu
Deployment Type: Select Generative or Override mode
Cert Upload Only: Should only certificate be uploaded? (Disabled/Enabled)
Force Sync: Should automatic synchronization to standby device be active? (Disabled/Enabled)
Partition Name: Can be left as all by default

Deployment Type Options

Generative: SecTrail CM creates a new Client SSL Profile and automatically updates the Virtual Server
Override: Directly modifies the existing SSL Profile

Force Sync

In HA (High Availability) environments, you can enable Force Sync to ensure automatic synchronization to the standby device.

Automatic Discovery

After the F5 device is added to SecTrail CM, the IP addresses and ports of all Virtual Servers defined on the device are automatically included in the discovery period and scanned regularly.

3. Viewing Device Information

After the device is added, it will be displayed in the Automation > Devices list. Click on the row to view device details:

F5 BIG-IP Device Details and Virtual Server List

Virtual Server: Virtual Server names defined on the F5 device
Profile Name: SSL profile names
Type: Client-Side or Server-Side SSL profile type
Destination Address and Port: IP and port that the Virtual Server listens on
Common Name: Common Name value of the current certificate
Fingerprint: Certificate fingerprint
Deploy: For certificate deployment

Certificate Deployment

Step 1: Virtual Server and Certificate Selection

Select your F5 device from Automation > Devices
In the device details, find the Virtual Server where you want to deploy the certificate
Click the Deploy button on the relevant row
In the Deploy Certificate window that opens:
- Virtual Servers: Target Virtual Server information is displayed
- Certificate: Select the certificate you want to deploy from the dropdown menu

Certificate Deployment Screen

Step 2: Starting the Deployment Process

Click the Deploy button to start the certificate deployment process.

Step 3: Process Tracking

The deployment process can be tracked from Automation > Processes:

Generative Mode:

F5 BIG-IP Deployment - Generative Mode

Override Mode:

F5 BIG-IP Deployment - Override Mode

Operation Details

Step	Generative Mode	Override Mode
1	Certificate, key, and chain files are uploaded to F5 BIG-IP device	Certificate, key, and chain files are uploaded to F5 BIG-IP device
2	A new Client SSL profile is created using the existing Client SSL profile as parent	Existing Client SSL profile is directly updated (no new profile created)
3	The created new profile is assigned to the Virtual Server	Certificate in the profile is updated without changing VS configuration

Rollback Operation

The Manual Rollback feature can be used in case of issues after certificate deployment.

Automatic Rollback

If an error occurs at any step during the deployment process, the system automatically performs a rollback and all changes are reverted.

Rollback Steps

Navigate to Automation > Processes
Find the operation you want to rollback
Use the Manual-Rollback option in the Status column
Confirm

Operations During Rollback

Step	Generative Mode Rollback	Override Mode Rollback
1	VS's previous profile settings are restored	Certificate references in the profile are reverted to the old certificate
2	Profile created during deployment is removed	Newly uploaded certificate, key, and chain files are deleted
3	Certificate, key, and chain files are deleted from F5 device	-

Connection Requirements​

Automated Operations​

Configuration Steps​

1. Creating F5 BIG-IP User​

2. Adding F5 Device to SecTrail CM​

Deployment Type Options​

3. Viewing Device Information​

Certificate Deployment​

Step 1: Virtual Server and Certificate Selection​

Step 2: Starting the Deployment Process​

Step 3: Process Tracking​

Operation Details​

Rollback Operation​

Rollback Steps​

Operations During Rollback​