<< All versions
System Endpoints (
Network Endpoints (
Cluster Management (
Authentication & Authorization (
Analytics (
Security (
Access Policy Manager (
Cloud Endpoints (
Shared Endpoints (
Live Update (
ADC Certificate Management (
File Management (
CLI Settings (
WOM / iSession (
Skill v1.0.1
currentAutomated scan100/100automateyournetwork/netclaw/pyats-f5-platform
3 files
──Details
PublishedJune 4, 2026 at 11:57 AM
Content Hashsha256:4b93ac52fbfbb758...
Git SHA9218048c87a2
Bump Typepatch
──Files
Files (1 file, 24.6 KB)
SKILL.md24.6 KBactive
SKILL.md · 575 lines · 24.6 KB
version: "1.0.1" name: pyats-f5-platform description: "F5 BIG-IP platform operations via pyATS iControl REST — system, networking, HA/CM, auth, analytics, security, APM, live-update, ADC certs, file management. Use when checking BIG-IP system health, verifying HA sync status, auditing certificates, or inspecting F5 platform resources." license: Apache-2.0 user-invocable: true metadata: { "openclaw": { "requires": { "bins": ["python3"], "env": ["PYATS_TESTBED_PATH"] } } }
F5 BIG-IP Platform Operations via pyATS
Testbed Requirements
F5 BIG-IP devices in the pyATS testbed:
yaml
devices:bigip-01:os: bigiptype: load-balancerconnections:rest:class: restip: 10.0.0.20port: 443protocol: httpscredentials:default:username: "%ENV{F5_USERNAME}"password: "%ENV{F5_PASSWORD}"
How to Call
Use pyats_run_show_command with iControl REST API paths:
bash
PYATS_TESTBED_PATH=$PYATS_TESTBED_PATH python3 $MCP_CALL "python3 -u $PYATS_MCP_SCRIPT" pyats_run_show_command '{"device_name":"bigip-01","command":"show sys version"}'
System Endpoints (/mgmt/tm/sys/*)
Platform & Version
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/version | BIG-IP software version, build, edition | |
/mgmt/tm/sys/software/image | Software images available on disk | |
/mgmt/tm/sys/software/volume | Boot volumes and active/standby slots | |
/mgmt/tm/sys/software/hotfix | Installed hotfixes | |
/mgmt/tm/sys/software/update | Software update status | |
/mgmt/tm/sys/hardware | Hardware platform: chassis, CPU model, memory, serial number | |
/mgmt/tm/sys/hostinfo | Host information: hostname, memory, CPU count, active/standby |
CPU, Memory & Disk
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/cpu | CPU utilization per core — current, 5s, 1m, 5m averages | |
/mgmt/tm/sys/memory | Memory usage: TMM, other, host subsystems | |
/mgmt/tm/sys/disk/logical-disk | Logical disk partitions: size, free space, mount point | |
/mgmt/tm/sys/disk/directory | Disk directory usage | |
/mgmt/tm/sys/disk/application-volume | Application volumes | |
/mgmt/tm/sys/performance/all-stats | Consolidated performance: throughput, connections, CPU, memory | |
/mgmt/tm/sys/performance/connection | Active/new connection stats and trends | |
/mgmt/tm/sys/performance/throughput | Client/server throughput stats | |
/mgmt/tm/sys/performance/system | System-wide performance aggregation | |
/mgmt/tm/sys/performance/ramcache | RAM cache hit/miss/eviction stats |
System Configuration
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/global-settings | Hostname, GUI setup, console inactivity, LCD display settings | |
/mgmt/tm/sys/db | System database variables (bigdb) — thousands of internal settings | |
/mgmt/tm/sys/provision | Module provisioning: LTM, GTM, ASM, APM, AFM allocation levels (nominal/minimum/dedicated) | |
/mgmt/tm/sys/httpd | HTTPD settings: SSL protocols, ciphers, access restrictions | |
/mgmt/tm/sys/sshd | SSHD settings: allowed ciphers, MACs, login grace time | |
/mgmt/tm/sys/daemon-ha | Daemon HA settings | |
/mgmt/tm/sys/daemon-log-settings/tmm | TMM daemon log settings | |
/mgmt/tm/sys/daemon-log-settings/mcpd | MCPD daemon log settings | |
/mgmt/tm/sys/daemon-log-settings/clusterd | Cluster daemon log settings | |
/mgmt/tm/sys/daemon-log-settings/csyncd | Config sync daemon log settings | |
/mgmt/tm/sys/daemon-log-settings/icrd | ICR daemon log settings | |
/mgmt/tm/sys/daemon-log-settings/lind | LIND daemon log settings | |
/mgmt/tm/sys/outbound-smtp | Outbound SMTP configuration |
Time Services
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/ntp | NTP servers and timezone — verify NTP sync on every health check | |
/mgmt/tm/sys/dns | DNS resolver configuration: nameservers, search domains |
Logging & Syslog
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/syslog | Syslog configuration: remote servers, facility, severity filters | |
/mgmt/tm/sys/log-config/destination/remote-syslog | Remote syslog destinations | |
/mgmt/tm/sys/log-config/destination/remote-high-speed-log | High-speed logging destinations | |
/mgmt/tm/sys/log-config/destination/local-syslog | Local syslog destinations | |
/mgmt/tm/sys/log-config/destination/local-database | Local database log destinations | |
/mgmt/tm/sys/log-config/destination/management-port | Management port log destinations | |
/mgmt/tm/sys/log-config/destination/ipfix | IPFIX log destinations | |
/mgmt/tm/sys/log-config/destination/splunk | Splunk log destinations | |
/mgmt/tm/sys/log-config/destination/arcsight | ArcSight log destinations | |
/mgmt/tm/sys/log-config/filter | Log filters | |
/mgmt/tm/sys/log-config/publisher | Log publishers (aggregate multiple destinations) | |
/mgmt/tm/sys/log-rotate | Log rotation settings |
SNMP
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/snmp | SNMP configuration: communities, trap hosts, sysContact, sysLocation | |
/mgmt/tm/sys/snmp/communities | SNMP community strings | |
/mgmt/tm/sys/snmp/traps | SNMP trap configurations | |
/mgmt/tm/sys/snmp/users | SNMPv3 users |
Crypto & Certificates
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/crypto/cert | SSL certificates installed on the system | |
/mgmt/tm/sys/crypto/key | SSL private keys | |
/mgmt/tm/sys/crypto/crl | Certificate revocation lists | |
/mgmt/tm/sys/crypto/csr | Certificate signing requests | |
/mgmt/tm/sys/crypto/cert-order-manager | Certificate order management | |
/mgmt/tm/sys/crypto/cert-validator/ocsp | OCSP certificate validator | |
/mgmt/tm/sys/crypto/fips | FIPS 140-2 status and key management | |
/mgmt/tm/sys/crypto/master-key | Master key information | |
/mgmt/tm/sys/crypto/server | Crypto server settings | |
/mgmt/tm/sys/crypto/checkip | Crypto check-IP settings |
Licensing
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/license | Current license: registration key, modules, expiration, feature flags | |
/mgmt/tm/shared/licensing/registration | License registration details |
iCall & iApps
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/icall/handler/periodic | iCall periodic handlers (scheduled tasks) | |
/mgmt/tm/sys/icall/handler/triggered | iCall triggered handlers | |
/mgmt/tm/sys/icall/handler/perpetual | iCall perpetual handlers | |
/mgmt/tm/sys/icall/istats-trigger | iCall iStats triggers | |
/mgmt/tm/sys/icall/script | iCall scripts | |
/mgmt/tm/sys/application/apl-script | APL scripts | |
/mgmt/tm/sys/application/custom-stat | Custom statistics | |
/mgmt/tm/sys/application/service | Application services (iApps) | |
/mgmt/tm/sys/application/template | Application templates |
Monitoring & Health
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/sflow/receiver | sFlow receiver configuration | |
/mgmt/tm/sys/sflow/data-source/vlan | sFlow VLAN data sources | |
/mgmt/tm/sys/sflow/data-source/interface | sFlow interface data sources | |
/mgmt/tm/sys/sflow/data-source/http | sFlow HTTP data sources | |
/mgmt/tm/sys/sflow/data-source/system | sFlow system data sources | |
/mgmt/tm/sys/ipfix/destination | IPFIX collector destinations | |
/mgmt/tm/sys/ipfix/element | IPFIX information elements | |
/mgmt/tm/sys/connection | Active system connections | |
/mgmt/tm/sys/alert/snmp | SNMP alert settings | |
/mgmt/tm/sys/alert/lcd | LCD alert settings |
Management Access
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/management-ip | Management IP address(es) | |
/mgmt/tm/sys/management-route | Management routing table | |
/mgmt/tm/sys/management-ovsdb | Management OVSDB settings | |
/mgmt/tm/sys/management-dhcp/sys-dhcp-config | Management DHCP configuration |
Miscellaneous System
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/sys/cluster | Cluster membership and status | |
/mgmt/tm/sys/dynad/key | Dynamic advertiser keys | |
/mgmt/tm/sys/ecm/cloud-provider | ECM cloud provider settings | |
/mgmt/tm/sys/feature-module | Feature module status | |
/mgmt/tm/sys/folder | Configuration folders (partitions) | |
/mgmt/tm/sys/fpga/firmware-config | FPGA firmware configuration | |
/mgmt/tm/sys/gepd | GEPD settings | |
/mgmt/tm/sys/pfman/consumer | PF manager consumer settings | |
/mgmt/tm/sys/pfman/device | PF manager device settings | |
/mgmt/tm/sys/state-mirroring | State mirroring settings | |
/mgmt/tm/sys/turboflex/profile-config | TurboFlex profile configuration | |
/mgmt/tm/sys/url-db/download-schedule | URL database download schedule | |
/mgmt/tm/sys/url-db/url-category | URL categories | |
/mgmt/tm/sys/datastor | Data store settings | |
/mgmt/tm/sys/diags/ihealth | iHealth diagnostic settings |
Network Endpoints (/mgmt/tm/net/*)
Interfaces & VLANs
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/interface | Physical interfaces: speed, duplex, media type, flow control, status | |
/mgmt/tm/net/vlan | VLANs: tag, interfaces, failsafe settings | |
/mgmt/tm/net/vlan-allowed-list | VLAN allowed list | |
/mgmt/tm/net/vlan-group | VLAN groups | |
/mgmt/tm/net/self | Self IPs: address, VLAN, traffic-group, allow-service list | |
/mgmt/tm/net/self-allow | Self IP allowed ports/protocols | |
/mgmt/tm/net/trunk | Trunk groups (802.3ad LACP) — member interfaces, distribution hash |
Routing
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/route | Static routes | |
/mgmt/tm/net/route-domain | Route domains (VRF equivalent on BIG-IP) | |
/mgmt/tm/net/routing/bgp | BGP configuration | |
/mgmt/tm/net/routing/bfd | BFD configuration | |
/mgmt/tm/net/routing/prefix-list | Prefix lists | |
/mgmt/tm/net/routing/route-map | Route maps | |
/mgmt/tm/net/routing/access-list | Access lists for routing |
Tunnels
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/tunnels/tunnel | Tunnel interfaces (GRE, VXLAN, IPsec, etc.) | |
/mgmt/tm/net/tunnels/gre | GRE tunnel profiles | |
/mgmt/tm/net/tunnels/vxlan | VXLAN tunnel profiles | |
/mgmt/tm/net/tunnels/ipsec | IPsec tunnel profiles | |
/mgmt/tm/net/tunnels/geneve | Geneve tunnel profiles | |
/mgmt/tm/net/tunnels/ipip | IPIP tunnel profiles | |
/mgmt/tm/net/tunnels/map | MAP tunnel profiles | |
/mgmt/tm/net/tunnels/wccp | WCCP tunnel profiles | |
/mgmt/tm/net/tunnels/ppp | PPP tunnel profiles | |
/mgmt/tm/net/tunnels/tcp-forward | TCP forward tunnel profiles | |
/mgmt/tm/net/tunnels/v6rd | 6rd tunnel profiles | |
/mgmt/tm/net/tunnels/fec | FEC (Forward Error Correction) tunnel profiles | |
/mgmt/tm/net/tunnels/etherip | EtherIP tunnel profiles | |
/mgmt/tm/net/tunnels/lw4o6 | Lightweight 4over6 tunnel profiles |
ARP & NDP
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/arp | ARP table entries | |
/mgmt/tm/net/ndp | IPv6 Neighbor Discovery Protocol entries |
IPsec
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/ipsec/ike-daemon | IKE daemon settings | |
/mgmt/tm/net/ipsec/ike-peer | IKE peers | |
/mgmt/tm/net/ipsec/ipsec-sa | IPsec Security Associations | |
/mgmt/tm/net/ipsec/ipsec-policy | IPsec policies | |
/mgmt/tm/net/ipsec/manual-security-association | Manual SAs | |
/mgmt/tm/net/ipsec/traffic-selector | IPsec traffic selectors |
Other Networking
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/net/stp | Spanning Tree Protocol settings | |
/mgmt/tm/net/stp-globals | STP global settings | |
/mgmt/tm/net/dag-globals | DAG (Disaggregated) global settings | |
/mgmt/tm/net/cos/global-settings | CoS global settings | |
/mgmt/tm/net/cos/traffic-priority | CoS traffic priority | |
/mgmt/tm/net/dns-resolver | DNS resolver settings | |
/mgmt/tm/net/lldp-globals | LLDP global settings | |
/mgmt/tm/net/multicast-globals | Multicast global settings | |
/mgmt/tm/net/packet-filter | Packet filter rules | |
/mgmt/tm/net/packet-filter-trusted | Trusted packet filter rules | |
/mgmt/tm/net/rate-shaping/class | Rate shaping classes | |
/mgmt/tm/net/rate-shaping/drop-policy | Rate shaping drop policies | |
/mgmt/tm/net/rate-shaping/queue | Rate shaping queues | |
/mgmt/tm/net/rate-shaping/shaping-policy | Shaping policies | |
/mgmt/tm/net/timer-policy | Timer policies | |
/mgmt/tm/net/fdb/tunnel | FDB tunnel entries | |
/mgmt/tm/net/fdb/vlan | FDB VLAN entries | |
/mgmt/tm/net/wccp | WCCP settings |
Cluster Management (/mgmt/tm/cm/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/cm/device | Devices in the trust domain — hostname, management IP, version, HA status | |
/mgmt/tm/cm/device-group | Device groups — sync-failover, sync-only, type, members | |
/mgmt/tm/cm/sync-status | Config sync status — check this first on any HA pair | |
/mgmt/tm/cm/failover-status | Failover state — active/standby/forced-offline | |
/mgmt/tm/cm/traffic-group | Traffic groups — floating IPs, failover order, HA scoring | |
/mgmt/tm/cm/trust-domain | Trust domain membership | |
/mgmt/tm/cm/cert | CM certificates | |
/mgmt/tm/cm/key | CM keys |
Authentication & Authorization (/mgmt/tm/auth/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/auth/source | Authentication source (local, remote) | |
/mgmt/tm/auth/user | Local user accounts | |
/mgmt/tm/auth/remote-user | Remote user default settings | |
/mgmt/tm/auth/remote-role | Remote role mapping | |
/mgmt/tm/auth/ldap | LDAP authentication configuration | |
/mgmt/tm/auth/radius | RADIUS authentication configuration | |
/mgmt/tm/auth/radius-server | RADIUS server list | |
/mgmt/tm/auth/tacacs | TACACS+ authentication configuration | |
/mgmt/tm/auth/password-policy | Password policy: complexity, expiration, lockout | |
/mgmt/tm/auth/partition | Administrative partitions | |
/mgmt/tm/auth/user-role | User role definitions |
Analytics (/mgmt/tm/analytics/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/analytics/cpu/report | CPU analytics reports | |
/mgmt/tm/analytics/memory/report | Memory analytics reports | |
/mgmt/tm/analytics/disk/report | Disk analytics reports | |
/mgmt/tm/analytics/http/report | HTTP analytics: requests, response time, throughput, status codes | |
/mgmt/tm/analytics/tcp/report | TCP analytics: connections, retransmissions, round-trip time | |
/mgmt/tm/analytics/dns/report | DNS analytics: query types, response codes, latency | |
/mgmt/tm/analytics/dos-l3/report | L3 DoS analytics | |
/mgmt/tm/analytics/dos/report | DoS analytics: attack vectors, detection, mitigation events | |
/mgmt/tm/analytics/dos-vis-common/report | DoS visualization common reports | |
/mgmt/tm/analytics/asm/report | ASM (WAF) analytics: violations, attack types, blocked requests | |
/mgmt/tm/analytics/bot-defense/report | Bot defense analytics | |
/mgmt/tm/analytics/ssl-orchestrator/report | SSL Orchestrator analytics | |
/mgmt/tm/analytics/swg/report | Secure Web Gateway analytics | |
/mgmt/tm/analytics/global-settings | Analytics global settings | |
/mgmt/tm/analytics/application-security/report | Application security reports | |
/mgmt/tm/analytics/network-firewall/report | Network firewall analytics | |
/mgmt/tm/analytics/protocol-inspection/report | Protocol inspection analytics |
Security (/mgmt/tm/security/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/security/firewall/management-ip-rules | Management IP access rules | |
/mgmt/tm/security/firewall/policy | AFM firewall policies | |
/mgmt/tm/security/firewall/address-list | Firewall address lists | |
/mgmt/tm/security/firewall/port-list | Firewall port lists | |
/mgmt/tm/security/firewall/rule-list | Firewall rule lists | |
/mgmt/tm/security/firewall/global-rules | Global firewall rules |
Access Policy Manager (/mgmt/tm/access/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/access/acl/stats | APM ACL statistics | |
/mgmt/tm/access/profile/stats | APM profile statistics | |
/mgmt/tm/access/session-kill-all | APM session kill control (use with extreme caution) | |
/mgmt/tm/access/usecase-pack | APM usecase packs (Guided Configuration) |
Cloud Endpoints (/mgmt/tm/cloud/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/cloud/device-group | Cloud device groups | |
/mgmt/tm/cloud/ltm/virtual-server | Cloud LTM virtual servers | |
/mgmt/tm/cloud/ltm/pool | Cloud LTM pools | |
/mgmt/tm/cloud/ltm/node | Cloud LTM nodes | |
/mgmt/tm/cloud/ltm/monitor | Cloud LTM monitors | |
/mgmt/tm/cloud/net/self-ip | Cloud self IPs | |
/mgmt/tm/cloud/net/vlan | Cloud VLANs | |
/mgmt/tm/cloud/net/route | Cloud routes | |
/mgmt/tm/cloud/iapp/service | Cloud iApp services | |
/mgmt/tm/cloud/iapp/template | Cloud iApp templates |
Shared Endpoints (/mgmt/tm/shared/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/shared/licensing/registration | License registration details | |
/mgmt/tm/shared/failover-state | Shared failover state |
Live Update (/mgmt/tm/live-update/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/live-update/asm-attack-signatures/installations | ASM attack signature updates | |
/mgmt/tm/live-update/bot-signatures/installations | Bot signature updates | |
/mgmt/tm/live-update/browser-challenges/installations | Browser challenge updates | |
/mgmt/tm/live-update/server-technologies/installations | Server technology detection updates | |
/mgmt/tm/live-update/threat-campaigns/installations | Threat campaign updates |
ADC Certificate Management (/mgmt/tm/adc/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/adc/field-value/cert/subject | Certificate subject field values | |
/mgmt/tm/adc/field-value/cert/issuer | Certificate issuer field values | |
/mgmt/tm/adc/field-value/cert/key-type | Certificate key type values | |
/mgmt/tm/adc/field-value/cert/serial | Certificate serial numbers | |
/mgmt/tm/adc/field-value/key/key-type | Key type values | |
/mgmt/tm/adc/field-value/key/key-size | Key size values | |
/mgmt/tm/adc/field-value/key/security-type | Key security type values | |
/mgmt/tm/adc/field-value/crl/issuer | CRL issuer values | |
/mgmt/tm/adc/field-value/csr/subject | CSR subject values | |
/mgmt/tm/adc/field-value/csr/key-type | CSR key type values |
File Management (/mgmt/tm/file/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/file/apm/aaa/ldap/sso | APM LDAP SSO files | |
/mgmt/tm/file/ssl-cert | SSL certificate files | |
/mgmt/tm/file/ssl-key | SSL key files | |
/mgmt/tm/file/ssl-crl | SSL CRL files | |
/mgmt/tm/file/ssl-csr | SSL CSR files | |
/mgmt/tm/file/data-group | External data group files | |
/mgmt/tm/file/external-monitor | External monitor script files | |
/mgmt/tm/file/ifile | iFile data files | |
/mgmt/tm/file/dashboard-viewset | Dashboard viewset files |
CLI Settings (/mgmt/tm/cli/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/cli/alias | CLI aliases | |
/mgmt/tm/cli/global-settings | CLI global settings: idle timeout, pager, audit log | |
/mgmt/tm/cli/history | CLI command history | |
/mgmt/tm/cli/preference | CLI user preferences | |
/mgmt/tm/cli/script | CLI scripts (tmsh scripts) |
WOM / iSession (/mgmt/tm/wom/*)
| Endpoint | Description | |
|---|---|---|
/mgmt/tm/wom/local-s2s-application-entry | WOM local S2S application entries |
Workflows
1. BIG-IP Platform Health Check
/mgmt/tm/sys/version → software version, build→ /mgmt/tm/sys/hardware → platform model, serial, memory→ /mgmt/tm/sys/cpu → CPU utilization per core→ /mgmt/tm/sys/memory → TMM and host memory usage→ /mgmt/tm/sys/disk/logical-disk → disk space remaining→ /mgmt/tm/sys/performance/all-stats → throughput, connections→ /mgmt/tm/sys/ntp → NTP sync status→ /mgmt/tm/sys/provision → module allocation (LTM, GTM, ASM, APM)→ /mgmt/tm/sys/license → license expiration, feature flags→ Flag: CPU >80%, memory >85%, disk >90%, NTP out of sync, license expiring→ GAIT
2. HA / Cluster Verification
/mgmt/tm/cm/sync-status → config sync state (In Sync / Changes Pending / Disconnected)→ /mgmt/tm/cm/failover-status → active/standby/forced-offline→ /mgmt/tm/cm/device → device trust domain members, versions→ /mgmt/tm/cm/device-group → sync-failover groups, members, type→ /mgmt/tm/cm/traffic-group → floating IPs, failover order→ /mgmt/tm/net/self → self IPs with traffic-group assignments→ Flag: sync status not "In Sync", mismatched versions, traffic-group imbalance→ GAIT
3. Network Infrastructure Audit
/mgmt/tm/net/interface → physical interfaces, speed, duplex, status→ /mgmt/tm/net/vlan → VLANs, tagged interfaces, failsafe→ /mgmt/tm/net/self → self IPs, VLAN bindings, allow-service→ /mgmt/tm/net/trunk → LACP trunks, member status, hash→ /mgmt/tm/net/route → static routes→ /mgmt/tm/net/route-domain → route domains (VRFs)→ /mgmt/tm/net/arp → ARP entries (cross-reference with NetBox)→ /mgmt/tm/net/tunnels/tunnel → active tunnels (GRE, VXLAN, IPsec)→ Flag: interfaces down, trunk members missing, orphan self IPs→ GAIT
4. Security & Certificate Audit
/mgmt/tm/sys/crypto/cert → all installed certificates→ /mgmt/tm/sys/crypto/key → private keys (verify matching)→ /mgmt/tm/sys/crypto/crl → CRLs (check freshness)→ /mgmt/tm/auth/source → authentication source (local/remote)→ /mgmt/tm/auth/password-policy → password complexity and lockout→ /mgmt/tm/sys/httpd → HTTPS cipher/protocol settings→ /mgmt/tm/sys/sshd → SSH cipher/MAC settings→ /mgmt/tm/security/firewall/management-ip-rules → management access rules→ /mgmt/tm/sys/snmp/communities → SNMP community strings→ Flag: expiring certs (<30d), weak ciphers, default SNMP communities, no password policy→ Cross-reference BIG-IP version with NVD CVE→ GAIT
5. Analytics Deep Dive
/mgmt/tm/analytics/http/report → HTTP request rates, response times, errors→ /mgmt/tm/analytics/tcp/report → TCP connections, retransmissions, RTT→ /mgmt/tm/analytics/dns/report → DNS query patterns, response codes→ /mgmt/tm/analytics/dos/report → DoS detection/mitigation events→ /mgmt/tm/analytics/asm/report → WAF violations, attack types→ /mgmt/tm/analytics/cpu/report → CPU utilization trends→ /mgmt/tm/analytics/memory/report → memory trends→ Flag: high retransmission rate, rising DoS events, WAF violation spike→ GAIT
6. Live Update Status
/mgmt/tm/live-update/asm-attack-signatures/installations → ASM sig version, last update→ /mgmt/tm/live-update/bot-signatures/installations → bot sig freshness→ /mgmt/tm/live-update/threat-campaigns/installations → threat campaign updates→ /mgmt/tm/live-update/browser-challenges/installations → browser challenge updates→ /mgmt/tm/live-update/server-technologies/installations → server tech detection→ Flag: signatures >7 days old, threat campaigns stale→ GAIT
Integration with Other Skills
| Skill | Integration | |
|---|---|---|
| pyats-f5-ltm | LTM/GTM traffic management objects complement platform view | |
| f5-health-check | F5 MCP for operational monitoring; pyATS REST for full platform inventory | |
| f5-config-mgmt | F5 MCP for safe config changes; pyATS REST for pre/post platform audit | |
| f5-troubleshoot | F5 MCP for troubleshooting; pyATS REST for deep platform inspection | |
| nvd-cve | Scan BIG-IP software version against NVD vulnerability database | |
| netbox-reconcile | Cross-reference BIG-IP self IPs, interfaces, VLANs with NetBox | |
| servicenow-change-workflow | Gate all BIG-IP platform changes behind ServiceNow CRs | |
| gait-session-tracking | Every REST query logged in GAIT |
Guardrails
- All queries are read-only — GET requests to iControl REST API only
- No configuration changes — never POST/PUT/PATCH/DELETE via this skill
- Monitor sync-status first — always check
/mgmt/tm/cm/sync-statusbefore any HA pair operations - Check license expiration — flag licenses expiring within 30 days
- Verify NTP — out-of-sync NTP causes cert validation failures and log correlation issues
- Gate changes behind ServiceNow — any platform changes go through f5-config-mgmt with CR
- Record in GAIT — every API query must be logged