comtrade scom management pack for f5 big-ip€¦ · 1 . user guide comtrade scom management pack...

1

USER GUIDE

Comtrade SCOM Management Pack for F5 BIG-IP

Version 5.0 Release date: November 2017

Legal notices

Copyright notice © 2015-2017 Comtrade Software. All rights reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, distributed, transmitted, stored in a retrieval system, modified or translated to another language in any form by any means, without the prior written consent of Comtrade Software (Comtrade). Trademarks Comtrade Software logos, names, trademarks and/or service marks and combinations thereof are the property of Comtrade or its affiliates. Other product names are the property of their respective trademark or service mark holders and are hereby acknowledged. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. Disclaimer The details and descriptions contained in this document are believed to have been accurate and up to date at the time the document was written. The information contained in this document is subject to change without notice. Comtrade Software provides this material "as is" and makes no warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Comtrade shall not be liable for errors and omissions contained herein. In no event shall Comtrade be liable for any direct, indirect, consequential, punitive, special or incidental damages, including, without limitation, damages for loss and profits, loss of anticipated savings, business interruption, or loss of information arising out of the use or inability to use this document, or any action taken based on the information contained herein, even if it has been advised of the possibility of such damages, whether based on warranty, contract, or any other legal theory. The only warranties for Comtrade Software products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

Notice This document is provided in connection with Comtrade Software products. Comtrade may have copyright, patents, patent applications, trademark, or other intellectual property rights covering the subject matter of this document. Except as expressly provided in any written license agreement from Comtrade Software, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property on Comtrade Software products. Use of underlying Comtrade Software product(s) is governed by their respective Software License and Support Terms.

Important: Please read Software License and Support Terms before using the accompanying software product(s). Comtrade Software www.comtradesoftware.com

http://www.comtradesoftware.com/

Contents 1. PREPARE ENVIRONMENT ......................................................................................................................... 5

1.1. REQUIREMENTS ............................................................................................................................................ 6 1.1.1. Hardware Requirements ................................................................................................................... 6 1.1.2. Software Requirements ..................................................................................................................... 6 1.1.3. Installation Requirements ................................................................................................................. 6

1.2. PRE-INSTALLATION CHECKS ............................................................................................................................. 7 1.3. CONFIGURING F5 BIG-IP DEVICES ................................................................................................................... 8

1.3.1. Configure SNMP Access ..................................................................................................................... 8 1.3.2. Configure iControl REST API Access ................................................................................................... 8

1.4. CREATE A SCOM RESOURCE POOL ................................................................................................................. 14 1.5. DISCOVERING BIG-IP DEVICE AS A NETWORK DEVICE IN SYSTEM CENTER OPERATIONS MANAGER ............................ 15

2. INSTALL AND CONFIGURE COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP ................................ 16

2.1. OBTAIN LATEST VERSION OF THE INSTALLATION PACKAGE ................................................................................... 17 2.2. INSTALL COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP ....................................................................... 17 2.3. CONFIGURE COMTRADE BIG-IP DEVICE ACTION ACCOUNT ................................................................................. 26 2.4. SET UP DATA WAREHOUSE ACTION ACCOUNT FOR THE F5 BIG-IP DEVICE IN SYSTEM CENTER OPERATIONS MANAGER 28

3. LICENSE ACTIVATION PROCEDURE ......................................................................................................... 29

3.1. EVALUATION AND UNIVERSAL LICENSE ACTIVATION ............................................................................................ 30 3.2. PERMANENT LICENSE ACTIVATION .................................................................................................................. 31

4. FUNCTIONALITY OVERVIEW ................................................................................................................... 33

4.1. GENERAL FUNCTIONALITIES........................................................................................................................... 34 4.1.1. Alerts ............................................................................................................................................... 34 4.1.2. All Performance Graphs .................................................................................................................. 34 4.1.3. MP Administration .......................................................................................................................... 34

4.2. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP DEVICE ................................................................................... 34 4.2.1. Device Performance view ................................................................................................................ 34 4.2.2. Device Diagram view ....................................................................................................................... 34 4.2.3. Hardware Alerts .............................................................................................................................. 34

4.3. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP DEVICE REPORTS ...................................................................... 35 4.4. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP LTM ...................................................................................... 36

4.4.1. Dashboards ..................................................................................................................................... 36 4.4.2. LTM Performance views .................................................................................................................. 36 4.4.3. LTM Diagram view .......................................................................................................................... 36 4.4.4. Filtering Virtual Servers, Pools and Pool members .......................................................................... 36 4.4.5. HA Monitoring ................................................................................................................................. 37

4.5. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP LTM REPORTS ......................................................................... 38 4.6. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP ASM ..................................................................................... 38

4.6.1. ASM Statistics dashboard ................................................................................................................ 38 4.6.2. ASM Security policies view .............................................................................................................. 38

4.7. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP ASM REPORTS ........................................................................ 39 4.8. COMTRADE MANAGEMENT PACK FOR F5 BIG-IP DNS ...................................................................................... 39

4.8.1. Some of the F5 BIG-IP Devices in F5 DNS Sync Group are not in sync monitor ............................... 39 4.8.2. DNS Wide IP Performance view....................................................................................................... 39 4.8.3. Wide IPs view .................................................................................................................................. 39

4.8.4. Filtering DNS objects ....................................................................................................................... 39

5. COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP OBJECTS, PROPERTIES, AND RELATIONSHIPS ... 41

6. UNINSTALLATION .................................................................................................................................. 43

6.1. UNINSTALLATION OVERVIEW......................................................................................................................... 44 6.2. REMOVE THE MANAGEMENT PACK FROM SCOM ............................................................................................. 44

7. TROUBLESHOOTING ............................................................................................................................... 45

7.1. WORKFLOW NOT TRIGGERED FOR COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP .................................... 46 7.2. ALERTS ARE NOT GENERATED BY COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP OR PERFORMANCE DATA IS NOT

COLLECTED ....................................................................................................................................................... 46 7.3. BIG-IP DEVICES NOT DISCOVERED BY COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP ............................... 47 7.4. RECALCULATING THE HEALTH OF A MONITOR ................................................................................................... 50 7.5. MISSING REGISTRY KEY ERROR APPEARS IN EVENT LOG WHEN UPGRADING COMTRADE SCOM MANAGEMENT PACK FOR F5

BIG-IP ............................................................................................................................................................ 51 7.6. DATA IS NOT DISPLAYED IN ASM STATISTICS DASHBOARD ................................................................................... 51 7.7. DATA FROM CERTAIN VIRTUAL SERVER IS MISSING IN ASM STATISTICS DASHBOARD ................................................. 52 7.8. ASM STATISTICS DASHBOARD IS NOT WORKING IN SCOM WEB CONSOLE ............................................................. 52 7.9. SELF IP ADDRESS PROPERTY IS EMPTY ............................................................................................................. 52 7.10. REST FRAMEWORK VERSION AND IS VIRTUAL PROPERTIES ARE EMPTY ................................................................. 52

8. SUPPORT SERVICES AND PRODUCT INFORMATION ............................................................................... 53

8.1. CONTACTING PRODUCT SUPPORT SERVICES ..................................................................................................... 54 8.1.1. Licensing .......................................................................................................................................... 54 8.1.2. Support ............................................................................................................................................ 55

8.2. GET MORE INFORMATION ABOUT COMTRADE PRODUCTS AND SERVICES ............................................................... 56 8.3. PROVIDE FEEDBACK ..................................................................................................................................... 56

9. APPENDIX .............................................................................................................................................. 57

9.1. CREATE A NEW MANAGEMENT PACK FOR OVERRIDES ........................................................................................ 58 9.2. UPGRADE PROCEDURE ................................................................................................................................. 58

9.2.1. Upgrading from any version later than 3.0 ..................................................................................... 58 9.2.2. Upgrading from any version earlier than 3.0 .................................................................................. 58

9.3. COMTRADE SCOM MANAGEMENT PACK FOR F5 BIG-IP QUIET AND PASSIVE INSTALLATION ..................................... 60 9.4. MANUAL IMPORT OF MANAGEMENT PACK FILES TO THE MANAGEMENT SERVER .................................................... 61 9.5. SET UP ACTION ACCOUNTS FOR THE F5 BIG-IP DEVICES USING WINDOWS POWERSHELL ........................................ 61 9.6. MONITORING LARGE ENVIRONMENTS WITH SYSTEM CENTER OPERATIONS MANAGER .............................................. 63 9.7. COMPLIANCE WITH FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ......................................................... 66

Chapter 1

1. Prepare environment

Prepare environment 6

1.1. Requirements

1.1.1. Hardware Requirements

System Center Operations Manager Management Server hardware requirements can be found on Microsoft System Center Operations Manager web pages System Requirements for System Center 2012 R2 (https://technet.microsoft.com/en-us/library/dn281925(v=sc.12).aspx) and in product’s manuals.

1.1.2. Software Requirements

Comtrade SCOM Management Pack for F5 BIG-IP import requirements

The sealed Comtrade BIG-IP management pack has the following dependencies:

Library Version

Microsoft.SystemCenter.DataWarehouse.Library 7.0.8427.0

Microsoft.SystemCenter.DataWarehouse.Report.Library 7.0.9538.0

Microsoft.SystemCenter.Library 7.0.8427.0

Microsoft.SystemCenter.NTService.Library 7.0.8560.0

Microsoft.SystemCenter.Visualization.Library 7.0.8560.0

Microsoft.SystemCenter.Visualization.ServiceLevelComponents 7.0.8560.0

Microsoft.Windows.Library 7.5.8501.0

System.Health.Library 7.0.8427.0

System.Library 7.5.8501.0

System.NetworkManagement.Library 7.0.8560.0

System.Performance.Library 7.0.8427.0

Table 1. Comtrade SCOM Management Pack for F5 BIG-IP dependencies

The versions stated in Table 1. are minimum versions.

Note Default management packs listed above should not be removed from a System Center Operations Manager Management Group due to the mentioned dependencies. If this removal does occur, default management packs can be imported from the System Center Operations Manager installation directory. For more information see: How to Import an Operations Manager Management Pack (https://technet.microsoft.com/en-us/library/hh212691(v=sc.12).aspx)

1.1.3. Installation Requirements

Comtrade SCOM Management Pack for F5 BIG-IP product requires .NET Framework version 4.0.

https://technet.microsoft.com/en-us/library/dn281925(v=sc.12).aspx

https://technet.microsoft.com/en-us/library/dn281925(v=sc.12).aspx

https://technet.microsoft.com/en-us/library/hh212691(v=sc.12).aspx




1.2. Pre-Installation Checks

The following must be ensured before starting with Comtrade SCOM Management Pack for F5 BIG-IP (SCOM MP for F5

BIG-IP) installation:

• Check Compatibility matrix document to ensure that SCOM MP for F5 BIG-IP supports your F5® BIG-IP®

appliance and Microsoft System Center Operation Manager versions. Compatibility matrix document can

be found in release .zip package in /doc directory.

• Microsoft System Center Operations Manager is correctly installed on the Management Server.

See Deploying System Center 2012 - Operations Manager (https://technet.microsoft.com/en-

us/library/hh278852(v=sc.12).aspx) for more details.

• If you are using Gateway Servers, see Deploying a Gateway Server (https://technet.microsoft.com/en-

us/library/hh456447(v=sc.12).aspx).

• Make sure that all Management Servers can access BIG-IP devices via SNMP (UDP 161) and HTTPS (TCP 443) port. Communication between Gateway Servers and Management Servers occurs over only one port (TCP 5723), and has to be opened if you are using Gateway Servers.





1.3. Configuring F5 BIG-IP devices

These steps must be performed on all BIG-IP devices.

1.3.1. Configure SNMP Access

1. Log on to the F5 BIG-IP Traffic Management Shell (tmsh) with administrator credentials through the command-line interface.

2. In tmsh, add SCOM management server as a SNMP agent: tmsh modify sys snmp allowed-addresses add { <IPAddress> }

Please replace the <IPAddress> placeholder with the IP Address of the Management Server from the Resource Pool that will be used to monitor BIG-IP devices.

example: “tmsh modify sys snmp allowed-addresses add { 10.81.9.67 }”

3. Check if SNMP community string is added on the BIG-IP device. If not add it by executing the following command : tmsh modify sys snmp communities add { test_community { community-name “<communityString>” source “<IPAddress>” } }

Please replace the <communityString> placeholder with the community string that will be used when discovering these BIG-IP devices in SCOM. <IPAddress> placeholder should also be replaced with the IP Address of the Management Server. This should be done for all management servers from the Resource Pool that will be used to monitor BIG-IP devices.

example: “tmsh modify sys snmp communities add { test_community { community-name “test” source

“10.81.9.67” } }”

4. Save configuration changes: save sys config

1.3.2. Configure iControl REST API Access

To be able to monitor F5 BIG-IP Devices with iControlREST service, either a local or external BIG-IP user account needs to be created on all BIG-IP devices that will be monitored by the Management Pack. The user needs to be associated with the administrator role and must have access to all partitions, if the BIG-IP version less than 11.6.0. This user needs Administrator role in order to access iControl REST API if the version of the F5 BIG-IP device is less than 11.6.0, and it will not be used by SCOM MP for F5 BIG-IP to modify the BIG-IP device in any other way. If the

Verification HTTPS accessibility can be checked by accessing the https://<IP Address> from each of the SCOM

Management Servers that will be used to monitor the BIG-IP Devices. The <IP Address> should be replaced

with the IP Address of the BIG-IP device. If the BIG-IP Web UI is displayed, then the BIG-IP can be accessed

from SCOM using HTTPS.


version of the F5 BIG-IP device is 11.6.0 or above, user does not need to have Administrator role and read only access can be configured. If you want to monitor the F5 BIG-IP using a Local Account, refer to A. Create a Local Account. If you want to monitor it using Remote Account, go to section B. Configure Remote Authentication. If you want to monitor it using Read-Only Account, go to section C. Configure F5 Big-IP MP for Monitoring Using Read-Only account.

Note It is not possible to use both local and external BIG-IP user on the same device. The only exception are built in root and admin accounts.

A. Create a Local Account

On each F5 BIG-IP device:

1. Log on to the F5 BIG-IP Traffic Management Shell (tmsh) with administrator credentials.

2. In tmsh, create a local user by executing the corresponding command given below.

In case of BIG-IP version 11.5.0, 11.5.1, 11.5.2 or 11.5.3, 11.5.4:

create auth user ComtradeBigIpMonitoringUser password <MyPassword> partition-access all role admin shell none

In case of BIG-IP version 11.6.0, 11.6.1, 12.0.0, 12.1.0, 12.1.1:

create auth user ComtradeBigIpMonitoringUser password <MyPassword> partition-access add { all-partitions { role admin } } shell none

Please replace the <MyPassword> placeholder with the password that you want to use for this account. This user must have access to all partitions.

3. Verify that the user is created using the following command in tmsh.

list auth user

Depending on the BIG-IP version, output should be similar to this:

auth user ComtradeBigIpMonitoringUser { description "ComtradeBigIpMonitoringUser" encrypted-password "$6$gjO9Xaj/$P2TkRsH4r2sdVbsdutM.FoeWPjk8gdJIIyPdhD/cV/vG5kqSl9LWvAUS.l.iAf7j8WmB61kKi8infxID1Y7CFEaX30" partition Common partition-access all role admin shell none } auth user ComtradeBigIpMonitoringUser { description ComtradeBigIpMonitoringUser encrypted-password $6$gjO9Xaj/$P2TkRsH4r2sdVbsdutM.FoeWPjk8gdJIIyPdhD/cV/vG5kqSl9LWvAUS.l.iAf7j8WmB61kKi8infxID1Y7CFEaX30 partition Common partition-access { all-partitions { role admin } } shell none }

4. Save system configuration.

save sys config


Verification

1. Open a web browser on one of the management servers that can access the BIG-IP device

2. Enter the following URL: https://<IP_Address>/mgmt/tm/cm/device?$select=version,managementIp

3. <IP_Address> should be replaced with the management IP address of the BIG-IP device

4. You will be prompted for the credentials. Here you should enter the username and password of the

monitoring account that you have configured previously 5. If the monitoring account has been configured properly the response from the device should be a valid

JSON object and it should look similar to the following response:

{ kind : "tm:cm:device:devicecollectionstate", selfLink :

"https://localhost/mgmt/tm/cm/device?$select=version,managementIp&ver=11.5.0", items : [{ managementIp : "10.49.14.127", version : "11.5.0" }] }

6. If the browser again prompts you for credentials or you get a 401: Authentication Response it is likely that either the credentials you have entered are not valid or the account has not been configured properly. In case when this happens, check that the account you are using is created on the BIG-IP device. If it is created, verify that credentials that you are using are correct, and that the account has Administrator role assigned to it.


B. Configure Remote Authentication

1. Contact your system administrator who is in charge for domain controller that you will be using and obtain a username for the user that will be used to monitor the BIG-IP devices. Account, which you are using for the external authentication, cannot be a member of the Remote Role Group.

2. On the BIG-IP device, login to its Web UI with the user that has tmsh Terminal Access and permission to create other users.

3. Navigate to System Users User List 4. Click on Create 5. Enter the User Name that you obtained from your system administrator 6. Select Administrator role. This user needs Administrator role in order to access iControl REST API if the version

of the F5 BIG-IP device is less than 11.6.0, and it will not be used by SCOM MP for F5 BIG-IP to modify the BIG-IP device in any other way. If the version of the F5 BIG-IP device is 11.6.0 or above , user does not need to have Administrator role and read only access can be configured. Please refer to C. Configure F5 Big-IP MP for Monitoring Using Read-Only account for more instructions. You must first complete these Remote Authentication configuration steps before you continue with the next section, but you can assign a guest role if you wish to configure read only access.

7. Click on Finished

Verification In order to verify if basic authentication account has been configured properly, perform the following procedure: 1. A user that you just created should be displayed in System Users Users List. If this user is not

displayed check if the user that you used to create this user has tmsh Terminal Access. Access the BIG-IP using SSH and execute the following command: list auth user

The output should look something like this:

You will need to delete the user that you just created using the following command: delete auth user domainuser

Verify that it has been deleted by again executing the following command: list auth user

Recreate the user by using the user that has permission to create users and that has access to tmsh.


C. Configure F5 Big-IP MP for Monitoring Using Read-Only account

This type of configuration is possible only for BIG-IP version 11.6.0 and above. Currently it is not possible to configure an account with Read-Only access to the iControl REST API using BIG-IP web UI. The following steps are required to perform this configuration: 1. Login to the BIG-IP Web UI 2. Navigate to System UsersUser List 3. Click on Create 4. Enter the Account User Name (for example, ComtradeMonitoringAccount) 5. If you are creating a local account, enter the password, since for external accounts you will not be able to enter the password 6. Select the appropriate role except No Access (for example, Guest role) 7. Click on Finished 8. Run the Set-ReadOnlyAccess.ps1 PowerShell script from management server, which can be found on this default location: C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Management

packs\Configuration tools. After you run the script, you need to enter the device IP address of the BIG-IP device on which you created the Account User Name (that is ComtradeMonitoringAccount). You will be prompted for the Admin credentials. After that, enter Account User Name, which you created before. To get more information about this script you can execute Get-Help .\Set-ReadOnlyAccess –detailed

Verification 2. If the user is visible on System UsersUsers List Open a web browser on one of the management

servers that can access the BIG-IP device

3. Enter the following URL: https://<IP_Address>/mgmt/tm/cm/device?$select=version,managementIp

4. <IP_Address> should be replaced with the management IP address of the BIG-IP device

5. You will be prompted for the credentials. Here you should enter the username and password of the monitoring account that you have configured previously

6. If the monitoring account has been configured properly the response from the device should be a valid JSON object and it should look similar to the following response:

{ kind : "tm:cm:device:devicecollectionstate", selfLink :

"https://localhost/mgmt/tm/cm/device?$select=version,managementIp&ver=11.5.0", items : [{ managementIp : "10.49.14.127", version : "11.5.0" }] }

7. If the browser again prompts you for credentials or you get a 401: Authentication Response it is likely that either the credentials you have entered are not valid or the account has not been configured properly. In case when this happens, check that the account you are using is created on the BIG-IP device. If it is created, verify that credentials that you are using are correct, and that the account has Administrator role assigned to it.


This will also show and example of how the script can be used.

Note Step number 8 can be executed by performing a PATCH request to the mgmt/shared/authz/roles/iControl_REST_API_User endpoint, with the following body: {"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/ComtradeMonitoringAccount"}],"resources":[ {"resourceMask":"/*","restMethod":"GET"} ,{"resourceMask":"/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*/*/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*/*/*/*/*","restMethod":"GET"} ,{"resourceMask":"/*/*/*/*/*/*/*","restMethod":"GET"} ]} This will add GET permission to all endpoints to the ComtradeMonitoringAccount user. If you created an account with another username, replace the ComtradeMonitoringAccount in https://localhost/mgmt/shared/authz/users/ComtradeMonitoringAccount with the username of the account that you created.

Verification In order to verify if basic authentication account has been configured properly, perform the following procedure:

1. Open a web browser on one of the management servers that can access the BIG-IP device 2. Enter the following URL: https://<IP_Address>/mgmt/tm/cm/device?$select=version,managementIp 3. <IP_Address> should be replaced with the management IP address of the BIG-IP device 4. You will be prompted for the credentials. Here you should enter the username and password of the monitoring account that you have configured previously 5. If the monitoring account has been configured properly the response from the device should be a valid JSON object and it should look similar to the following response: { kind : "tm:cm:device:devicecollectionstate", selfLink : "https://localhost/mgmt/tm/cm/device?$select=version,managementIp&ver=11.5.0", items : [{ managementIp : "10.49.14.127", version : "11.5.0" }] }

https://localhost/mgmt/shared/authz/users/ComtradeMonitoringAccount


1.4. Create a SCOM resource pool

In order to achieve high availability monitoring of BIG-IP devices, a resource pool with at least two management servers should be created. This step is optional but highly recommended. To create a resource pool for monitoring BIG-IP devices, perform the following steps:

1. Navigate to Administration Resource Pools in System Center Operations Manager Console. 2. Right click the pane that appears and click Create Resource Pool. 3. Enter a name for this resource pool (e.g. BIG-IP Resource Pool or F5 Resource Pool). 4. Click Next. 5. Click Add. 6. Click Search. 7. Select servers that you wish to add to this resource pool and click Add. 8. Once you have added all the servers that you wish to put in this resource pool click OK. 9. Click Next. 10. Click Create.

Verification The resource pool with the name that was created should be visible in Administration Resource Pools view.


1.5. Discovering BIG-IP Device as a Network Device in System Center Operations Manager

As a prerequisite for BIG-IP MP, all F5 BIG-IP devices need to be discovered and monitored as Network Devices by the System Center Operations Manager. To achieve monitoring of BIG-IP devices in Sync-Failover device group all devices from Sync-Failover device group must be discovered with same Network Devices Discovery.

This is an example scenario for discovering BIG-IP device on SCOM 2012 server:

Go to Administration Network Management Discovery Rules and start the Network Devices Discovery Wizard to create a discovery rule.

1. Under General Properties, choose a discovery server and a resource pool (user-created) to be used for this

purpose. 2. Select discovery type, for example Explicit discovery. 3. Create an SNMP run as account. On Default Accounts wizard page, click on Create Account button. In

Create Run As Account Wizard enter the community string that is set on the BIG-IP. 4. On the Device page, add each BIG-IP device that should be monitored and associate it with appropriate

SNMP run as account created in the previous step. As SNMP version select, for example, v1 or v2. 5. Set the time to run the discovery rule or choose to be executed manually. 6. Confirm that settings are correct.

Verification All BIG-IP devices should be visible after the discovery has been executed in one of the following SCOM views: Monitoring Network Monitoring Network Devices Administration Network Management Network Devices If you encounter any issues during execution of these steps, please refer to general guidelines for network devices discovery by the System Center Operations Manager. For more information see How to Discover Network Devices in Operations Manager (https://technet.microsoft.com/en-us/library/hh278846.aspx).

http://technet.microsoft.com/en-us/library/hh278846.aspx

http://technet.microsoft.com/en-us/library/hh278846.aspx

https://technet.microsoft.com/en-us/library/hh278846.aspx

Chapter 2

2. Install and Configure Comtrade SCOM Management Pack for F5 BIG-IP

Install and Configure Comtrade SCOM Management Pack for F5 BIG-IP 17

2.1. Obtain latest version of the Installation Package

If you have access to the Comtrade download portal check: https://support.comtradesoftware.com/hc/en-us/categories/115000547149 Otherwise, go to the Comtrade product download page: https://comtradesoftware.com/free-trial/ For more information on how to upgrade from an earlier version, see 9.2. Upgrade procedure. For instructions on how to tweak System Center Operations Manager to monitor large environments, see 9.6 Monitoring large environments with System Center Operations Manager This product version complies with the FIPS 140-2 standard. For more information, see 9.7. Compliance with Federal Information Processing Standards (FIPS)

2.2. Install Comtrade SCOM Management Pack for F5 BIG-IP

Comtrade SCOM Management Pack for F5 BIG-IP (SCOM MP for F5 BIG-IP) consists of the following features: - - Comtrade Management Pack for F5 BIG-IP ASM (Core) - Comtrade Management Pack for F5 BIG-IP ASM (Reports) - Comtrade Management Pack for F5 BIG-IP Device (Core) - Comtrade Management Pack for F5 BIG-IP Device (Reports) - Comtrade Management Pack for F5 BIG-IP DNS (Core) - Comtrade Management Pack for F5 BIG-IP LTM (Core) - Comtrade Management Pack for F5 BIG-IP LTM (Reports) - Support tool - Licensing module - Legal documents - Documentation

Data Collector, Licensing module and Support tool must be installed on all SCOM management servers that were added to the Resource Pool dedicated for monitoring BIG-IP devices. Data Collector is a Windows service, which communicates with BIG-IP devices and collects configuration and statuses for Management Pack monitoring. It listens for Management Pack requests and serves as a proxy with a cache functionality. MP and Data Collector are communicating using http protocol. The default local communication port on management servers is 19703. However, this port can be changed during installation. SCOM MP for F5 BIG-IP can also be installed in quiet and passive mode. For more details, refer to 9.3. Comtrade SCOM Management Pack for BIG-IP quiet and passive installation. Legal documents contain all license and support information you need to know while using SCOM MP for F5 BIG-IP.

Documentation folder contains the following documents:

https://support.comtradesoftware.com/hc/en-us/categories/115000547149

https://comtradesoftware.com/free-trial/


- Comtrade_MPBIGIP_CompatibilityMatrix.pdf Contains information about F5 BIGIP and Microsoft SCOM versions compatible with this product.

- Comtrade_MPBIGIP_OpenSourceAndThirdPartyComponents.txt Contains information on open source and third party components/source codes used in this software.

- Comtrade_MPBIGIP_Reference.html Contains information on available discoveries, monitors, rules, tasks, scripts, etc. with default thresholds values that can be adjusted to better suit your environment.

- Comtrade_MPBIGIP_ReleaseNotes.txt Contains release log, product documentation, upgradability options information and known issues and workarounds.

- Comtrade_MPBIGIP_UserGuide.pdf This guide will walk you through the steps of using SCOM MP for F5 BIG-IP.

To install SCOM MP for F5 BIG-IP, perform the following steps on each Management server: 1. Unzip setup package. 2. Launch the Comtrade.SCOM.MP.F5.BIG-IP.msi setup package while logged in as user that has administrative

privileges.


3. Choose the setup type that you wish to install.

a. Typical Installs most common program features: - Data Collector - Device Management pack - LTM Management pack - ASM Management pack - ASM Report Management pack - DNS Management pack - LTM Reports Management pack - Device Reports Management pack - Support tool - Licensing module - Legal documents

b. Custom setup type lets you choose which features will be installed, and the location where the features will be installed. For more details, see Verification at the end of this section.


c. Complete setup type installs the following features:

- Data Collector - Device Management pack - LTM Management pack - ASM Management pack - ASM Reports Management pack - DNS Management pack - LTM Reports Management pack - Device Reports Management pack - Support tool - Licensing module - Legal documents - Documentation

4. If the Data Collector feature is chosen to be installed the following screen will appear:


This port number will be used by Comtrade SCOM Data Collector for F5 BIG-IP for listening to MP requests and it must not be used by any other application. If port is already taken, error message will be displayed. In that case, enter another available port.

5. If the Management Pack feature is chosen to be installed the following screen will appear:

Choose if you want to import Comtrade SCOM Management Pack for F5 BIG-IP automatically or this step will be performed manually. Automatic import can be performed only on a management server. If the installation is being performed on a server that isn’t a SCOM Management Server, select No for this step. If you would like to perform this step manually, please refer to 9.4. Manual Import of Management Pack Files to the Management Server

6. Click on Install to begin installation


7. If the installation was successful, the following screen will appear:


Verification After the installation has completed successfully, the Comtrade SCOM Management Pack for F5 BIG-IP program is added to the list of programs in the Programs and Features window. Depending on which features have been selected for installation the following directories will be created. <InstallDir> location is a default installation path. You can specify paths for each sub-directory during custom installation type step above. <InstallDir> locations:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP

<InstallDir> directory contains the following sub-directories: - Data Collector - Documentation - Legal documents - Licensing PowerShell scripts - Management packs - Support tool

Data Collector This is the location by default: <DataDir> locations:

%ProgramData%\Comtrade\Comtrade F5 Data collector

<DataDir> directory contains the following sub-directories: - Conf - data - log

Default location: %ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Data Collector

Content of the Data Collector directory is: - Comtrade.F5.Agent.dll - Comtrade.F5.DataObjects.dll - Comtrade.F5.DeviceConnection.dll - Comtrade.F5.Json.dll - Comtrade.F5.Licensing.dll - Comtrade.F5.Logging.dll - Comtrade.F5.Properties.dll - Comtrade.F5.Service.exe - Comtrade.F5.Service.exe.config - Comtrade.F5.Snmp.dll - log4net.dll - Newtonsoft.Json.dll - SnmpSharpNet.dll

Management packs Default locations:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Management packs\Configuration tools %ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Management packs

Content of the Configuration tools directory is: - bigIpRunAsAccountAndProfileSetup.ps1 - exampleFQDNAndCredentialsFile.txt - importmp.ps1 - Set-ReadOnlyAccess.ps1 - testcredentials.ps1

Content of the Management packs directory is: - Comtrade.SCOM.MP.F5.BIG-IP.ASM.mpb - Comtrade.SCOM.MP.F5.BIG-IP.Device.Reports.mpb - Comtrade.SCOM.MP.F5.BIG-IP.DNS.mpb - Comtrade.SCOM.MP.F5.BIG-IP.LTM.mpb - Comtrade.SCOM.MP.F5.BIG-IP.LTM.Reports.mpb - Comtrade.SCOM.MP.F5.BIG-IP.mpb - Comtrade.SCOM.MP.F5.BIG-IP.Reports.mpb


Verification

Support tool default location:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Support tool

Content of the Support tool directory is: - support.ps1

Licensing module Default locations:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell scripts\Comtrade.F5.LicensingModule %ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell scripts

Content of the Comtrade.F5.LicensingModule directory is: - Comtrade.F5.LicensingModule.dll - log4net.dll - log4net.xml - Microsoft.EnterpriseManagement.Core.dll - Microsoft.EnterpriseManagement.OperationsManager.dll

Content of the Licensing PowerShell scripts directory is: - CreateRequestFile.ps1 - CreateRequestFileForSpecifiedBigIpDevices.ps1 - ImportLicenseFile.ps1 - LicensedBigIPDevices.ps1

Documentation Default location:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Documentation

Content of the Documentation directory is: - Comtrade_MPBIGIP_CompatibilityMatrix.pdf - Comtrade_MPBIGIP_OpenSourceAndThirdPartyComponents.txt - Comtrade_MPBIGIP_Reference.html - Comtrade_MPBIGIP_ReleaseNotes.txt - Comtrade_MPBIGIP_UserGuide.pdf

Legal documents Default location:

%ProgramFiles(x86)%\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Legal documents

Content of the Legal documents directory is: - LibroLib-MIT-license.txt - LICENSE.md - log4netlicense.txt - mapgalleryofreportingserviceslicense.txt - snmpsharpnetlicense.txt - sshnetlicense.txt


Verification Verify the Import of the Management Pack to the Management Server In the Monitoring view of the System Center Operations Manager console, F5 BIG-IP Monitoring folder should appear:

Figure 1. Comtrade SCOM Management Pack for F5 BIG-IP elements

The content of this folder highly depends on which management packs are imported. In Reporting pane, Comtrade Management Pack for F5 BIG-IP ASM Reports (Comtrade F5 BIG-IP ASM User Sessions, report and Comtrade F5 BIG-IP ASM Attacks report) are created. .


2.3. Configure Comtrade BIG-IP Device Action Account

Comtrade BIG-IP Device Action Account is used by Comtrade SCOM Data Collector for F5 BIG-IP to access BIG-IP device through the BIG-IP iControl REST API. Follow the steps below to create Comtrade BIG-IP Device Action Account in SCOM console. If you want to create it using Windows PowerShell, refer to chapter 9.5. Set Up Action Accounts for the F5 BIG-IP Devices using Windows PowerShell. Create account for monitoring F5 BIG-IP devices:

1. On the Management Server1, start the System Center Operations Manager console. 2. Select Administration pane from Navigation pane. 3. Select Run As Configuration Accounts, and then Actions Create Run As Account. 4. Choose Basic Authentication or Windows authentication (used for external authentication) for Run As

Account Type. 5. Enter Display name and provide credentials for the account (user is created by following steps in the

1.3. Configuring F5 BIG-IP devices section). 6. For distribution security option, choose More secure and create account.

Assign accounts to devices:

1. Log on the Management Server as a user with Administrator rights and start the System Center Operations Manager console.

2. Select Administration pane from Navigation pane. 3. Select Run As Configuration Profiles, double click on Comtrade BIG-IP Device Action Account. Choose

Run As Accounts and click on the Add button. 4. From dropdown list, choose previously added account, check the second radio button (A selected class,

group, or object). Then, click on the Select button and choose Object. 5. In the Look for dropdown list, choose Node objects, so you can search for network devices.

1 Management Server where Comtrade SCOM Management Pack for F5 BIG-IP product is installed.


6. Run As Profile Window should look like this.

7. Add BIG-IPs discovered as network devices2 and save configuration. 8. Specify account distribution to the resource pool(s) where the network devices are discovered. 9. Complete account associating.

2 For more details see: 1.4. Discovering BIG-IP Device as a Network Device in System Center Operations Manager

Verification

Network Devices should be discovered using iControl REST API and visible in Monitoring pane F5 BIG-IP Monitoring MP Administration BIG-IP Network Devices view. This is a prerequisite for License Activation Procedure.


2.4. Set Up Data Warehouse Action Account for the F5 BIG-IP Device in System Center Operations Manager

In order to allow access to DW Operations database for ASM Event Requests Data Rule, Data Warehouse Account profile needs to be setup. Assign accounts for F5 Sync Failover Groups:

1. Log on the Management Server as a user with Administrator rights and start the System Center Operations Manager console.

2. Select Administration pane from Navigation pane. 3. Select Run As Configuration Profiles, double click on Data Warehouse Account. Choose Run As

Accounts and click on the Add button. 4. From dropdown list, choose Data Warehouse Action Account, check the second radio button (A selected

class, group, or object). Then, click on the Select button and choose Class. 5. In the Filter by text box, write F5 Sync Failover Group. Click on the Search button. In Available items,

select F5 Sync Failover Group and save configuration. Run As Profile Window should look like this.

6. Specify account distribution to the resource pool(s) where the network devices are discovered. Complete account associating.

7. Complete account associating.

Chapter 3

3. License Activation Procedure

License Activation Procedure 30

Prerequisites

Network Devices which you want to license must be discovered and visible in Monitoring pane F5 BIG-IP Monitoring MP Administration BIG-IP Network Devices view. Comtrade SCOM Data Collector for F5 BIG-IP and Licensing module must be installed on all Management Servers in resource pool that is dedicated for monitoring BIG-IP devices. To find Management Servers, that are monitoring BIG-IP devices, select Monitoring pane in SCOM Console and go to F5 BIG-IP Monitoring MP Administration Data Collector Administration.

3.1. Evaluation and universal license activation

On each of the Management Servers in the SCOM resource pool that is being used to monitor BIG-IP devices the following steps should be performed:

1. Copy mpbigip_licact_new.dat file to the %ProgramData%\Comtrade\Comtrade F5 Data collector folder on the SCOM server

2. This should be performed on all SCOM servers which have Comtrade SCOM Data Collector for F5 BIG-IP

Installed

To find Management Servers, that are monitoring BIG-IP devices, select Monitoring pane and go to F5 BIG-IP Monitoring MP Administration Data Collector Administration.

Verification The mpbigip_licact_new.dat located in %ProgramData%\Comtrade\Comtrade F5 Data collector directory should change name to mpbigip_licact.dat after 5 minutes. This will happen only if the Comtrade SCOM Data Collector for F5 BIG-IP is receiving requests from SCOM, which will happen only if the BIG-IP devices have been previously discovered.


3.2. Permanent license activation

To generate license request file for all unlicensed BIG-IP devices perform following steps on any of the Management Servers monitoring BIG-IP devices and has Comtrade SCOM Data Collector for F5 BIG-IP installed:

1. From Start menu/screen launch Windows PowerShell and navigate to C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell

scripts directory.

The location of the Licensing PowerShell scripts directory mentioned above is the default location. example: cd ‘C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell scripts’

2. To generate license request file (mpbigip_license_requests.dat), and save it to the desired location on disk, execute CreateRequestFile.ps1, pass company name and path where request file should be saved. example: .\CreateRequestFile.ps1 'company name' 'C:\'

3. To activate the license request file:

Go to the Licensing portal: http://managementpacks.comtrade.com/mp-licensing/ Register and upload previously saved license request file. The system will automatically process your request. You should receive the license activation file mpbigip_licact_new.dat by e-mail within 10 minutes. Save it on an appropriate location.

To generate license request file for desired BIG-IP devices perform following steps on any of the Management Servers monitoring BIG-IP devices and has Comtrade SCOM Data Collector for F5 BIG-IP installed:


scripts directory. The location of the Licensing PowerShell scripts directory mentioned above is the default location. example: cd C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell scripts

2. To generate license request file (mpbigip_license_requests.dat), and save it to the desired location on disk, execute CreateRequestFile.ps1, pass company name and path where request file should be saved and list of BIG-IP Management addresses of devices that should be licensed. example: \CreateRequestFileForSpecifiedBigIpDevices.ps1 'company name' 'C:\' '10.81.12.164','10.81.12.165'

Notes User running the CreateRequestFileForSpecifiedBigIpDevices.ps1 script should have write permissions on a directory where the request file will be created, or the command should be run with administrator privileges. This command should be executed by providing parameters in the exact order as given in example above.

http://managementpacks.comtrade.com/mp-licensing/


Permanent license activation keys are node locked and they are activated during product installation and configuration steps.

To apply the new license file mpbigip_licact_new.dat, perform following steps on each SCOM server:

1. Copy the new license file mpbigip_licact_new.dat on this Management Server on appropriate location if it does not already exist.

2. After the successful activation, when Data Collector detects new license file, it will convert it to

mpbigip_licact.dat or merge it with the previous one if it already exists. Devices and its configuration objects will be discovered, but monitors and rules provided by Comtrade SCOM Management Pack for F5 BIG-IP will not work without a valid license.

Note If the license activation procedure has not been done properly, it will have an effect on the whole Comtrade SCOM Management Pack for F5 BIG-IP monitoring. Monitors and rules provided by this product will not work without a valid license.

Verification The mpbigip_licact_new.dat located in %ProgramData%\Comtrade\Comtrade F5 Data collector directory should change name to mpbigip_licact.dat after 5 minutes. This will happen only if the Comtrade SCOM Data Collector for F5 BIG-IP is receiving requests from SCOM, which will happen only if the BIG-IP devices have been previously discovered.

Chapter 4

4. Functionality overview

Functionality overview 34

4.1. General Functionalities

4.1.1. Alerts

Alerts view provides an overview of all active alerts related to the F5 BIG-IP devices and applications delivered using F5 BIG-IP devices. Some of the scenarios that the Comtrade SCOM Management Pack for F5 BIG-IP will create alerts for are when the device does not have enough free space on storage, CPU utilization is high, local traffic virtual servers, local traffic pools and local traffic pool members have been marked as unavailable, or their status is unknown.

4.1.2. All Performance Graphs

This folder contains performance data graphs, such as CPU Performance, Disk Partition Utilization, Memory Utilization, Network Interface Performance, Local Traffic Virtual Server Performance, Local Traffic Pool Performance, Local Traffic and Pool Member Performance.

4.1.3. MP Administration

BIG-IP Network Devices shows all devices discovered by Comtrade SCOM Management Pack for F5 BIG-IP. Data Collector Administration pane enables Data Collector service management. Select Comtrade SCOM Data Collector for F5 BIG-IP and Comtrade SCOM Data Collector for F5 BIG-IP Service Tasks will be listed in Task Pane.

4.2. Comtrade Management Pack for F5 BIG-IP Device

Device Management pack locates issues in the BIG-IP device hardware components (CPU cores, disk partitions, TMM memory, other memory and network interfaces).

4.2.1. Device Performance view

This folder contains performance data graphs, such as CPU Performance, Disk Partition Utilization, Memory Utilization, Network Interface Performance and All Hardware Performance.

4.2.2. Device Diagram view

Device Diagram view displays topology view of the discovered BIG-IP devices along with its related Hardware objects, some of which are: CPU cores, disk partitions, TMM memory, other memory and network interfaces.

4.2.3. Hardware Alerts

Hardware Alerts view provides an overview of all active alerts related to the hardware components (CPU Cores, Disk partitions, Memory and Network Interfaces) of F5 BIG-IP devices.


4.3. Comtrade Management Pack for F5 BIG-IP Device Reports

To access Comtrade Management Pack for F5 BIG-IP Device Reports, do the following:

1. In the Monitoring pane, expand Monitoring and click Comtrade F5 BIG-IP.

2. Select a F5 BIG-IP Device in one of the following views: - MP Administration BIG-IP Network Devices - Device Device Diagram View

- LTM LTM Diagram View

- LTM Device - Local Traffic Virtual Server Dashboard

3. In Task pane, choose one of the available F5 BIG-IP Device Reports: - Device Traffic Report

This report shows traffic details on a specific BIG-IP device. You can choose if you want to show traffic only during business hours, and select the time and days of the week of your business cycle.

- Inbound License Utilization (Top N) This report shows license inbound utilization details for a specific device. You can choose algorithms from the drop-down list (Top N or Bottom N).

- Outbound License Utilization (Top N) This report shows license outbound utilization details for a specific device. You can choose algorithms from the drop-down list (Top N or Bottom N).

By selecting Top N algorithm, from either of the two reports, you can identify which devices utilize their license the most and you can plan ahead if you are going to need a better license by identifying growth trends on the report. By selecting Bottom N you can identify which devices utilize their license the least, and you can organize where your applications are deployed to better utilize this license

Note License utilization reports are only supported in versions 12.0.x and above.


4.4. Comtrade Management Pack for F5 BIG-IP LTM

LTM Management pack locates issues in the LTM infrastructure (virtual servers, pools, pool members), applications which are affected and discovers unutilized resources.

4.4.1. Dashboards

Device – Local Traffic Virtual Server Dashboard presents relationships between devices and virtual servers that the device contains. Local Traffic Pool – Pool Member Dashboard presents relationships between pools and pool members. Local Traffic Pool Members shows all Pool Members. Local Traffic Virtual Server – Pool Dashboard presents relationships between virtual servers and pools. SSL Certificate state view presents SSL certificate instances.

4.4.2. LTM Performance views

This folder contains performance data graphs, such as Local Traffic Virtual Server Performance, Local Traffic Pool Performance, Local Traffic and Pool Member Performance.

4.4.3. LTM Diagram view

LTM Diagram view displays topology view of the discovered BIG-IP devices along with its related LTM and Hardware objects, some of which are: traffic groups, devices (active and passive), local traffic virtual servers, local traffic pools and local traffic pool members.

4.4.4. Filtering Virtual Servers, Pools and Pool members

1. In Authoring pane, navigate to Management Pack Objects→Object Discoveries. 2. Right click on F5 Sync Failover Group Discovery, and select Overrides→Override the Object Discovery→For

all objects of class: Comtrade F5 BIG-IP Applications. 3. Override Ignore Pattern with one or more regular expressions separated with logical OR.

example : ^test_|Test12

This pattern will exclude all Virtual Servers, Pools and Pool members which names begin with “test_” OR contain “Test12”. Ignore Pattern parameter is case sensitive. Identified objects will not be discovered and monitored. All objects that are under the excluded object (that is Pool and Pool Members for Virtual Server, or Pool Members for Pool) will be excluded as well. SSL Certificates, which belong only to excluded Virtual Servers will be excluded as well. ASM Statistics dashboard will not show statistics for this object. ASM Security policies view and custom state views will not show these objects. Comtrade Management Pack for F5 BIG-IP ASM (Reports) will filter these objects from the moment you entered Ignore Pattern parameter.


4. Locate Include Pattern and check its Override checkbox. Fill the Override Value cell with one or more regular expressions separated with logical OR.

If you use the same pattern in the example above, only Virtual Servers, Pools and Pool members which names begin with “test_” OR contain “Test12” will be discovered. If the name of Virtual Server, Pool or Pool Member matches Include Pattern but does not match the Ignore Pattern it will be discovered in SCOM. If the name of Virtual Server, Pool or Pool Member matches both Include and Ignore Pattern it will not be discovered in SCOM. SSL Certificates that are being used by excluded Virtual Servers will not be discovered by Comtrade SCOM Management Pack for F5 BIG-IP. ASM Statistics Data will not be collected for excluded Virtual Servers.

4.4.5. HA Monitoring

Comtrade SCOM Management Pack for F5 BIG-IP (SCOM MP for F5 BIG-IP) discovers traffic groups on the F5 BIG-IP device, that contain at least one virtual server. These traffic groups will be visible in LTM Diagram View. Virtual servers that are contained within that traffic group will be shown in the diagram. Furthermore, it is possible to easily identify which devices are active and which are passive for that specific traffic group that is being displayed.

SCOM MP for F5 BIG-IP also monitors the health of a Sync Failover group. There are three monitors for Sync Failover Group:

Number of available devices in Sync Failover Group is below threshold - This monitor checks if number of available devices in Sync Failover group is less than predefined threshold. Monitor considers all devices that are in active or standby state available, and devices that are in any other state unavailable.

Inconsistent states are reported for devices in Sync Failover Group - This monitor checks if devices that are in the targeted sync failover group report the same state for each other.

Sync Failover Group is not available for monitoring - This monitor checks if a Sync Failover group is available for monitoring. There are several reasons why a Sync Failover group could be unavailable for monitoring some of which are:

- All BIG-IP devices from targeted Sync Failover group are offline and their status cannot be obtained.

- All BIG-IP devices from targeted sync failover group cannot be reached, because of connectivity issues between the management server and the BIG-IP device.

- All BIG-IP devices from targeted Sync Failover group cannot be reached because Comtrade SCOM Data Collector for F5 BIG-IP has been stopped.

- SCOM MP for F5 BIG-IP license was not applied for all BIG-IP devices from targeted Sync Failover group.


4.5. Comtrade Management Pack for F5 BIG-IP LTM Reports

To access Comtrade Management Pack for F5 BIG-IP LTM Reports, do the following:

1. In the Monitoring pane, expand Monitoring and click F5 BIG-IP Monitoring LTM.

2. Select a Virtual Server in one of the following views: - LTM Diagram View - Device - Local Traffic Virtual Server Dashboard - Local Traffic Virtual Server – Pool Dashboard

3. In Task pane Report Tasks choose Virtual Server Traffic Report This report shows traffic details on a specific Virtual Server. You can choose if you want to show traffic only during business hours, and select time and days of the week of your business cycle.

4.6. Comtrade Management Pack for F5 BIG-IP ASM

ASM Management pack identifies if application attack is in progress and visualizes attacks history.

4.6.1. ASM Statistics dashboard

BIG-IP Application Security Manager ASM protects against OWASP top 10 threats, application vulnerabilities, and zero-day attacks. Choose a device from device list which have ASM module, and then choose all virtual servers configured on that device or a specific virtual server identified by its full name.

Charts contain following statistical information:

- Number of blocked sessions

- Number of alarmed sessions

- Number of transactions

- Number of Brute Force attacks

- Number of Web Scraping attacks

4.6.2. ASM Security policies view

ASM Security policies shows all ASM Policies.

Note Following properties are not supported in BIG-IP version less than 11.6.0:

- LoginEnforcement - Brute Force Attack Prevention Reference - Geolocation Enforcement - Session Tracking Statuses


- Login Pages - IP Intelligence - CSRF Settings

4.7. Comtrade Management Pack for F5 BIG-IP ASM Reports

In Reporting pane, click Comtrade Management Pack for F5 BIG-IP ASM Reports. Available reports are listed below:

- Comtrade F5 BIG-IP ASM User Sessions This report shows details about all user sessions marked as invalid by ASM on a specific BIG-IP device, and can be filtered by Source IP or Request Id.

- Comtrade F5 BIG-IP ASM Attacks This report shows details about all infrastructure attacks marked by ASM on a specific BIG-IP device, and can be filtered by Attack Type, Date/Time, Source IP, Geo-Location, Virtual Server and Device.

4.8. Comtrade Management Pack for F5 BIG-IP DNS

4.8.1. Some of the F5 BIG-IP Devices in F5 DNS Sync Group are not in sync monitor

Monitors if all F5 BIG-IP Devices in F5 DNS Sync Group are in sync.

4.8.2. DNS Wide IP Performance view

This view contains DNS Wide IP performance data graphs.

4.8.3. Wide IPs view

Wide IPs view shows all Wide IPs and their health states.

4.8.4. Filtering DNS objects

1. In Authoring pane, navigate to Management Pack Objects→Object Discoveries. 2. Right click on F5 DNS Sync Group Discovery, and select Overrides→Override the Object Discovery→For all

objects of class: All F5 DNS Wide IPs group. 3. Find Ignore Pattern parameter and check its Override checkbox.

Fill Override Value cell with a regular expression. example : test_ This pattern will exclude all Wide IPs which name contains “test_”. Ignore Pattern parameter is


casesensitive. Identified objects will not be discovered and monitored. Find Include Pattern parameter and check its Override checkbox. Fill Override Value cell with a regularexpression. If name of DNS configuration object matches Include Pattern but does not match the Ignore Pattern it will be discovered in SCOM. If the name of DNS configuration object matches both Include and Ignore Pattern it will not be discovered in SCOM.

Chapter 5

5. Comtrade SCOM Management Pack for F5 BIG-IP Objects, Properties, and Relationships

Comtrade SCOM Management Pack for F5 BIG-IP Objects, Properties, and Relationships 42

Various BIG-IP objects, their status and relationships are discovered and are visible within Comtrade SCOM Management Pack for F5 BIG-IP (SCOM MP for F5 BIG-IP). Depending on BIG-IP configuration, the following objects may be discovered and visible under F5 BIG-IP Monitoring Management Pack:

F5 BIG-IP Devices are visible in views:

Monitoring F5 BIG-IP Monitoring MP Administration BIG-IP Network Devices

Monitoring F5 BIG-IP Monitoring Device Device Diagram View

Monitoring F5 BIG-IP Monitoring LTM LTM Diagram View

Monitoring F5 BIG-IP Monitoring LTM Device - Local Traffic Virtual Server Dashboard

F5 BIG-IP CPU Cores, Disk Partitions, Memory Units and Network Interfaces can be found in:

Monitoring F5 BIG-IP Monitoring Device Device Diagram View


F5 LTM Traffic Groups are visible in views:


F5 LTM Traffic Group Devices, Active and Passive Groups are visible in views:


F5 LTM Virtual Servers are visible in views:


Monitoring F5 BIG-IP Monitoring LTM Device - Local Traffic Virtual Server Dashboard

Monitoring F5 BIG-IP Monitoring LTM Local Traffic Virtual Server – Pool Dashboard

F5 LTM Pools and their relationships with Virtual Servers are observable in:

Monitoring F5 BIG-IP Monitoring LTM Local Traffic Virtual Server – Pool Dashboard


F5 LTM Pool Members and their relationships with LTM Pools are observable in:

Monitoring F5 BIG-IP Monitoring LTM Local Traffic Pool – Pool Members Dashboard

Monitoring F5 BIG-IP Monitoring LTM Local Traffic Pool Members

Monitoring F5 BIG-IP Monitoring LTM Local Traffic Virtual Server – Pool Dashboard Monitoring F5 BIG-IP Monitoring LTM LTM Diagram View

Comtrade SCOM Data Collector for F5 BIG-IP Services their related alerts are shown in:

Monitoring F5 BIG-IP Monitoring MP Administration Data Collector Administration

BIG-IP SSL Certificates are observable in: Monitoring F5 BIG-IP Monitoring LTM SSL Certificate Dashboard Monitoring F5 BIG-IP Monitoring LTM Diagram View

BIG-IP ASM Security Policies are observable in:

Monitoring F5 BIG-IP Monitoring ASM ASM Security Policies Monitoring F5 BIG-IP Monitoring ASM ASM Statistics Dashboard

BIG-IP DNS Wide IP are observable in: Monitoring F5 BIG-IP Monitoring DNS Wide IPs

BIG-IP device and its components related alerts are displayed in Monitoring F5 BIG-IP Monitoring Alerts, while statuses of recently executed SCOM MP for F5 BIG-IP tasks are shown in Monitoring F5 BIG-IP Monitoring Task Status view.

Chapter 6

6. Uninstallation

Uninstallation 44

6.1. Uninstallation Overview

To uninstall Comtrade SCOM Management Pack for F5 BIG-IP, the following order is recommended:

Remove management packs from SCOM.

Uninstall Comtrade SCOM Management Pack for F5 BIG-IP from all Management Servers, which have this product installed.

6.2. Remove the Management Pack from SCOM

To remove BIG-IP MP from the System Center Operations Manager console, perform the following steps:

1. In the System Center Operations Manager console, click the Administration button.

2. In the Administration pane, click Management Packs.

3. Remove reference to Comtrade.F5.BigIp from Microsoft.SystemCenter.SecureReferenceOverride Management Pack:

Export Microsoft.SystemCenter.SecureReferenceOverride Management Pack.

Make a copy of Management Pack exported in previous step.

Edit exported Microsoft.SystemCenter.SecureReferenceOverride Management Pack and remove all dependencies on Comtrade.F5.BigIp Management Pack.

Import back the modified Microsoft.SystemCenter.SecureReferenceOverride Management Pack.

4. In the Management Packs pane, right-click the management pack you would like to remove), and then click Delete. Remove management packs in this order

- Comtrade Management Pack for F5 BIG-IP ASM (Core) - Comtrade Management Pack for F5 BIG-IP ASM (Reports) - Comtrade Management Pack for F5 BIG-IP DNS (Core) - Comtrade Management Pack for F5 BIG-IP LTM (Core) - Comtrade Management Pack for F5 BIG-IP LTM (Reports) - Comtrade Management Pack for F5 BIG-IP Device (Reports) - Comtrade Management Pack for F5 BIG-IP Device (Core)

Chapter 7

7. Troubleshooting

Troubleshooting 46

7.1. Workflow Not Triggered for Comtrade SCOM Management Pack for F5 BIG-IP

Case 1 Symptoms No discovery, rule or monitor workflow is triggered on a SCOM server for SCOM MP for F5 BIG-IP.

Possible resolution steps

Check whether there is any pending update for the windows or SCOM server. If so, apply the update(s), and restart the server if required.

Case 2 Symptoms SCOM MP for F5 BIG-IP rules/monitors appear to be working only on certain objects. For example, some virtual servers, discovered by BIG-IP MP, are monitored while others are not (have no health status).


A possible reason is that BIG-IP iControlREST service, used for monitoring of BIG-IP devices, does not respond to ComtradeF5 BIG-IP MP requests correctly, or on time, for the particular object. If the BIG-IP device is a standalone device, restarting BIG-IP iControlREST service might help. Log in to the BIG-IP device though the command-line interface and in BIG-IP terminal shell (tmsh) execute the restart /sys service icrd command.

7.2. Alerts are not generated by Comtrade SCOM Management Pack for F5 BIG-IP or performance data is not collected

Symptoms Monitoring does not work. Performance data is not collected. All objects have healthy status.

Possible resolution step Check if 3. License Activation Procedure is done properly. To list all correctly licensed BIG-IP devices, perform following steps:


scripts directory. The location of the Licensing PowerShell scripts directory mentioned above is the default location. example: cd C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Licensing PowerShell scripts

Troubleshooting 47

2. execute LicensedBigIPDevices.ps1 example: .\ LicensedBigIPDevices.ps1

7.3. BIG-IP Devices Not Discovered by Comtrade SCOM Management Pack for F5 BIG-IP

Symptoms One or more BIG-IP devices are not discovered and are missing from Monitoring F5 BIG-IP Monitoring MP Administration BIG-IP Network Devices view.


1. Check whether missing BIG-IP devices are discovered in SCOM as network devices in Administration Network Management Network Devices. If the BIG-IP devices are not already discovered as network devices, refer to 7.1. Workflow Not Triggered for Comtrade SCOM Management Pack for F5 BIG-IPsection.

2. If the BIG-IP devices are already discovered as network devices, check System Object ID in Network Device Properties for each undiscovered BIG-IP device.

Troubleshooting 48

Figure 2. BIG-IP Network Device Properties

If System Object ID does not contain leading part “.1.3.6.1.4.1.3375”, then

Log in to the BIG-IP device and apply the latest hotfix available for the particular BIG-IP version.

After applying the hotfix, make sure to set the boot location disk volume that you used to apply the hotfix (e.g. from Advanced/Bash shell, switchboot -b HD1.2).

Reboot the BIG-IP device.

Rediscover the BIG-IP device as network device in SCOM.

Override F5 BIG-IP Device Discovery to force Comtrade SCOM Management Pack for F5 BIG-IP to rediscover BIG-IP device.

Troubleshooting 49

Figure 3. F5 BIG-IP Device Discovery

3. Check whether Comtrade SCOM Data Collector for F5 BIG-IP is installed on all required nodes. Refer to 2.2. Install Comtrade SCOM Management Pack for F5 BIG-IP section.

4. Make sure that a BIG-IP monitoring account is set up and configured correctly in SCOM. Refer to section.

5. Make sure that a local BIG-IP account with the administrator role assigned is used as the 2.3 Configure

Comtrade BIG-IP Device Action Account action (monitoring) account with Comtrade SCOM Management Pack for F5 BIG-IP.

6. Make sure that BIG-IP device accepts REST calls from the Comtrade SCOM Management Pack for F5 BIG-IP

data collector machine (Comtrade SCOM Data Collector for F5 BIG-IP service). Verify that the BIG-IP device can communicate with the host where Comtrade SCOM Data Collector for F5 BIG-IP is installed via https protocol on port 443. For example, check whether the following URL is accessible from the data collector host machine: https://<BIGIPDeviceAddress>/mgmt/tm/cm/device.

Troubleshooting 50

7.4. Recalculating the Health of a Monitor

The recalculate option found under Health Explorer may appear that it has completed the recalculation process, but this option is not implemented in the background and will not have any effect on health status. Alternatively, you may use the option for resetting health status.

Figure 4. Health Explorer and result of the health recalculation process BIG-IP Devices are not discovered

Symptoms BIG-IP Devices are not discovered and are not visible in:

Monitoring F5 BIG-IP Monitoring Diagram View

Monitoring F5 BIG-IP Monitoring MP Administration BIG-IP Network Devices

Possible resolution steps Please make sure that the BIG-IP devices have been properly configured for monitoring by referring to the 1.3. Configuring F5 BIG-IP devices section. If the BIG-IP devices have been properly configured for monitoring but the discovery is still not working please make sure that the Action Account has been configured properly by referring to 2.3. Configure Comtrade BIG-IP Device Action Account section.

Troubleshooting 51

7.5. Missing registry key error appears in event log when upgrading Comtrade SCOM Management Pack for F5 BIG-IP

Symptoms Error with ID 16010 appears in the event log with the following message:

MPBigIpGenericPropertyBagExtendedProbe.js : Issue with taking property InstallDir from registry. Error message:Invalid root in registry key "HKLM\SOFTWARE\Wow6432Node\Comtrade\BIG-IP MP\InstallDir

Possible resolution steps When upgrade of Comtrade SCOM Management Pack for F5 BIG-IP is performed, registry values are deleted and created again. During this period some workflows that are trying to read these values might fail, which will cause the error with ID 16010 to appear in the event log. If this error continues to appear after the upgrade is completed check if these values exist in the registry. If these values are not present in the registry, this means that Comtrade SCOM Data Collector for F5 BIG-IP was not installed properly. Reinstalling the Comtrade SCOM Data Collector for F5 BIG-IP should solve this issue.

7.6. Data is not displayed in ASM statistics dashboard

Symptoms

Data is not displayed in ASM statistics dashboard

Event with IDs 31569, 31557, 31552, 31563, 31561 keep showing up in Event Log

Event with ID 31551 with message Failed to store data in the Data Warehouse keeps showing in Event Log

Failed to store data in the Data Warehouse. The operation will be retried. Exception 'SqlException': Cannot open database "OperationsManagerDW" requested by the login. The login failed. Login failed for user 'MPLAB\scomAA'. One or more workflows were affected by this. Workflow name: Comtrade.F5.BigIp.ASM.ASM.Event.RequestsRule Instance name: big_ip_11_6_0_milan_3.hermes.si Instance ID: {40992CC2-2E3F-864B-E1C6-58C3C42C4775} Management group: SCOM2012_SARD_group

Possible resolution steps Please make sure that Data Warehouse Account has been properly configured. Refer to 2.4. Set Up Data Warehouse Action Account for the F5 BIG-IP Device in System Center Operations Manager for detailed instructions on how to setup the Data Warehouse account.

Troubleshooting 52

7.7. Data from certain Virtual Server is missing in ASM statistics dashboard

Symptoms Data for specific Virtual Server is missing in ASM Statistics dashboard

Possible resolution steps Comtrade Management Pack for F5 BIG-IP ASM (Core) collects statistics about attacks that were detected by ASM module using iControl REST API. In order for illegal requests data to be available on iControl REST API Log Profile must be configured on the Local Traffic Virtual Server. In order to do this login to the BIG-IP Web UI and navigate to Local Traffic Virtual Servers. Click on the Virtual Server that the issue is related to. Select Security Policies from the top menu. In Log Profile section select Enabled and move Log Illegal requests from the available profiles to Selected log profiles. Click Update.

7.8. ASM Statistics dashboard is not working in SCOM Web Console

Symptoms ASM Statistics dashboard is not working in SCOM Web Console

Possible resolution steps Using ASM Statistics dashboard in SCOM Web Console is currently not supported.

7.9. Self IP Address property is empty

Symptoms Self IP Address is empty on following versions of BIG-IP devices:

F5 BIG-IP 11.5.4

Possible resolution steps In order to discover this property restart iControl REST API service by executing the following commands: tmsh stop sys service restjavad tmsh start sys service restjavad

7.10. Rest Framework Version and Is Virtual properties are empty

Symptoms Rest Framework Version and Is Virtual are empty on following version of BIG-IP devices:

F5 BIG-IP 11.5.4

Possible resolution steps Currently, there are no possible workarounds. Rest API on version 11.5.4 does not support these properties.

Support Services and Product Information 53

None, ASM Statistics dashboard will not work when using SCOM Web Console.

8. Support Services and Product Information

Chapter 8


8.1. Contacting Product Support Services

Depending on information or support service that is needed, use the corresponding section:

If assistance is needed while evaluating the product, please contact your Account Owner and Sales

Representative.

If you have purchased the product directly from Comtrade Software, and are experiencing a problem, search

for a solution on the following webpage:

support.comtradesoftware.com

In the absence of an article addressing your problem, ask Comtrade Software Customer Support for assistance:

on the webpage, click Submit a request and fill in the request form. You must be signed in with a valid account

prior to submission. Apply for an account at the following email address:

[email protected]

8.1.1. Licensing

Depending on the licensing related service that is needed, refer to the following:

To generate license request file(s) and activate it, follow the steps in 3.License Activation Procedure section.

To redesignate (deactivate existing) license(s), use the Licensing Portal:

http://managementpacks.comtrade.com/mp-licensing/index.hsl Sign in to your account and follow the License Redesignation steps.

For any license related issues or questions about the licensing process, send an email with question or

detailed explanation (including symptoms, screenshots, expected behavior, etc.) to

[email protected].

Note When contacting Licensing Department, make sure to include your company information (company name and Purchase Order number).

https://support.comtradesoftware.com/hc/en-us

mailto:[email protected]

http://spi.comtrade.com/mp-licensing/index.hsl

http://spi.comtrade.com/mp-licensing/index.hsl



8.1.2. Support

When contacting the Support Department regarding product or monitored environment issue, gather the following required support information:

1. Provide general information about the company (your company name, PO number).

2. Provide basic information about the environment (product evaluation, prod/dev environment, current version of installed BIG-IP MP, System Center Operations Manager (SCOM) version, OS, etc). Also, let us know:

When was product installation and last reconfiguration performed?

Is this a new installation or an update of an existing installation?

Is this a production or development environment?

When were the symptoms observed for the first time?

Were any updates done lately to operating system or managed F5 BIG-IP application?

Which versions are running in your environment?

Which version of Comtrade product (in Control Panel look for Comtrade Management Pack for F5 BIG-IP and for Comtrade Management Pack Agent for F5 BIG-IP)?

Which version of System Center Operations Manager (SCOM) server?

Which version of managed F5 BIG-IP?

On which operating systems?

3. Collect support log files from the affected nodes.

Open SCOM console.

Navigate to F5 BIG-IP Monitoring > MP Administration > Data Collector Administration monitoring view.

Select appropriate monitoring node under Comtrade BIG-IP MP Agent Status.

Run Collect Support Information task using Run As Account with elevated permissions.

Output directory MPBIGIPSupport_NODENAME_DATE_TIME will be created by default in the %ProgramData%\Comtrade\Support tool output\ directory.

ZIP the MPBIGIPSupport_NODENAME_DATE_TIME directory

4. Prepare detailed explanation of recognized issue (symptoms, screenshots, expected behavior, already performed troubleshooting steps).

Use collected and prepared information to fill out our contact support web form and submit your support case. After submit our support engineers will contact you shortly.

Note In case gathered outputs are too large or rejected by mail server, upload them on Comtrade File Sharing server using the following steps:

1. Open site: https://filex.comtrade.com.

2. Click on Share a file now.

3. Browse for your zipped files and hit the Upload Now button.

4. When filling out the form, fill out only the To field with [email protected]

5. Navigate to the end of page and type in the given Anti-SPAM code.

6. Click the Process Details Now button.

https://support.comtradesoftware.com/hc/en-us

https://filex.comtrade.com/



8.2. Get More Information about Comtrade Products and Services

For more information about the product, visit BIG-IP Management Pack Web Page: https://comtradesoftware.com/f5-monitoring/scom-big-ip-management-pack/ For latest version of product and user documentation, visit Product Download Page: https://support.comtradesoftware.com/hc/en-us/categories/115000547149 For more product related information, check out videos on Comtrade Management Products YouTube channel: https://www.youtube.com/user/comtradeproducts For more information about the company and other MPs, visit Comtrade Web Site at: www.comtradesoftware.com

8.3. Provide Feedback

For any suggestions and comments regarding this product or its documentation, send us an e-mail to: [email protected] We would be glad to hear from you!

https://comtradesoftware.com/f5-monitoring/scom-big-ip-management-pack/

https://support.comtradesoftware.com/hc/en-us/categories/115000547149

https://www.youtube.com/user/comtradeproducts

http://www.comtradeproducts.com/



None, ASM Statistics dashboard will not work when using SCOM Web Console.

9. Appendix

Chapter 9

Appendix 58

9.1. Create a New Management Pack for Overrides

Most vendor management packs are sealed for changes so it is not possible to change any of the original settings in the management pack file. However, customizations can be created, such as overrides or new monitoring objects, and saved to a different management pack. By default, System Center Operations Manager saves all customizations to the default management pack. As a best practice, create a separate management pack for each sealed management pack you want to customize. Creating a new management pack for storing overrides has the following advantages:

It simplifies the process of customizations export created in your test and pre-production environments to your production environment. For example, instead of exporting the default management pack containing customizations from multiple management packs, you can export the management pack containing customizations of a single management pack.

You can delete the original management pack without first needing to delete the default management pack. A management pack containing customizations is dependent on the original management pack. This dependency requires deleting the management pack with customizations before deleting the original management pack. If all of your customizations are saved to the default management pack, export the default management pack, delete the customizations from the default management pack and reimport the default management pack again before deleting the management pack.

It is easier to track and to update customizations of individual management packs.

9.2. Upgrade procedure

9.2.1. Upgrading from any version later than 3.0

1. Run new setup package. 2. Follow the installation steps. 3. Version of BIG-IP MP in Control Panel should be upgraded. 4. In SCOM Console, reimport Management Packs, if they have not been automatically imported already. To

import the Comtrade SCOM Management Pack for F5 BIG-IP to System Center Operations Manager read 9.4. Manual Import of Management Pack Files to the Management Server.

5. Version of Management Packs on SCOM should be upgraded.

9.2.2. Upgrading from any version earlier than 3.0

1. Comtrade SCOM Management Pack for F5 BIG-IP 3.0 is not upgradable to any of previous versions, meaning that any earlier versions have to be uninstalled before Comtrade SCOM Management Pack for F5 BIG-IP 3.0 can be installed. For more information on how to uninstall this product, see chapter 6. Uninstallation.

2. After the uninstallation process has been completed run the new setup package. 3. Follow the installation steps. 4. After the installation process has been completed, the version of Comtrade SCOM Management Pack for F5

BIG-IP in Control Panel should be 3.0. 5. In SCOM Console, import Management Packs, if they have not been automatically imported already. 6. Continue your installation with chapter 2.3. Configure Comtrade BIG-IP Device Action Account

Appendix 59

If you have version less than version 3.0 and run Comtrade SCOM Management Pack for F5 BIG-IP installer the installer will show you the error displayed on the screenshot below. In order to continue with the installation please uninstall any earlier versions.

Appendix 60

9.3. Comtrade SCOM Management Pack for F5 BIG-IP quiet and passive installation

When performing quiet and passive installation, typical features will be installed using default values. This means the following features will be installed:

- Data Collector - Device Management pack - Device Reports Management pack - DNS Management pack - LTM Management pack - LTM Reports Management pack - ASM Management pack - ASM Reports Management pack - Support tool - Licensing module

Default port value for Comtrade SCOM Data Collector for F5 BIG-IP is 19703 and it will be used during quiet and passive installation. When running quiet and passive installations management pack will be imported, which means that quiet and passive installations should be performed only on management servers. Quiet installation installs Comtrade SCOM Management Pack for F5 BIG-IP (SCOM MP for F5 BIG-IP) without any user interaction. To install SCOM MP for F5 BIG-IP in quiet mode perform this following step on desired Management Server:

- From Start menu/screen launch Windows PowerShell as administrator and locate Comtrade.F5.BIG-IP.Setup file. example: cd C:\Downloads\MPBIGIP_3.0 msiexec.exe /i Comtrade.F5.BIG-IP.Setup.msi /quiet

Passive installation installs SCOM MP for F5 BIG-IP in unattended mode, which means that it will display the progress of the installation but it will not require any user interaction. To install SCOM MP for F5 BIG-IP in passive mode perform this following step on desired Management Server:

- From Start menu/screen launch Windows PowerShell as administrator and locate Comtrade.F5.BIG-IP.Setup file. example: cd C:\Downloads\MPBIGIP_3.0 msiexec.exe /i Comtrade.F5.BIG-IP.Setup.msi /passive

Continue your installation with chapter 2.3 Configure Comtrade BIG-IP Device Action Account

Note The quiet and passive installation will not work on version 3.0 if there is already installed SCOM MP for F5 BIG-IP with version less than 3.0. It has to be made as clean installation.

Appendix 61

9.4. Manual Import of Management Pack Files to the Management Server

To import the SCOM MP for F5 BIG-IP to System Center Operations Manager, perform the following steps: 1. Log on to the Management Server3 and start the System Center Operations Manager console. 2. In the Administration navigation pane, click Management Packs. 3. In the Actions task pane, select Import management packs. 4. Locate the management pack and click Open.

Default SCOM MP for F5 BIG-IP location: C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Management packs

5. Import Comtrade.SCOM.MP.F5.BIG-IP.ASM.mpb Comtrade.SCOM.MP.F5.BIG-IP.Device.Reports.mpb Comtrade.SCOM.MP.F5.BIG-IP.DNS.mpb Comtrade.SCOM.MP.F5.BIG-IP.LTM.mpb Comtrade.SCOM.MP.F5.BIG-IP.LTM.Reports.mpb Comtrade.SCOM.MP.F5.BIG-IP.mpb Comtrade.SCOM.MP.F5.BIG-IP.Reports.mpb

6. Click on Install to complete the import procedure. If the same version of the SCOM MP for F5 BIG-IP has already been imported, SCOM Console will show the following status: “A management pack contained in Comtrade SCOM Management Pack for F5 BIG-IP bundle (version major.minor.build) has already been imported” Continue your installation with chapter 2.3. Configure Comtrade BIG-IP Device Action Account

9.5. Set Up Action Accounts for the F5 BIG-IP Devices using Windows PowerShell

From Start menu/screen launch Windows PowerShell and navigate to C:\Program Files (x86)\Comtrade

Software\Comtrade SCOM MP for F5 BIG-IP\Management packs\Configuration tools directory. This Management packs directory location is the default location.

example: cd ‘C:\Program Files (x86)\Comtrade Software\Comtrade SCOM MP for F5 BIG-IP\Management packs\Configuration Tools’

Note When running bigIpRunAsAccountAndProfileSetup.ps1 script.by default all Management Server resource pool is used to distribute accounts. Gateways are not in all Management Server resource pool, so if you are using gateways make sure to choose a custom resource pool to distribute accounts.

To set up RunAs accounts and distribute them to all Management Servers (user input required), do the following:

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1,username1,password1 domainName2,username2,password2

3 Management Server where Management Pack feature of the Comtrade SCOM Management Pack for F5 BIG-IP is installed.

Appendix 62

domainName3,username3,password3 Make sure not to have an empty new line at the end of the file.

Note You can modify exampleFQDNAndCredentialsFile.txt file which is located in the same directory, instead of creating a new one. Refer to exampleFQDNAndCredentialsFile.txt for more examples.

2. Run the following command on the Management Server: bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt

To set up RunAs accounts and distribute them to all Management Servers (without user input), do the following:

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1,username1,password1 domainName2,username2,password2 domainName3,username3,password3 Make sure not to have an empty new line at the end of the file.

2. Run the following command on the Management Server: bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt -DistributeToAll

To set up RunAs accounts and distribute them to all Management Servers in a specific resource pool, do the following:

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1,username1,password1 domainName2,username2,password2 domainName3,username3,password3 Make sure not to have an empty new line at the end of the file.

2. Run the following command on the Management Server: bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt -ResourcePoolName myResourcePoolName

If the username(s) and/or password(s) contain comma (,) you can specify another separator (You cannot mix different separators in the file containing credentials)

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1;username1;password1 domainName2;username2;password2 domainName3;username3;password3 Make sure not to have an empty new line at the end of the file.

2. Run the following command on the Management Server: bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt -Separator ";"

If you want to test if the credentials for each device are correct, do the following:

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1,username1,password1 domainName2,username2,password2 domainName3,username3,password3

Appendix 63

Make sure not to have an empty new line at the end of the file.

2. Run the following command on the Management Server:

bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt –TestCredentials

Note The Action Account will not be associated with the devices, for which the credentials of the Action Account are not correct.

If you want to set up RunAs Account from a device which is not a Management Server, do the following:

1. Create a file containing fully qualified domain name (FQDN), username and password for all BIG-IP devices in the following format: domainName1,username1,password1 domainName2,username2,password2 domainName3,username3,password3

Make sure not to have an empty new line at the end of the file.

2. Run the following command: bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt -ManagementServerName myManagementServerName -ManagementServerCredentials (Get-Credential) This operation requires user input. or $password = ConvertTo-SecureString –String myPassword –AsPlainText –Force $credentials = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList myDomainName\myUserName, $password bigIpRunAsAccountAndProfileSetup.ps1 -FQDNAndCredentialsFile C:\myCredentialsFile.txt -ManagementServerName myManagementServerName -ManagementServerCredentials $credentials

This operation does not require user input.

Note This script will automatically configure Data Warehouse Action Account. You can find more information about this configuration in section 2.4. Set Up Data Warehouse Action Account for the F5 BIG-IP Device in System Center Operations Manager.

9.6. Monitoring large environments with System Center Operations Manager

When monitoring large environments with System Center Operations Manager (SCOM) it is possible that SCOM services will consume more resources than they would consume in a typical environment. This might cause these services to restart which in turn would cause monitoring to stop for a certain period.

Appendix 64

To prevent this from happening certain overrides need to be created in SCOM. In order to do this, please perform the following steps:

1. Open System Center Operations Manager Console 2. Navigate to Monitoring Operations Manager Management Server Management Servers State 3. Right click on one of the management servers and open health explorer for it

4. Click on the x next to the Scope is only unhealthy child monitors to show all monitors 5. Navigate to Performance System Center Management Health Service Performance System Center

Management Health Service Memory Utilization

6. Right click on Health Service Handle Count Threshold and select Monitor Properties option 7. Select the Overrides tab, click on the override button and select For all objects of class: Health Service

option

Appendix 65

8. Override the Agent Performance Monitor Type (Consecutive Samples) – Threshold parameter to 30000 9. Select a management pack that you wish to save this to and click OK 10. Open the overrides for Health Service Private Bytes Threshold 11. Override the Agent Performance Monitor Type (Consecutive Samples) – Threshold parameter to

6442450944. 12. Select a management pack that you wish to save this to and click OK.

Note Suggested thresholds (Agent Performance Monitor Type (Consecutive Samples) – Threshold and Agent Performance Monitor Type (Consecutive Samples) – Threshold) are calculated for a monitored environment with 150 Big-IP Devices. Management packs used for these calculations are listed below: - Comtrade Management Pack for F5 BIG-IP Device (Core) - Comtrade Management Pack for F5 BIG-IP LTM (Core) - Comtrade Management Pack for F5 BIG-IP ASM (Core) - Comtrade Management Pack for F5 BIG-IP ASM (Reports)

Appendix 66

9.7. Compliance with Federal Information Processing Standards (FIPS)

Comtrade SCOM Management Pack for F5 BIG-IP does not require special configuration steps for operation in environments that are compliant with the FIPS 140-2 standard. Such environments include the following:

Microsoft Windows operating system where the security setting for FIPS compliance is enabled in the effective policy

Microsoft System Center Operations Manager that is running in FIPS-compliant mode

comtrade scom management pack for f5 big-ip€¦ · 1 . user guide comtrade scom management pack...

Documents