We’ll explore five primary methods: GUI, UCS archives, TMOS Configuration Files (SCF), direct file copy, and the iControl REST API, so you can choose the approach that best fits your environment. We’ll reference both official F5 guidance and community-driven best practices to give you a comprehensive, professional workflow.

1. GUI-Based Export (Configuration Utility)

The BIG-IP Configuration Utility provides a point-and-click way to grab a UCS archive:

  1. Log in to the Configuration Utility at https://<management-IP>.
  2. Navigate to System > Archives.
  3. Click Create and enter a unique file name for your archive.
    • Optional: Enable encryption and set a passphrase.
    • Optional: Exclude SSL private keys if you plan to share the UCS with F5 Support.
  4. Click Finished, wait for the operation to complete, then click OK.
  5. Download the resulting .ucs file to your local system or a secure archive location.

This GUI method is ideal for one-off backups or when you want to visually monitor progress. It produces a single tarball containing all configuration objects, licenses, user accounts, and filestore items (certificates, iApps, custom scripts).

2. UCS Archive via tmsh (CLI)

For automation and scripting, the Traffic Management Shell (tmsh) is the workhorse:

```shell
# Enter tmsh
tmsh

# Save a UCS archive (unencrypted)
save /sys ucs /var/local/ucs/MyBackup.ucs

# Save with encryption
save /sys ucs /var/local/ucs/MySecureBackup.ucs passphrase YourPassphrase

# Exclude private keys
save /sys ucs /var/local/ucs/MyNoKeyBackup.ucs no-private-key
```

After creating the archive, use scp or rsync to copy the .ucs file o

```shell
scp /var/local/ucs/MyBackup.ucs backup@storage:/backups/f5/
```

This CLI approach can be scheduled via cron or orchestration tools. It’s precisely the same data you’d get from the GUI, but fully scriptable.

Tip: If you see a timeout during UCS creation, it may be due to large iApp LX data; consider temporarily disabling those apps or increasing your timeout settings.

3. Full Config Dump (SCF Method)

A Single Config File (SCF) gives you a text-based snapshot of your BIG-IP config—perfect for diff’ing over time or migrating subsets:

```shell
tmsh save sys config file /var/local/scf/fullconfig no-passphrase
```

This creates two files:

  • /var/local/scf/fullconfig — a line-oriented TMOS config script.
  • /var/local/scf/fullconfig.tar — a tarball of /config/filestore/ (certs, scripts, etc.).

You can then version-control the plain-text SCF and store the tarball in your secure binary repository. Unlike UCS archives, SCFs do not include licenses or user accounts—just the raw TMOS configuration.

When to use SCF:

  • You need human-readable diffs of config changes.
  • You’re migrating only LTM or GTM objects (not full system state).
  • You prefer separate handling of certificates and keys.

4. Direct File Export (bigip.conf & Partitions)

Under the covers, BIG-IP stores configuration in several files:

  • /config/bigip_base.conf — default settings.
  • /config/bigip_sys.conf — system-level config.
  • /config/partitions/<partition>/bigip.conf — per-partition LTM/GTM objects.

You can copy these directly via scp:

```shell
scp root@bigip:/config/bigip_base.conf backup@storage:/backups/f5/
scp root@bigip:/config/bigip_sys.conf backup@storage:/backups/f5/
scp root@bigip:/config/partitions/Common/bigip.conf backup@storage:/backups/f5/
```

However, this method does not capture filestore items (certs, iApps) or licenses. Use it only if you need raw config fragments.

5. iControl REST API

For integration with CMDBs or custom dashboards, F5’s REST API can create and retrieve UCS archives:

  • Authenticate and obtain a token.
  • Create a UCS archive:

```http
POST https://<BIG-IP>/mgmt/tm/sys/ucs
X-F5-Auth-Token: <token>
Content-Type: application/json

{
  "command": "save",
  "name": "AutomatedBackup.ucs",
  "options": {
    "noPrivateKey": true
  }
}
```

  • Download the resulting archive:

```http
GET https://<BIG-IP>/mgmt/shared/file-transfer/ucs-downloads/AutomatedBackup.ucs
X-F5-Auth-Token: <token>
```

  • Delete old archives to conserve space:

```http
DELETE https://<BIG-IP>/mgmt/tm/sys/ucs/OldBackup.ucs
X-F5-Auth-Token: <token>
```

This API-driven approach fits neatly into CI/CD pipelines, letting you pull, store, and rotate backups programmatically.
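An added example, not from the original article or from F5: a check a pipeline could run on a downloaded archive to confirm that the private-key exclusion offered by the GUI, tmsh, and REST methods actually took effect before the file is shared. It assumes an unencrypted UCS opens as a tarball and that keys are PEM-encoded; the member names and contents produced by `build_sample_ucs` are constructed.

```python
import io
import re
import tarfile

# Matches PEM headers such as "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY",
# "BEGIN EC PRIVATE KEY" and "BEGIN ENCRYPTED PRIVATE KEY".
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
MAX_SCAN = 1 << 20  # scan only the first 1 MiB of each member

def find_private_keys(ucs_bytes):
    """Return member names holding a PEM private key, or None when the data
    cannot be opened as a tarball (for example, a passphrase-encrypted UCS)."""
    try:
        tar = tarfile.open(fileobj=io.BytesIO(ucs_bytes), mode="r:*")
    except (tarfile.TarError, OSError, EOFError):
        return None
    hits = []
    with tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read(MAX_SCAN)
                if PEM_PRIVATE.search(data):
                    hits.append(member.name)
    return sorted(hits)

def verdict(ucs_bytes):
    """Classify an archive before it leaves the backup host."""
    hits = find_private_keys(ucs_bytes)
    if hits is None:
        return "unreadable"  # absence of keys cannot be shown: do not share
    return "contains-keys" if hits else "no-keys-found"

def build_sample_ucs(with_key):
    """Constructed stand-in for a .ucs file; names and contents are made up."""
    pem = lambda kind: (b"-----BEGIN " + kind + b"-----\nQ09OU1RSVUNURUQ=\n"
                        b"-----END " + kind + b"-----\n")
    files = {"config/bigip.conf": b"ltm pool constructed_pool { }\n",
             "config/filestore/constructed.crt": pem(b"CERTIFICATE")}
    if with_key:
        files["config/filestore/constructed.key"] = pem(b"RSA PRIVATE KEY")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    for blob in (build_sample_ucs(True), build_sample_ucs(False), b"\x00opaque"):
        print(verdict(blob), find_private_keys(blob))
```

An "unreadable" verdict is treated as a failure on purpose: an archive that cannot be inspected has not been shown to be free of keys.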

6. Spot-Checks with “show running-config”

If you only need to view certain objects quickly (without exporting), the following command lists /Common-partition configs:

```shell
tmsh show running-config
```

Be aware it only covers the /Common partition by default—not full multi-partition environments. For a full-partition view, you’d need SCF or UCS methods.

Last modified: May 26, 2025
