F5 BIG-IP
Description
The F5 BIG-IP connector uses the iControl REST API over HTTPS with HTTP Basic authentication to discover local administrative user accounts on an F5 BIG-IP appliance or Virtual Edition. It enumerates user accounts, their assigned partition roles, and maps these to entitlements with privilege classification.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| iControl REST API (HTTPS) | 443 TCP | HTTP Basic authentication; self-signed certificates are accepted |
What OrbisID Discovers
| Data | Source |
|---|---|
| BIG-IP user accounts | GET /mgmt/tm/auth/user |
| Partition roles | partitionAccess[].role per user |
| Shell assignment | shell field (tmsh, bash, none) |
| Memberships | Derived from user partition access list |
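The sketch below is an added example, not OrbisID's own code: it shows how the fields in the table above (user name, partitionAccess[].role, shell) can be flattened into entitlements and a privileged flag, which is also a quick way to check that the scanning account itself stays at Operator with no shell. The sample response, the account names, the treatment of a missing shell field as none, and the rule that the admin and resource-admin roles or a bash shell make an account privileged are all assumptions of this example.

```python
import json

# Constructed sample shaped like a GET /mgmt/tm/auth/user reply (not real data).
SAMPLE = json.loads("""
{"items": [
  {"name": "admin", "shell": "bash",
   "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
  {"name": "svc-orbisid",
   "partitionAccess": [{"name": "Common", "role": "operator"}]},
  {"name": "netops", "shell": "tmsh",
   "partitionAccess": [{"name": "Common", "role": "manager"},
                       {"name": "dmz", "role": "guest"}]}
]}
""")

# Assumption: this example's own rule for "privileged", not OrbisID's.
PRIVILEGED_ROLES = {"admin", "resource-admin"}


def summarize(collection):
    """Map each user to entitlements plus the reasons it counts as privileged."""
    report = []
    for user in collection.get("items", []):
        shell = user.get("shell", "none")  # assumption: missing field means no shell
        entitlements, reasons = [], []
        for access in user.get("partitionAccess", []):
            entitlement = f"{access.get('role')}@{access.get('name')}"
            entitlements.append(entitlement)
            if access.get("role") in PRIVILEGED_ROLES:
                reasons.append(entitlement)
        if shell == "bash":
            reasons.append("shell=bash")
        report.append({"user": user.get("name"), "shell": shell,
                       "entitlements": entitlements,
                       "privileged": bool(reasons), "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        label = "PRIVILEGED" if row["privileged"] else "standard"
        print(f"{row['user']:<12} {label:<10} {row['entitlements']} {row['reasons']}")
```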
Connection Requirements
Required Permissions
The scanning credential must belong to a BIG-IP user with at least Operator role on the relevant partition.
Minimum permissions:
- Operator role or higher on the target partition(s)
- Read access to /mgmt/tm/auth/user

Tip: For complete visibility across all partitions, use a user with Administrator role on all-partitions.
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | BIG-IP local username |
| credential.password | BIG-IP password |
| system.hostname | BIG-IP management IP or hostname |
Network Requirements
The OrbisID server must have HTTPS access to the BIG-IP management interface on port 443. BIG-IP appliances commonly present self-signed TLS certificates — OrbisID accepts these automatically.
Configuration Steps
- Create a dedicated read-only service account on the BIG-IP:
  - Navigate to System → Users → User List → Create
  - Assign Operator role on the relevant partition(s)
- Create a Credential in OrbisID:
  - Username: BIG-IP username
  - Password: BIG-IP password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., F5 BIG-IP – Production Load Balancer) |
| OS Type | F5BigIp |
| System Type | Infrastructure |
| Hostname | BIG-IP management IP or hostname |
| Credential | The scanning credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid credentials | Verify username and password; check that the account is not locked |
| No accounts returned | Insufficient role assignment | Ensure the scanning user has Operator or Administrator access |
| Cannot connect | iControl REST not enabled | Enable REST API: System → Platform → REST API |
| 401 Unauthorized | Password expired | Reset the service account password |