F5 BIG-IP iRules

Deploy Centinel Analytica on F5 BIG-IP load balancers using iRules for bot detection.

Overview

The Centinel F5 BIG-IP iRule intercepts HTTP traffic at the load balancer, validates requests against the Centinel API, and enforces security decisions (allow/block/redirect).

Prerequisites

Centinel secret key (from your dashboard)
F5 BIG-IP device with LTM module (v11.5+ recommended)
SSH or TMSH access to the F5 device
DNS servers configured in TMM (needed for API hostname resolution)
Two iRule files (provided by Centinel support)

DNS configuration required

The iRule uses RESOLV::lookup to resolve validator.centinelanalytica.com. This runs in TMM (Traffic Management Microkernel) which requires DNS servers configured via tmsh sys dns.

Shell DNS (/etc/resolv.conf) and TMM DNS are separate systems. Even if curl works from the F5 shell, TMM won't resolve hostnames without proper DNS configuration.

Verify DNS is configured:

tmsh list sys dns

If no name-servers are shown:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Download required files

Download the Centinel F5 iRules package:

Centinel.tcl - Main iRule with API integration (1,440 lines)
Centinel-SSL-Helper.tcl - SSL connection handler (61 lines)
README.md - Technical implementation guide

Download: centinel-f5-irules.tar.gz

Installation

Download and extract the iRule package

Download the Centinel F5 iRules package:

# Download the package
curl -O https://docs.centinelanalytica.com/downloads/centinel-f5-irules.tar.gz

# Extract files
tar -xzf centinel-f5-irules.tar.gz

# You should see:
# - Centinel.tcl
# - Centinel-SSL-Helper.tcl
# - README.md

Or download via browser: centinel-f5-irules.tar.gz

Upload the iRule files

Log into your F5 BIG-IP management interface and upload both iRule files:

Via Web UI:

Navigate to Local Traffic → iRules → iRules List
Click Create
Enter name: Centinel
Paste the contents of Centinel.tcl
Click Finished
Repeat for Centinel-SSL-Helper with Centinel-SSL-Helper.tcl

Via TMSH:

# Upload files to /var/tmp/ first
tmsh create ltm rule Centinel from-file /var/tmp/Centinel.tcl
tmsh create ltm rule Centinel-SSL-Helper from-file /var/tmp/Centinel-SSL-Helper.tcl

Configure your API key

Edit the Centinel iRule and update the secret key on line 10:

# Replace with your actual API key
set static::CENTINEL_SECRET_KEY "sk_live_your_key_here"

Via Web UI:

Navigate to Local Traffic → iRules → iRules List
Click on Centinel
Click Edit
Update line 10 with your secret key
Click Finished

Via TMSH:

tmsh edit ltm rule Centinel
# Update the key, then save and exit

Create the API virtual server

Create a virtual server for making outbound HTTPS calls to the Centinel API:

Via Web UI:

Navigate to Local Traffic → Virtual Servers → Virtual Server List
Click Create
Configure:
- Name: centinel_api_ssl_vs
- Destination Address/Mask: 0.0.0.0/0 (any)
- Service Port: 443
- Protocol: TCP
- HTTP Profile (Client): http
- SSL Profile (Server): serverssl-insecure-compatible
- Source Address Translation: Auto Map
- Address Translation: Disabled
- Port Translation: Disabled
Click Finished

Via TMSH:

tmsh create ltm virtual centinel_api_ssl_vs \
    destination 0.0.0.0:443 \
    ip-protocol tcp \
    mask 0.0.0.0 \
    profiles add { tcp http { context all } serverssl-insecure-compatible { context serverside } clientssl-insecure-compatible { context clientside } }
    source 0.0.0.0/0 \
    source-address-translation { type automap } \
    translate-address disabled \
    translate-port disabled

Apply SSL helper to API virtual server

Attach the Centinel-SSL-Helper iRule to the API virtual server:

Via Web UI:

Navigate to Local Traffic → Virtual Servers
Click on centinel_api_ssl_vs
Go to Resources tab
Under iRules, click Manage
Move Centinel-SSL-Helper from Available to Enabled
Click Finished

Via TMSH:

tmsh modify ltm virtual centinel_api_ssl_vs rules { Centinel-SSL-Helper }

Apply main iRule to application virtual server

Attach the Centinel iRule to your application's virtual server(s):

Via Web UI:

Navigate to Local Traffic → Virtual Servers
Click on your application virtual server (e.g. www_vs)
Go to Resources tab
Under iRules, click Manage
Move Centinel from Available to Enabled
Click Finished

Via TMSH:

tmsh modify ltm virtual your_application_vs rules { Centinel }

The Centinel iRule can be applied to multiple virtual servers.

Save configuration

Save your changes to persistent storage:

Via Web UI: Click System → Configuration → Save Configuration

Via TMSH:

tmsh save sys config

Verify DNS configuration

Make sure TMM has DNS servers configured (needed for RESOLV::lookup in the iRule):

tmsh list sys dns

Expected output:

sys dns {
    name-servers { 8.8.8.8 1.1.1.1 }
    search { example.com }
}

If no name-servers are shown, add DNS servers:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Test DNS resolution:

run /util dig validator.centinelanalytica.com

You should see an ANSWER SECTION with IP addresses.

Use your organization's internal DNS servers instead of public DNS (8.8.8.8) for better performance and security.

Verify deployment

Test the integration:

Check logs: Monitor for Centinel activity
```
tail -f /var/log/ltm
```
Test normal traffic: Visit your application to confirm requests work normally
Check statistics: View iRule execution stats
```
tmsh show ltm rule Centinel
```
Monitor Centinel dashboard: Verify requests appear in your Centinel dashboard

Advanced configuration

URI path filtering

By default, static assets (images, CSS, JS, fonts) are excluded from validation for better performance.

Exclude additional paths:

Edit the Centinel iRule and update CENTINEL_URI_REGEX_EXCLUSION (line 28):

# Example: Exclude health checks and metrics
set static::CENTINEL_URI_REGEX_EXCLUSION {(?i)\.(avi|flv|mka|mkv|mov|mp4|mpeg|mpg|mp3|flac|ogg|ogm|opus|wav|webm|webp|bmp|gif|ico|jpeg|jpg|png|svg|svgz|swf|eot|otf|ttf|woff|woff2|css|less|js)$|^/health$|^/metrics$}

Protect only specific paths:

Add a CENTINEL_URI_REGEX variable to protect only certain paths:

# Only protect paths starting with /api/ or /admin
set static::CENTINEL_URI_REGEX {^/(api|admin)/}

Timeout configuration

Adjust API timeout for your network. Default is 150ms.

Edit line 24 in the Centinel iRule:

# Increase timeout to 300ms for slower networks
set static::CENTINEL_timeout 300

Recommendations:

Low latency networks (same region): 100-150ms
Cross-region: 200-300ms
High latency: 400-500ms (max recommended)

Debug logging

Enable detailed logging for troubleshooting:

Edit the Centinel iRule and set these variables (around lines 32-36):

# Enable debug logging
set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1

View logs:

# Real-time log monitoring
tail -f /var/log/ltm | grep CENTINEL

# Search for errors
grep "CENTINEL ERROR" /var/log/ltm

High-speed logging (optional):

For high-traffic environments, configure High-Speed Logging (HSL):

set static::CENTINEL_LOG_PUBLISHER "/Common/remote_log_publisher"

Performance optimization

For high-traffic sites (10,000+ req/s):

Use connection pooling - The iRule automatically reuses connections to the Centinel API

Adjust virtual server connection limits:

tmsh modify ltm virtual centinel_api_ssl_vs connection-limit 10000

Monitor iRule execution time:
```
tmsh show ltm rule Centinel
```
Average execution time should be < 5ms for local processing.
Scale horizontally - Apply to multiple F5 devices in an HA pair or cluster

Connection pooling is handled automatically by the HTTP Super SIDEBAND Requestor (HSSR).

Security decisions

The Centinel API returns one of four decisions:

Decision	Action	Description
`allow`	Request proceeds	Clean traffic, forward to origin
`block`	403 Forbidden	Malicious bot detected, request blocked
`redirect`	Challenge page	Suspicious traffic, present challenge
`not_matched`	Request proceeds	No rule matched, allow by default

Challenge flow (redirect decision)

When a redirect decision is returned:

F5 serves a base64-encoded HTML challenge page to the client
Browser executes JavaScript challenge
Challenge validation cookie is set
Client is redirected back to original URL
Subsequent request includes validation cookie
Centinel validates cookie and allows request

Configuration reference

Main iRule variables

Edit these in the Centinel iRule (lines 5-36):

Variable	Default	Description
`CENTINEL_SECRET_KEY`	(required)	Your API key from Centinel dashboard
`CENTINEL_MODULE_VERSION`	`1.0.0`	Module version (informational)
`CENTINEL_vs`	`/Common/centinel_api_ssl_vs`	Name of API virtual server
`CENTINEL_timeout`	`150`	API timeout in milliseconds
`CENTINEL_URI_REGEX_EXCLUSION`	(see code)	Regex pattern for paths to skip
`CENTINEL_LOG_REQUEST_HEADERS`	`0`	Log outbound request headers (0=off, 1=on)
`CENTINEL_LOG_RESPONSE_HEADERS`	`0`	Log API response headers (0=off, 1=on)
`CENTINEL_LOG_REQUEST_TIME`	`0`	Log request timing (0=off, 1=on)

API endpoint

The iRule connects to: https://validator.centinelanalytica.com/validate

This is hardcoded in the iRule.

DNS dependency: The iRule uses RESOLV::lookup to resolve the API hostname. This requires DNS servers configured in TMM (tmsh sys dns). See the DNS Configuration Required warning in Prerequisites.

Network requirements:

DNS servers configured in TMM (not just shell /etc/resolv.conf)
Outbound HTTPS (port 443) allowed from F5 device
TLS 1.2+ support (handled by serverssl-insecure-compatible profile)

Troubleshooting

Start with diagnosis, not solutions.

Don't assume you know the problem. The symptoms (redirect loops, HTTP 555, timeouts) can have multiple causes. Follow the diagnostic steps below to identify what's actually broken.

Most common causes:

TMM DNS not configured (60% of issues)
API virtual server misconfigured or missing (20%)
SSL-Helper not attached (10%)
Network/firewall blocking (5%)
API key incorrect (3%)
Other (2%)

Systematic diagnosis

Before jumping to solutions, figure out what's actually failing:

Step 1: Confirm the symptom

What are you seeing?

Run these commands to gather data:

# Check if iRules are applied
tmsh list ltm virtual your_application_vs rules

# Check recent logs
tail -100 /var/log/ltm | grep -E "CENTINEL|error|Error"

# Test a request and watch logs
tail -f /var/log/ltm | grep CENTINEL &
curl -I https://your-application.com

Common symptoms:

Browser shows redirect loop / ERR_TOO_MANY_REDIRECTS
HTTP 555 errors in logs
"Cannot resolve" errors in logs
Requests timing out
No logs appearing at all
Requests work but don't show in Centinel dashboard

Step 2: Test each component

Work through this checklist:

A. Is the iRule executing at all?

# Check iRule statistics
tmsh show ltm rule Centinel

# Look for "Total Executions" > 0

If Total Executions = 0: iRule not attached to virtual server, or virtual server not receiving traffic
If Total Executions > 0: iRule is running, proceed to next test

B. Can the F5 shell reach the API?

# Test from F5 shell (uses /etc/resolv.conf, NOT TMM DNS)
curl -v --max-time 5 https://validator.centinelanalytica.com/validate \
  -H "X-Centinel-Secret-Key: your_secret_key"

If this works: Shell networking is fine, problem is probably TMM-specific (DNS, virtual server, SIDEBAND)
If this fails: Network/firewall issue affecting the entire F5 device

C. Is TMM DNS configured?

# Check TMM DNS configuration
tmsh list sys dns

If no name-servers shown: DNS not configured—TMM can't resolve hostnames
If name-servers present: DNS is configured, test if it works:

# Test DNS resolution using TMM
run /util dig validator.centinelanalytica.com

If dig fails: DNS servers are configured but not reachable or not working
If dig succeeds: DNS is working, problem is elsewhere

D. Does the API virtual server exist?

# Check if API virtual server exists and is configured correctly
tmsh list ltm virtual centinel_api_ssl_vs

If "not found": Virtual server doesn't exist—create it (see Installation)
If exists, check these fields:
- destination 0.0.0.0:443
- translate-address disabled
- translate-port disabled
- source-address-translation { type automap }

E. Is SSL-Helper attached to API virtual server?

# Check if SSL-Helper iRule is attached
tmsh list ltm virtual centinel_api_ssl_vs rules

If no rules or wrong rule: Attach Centinel-SSL-Helper (see Installation Step 5)
If Centinel-SSL-Helper present: SSL-Helper is attached correctly

F. Is the API key correct?

# Check the configured API key
tmsh list ltm rule Centinel | grep CENTINEL_SECRET_KEY

If key looks wrong or is default: Update the key (see Installation Step 3)
If key looks correct: Test it manually:

curl -v https://validator.centinelanalytica.com/validate \
  -H "X-Centinel-Secret-Key: sk_live_your_actual_key" \
  -H "X-Centinel-Client-IP: 1.2.3.4" \
  -H "X-Centinel-Request-URI: /test"

Should return JSON with "decision":"not_matched" or similar.

Step 3: Analyze the results

Based on your test results:

Test results	Root cause	Solution
iRule not executing	Virtual server not receiving traffic or iRule not attached	Verify virtual server is active and iRule is in the rules list
Shell curl fails	Network/firewall blocking outbound HTTPS	Check firewall rules, routing, NAT configuration
TMM DNS not configured	DNS servers missing from `tmsh sys dns`	Configure DNS: `tmsh modify sys dns name-servers add { 8.8.8.8 }`
DNS configured but dig fails	DNS servers unreachable or wrong	Check DNS server IPs, verify port 53 allowed, test with different DNS servers
API virtual server missing	Installation incomplete	Create virtual server (Installation Step 4)
API virtual server misconfigured	Wrong settings	Verify destination, translation settings, SNAT
SSL-Helper not attached	Installation incomplete	Attach SSL-Helper to API virtual server (Installation Step 5)
API key wrong	Configuration error	Update CENTINEL_SECRET_KEY in iRule
API key test fails	Key invalid or network issue	Verify key in Centinel dashboard, check logs for 401/403 errors
Everything passes but still failing	Complex issue	See "Advanced diagnostics" section below

iRule compilation errors

Error: line X: syntax error

Solution: Make sure you copied the entire iRule file without truncation. Check for special characters or encoding issues.

# Validate iRule syntax before uploading
tmsh create ltm rule test_rule from-file /var/tmp/Centinel.tcl
tmsh delete ltm rule test_rule

API virtual server not working

Error: Unable to connect to Centinel API

Solution: Verify the API virtual server is configured correctly:

# Check virtual server status
tmsh show ltm virtual centinel_api_ssl_vs

# Test DNS resolution
tmsh run util dig validator.centinelanalytica.com

# Test HTTPS connectivity
tmsh run util curl https://validator.centinelanalytica.com/validate

SSL certificate errors

Error: SSL handshake failed

Solution: Use the serverssl-insecure-compatible profile (as shown in installation). This profile allows outbound HTTPS without client certificates.

If you need custom SSL validation:

# Create custom server SSL profile
tmsh create ltm profile server-ssl centinel-serverssl \
    defaults-from serverssl \
    server-name validator.centinelanalytica.com \
    ca-file /config/ssl/ssl.crt/ca-bundle.crt

High latency or timeouts

Symptom: Requests are slow or timing out

Solution:

Increase timeout:
```
set static::CENTINEL_timeout 300
```

Check network path:

# From F5, test API latency
tmsh run util curl -w "@-" -o /dev/null -s \
  https://validator.centinelanalytica.com/validate \
  <<< "time_total: %{time_total}s"

Make sure no firewall blocking - Outbound HTTPS (port 443) must be allowed

No requests showing in dashboard

Symptom: F5 logs show API calls, but Centinel dashboard shows no activity

Solution:

Verify API key: Check that CENTINEL_SECRET_KEY is correct
Check API response: Enable debug logging to see API responses:
```
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
```

Confirm virtual server is receiving traffic:

tmsh show ltm virtual your_application_vs

Redirect loop or too many redirects

Symptom: Browser shows ERR_TOO_MANY_REDIRECTS or "This page isn't working"

Multiple possible causes. Don't assume this is a DNS issue. This symptom can be caused by:

TMM DNS not configured (most common)
API virtual server misconfigured
SSL-Helper not attached
Network/firewall blocking
Wrong API virtual server name in iRule config

Run through the diagnostic steps above first to identify the actual root cause.

If you've confirmed this is a DNS issue, here's the typical error chain:

TMM DNS not configured → RESOLV::lookup fails
Can't resolve validator.centinelanalytica.com
SSL-Helper can't connect to API → HTTP 555 error
Fail-open allows the request through
Application redirects → loop continues

DNS-specific solution:

Check DNS configuration:
```
tmsh list sys dns
```

Add DNS servers if missing:

tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Test DNS resolution:
```
run /util dig validator.centinelanalytica.com
```
You should see an ANSWER SECTION with IP addresses.
Verify logs show success:
```
tail -f /var/log/ltm | grep CENTINEL
```
Look for successful API responses instead of HTTP 555 errors.

TMM vs Shell DNS: The F5 BIG-IP has two separate DNS systems:

Shell DNS (/etc/resolv.conf) - Used by bash commands like curl, dig, nslookup
TMM DNS (tmsh sys dns) - Used by iRules via RESOLV::lookup

Even if curl https://validator.centinelanalytica.com works from the F5 shell, the iRule needs TMM DNS configured to resolve hostnames.

HTTP 555 errors in logs

Symptom: Logs show API returned HTTP 555 or SIDEBAND connection failed

What it means: HTTP 555 isn't a standard status code. In F5, it indicates a SIDEBAND connection failure (the iRule couldn't connect to the API virtual server).

Why this happens: SIDEBAND connections fail when any part of the connection chain is broken:

DNS can't resolve the hostname
API virtual server doesn't exist or is misconfigured
SSL-Helper iRule not attached to API virtual server
Network/firewall blocking the connection
Wrong virtual server name in CENTINEL_vs variable

Use systematic diagnosis: Rather than guessing, run through the diagnostic steps above (Step 2, tests A-F) to pinpoint which component is failing.

Quick diagnostic steps:

Check DNS configuration:
```
tmsh list sys dns
```
If no name-servers shown, configure DNS (see "DNS resolution failures" section).

Verify API virtual server exists:

tmsh list ltm virtual centinel_api_ssl_vs

Test network connectivity:

curl -v https://validator.centinelanalytica.com/validate

Check firewall rules: Make sure outbound HTTPS (port 443) is allowed from the F5 device

Enable debug logging:

set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1

Quick checklist:

TMM DNS configured (tmsh list sys dns)
API virtual server exists (centinel_api_ssl_vs)
SSL-Helper iRule attached to API virtual server
DNS resolves hostname (run /util dig validator.centinelanalytica.com)
Outbound port 443 allowed
API key is correct in CENTINEL_SECRET_KEY

DNS resolution failures

Error: cannot resolve validator.centinelanalytica.com in logs

Solution:

Configure TMM DNS servers:

# Add public DNS servers
tmsh modify sys dns name-servers add { 8.8.8.8 1.1.1.1 }
tmsh save sys config

Verify configuration:

tmsh list sys dns

Expected:

sys dns {
    name-servers { 8.8.8.8 1.1.1.1 }
}

Test resolution:

run /util dig validator.centinelanalytica.com

Expected output should include:

;; ANSWER SECTION:
validator.centinelanalytica.com. 300 IN A 13.248.169.98
validator.centinelanalytica.com. 300 IN A 76.223.95.45

Verify iRule can now resolve:
```
tail -f /var/log/ltm | grep CENTINEL
```
You should no longer see DNS resolution errors.

Use your organization's internal DNS servers instead of public DNS for better performance, security, and compliance. Internal DNS servers are typically faster and allow you to resolve internal hostnames if needed.

Still having issues after DNS configuration?

If DNS is configured but you're still having problems, do advanced diagnostics:

1. Verify DNS is actually working in TMM

Test DNS resolution from within the iRule context:

# Enable detailed iRule logging
tmsh modify ltm rule Centinel
# Add this line temporarily after line 10:
# log local0. "DNS TEST: [RESOLV::lookup @validator.centinelanalytica.com]"

Watch the logs:

tail -f /var/log/ltm | grep "DNS TEST"

Expected: You should see IP addresses like 13.248.169.98 76.223.95.45

If empty or error: DNS resolution is failing in TMM even though tmsh list sys dns shows servers.

2. Capture network traffic

Use tcpdump to see if HTTPS requests are actually being sent:

# Capture outbound traffic to Centinel API
tcpdump -i 0.0 -n host validator.centinelanalytica.com -w /var/tmp/centinel-traffic.pcap

Generate some traffic to your application, then:

# Stop tcpdump (Ctrl+C), then analyze
tcpdump -r /var/tmp/centinel-traffic.pcap -n

Look for:

DNS queries (port 53) - Should see A record requests
SYN packets to port 443 - Should see connection attempts
TLS handshakes - Should see successful SSL negotiation

If you see no traffic: The SIDEBAND connection isn't being attempted at all.

3. Check for firewall/routing issues

# Test routing to API
tmsh run util traceroute validator.centinelanalytica.com

# Check if firewall is blocking
tmsh run util curl -v --connect-timeout 5 https://validator.centinelanalytica.com/validate

If curl hangs or times out: Network path is blocked (firewall, routing, NAT issues).

4. Verify virtual server is actually listening

# Check if API virtual server is accepting connections
tmsh show ltm virtual centinel_api_ssl_vs

# Look for these fields:
# - Availability: available (should be green)
# - State: enabled
# - Reason: The virtual server is available

If unavailable: Virtual server configuration is wrong.

5. Enable maximum debug logging

Edit the Centinel iRule and enable all debug flags:

set static::CENTINEL_LOG_REQUEST_HEADERS 1
set static::CENTINEL_LOG_RESPONSE_HEADERS 1
set static::CENTINEL_LOG_REQUEST_TIME 1

Also, add detailed logging around the SIDEBAND call (around line 800-850 in the iRule):

# Find the SIDEBAND::connect line and add logging before/after
log local0. "CENTINEL DEBUG: Attempting SIDEBAND connection to $raddr"
set conn [SIDEBAND::connect ...]
log local0. "CENTINEL DEBUG: SIDEBAND result: [SIDEBAND::state $conn]"

Watch logs for detailed connection flow:

tail -f /var/log/ltm | grep -E "CENTINEL|SIDEBAND"

6. Test with hardcoded IP (temporary workaround)

As a diagnostic test, temporarily bypass DNS by hardcoding the IP:

# In Centinel iRule, around line 780-790, replace:
set raddr [RESOLV::lookup @validator.centinelanalytica.com]

# With:
set raddr "13.248.169.98"

If this works: Confirms DNS is the issue. Investigate why TMM DNS isn't resolving.

If this still fails: The problem isn't DNS—it's network connectivity, virtual server config, or SSL profile.

Don't use hardcoded IPs in production. This is for diagnostics only. The API uses load balancing and IPs may change.

7. Check for TMM resource exhaustion

# Check TMM memory and connection limits
tmsh show sys tmm-info
tmsh show sys connection

# Check for error messages
grep -i "memory\|exhausted\|limit" /var/log/ltm

If TMM is resource-constrained: You may need to increase connection limits or add more resources.

8. Verify TLS compatibility

Test TLS handshake explicitly:

# Test TLS connection from F5
openssl s_client -connect validator.centinelanalytica.com:443 -showcerts

# Check for successful handshake and certificate chain

Look for: Verify return code: 0 (ok) or certificate verification errors.

Information to gather for support

If nothing above resolves your issue, collect this information before contacting Centinel support:

# 1. System information
tmsh show sys version
tmsh show sys provision

# 2. DNS configuration
tmsh list sys dns

# 3. Virtual server configs
tmsh list ltm virtual centinel_api_ssl_vs all-properties
tmsh list ltm virtual your_application_vs all-properties

# 4. iRule status
tmsh show ltm rule Centinel
tmsh show ltm rule Centinel-SSL-Helper

# 5. Recent logs (last 200 lines with CENTINEL)
grep CENTINEL /var/log/ltm | tail -200

# 6. Network test results
run /util dig validator.centinelanalytica.com
run /util curl -v https://validator.centinelanalytica.com/validate

# 7. Active connections
tmsh show ltm virtual centinel_api_ssl_vs

Package this information and include:

Description of the problem (exact error messages)
When it started (after config change? Always?)
Traffic patterns (all requests failing? Intermittent?)
Any recent changes to F5 configuration

Common edge cases:

Multiple DNS servers, some unreachable: F5 may try unreachable servers first, causing delays. Remove unreachable servers.
DNS servers behind firewall: Make sure F5 can reach DNS servers on port 53 (UDP/TCP).
IPv6-only DNS responses: If API returns only AAAA records and F5 doesn't have IPv6, add IPv4 DNS servers.
Proxy/NAT environments: Make sure F5's outbound IP is allowed through proxy/NAT rules.
Certificate verification failures: Use serverssl-insecure-compatible profile (as documented) or configure proper CA bundle.

Fail-open architecture

The integration uses fail-open behavior for maximum reliability:

API timeout → Request allowed
API unreachable → Request allowed
Network error → Request allowed
DNS failure → Request allowed
SSL error → Request allowed

Only when the API explicitly returns block is traffic blocked.

F5 BIG-IP iRules

On this page