Manual Chapter: Maintaining OPSWAT Libraries with a Sync-Failover Device Group

Overview: Updating antivirus and firewall libraries with a Sync-Failover device group

This implementation describes how to upload antivirus and firewall libraries from OPSWAT to one BIG-IP® Access Policy Manager® device, and to install an antivirus and firewall library to that device, or to multiple devices in a device group.

To download OPSWAT OESIS library updates, you must have an account with OPSWAT, and be able to download software updates.

To synchronize installation between multiple devices, you configure a Sync-Failover device group that includes the devices between which you want to synchronize installation of updates. Device group setup requires establishing trust relationships between devices, creating a device group, and synchronizing settings.

About device groups and synchronization

When you have more than one BIG-IP device in a local trust domain, you can synchronize BIG-IP configuration data among those devices by creating a device group. A device group is a collection of BIG-IP™ devices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certain devices from config sync, you can simply exclude them from membership in that particular device group.

You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizing other data in a more granular way, on an individual application level to a subset of devices.

Important: To configure redundancy on a device, you do not need to explicitly specify that you want the BIG-IP device to be part of a redundant configuration. Instead, this occurs automatically when you add the device to an existing device group.

Before you configure device trust

Before you configure device trust, you should consider the following:

  • Only version 11.x or later systems can join the local trust domain.
  • You can manage device trust when logged in to a certificate signing authority only. You cannot manage device trust when logged in to a subordinate non-authority device.
  • If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group.
  • As a best practice, you should configure the config sync and mirroring addresses on a device before you add that device to the trust domain.

Task summary

The configuration process for a BIG-IP® system entails adding the OPSWAT library update to one system, then installing it to that same system, or to a device group. You must pre-configure a device group to install the update to multiple systems.

Establishing device trust

Verify that each BIG-IP® device that is to be part of a local trust domain has a device certificate installed on it.
This task establishes a local trust domain between the local device (that is, the device you are logged in to) and devices you specify during the process. A local trust domain is any number of BIG-IP devices that have a trust relationship with one another. Perform this task on any one of the BIG-IP devices that are in the same device group.
  1. On the Main tab, click Device Management > Device Trust, and then either Peer List or Subordinate List.
  2. In the Peer Authority Devices or the Subordinate Non-Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP® device. This IP address can be either a management IP address or a self IP address.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the name of the remote device is correct.
  7. Verify that the management IP address and name of the remote device are correct.
  8. Click Finished.

Adding a device to the local trust domain

Verify that each BIG-IP® device that is to be part of a local trust domain has a device certificate installed on it.
Follow these steps to log in to any BIG-IP® device on the network and add one or more devices to the local system's local trust domain.
Note: Any BIG-IP devices that you intend to add to a device group at a later point must be members of the same local trust domain.
  1. On the Main tab, click Device Management > Device Trust, and then either Peer List or Subordinate List.
  2. In the Peer Authority Devices or the Subordinate Non-Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP® device. This IP address can be either a management IP address or a self IP address.
  4. Verify that the certificate of the remote device is correct.
  5. Verify that the name of the remote device is correct.
  6. Verify that the management IP address and name of the remote device are correct.
  7. Click Retrieve Device Information.
The local device and the devices you specified in this procedure now have a trust relationship and are therefore qualified to join a device group.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP devices. If the active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You can perform this task on any authority device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. The Device Groups screen displays a list of existing device groups.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Selected list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  5. For Network Failover, select the Enabled check box.
  6. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.
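
The prerequisites listed under "Before you configure device trust", the device certificate check, and the one-Sync-Failover-group-per-device rule can be checked against an inventory before any device is added. The following is an added example, not F5 code: the Device record, its field names, the hostnames, and the group names are assumptions made for illustration, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    # Hypothetical inventory record; field names are assumptions for this example.
    hostname: str
    version: str                      # software version string, e.g. "11.4.0"
    has_device_cert: bool
    configsync_addr: Optional[str]
    mirror_addr: Optional[str]
    sync_failover_group: Optional[str] = None   # current membership, if any

def preflight(devices, target_group):
    """Return {hostname: [(severity, message), ...]} for devices with findings."""
    findings = {}
    for d in devices:
        issues = []
        try:
            if int(d.version.split(".", 1)[0]) < 11:
                issues.append(("blocker", "only 11.x or later can join the local trust domain"))
        except ValueError:
            issues.append(("blocker", f"unparseable version {d.version!r}"))
        if not d.has_device_cert:
            issues.append(("blocker", "no device certificate installed"))
        if d.sync_failover_group not in (None, target_group):
            issues.append(("blocker", f"already in Sync-Failover group {d.sync_failover_group}"))
        if not d.configsync_addr:
            issues.append(("advisory", "config sync address not set before joining trust"))
        if not d.mirror_addr:
            issues.append(("advisory", "mirroring address not set before joining trust"))
        if issues:
            findings[d.hostname] = issues
    return findings

def ready(devices, target_group):
    """Hostnames with no blocker findings, in inventory order."""
    found = preflight(devices, target_group)
    return [d.hostname for d in devices
            if not any(sev == "blocker" for sev, _ in found.get(d.hostname, []))]

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("bigip-a.example.test", "11.4.0", True, "10.0.0.1", "10.0.0.1"),
    Device("bigip-b.example.test", "10.2.4", True, "10.0.0.2", "10.0.0.2"),
    Device("bigip-c.example.test", "11.4.0", False, None, "10.0.0.3"),
    Device("bigip-d.example.test", "11.4.0", True, "10.0.0.4", "10.0.0.4", "dg-other"),
    Device("bigip-e.example.test", "12.1.0", True, "10.0.0.5", None),
]
```

Missing config sync or mirroring addresses are reported as advisory because the chapter lists them as a best practice, while the version, certificate, and group-membership findings block the device.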

Uploading an OPSWAT update to Access Policy Manager

When new updates to OPSWAT antivirus and firewall libraries are made available, you can add these updates to the BIG-IP system. To upload an update to the BIG-IP system, you must first download an update, using a registered account, from the OPSWAT web site.
  1. On the Main tab, click System > Software Management > Antivirus Check Updates. The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
  2. Click the Upload button to add an OPSWAT update. The Upload Package screen appears.
  3. Click Browse and select an OPSWAT package ZIP file to upload.
  4. Select an install option from the list.
    • Select Do Not Install to upload the package to the local device, but without installing the OPSWAT package on the system.
    • Select Install on this device to upload the package to the local device, and then install the OPSWAT package to this device.
    • Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
  5. Click Ok.
The OPSWAT package file is added to the list on the System > Software Management > Antivirus Check Updates page. You can install or delete OPSWAT packages from this page.

Installing an OPSWAT update on one or more Access Policy Manager devices

After you have uploaded an OPSWAT antivirus and firewall library update to the BIG-IP system, you can install the update to one or more BIG-IP systems in a device group.
  1. On the Main tab, click System > Software Management > Antivirus Check Updates. The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
  2. Double-click an OPSWAT package to view details about the update and included firewall or antivirus libraries.
  3. Select an OPSWAT package and click Install. The Install Package screen opens.
  4. Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
  5. Click Ok.
The OPSWAT update is installed on the selected systems. You can view the installed and available OPSWAT versions on the Software Management > Antivirus Check Updates screen.

Viewing antivirus and firewall support in the installed OPSWAT version

After you install an OPSWAT update to one or more systems, from the system that performed the update, you can view details of the OPSWAT version, including supported antivirus and firewall features for all supported platforms.
  1. On the Main tab, click System > Software Management > Antivirus Check Updates. The Package Status screen displays a list of OPSWAT packages available on the device.
  2. Click the Device Status button. The Device Status screen appears and shows the installed OPSWAT version.
  3. To select a different device group on which to view the installed OPSWAT version, select the device group from the Local Device/Device Group list.
  4. Under Installed OESIS version, click the version number for which you want to view the OPSWAT features chart. The OPSWAT Integration web page opens in a new browser tab or window. By default, this page shows Antivirus Integration for Windows.
  5. From the list boxes at the top of the screen, select the page to view. You can select Antivirus or Firewall, and you can select to view supported products for Windows, Mac, or Linux.
  6. Click the Show button to view the list of supported products for the type and platform you selected.
A page displays all supported products and implemented features for the OPSWAT version you specified.

Implementation result

To summarize, you have now uploaded an OPSWAT update to one BIG-IP system, and installed it to one system, or to multiple systems in a device group.

You can view the installed and available OPSWAT versions on the Software Management > Antivirus Check Updates screen.
