Manual Chapter : Evaluating and Deploying Changes

Applies To:

BIG-IQ Centralized Management

  • 5.0.0

How do I evaluate changes made to managed objects?

To change the object settings on a managed device, there are four tasks to perform.

This figure illustrates the workflow you perform to manage the objects on BIG-IP® devices. Evaluating the changes you have made is the third step in this process.

Figure: Evaluate object changes. Overview of evaluating changes made to managed objects

Note: If you need to make an urgent change, you can skip the evaluation step. However, we highly recommend evaluation in all but emergency situations. See Making an urgent deployment for details.

How do I deploy changes made to managed objects?

Deploying changes applies the revisions that you have made on the BIG-IQ® to the managed BIG-IP® devices.

Note: Before the BIG-IQ deploys configuration changes, it first reimports the configuration from the managed device to ensure there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device and then deploy the configuration changes.
  • To accept the default, proceed with the deployment. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP device.
  • To override the default, rediscover the device and reimport the service. Any changes that have been made using the BIG-IQ are overwritten with the settings from the managed BIG-IP device.

This figure illustrates the workflow you perform to manage the objects on BIG-IP devices. Deploying the settings is the last step in this process.

Figure: Deploy object changes. Change managed object workflow

How does deployment to devices in a cluster work?

When you created a cluster in BIG-IQ® inventory, you chose a deployment option for the devices in that cluster.

If you chose to initiate BIG-IP® DSC® sync, and the Sync-Failover group on the BIG-IP system is configured for manual sync, after deployment to either device in the HA pair, Access kicks off manual sync to the other device. If manual sync succeeds, the deployment is successful. Otherwise, the deployment status shows an error.

If you chose to initiate BIG-IP DSC sync and the Sync-Failover group on the BIG-IP system is configured for automatic sync, after deploying to either device in the HA pair, automatic sync propagates the configuration to the other device. If automatic sync succeeds, the deployment is successful. Otherwise, the deployment status shows an error.

If you chose to ignore BIG-IP DSC sync, you must deploy the configuration from BIG-IQ to both devices in the cluster.

Note: After this, DSC sync conflicts may occur for these devices.

Evaluating Access configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they may not cause the deployment to fail, but should be reviewed nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments may fail.
  1. Log in to the BIG-IQ system with your user name and password.
    Important: You must log in as a user with Administrator, Access Manager, or Access Deployer access to perform this task.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Access.
    The screen opens to show a list of Access evaluations and deployments that have been created on this device.
  5. Under Evaluations, click Create.
    The Create Evaluation screen opens.
  6. In the Name field, type in a name for the evaluation task you are creating.
  7. In the Description field, type in a brief description for the evaluation task you are creating.
  8. For the Source, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  9. In the Target settings, from the Group list, select the Access group that you want to evaluate.
    Devices in the group display in the Available field.
  10. Move the devices that you want to evaluate to the Selected field.
    Note: If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    Note: If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. If you want to apply access policies on each BIG-IP device after deployment, select Automatically apply policies after deployment.
  12. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the Difference link.
      Each change is listed. You can review each one by clicking the name.
  13. If the evaluation shows that you must evaluate and deploy Local Traffic configurations, do that before you deploy this evaluation.

To apply the object changes to the managed device, you must deploy them.

Evaluating LTM configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they may not cause the deployment to fail, but should be reviewed nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments may fail.
  1. Log in to the BIG-IQ® system with your user name and password.
    Important: You must log in as an Administrator, ADC Manager, or ADC Deployer to perform this task.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Local Traffic & Network.
    The screen opens to show a list of LTM evaluations and deployments that have been created on this device.
  5. Under Evaluations, click Create.
    The Create Evaluation screen opens.
  6. In the Name field, type in a name for the evaluation task you are creating.
  7. In the Description field, type in a brief description for the evaluation task you are creating.
  8. For the Source, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  9. For the Target setting, identify the devices for which you want to evaluate changes.
    1. If the devices are in a device group, select Group, and select the group from the list.
    2. If the devices are not in a device group, select Device.
    3. Select the devices from the Available list, and use the arrow button to move the devices to the Selected list.
      Important: If you deploy changes to a device that is in a DSC® cluster, you must include both devices before you can create the evaluation.
      Important: If the device in the Selected list has a filled circle in front of it, a deployment is needed for the BIG-IP device configuration to match the BIG-IQ working configuration for that BIG-IP device. This notification occurs only when creating Web Application Security evaluations.
  10. Click the Create button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation completes, you will see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the Difference link.
      Each change is listed. You can review each one by clicking the name.

To apply the object changes to the managed device, you must deploy them.

Deploying LTM configuration changes

When a BIG-IQ® system evaluation of the Access configuration advises you to, you should deploy LTM® before you deploy Access.

  1. Log in to the BIG-IQ® system with your user name and password.
    Important: You must log in as an Administrator or ADC Deployer to perform this task.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Local Traffic & Network.
    The screen displays a list of LTM evaluations and deployments defined on this device.
  5. Click the name of the evaluation that you want to deploy.
    The View Evaluation screen opens.
  6. Specify whether you want to deploy the changes immediately or schedule deployment for later.
    • To deploy this change immediately:
      1. Select Deploy Now.
      2. Click Deploy to confirm.
    • To deploy this change later:
      1. Select Schedule for later.
      2. Select the date and time.
      3. Click Schedule Deployment.
      4. Click Schedule Deployment again to confirm.
    The process of deploying changes can take some time, especially if there are a large number of changes. During this time, you can click Cancel to stop the deployment process.
    Important: If you cancel a deployment, some of the changes may have already deployed. Cancel does not roll back these changes.
The evaluation you chose is added to the list of deployments on the bottom half of the screen.
  • If you chose to deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
  • If you chose to delay deployment, the Status column displays the scheduled date and time.

Deploying the Access configuration

To apply the Access configuration on the BIG-IQ system to your managed devices, you deploy the configuration.
  1. Log in to the BIG-IQ® system with your user name and password.
    Important: You must log in as an Administrator, Access Manager, or Access Deployer user to perform this task.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Access.
    The screen displays a list of Access evaluations and deployments defined on this device.
  5. Click the name of the evaluation that you want to deploy.
    The View Evaluation screen opens.
  6. Specify whether you want to deploy the changes immediately or schedule deployment for later.
    • To deploy this change immediately:
      1. Select Deploy Now.
      2. Click Deploy to confirm.
    • To deploy this change later:
      1. Select Schedule for later.
      2. Select the date and time.
      3. Click Schedule Deployment.
      4. Click Schedule Deployment again to confirm.
    The process of deploying changes can take some time, especially if there are a large number of changes. During this time, you can click Cancel to stop the deployment process.
    Important: If you cancel a deployment, some of the changes may have already deployed. Cancel does not roll back these changes.
The evaluation you chose is added to the list of deployments on the bottom half of the screen.
  • If you chose to deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
  • If you chose to delay deployment, the Status column displays the scheduled date and time.

Access deployment errors and warnings: causes and resolutions

Each entry lists the problem, followed by its description and resolution.

Problem: Access profile type mismatch
  • Description: The deployment process imports an access profile from the source device to the other devices in the Access group. If an access profile of the same name exists on a non-source device, the access profile types must match. If it does not, a critical error occurs and deployment fails.
  • Resolution: On the non-source BIG-IP® device, delete the access profile. Then, redeploy on the BIG-IQ® system.

Problem: Sandbox object outside of the /Common partition
  • Description: If partitions exist on the source device in addition to the /Common partition, they contain sandbox objects by default. When the deployment process tries to create the sandbox objects, if the same partitions do not exist on the non-source devices, a critical error occurs and deployment fails.
  • Resolution: On each non-source BIG-IP device, create the same partitions that exist on the source device. Then, redeploy on the BIG-IQ system.

Problem: Machine account
  • Description: A machine account exists on the source device, but does not exist on a non-source device. A critical error occurs when the deployment process tries to create a machine account on non-source BIG-IP system.
  • Resolution: On each non-source BIG-IP device, create a machine account of the same name as the one on the source device. Then, redeploy on the BIG-IQ system.

Problem: Non-Access objects
  • Description: The deployment evaluation process finds that certain virtual servers, SSL profiles, and other objects are used by access policies on the source device but are not present on a non-source device. A critical error occurs because the deployment process cannot create objects not managed by Access.
  • Resolution: Create the objects on the non-source BIG-IP devices where needed. Then, redeploy on the BIG-IQ system.

Problem: Pools, pool members, self IPs, route domains
  • Description: Access objects refer to pools, pool members, self IP addresses, and route domains, all of which are managed in ADC. If any of these objects is not present on the source device, evaluation provides a warning that LTM® must be deployed before Access can be deployed. If the warning is ignored, Access deployment fails.
  • Resolution: Deploy LTM. Then re-discover LTM before trying to deploy Access.

Problem: Adding or updating an OAM server
  • Description: An Oracle Access Manager (OAM) AAA server exists on the source device. If the deployment process must add or update the OAM server on a non-source device, a message displays advising that the eam service on the BIG-IP device must be restarted. The deployment succeeds.
  • Resolution: After the deployment completes, restart the eam service on the non-source BIG-IP device.