Manual Chapter: Managing Access Groups

Applies To:

BIG-IQ Centralized Management

  • 5.1.0

How do I start to centrally manage APM configurations from BIG-IQ?

Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ® system to other BIG-IP® devices.

Step 1. Add the BIG-IP device to the inventory list on the BIG-IQ system. You enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).

Step 2. Discover the APM and the Local Traffic Manager™ (LTM) configurations. You must discover LTM first, because APM uses some resources that are managed by LTM.

Step 3. Import the LTM configuration into the BIG-IQ system.

Step 4. Import the APM configuration into the BIG-IQ system. Importing the APM configuration requires that the device be added to an Access group. You can create a new Access group with the device as the source device, or you can add the device to another Access group as a non-source device.

What is the best way to create an Access group?

After you add devices to the BIG-IQ® system and discover them, you can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.

  • From the Access user interface, you can add multiple devices to an Access group at once. Using this method, you select multiple devices, with one device specified as the source device. Access then imports configurations from the devices, and creates the Access group.
  • From the Device Management user interface, you can add one device at a time to an Access group when you import the APM service from each device.

Adding devices to the BIG-IQ inventory

Before you can add BIG-IP® devices to the BIG-IQ® inventory:

  • The BIG-IP device must be located in your network.
  • The BIG-IP device must be running a compatible software version. Refer to https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html for more information.
  • Ports 22 and 443 must be open to the BIG-IQ management address, or any alternative IP address used to add the BIG-IP device to the BIG-IQ inventory. These ports and the management IP address are open by default on BIG-IQ.
Note: A BIG-IP device running versions 10.2.0 - 11.4.1 is considered a legacy device and cannot be discovered from BIG-IQ version 5.0. If you were managing a legacy device in a previous version of BIG-IQ and upgraded to version 5.0, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to 11.5.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
Note: Access supports BIG-IP system software version 12.1 only.
You add BIG-IP devices to the BIG-IQ system inventory as the first step to managing them.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. Click the Add Device button.
  4. In the IP Address field, type the IPv4 or IPv6 address of the device.
  5. In the User Name and Password fields, type the user name and password for the device.
  6. To add this device to a new cluster:
    Important: If a device is not a member of a Sync-Failover group that you configured to support an Active-Standby configuration for APM, do not add it to a cluster.
    If the device is the first member of a Sync-Failover group that you have added to the BIG-IQ system, add it to a new cluster. It does not matter whether this device is the Active or the Standby member of the group.
    1. From the Cluster Display Name list, select Create New, and then type a new name for this new cluster.
      A cluster name must be unique on the BIG-IQ system. It does not need to match the name of the Sync-Failover group on the BIG-IP device. However, ensuring some similarity between the names might be useful to you, because when you add the second member of the group, you must add it to the same cluster.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option to prompt BIG-IQ to start the DSC synchronization process so that any configuration change made to this device is synchronized with other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  7. To add this device to an existing cluster:
    If the device is the second member of a Sync-Failover group that you have added to the BIG-IQ system, add the device to the existing cluster for that Sync-Failover group.
    1. From the Cluster Display Name list, select Use Existing, and then select the cluster from the list.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option to prompt BIG-IQ to push any configuration changes to this device to other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  8. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks its framework.
    Note: The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  9. Click the Add button at the bottom of the screen.
    When complete, a popup screen displays a status and options to discover service configurations immediately.
  10. To discover configurations for APM® and LTM® now, select Access Policy Manager (APM); the Local Traffic Manager (LTM) check box is selected automatically. Then click Discover.
    You can discover service configurations now or do it later.
    BIG-IQ discovers the configurations for the APM and LTM services.
BIG-IQ displays a discovering message in the Services column of the inventory list.

Discovering the LTM and APM service configurations

Before you can import configurations from a device, you must first discover them. To prepare to create an Access configuration on the BIG-IQ® system, you must discover the Local Traffic Manager™ (LTM®) service configuration, and then discover the Access Policy Manager® (APM) service configuration.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. Click the name of the device you want to discover the service configuration from.
  4. On the left, click Services.
  5. For Local Traffic Manager (LTM), click Discover.
    You must wait for discovery to complete before you continue.
  6. For Access Policy Manager (APM), click Discover.

Importing the LTM service configuration

You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager® (APM) service configuration from a discovered device, you must import the Local Traffic Manager™ (LTM®) service configuration.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. Click the name of the device you want to import the service configuration from.
  4. On the left, click Services.
  5. For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  6. For Local Traffic Manager (LTM), click Import.
The LTM service configuration is imported.

Importing the APM configuration into an Access group

You must discover a service configuration before you can import it.
You import Access Policy Manager® (APM) configuration objects from a device to manage the device configuration from the BIG-IQ® system. As part of the import process, you select an Access group.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. Click the name of the device you want to import the service configuration from.
  4. On the left, click Services.
  5. For Access Policy (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  6. For Access Policy (APM), click Import.
  7. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field, type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    Important: You must add both members of an HA pair to the same Access group.
    The device in the Group Source Device provides the shared configuration for all devices in the Access group.
    If you add the device to a new Access group, it becomes the source device; its shared resources and device-specific resources are imported. If you add the device to an existing Access group, it becomes a non-source device; its device-specific resources are imported.
The APM service configuration is imported.
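
The ordering and grouping rules stated in this chapter (LTM before APM, discover before import, legacy and Access-supported versions, both HA pair members in one Access group) can be checked against an onboarding plan before anyone opens the user interface. The following is an added example, not F5 code and not part of the original manual; the plan format, dictionary keys, step names, and device names are hypothetical, and treating any 12.1.x release as "12.1" is an assumption.

```python
import re

LEGACY_MIN, LEGACY_MAX = (10, 2, 0), (11, 4, 1)  # legacy range stated in the chapter

def parse_version(text):
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]  # '12.1' -> [12, 1]
    return tuple(parts + [0] * (3 - len(parts)))            # pad to (12, 1, 0)

def version_status(text):
    v = parse_version(text)
    if LEGACY_MIN <= v <= LEGACY_MAX:
        return "legacy"      # cannot be discovered; upgrade to 11.5.0 or later
    if v[:2] == (12, 1):
        return "access-ok"   # assumption: any 12.1.x counts as "12.1"
    return "no-access"       # not a version Access supports

# (prerequisite, dependent): the first step must come before the second.
ORDER = [("discover-ltm", "discover-apm"), ("discover-ltm", "import-ltm"),
         ("discover-apm", "import-apm"), ("import-ltm", "import-apm")]

def check_plan(devices):
    """Return findings for a plan; dict keys are hypothetical, not BIG-IQ fields."""
    findings, groups_by_cluster = [], {}
    for d in devices:
        status = version_status(d["version"])
        if status != "access-ok":
            findings.append(f"{d['name']}: version {d['version']} is {status}")
        steps = d["steps"]
        for first, then in ORDER:
            if then in steps and (first not in steps or steps.index(first) > steps.index(then)):
                findings.append(f"{d['name']}: {then} requires {first} first")
        if d["cluster"]:  # member of a Sync-Failover group
            groups_by_cluster.setdefault(d["cluster"], set()).add(d["access_group"])
    for cluster, groups in sorted(groups_by_cluster.items()):
        if len(groups) > 1:
            findings.append(f"{cluster}: HA pair split across Access groups {sorted(groups)}")
    return findings

SAMPLE_PLAN = [  # constructed sample data
    {"name": "bigip-a", "version": "12.1.0", "cluster": "dc1-pair", "access_group": "corp-vpn",
     "steps": ["discover-ltm", "discover-apm", "import-ltm", "import-apm"]},
    {"name": "bigip-b", "version": "12.1.0", "cluster": "dc1-pair", "access_group": "partner-vpn",
     "steps": ["discover-apm", "discover-ltm", "import-ltm", "import-apm"]},
    {"name": "bigip-c", "version": "11.4.1", "cluster": None, "access_group": "corp-vpn",
     "steps": ["discover-ltm", "import-ltm"]},
]

if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_PLAN)))
```

An empty result means the plan is consistent with the rules in this chapter; it does not confirm that the devices themselves are reachable or compatible.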

Creating an Access group

Before you can create an Access group, you must have at least one device discovered. You must have imported the LTM® service configuration from a device before you can add that device to an Access group.
You create an Access group to start to manage the Access configuration for a group of devices.
Note: When you create an Access group, the service configurations for the devices are imported.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Access from the BIG-IQ menu.
  3. Click the Create button.
    The New Group screen opens.
  4. In the Name field, type a name for the Access group.
  5. From Source Device, select the device to be the source of the shared configuration for other devices in the group.
  6. If there are devices in the Managed BIG-IP APM Devices setting that you want to add to the group now, move them to the Selected list.
  7. Click Create & Import.
    The Access Groups screen opens. Progress information displays in the Status column.
  8. If the system discovers differences between a source device and non-source devices, you can see them by clicking the View Differences link in the Status column.

Adding a device to an existing Access group

Before you start, you must have at least one device with the APM® service discovered. You must also have imported the LTM® service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. Access also creates any device-specific resources that it is missing, from the source device configuration.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Access from the BIG-IQ menu.
  3. Click the name of the Access group you want to change.
    The properties screen for that group opens, listing the devices in the Access group.
  4. Click Add.
    An Add Devices popup screen opens.
  5. Move the devices you want to add to the Selected list.
  6. Click Select.
    The popup screen closes, showing the Access Groups screen. Progress information displays in the Status column.
  7. If the system discovers differences between a source device and non-source devices, you can see them by clicking the View Differences link in the Status column.

Changing the source device for an Access group

You might need to make a change when the existing source device is going to be decommissioned. Or, you might do this if the source device is down and a configuration change must be made and deployed in an emergency.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Access from the BIG-IQ menu.
  3. Click the name of the Access group that you want to change.
    The properties screen for that group opens, listing the devices in the Access group.
  4. Select a non-source device.
    An asterisk marks the name of the source device.
  5. Click Make Source.
    A screen displays, prompting you to confirm the source change.
  6. Click Save.
    The Access Group screen displays while the shared configuration is imported from the newly selected source device. Access evaluates the configuration.
  7. If the Status field shows that differences were found, click the View Differences link to review them, and accept or deny the changes:
    • Click Accept to update the Access group with the configuration changes.
    • Click Deny to not update the Access group with the configuration changes.

Removing a device from an Access group

You remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group.
  1. Log in to F5® BIG-IQ® Centralized Management with your user name and password.
  2. At the top left of the screen, select Access from the BIG-IQ menu.
  3. Click the name of the Access group you want to change.
    The properties screen for that group opens, listing the devices in the Access group.
  4. Select the check box for that device and click Remove.
    A confirmation popup screen opens.
  5. Confirm that you want to remove the device.
    The device no longer displays in the Access group. The APM service configuration on the device is no longer managed.
Before you can see new data from the device in Access reports or add the device to another Access group, you must discover the APM service configuration on the device.