BIG-IQ® Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager™ (AFM™) module.
The BIG-IQ Network Security system provides:
Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.
Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.
Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.
In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
BIG-IQ® Security contains several groups of capabilities. The Shared Security group contains capabilities that can be used by objects in Network Security and by objects in Web Application Security.
You can manage each object using the Shared Security panels that BIG-IQ Security provides:
BIG-IQ® Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.
For each device that it discovers, the system creates an additional virtual server to hold all security policies that are not related to any virtual server on the device. To deploy a policy to a device, the policy must be attached to one of the device's virtual servers. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you have the option to deploy it as a new policy attached to an available virtual server or as an inactive policy.
From this central management platform, you can perform the following actions:
The BIG-IQ® Security system interface provides many features to assist you in completing tasks.
Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.
You can filter from the Overview frame or you can filter from the Policy Editor frame. You can also search for related items in the Policy Editor frame.
You can filter the contents of panels within each frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.
You can easily clear the filters for all panels in BIG-IQ® Network Security Overview, using Clear All.
There are several filter fields you can use to select the data displayed by the Policy Editor. The filter text you enter is used to perform a search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.
| Filter field | Description |
| --- | --- |
| Filter field above navigation list on left | Use the filter field above the navigation list on the left to search objects and list those that match the filter. By default, the filter matches any object that contains the string entered. You select filter options by clicking the arrow to the right of the filter field, and selecting an option. A count of the matching objects appears to the right of each object type in the navigation list. To remove the filter, click the X to the right of the filter expression area near the filter field. |
| Filter field at top right of Policy Editor | Use the filter field at the top right of the Policy Editor to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the right of the filter field, and then selecting an option from each option group. The top options in the list control whether the filter text must be a partial match or an exact match. The bottom options in the list control which objects are filtered. Not all options are displayed on all screens; if none of these options are displayed (IP Address, Name or Port), the default is All. If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list. To remove the filter, click the X to the right of the filter expression area near the filter field. |
| Filter field in Policy Editor Toolbox at bottom | Use the filter field in the upper right of the Policy Editor toolbox (displayed at the bottom of the page when active) to search the shared resources list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click the X to the right of the filter expression area near the filter field. |
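The following added example (not code from the BIG-IQ product or its documentation) models the filter behaviour described above: a partial match with scope All searches the object's whole JSON representation, metadata included, which is why a short string such as "20" can match through a timestamp, while the Name, IP Address and Port scopes and the exact-match option narrow the search. The sample objects and their field names are constructed assumptions, not BIG-IQ's storage schema.

```python
import json

# Constructed sample objects: the field names are assumptions, not BIG-IQ's
# real storage schema. Each mimics a shared object as stored in JSON,
# including metadata (lastUpdateMicros) that the filter also searches.
OBJECTS = [
    {"name": "dmz-web", "kind": "address-list",
     "addresses": ["10.1.20.15"], "lastUpdateMicros": 1420101520000000},
    {"name": "corp-dns", "kind": "port-list",
     "ports": ["53"], "lastUpdateMicros": 1420104420000000},
    {"name": "partner-ftp", "kind": "address-list",
     "addresses": ["203.0.113.20"], "lastUpdateMicros": 1421552000000000},
]

# Assumed mapping from the scope options named in the table to object fields.
SCOPE_FIELDS = {"Name": ["name"], "IP Address": ["addresses"], "Port": ["ports"]}


def _scalars(obj, fields=None):
    """Flatten the selected (or all) field values of an object to strings."""
    for key in (fields if fields is not None else list(obj)):
        value = obj.get(key, [])
        for item in (value if isinstance(value, list) else [value]):
            yield str(item)


def matches(obj, text, exact=False, scope="All"):
    """Apply one filter expression to one object.

    A partial match with scope "All" runs over the whole stored JSON, so
    metadata such as a timestamp can satisfy a short filter string.
    """
    fields = None if scope == "All" else SCOPE_FIELDS[scope]
    if exact:
        return text in set(_scalars(obj, fields))
    if fields is None:
        return text in json.dumps(obj, sort_keys=True)
    return any(text in s for s in _scalars(obj, fields))


def apply_filter(objects, text, exact=False, scope="All"):
    """Names of the objects that match, in list order."""
    return [o["name"] for o in objects if matches(o, text, exact, scope)]
```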
When specifying a date in a filter, only these date and time formats are supported:
You can filter the contents of panels within the Policy Editor frame to show objects related to a selected object.
BIG-IQ® Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include a triangle slanted at a 45-degree angle on the right side of their headers. If the triangle is slanted up, you can click it to widen the panel. If the triangle is slanted down, you can click it to collapse the panel. You can also click Cancel to close the panel without saving edits or initiating actions.
F5® recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.
It is possible to shrink the browser screen so that system interface elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.
For example, you can customize the set of panels displayed for a particular user. If that user never performs deployments, you might decide to hide the Deployments panel.
User preference settings persist across sessions. If users log out, they see the same settings when logging back in.
By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.
| Setting | Description |
| --- | --- |
| Rule Grid Columns | Select or clear the check boxes as required. By default, the system interface displays all columns. |
| Show Panels | Select or clear the check boxes as required. By default, the system interface displays all panels. |
| Show Firewall Types | Select or clear the check boxes as required. By default, the system interface displays all firewall contexts in the Firewall Contexts panel. |
Within the BIG-IQ® Security system, one or more users may edit firewall security or web application security objects simultaneously. A locking mechanism is used to avoid problems with conflicting changes to objects.
Initially, the user interface displays all objects as read-only. When a user initiates an editing session, the object is locked. Once locked, no one can modify or delete that object except the holder of the lock, or a user with privileges sufficient to break the lock:
BIG-IQ Security uses a single repository to hold policy objects and saves each editorial change. With this single-copy design, multiple editors can share the editing task through a locking mechanism.
Each editor has her own copy of a policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one complete set of changes. Then, an administrator can review a policy change as a single entity before committing it.
If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges. When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided. Deleting an object automatically clears all locks associated with it.
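The locking rules described in the preceding paragraphs, as an added illustrative model (not BIG-IQ's own code): objects are read-only until an editor locks one, only the lock holder or a privileged user can clear the lock or delete the object, a later editor receives the latest saved version, and deletion clears the lock. The class, method names and the "privileged" user set are assumptions made for the example.

```python
import copy


class LockError(Exception):
    """Raised when an edit, save, delete or lock break is not permitted."""


class PolicyStore:
    """Single-copy repository with per-object edit locks.

    A constructed model of the behaviour described above, not BIG-IQ's own
    code: objects are read-only until an editor locks one, only the holder or
    a privileged user can clear the lock, a later editor receives the latest
    saved version, and deleting an object clears its lock.
    """

    def __init__(self, objects, privileged=()):
        self.objects = dict(objects)   # name -> authoritative version
        self.locks = {}                # name -> user holding the edit lock
        self.privileged = set(privileged)

    def begin_edit(self, name, user):
        """Lock `name` for `user` and return a point-in-time snapshot."""
        holder = self.locks.get(name)
        if holder is not None and holder != user:
            raise LockError(f"{name} is locked by {holder}")
        self.locks[name] = user
        return copy.deepcopy(self.objects[name])

    def save(self, name, user, snapshot):
        """Push the editor's complete set of changes and release the lock."""
        if self.locks.get(name) != user:
            raise LockError(f"{user} does not hold the lock on {name}")
        self.objects[name] = copy.deepcopy(snapshot)
        del self.locks[name]

    def break_lock(self, name, user):
        """Clear another user's lock; allowed only for privileged users."""
        holder = self.locks.get(name)
        if holder is not None and holder != user and user not in self.privileged:
            raise LockError(f"{user} may not break {holder}'s lock on {name}")
        self.locks.pop(name, None)

    def delete(self, name, user):
        """Delete an object; any lock on it is cleared as well."""
        holder = self.locks.get(name)
        if holder is not None and holder != user and user not in self.privileged:
            raise LockError(f"{name} is locked by {holder}")
        del self.objects[name]
        self.locks.pop(name, None)
```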
BIG-IQ Security supports: