Manual Chapter: Overview BIG-IQ Security

Understanding BIG-IQ Network Security and firewall management

BIG-IQ® Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager™ (AFM™) module.

The BIG-IQ Network Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deployment of configurations from snapshots, and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism
  • Monitoring of rules
  • Reports on security

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.

In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.

Understanding Shared Security in BIG-IQ Security

BIG-IQ® Security contains several groups of capabilities. The Shared Security group contains capabilities that can be used by objects in Network Security and by objects in Web Application Security.

You can manage each object using the Shared Security panels that BIG-IQ Security provides:

  • Virtual Servers
  • Self IPs
  • Route Domains
  • Logging Profiles
  • DoS Profiles
  • Device DoS

Understanding BIG-IQ Web Application Security and application management

BIG-IQ® Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.

For each device that it discovers, the system creates an additional virtual server to hold all security policies that are not related to any virtual server on the device. To deploy a policy to a device, the policy must be attached to one of the device's virtual servers. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you have the option to deploy it as a new policy attached to an available virtual server or as an inactive policy.

From this central management platform, you can perform the following actions:

  • Import Application Security Manager™ (ASM) policies from files.
  • Import ASM™ policies from discovered devices.
  • Distribute policies to devices.
  • Export policies, including an option to export policy files in XML format.
  • Manage configuration snapshots.

About the BIG-IQ Security system interface

The BIG-IQ® Security system interface provides many features to assist you in completing tasks.

About filtering

Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.

Note: When you begin typing in the text entry field, you may notice that your browser has cached entries from previous sessions. You can select from the list or continue typing.

You can filter from the Overview frame or you can filter from the Policy Editor frame. You can also search for related items in the Policy Editor frame.

Filtering the Overview frame

You can filter the contents of panels within each frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. Log in to BIG-IQ® Network Security.
  2. Navigate to Network Security > Overview.
  3. In the filter text field, type the text you want to filter on and click Apply.
    Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in it anywhere in its JSON.
    Note that the system populates the top of each panel (under the Filter field) with the text you entered inside a gray box.
All panels are filtered on the text entered.

Clearing the filter in the Overview frame

You can easily clear the filters for all panels in BIG-IQ® Network Security Overview, using Clear All.

  1. Log in to BIG-IQ Network Security.
  2. Navigate to Network Security > Overview.
  3. In the filter text field at the top of the interface, type the text you want to filter on and click Apply.
    Note that the system filters each panel (Devices, Deployments, and Snapshots). It also populates the top of each panel (under the Filter field) with the text you entered inside a gray box.
  4. Clear all text in the filter by clicking Clear All.
    Clear the filter for each individual panel by clicking the X to the right of the text at the top of the panel.
This action resets all panels and returns the system interface to a display of all objects.

Filtering content in the Policy Editor

There are several filter fields you can use to select the data displayed by the Policy Editor. The filter text you enter is used to perform a search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.

  1. To filter the contents of the Policy Editor frame, log in to BIG-IQ® Security.
  2. Navigate to Network Security > Policy Editor.
  3. In the appropriate filter text field, type the text you want to filter on and press Return.
    Option: Filter field above navigation list on left
    Description: Use the filter field above the navigation list on the left to search objects and list those that match the filter. By default, the filter matches any object that contains the string entered. You select filter options by clicking the arrow to the right of the filter field, and selecting an option.
    • Contains indicates that the filter text matches any object that contains it. This is the default. When searching for times or dates, such as those in a schedule, a partial time, such as September, may be specified.
    • Exact indicates that the filter text matches any object that exactly matches it. When searching for times or dates such as those in a schedule, the complete time and date must be specified.

    A count of the matching objects appears to the right of each object type in the navigation list. To remove the filter, click the X to the right of the filter expression area near the filter field.

    Option: Filter field at top right of Policy Editor
    Description: Use the filter field at the top right of the Policy Editor to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the right of the filter field, and then selecting an option from each option group. The top options in the list control whether the filter text must be a partial match or an exact match.
    • Contains indicates that the filter text matches any object that contains it. This is the default. When searching for times or dates, such as those in a schedule, a partial time, such as September, may be specified.
    • Exact indicates that the filter text matches any object that exactly matches it. When searching for times or dates, such as those in a schedule, the complete time and date must be specified.

    The bottom options in the list control which objects are filtered. Not all options are displayed on all screens; if none of these options are displayed (IP Address, Name or Port), the default is All.

    • All indicates that all objects should be filtered using the filter text.
    • IP Address indicates that only IP address objects should be filtered using the filter text. A complete IPv4 or IPv6 address must be entered as the filter text.
      • When used with the Contains option, the filter text is matched by an IPv4 or IPv6 address that is the same as the filter text, or an IPv4 address range or subnet that includes the filter text. IPv6 addresses cannot be found within a range or subnet.
      • When used with the Exact option, the filter text is matched only by an IPv4 or IPv6 address that is the same as the filter text.
    • Name indicates that only object names should be filtered using the filter text.
    • Port indicates that only port objects should be filtered using the filter text. A complete port number must be entered as the filter text.
      • When used with the Contains option, the filter text is matched by a port number that is the same as the filter text, or a port number range that includes the filter text.
      • When used with the Exact option, the filter text is matched by a port number that is the same as the filter text only.

    If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list.

    To remove the filter, click the X to the right of the filter expression area near the filter field.

    Option: Filter field in Policy Editor Toolbox at bottom
    Description: Use the filter field in the upper right of the Policy Editor toolbox (displayed at the bottom of the page when active) to search the shared resources list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click the X to the right of the filter expression area near the filter field.

    When specifying a date in a filter, only these date and time formats are supported:

    • Sep 1, 2015 2:05:04 PM
    • Sep 1, 2015 2:05:04 AM
    • Sep 1, 2015 14:05:04
    • Sep 1, 2015 2:05
    • Sep 1, 2015
    • Sep 1 2015
    • Sep 1
    • September 1
    • 2015-09-01T14:05:04
    • 2015-09-01T14:05
    • 2015-09-01
    • 2015-09
    • 2015
    You can also use the Filter 'related to' option to display objects that are related to that object. Right-click on an object in the initially displayed list of objects and select Filter 'related to' to display the objects related to that object. This option is not available in all screens.
    You clear filter fields by clicking the X to the right of the filter field.
Objects are filtered on the text entered and a count for each appears to the right of each object type.
Note: Filter matches are only displayed for an object and its containing object. For example, when a filter matches a rule name in a rule list within a policy, only the rule and rule list will be shown as matching, but the policy will not.
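The filter rules above (a Contains search over the whole JSON representation versus an Exact match, and the All, Name, IP Address and Port scopes) are easier to reason about when written out. The following is an added example that models those rules as described in this chapter; it is not BIG-IQ code, and the object layout, the sample rule, address list and port list are constructed for the illustration. It reproduces the chapter's own point that filtering on "1" matches an object through its timestamp even though its name contains no "1".

```python
"""Model of the Policy Editor filter semantics described in this chapter.

Constructed illustration only: the matching rules follow the text above
(Contains vs. Exact; All / Name / IP Address / Port scopes). Not BIG-IQ code;
the JSON layout of objects is an assumption of this example.
"""
import ipaddress
import json
from typing import Any, Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _leaves(value: Any) -> Iterable[str]:
    """Yield every scalar in a JSON-like structure as a string."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from _leaves(v)
    else:
        yield str(value)


def matches_all(obj: dict, text: str, exact: bool = False) -> bool:
    """'All' scope. Contains is a substring search over the whole JSON
    representation (name, metadata, timestamps); Exact needs some field
    that equals the text."""
    if exact:
        return any(leaf == text for leaf in _leaves(obj))
    return text in json.dumps(obj)


def matches_name(obj: dict, text: str, exact: bool = False) -> bool:
    """'Name' scope: only the object name is searched."""
    name = str(obj.get("name", ""))
    return name == text if exact else text in name


def _parse_ip(entry: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(entry.strip())
    except ValueError:
        return None


def _entry_includes_ip(entry: str, ip: IPAddress) -> bool:
    """Contains semantics for one address-list entry: an equal address, or an
    IPv4 range ('a-b') / subnet that includes the address. IPv6 addresses are
    only found by an equal entry, never inside a range or subnet."""
    if _parse_ip(entry) == ip:
        return True
    if ip.version != 4:
        return False
    if "-" in entry:
        lo, hi = (_parse_ip(p) for p in entry.split("-", 1))
        return (lo is not None and hi is not None
                and lo.version == hi.version == 4 and lo <= ip <= hi)
    try:
        return ip in ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return False


def matches_ip(entries: List[str], text: str, exact: bool = False) -> bool:
    """'IP Address' scope. A complete IPv4 or IPv6 address is required."""
    ip = ipaddress.ip_address(text.strip())
    if exact:
        return any(_parse_ip(e) == ip for e in entries)
    return any(_entry_includes_ip(e, ip) for e in entries)


def _entry_includes_port(entry: str, port: int) -> bool:
    """Contains semantics for one port-list entry: equal port or a range."""
    if "-" in entry:
        lo, hi = (int(p) for p in entry.split("-", 1))
        return lo <= port <= hi
    return int(entry) == port


def matches_port(entries: List[str], text: str, exact: bool = False) -> bool:
    """'Port' scope. A complete port number is required."""
    port = int(text)
    if exact:
        return any(e.strip().isdigit() and int(e) == port for e in entries)
    return any(_entry_includes_port(e.strip(), port) for e in entries)


# Constructed sample objects, not taken from any BIG-IQ system.
RULE = {"name": "allow-https", "action": "accept",
        "lastModified": "2015-09-01T14:05:04"}
ADDRESS_LIST = ["10.0.0.0/24", "192.0.2.10", "10.0.1.5-10.0.1.20",
                "2001:db8::1", "2001:db8::/64"]
PORT_LIST = ["443", "8000-8080"]

if __name__ == "__main__":
    # The chapter's own example: "1" matches through the timestamp, not the name.
    print("All/Contains '1':", matches_all(RULE, "1"))                      # True
    print("Name/Contains '1':", matches_name(RULE, "1"))                    # False
    print("IP/Contains 10.0.0.7:", matches_ip(ADDRESS_LIST, "10.0.0.7"))   # True (subnet)
    print("IP/Exact 10.0.0.7:", matches_ip(ADDRESS_LIST, "10.0.0.7", exact=True))  # False
    print("Port/Contains 8043:", matches_port(PORT_LIST, "8043"))          # True (range)
```

The practical consequence for troubleshooting is visible in the first two calls: a short filter string under the All scope matches through metadata such as timestamps, so narrowing the scope to Name (or using Exact) is what makes a result set meaningful.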

Filtering the Policy Editor toolbox frame

You can filter the contents of panels within the Policy Editor, such as the toolbox frame, to reduce the amount of data displayed. Filtering techniques can be important for troubleshooting. There are several filter fields you can use within the Policy Editor. The filter text you enter is used to perform a wildcard search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.
  1. To filter the contents within the Policy Editor toolbox, log in to BIG-IQ® Security.
  2. Navigate to Network Security > Policy Editor.
  3. Use the Filter field in the upper right of the Policy Editor toolbox (the toolbox is displayed at the bottom of the page when active) to search the shared resources list in the toolbox and display only those objects that have a full or partial match to the filter.
    You clear the active filter and make all data viewable by clicking the X to the right of the filter expression near the filter field.

Filtering the Policy Editor for related objects

You can filter the contents of panels within the Policy Editor frame to show objects related to a selected object.

  1. To filter for related objects within the Policy Editor frame, log in to BIG-IQ® Network Security.
  2. Navigate to Network Security > Policy Editor.
  3. Locate the object you want to filter on, in either the left panel or in the toolbox at the bottom of the right frame.
  4. Right-click the object.
  5. Click Filter 'related to'.
    You can clear the Related to filter by clicking the X to the right of the text near the filter field. This option is not available for all objects.
All object types in the left frame are filtered and a count of each related to object found appears to the right of each object type.

About panels

BIG-IQ® Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include a triangle slanted at a 45-degree angle on the right side of their headers. If the triangle is slanted up, you can click it to widen the panel. If the triangle is slanted down, you can click it to collapse the panel. You can also click Cancel to close the panel without saving edits or initiating actions.

Expanding panels

You can expand the BIG-IQ® system panels to display settings or properties for a particular device or shared object.
  1. Hover over the panel header and click the + icon to widen the panel and create the object (device, deployment, snapshot, and so on).
  2. Hover over the object name and click the gear icon to expand the panel and view properties for the object, to edit the object, or to initiate other actions.

Reordering panels

You can customize the BIG-IQ® system interface by arranging the panels to suit your needs.
To reorder panels, drag and drop them to the new locations of your choice.
The customized order persists until you clear the browser history/cache/cookies.

About browser resolution

F5® recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.

It is possible to shrink the browser screen so that system interface elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.

Setting user preferences

As a firewall policy editor, you can customize the BIG-IQ® Network Security system interface to minimize the information displayed, and to simplify routine editing sessions.
Note: Setting user preferences is not available through the BIG-IQ Web Application Security system interface.

For example, you can customize the set of panels displayed for a particular user. If that user never performs deployments, you might decide to hide the Deployments panel.

Note: This customization does not create an access issue. Users still have access to the resources required by their roles; they just choose not to display them.

User preference settings persist across sessions. If users log out, they see the same settings when logging back in.

By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.

  1. Log in to the BIG-IQ® Network Security system.
  2. At the top-right of the screen in the black banner, hover over the admin icon.
  3. When User settings appears, click it to display the Settings popup screen.
  4. Edit the check box options as required for your role.
    Option: Rule Grid Columns
    Description: Select or clear the check boxes as required. By default, the system interface displays all columns.
    Option: Show Panels
    Description: Select or clear the check boxes as required. By default, the system interface displays all panels.
    Option: Show Firewall Types
    Description: Select or clear the check boxes as required. By default, the system interface displays all firewall contexts in the Firewall Contexts panel.
  5. Click Save to save your preferences or click Close to close the popup screen without saving your selections.
Selected preferences are now in effect and persist across user sessions. If you log out, you will see the same settings when you log back in.

About multi-user editing and locking

Within the BIG-IQ® Security system, one or more users may edit firewall security or web application security objects simultaneously. A locking mechanism is used to avoid problems with conflicting changes to objects.

Initially, the user interface displays all objects as read-only. When a user initiates an editing session, the object is locked. Once locked, no one can modify or delete that object except the holder of the lock, or a user with privileges sufficient to break the lock:

  • To unlock a locked firewall security object requires the Administrator, Network_Security_Manager, or Security_Manager role.
  • To unlock a locked Web application security object requires the Administrator, Web_App_Security_Manager, or Security_Manager role.
  • To unlock a locked shared security object requires the Administrator, Network_Security_Manager, Web_App_Security_Manager, or Security_Manager role.

BIG-IQ Security uses a single repository to hold policy objects and saves each editorial change. With this single-copy design, multiple editors can share the editing task through a locking mechanism.

Each editor has her own copy of a policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one complete set of changes. Then, an administrator can review a policy change as a single entity before committing it.

For example:

  1. If a firewall editor needs to edit Portlist_1, AddressList_2, and Rulelist_5, the editor locks those objects.
  2. When the edit pass is complete, the editor saves the object, which clears the lock.

If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges. When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided. Deleting an object automatically clears all locks associated with it.

BIG-IQ Security supports:

  • Multiple, independent locks.
  • Locking or unlocking on an object-by-object basis.
  • Locks in panels, in the firewall security Policy Editor, and in the Web application security Policy Editor.
  • Lock management of firewall security objects using the Locked Objects panel of the firewall security Policy Editor. This panel displays firewall and shared security objects that are locked, the user who locked each object, and when the lock was created. User privileges (assigned by user roles) determine what locks are visible to the user. If you have sufficient privileges, you can use the Locked Objects panel to view and remove multiple firewall and shared security object locks.
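The locking rules in this section (an object is locked when an editing session starts, the lock is cleared on save or delete, and only the owner or a role with sufficient privileges for that kind of object can break it) can be written out as a small model. The following is an added example, not BIG-IQ code: the object kinds "firewall", "webapp" and "shared" stand for the three role lists given above, and the object names and users are constructed for the illustration.

```python
"""Model of the multi-user editing locks described in this section.

Constructed illustration of the stated rules: lock on edit, clear on save,
role-based override per object kind, delete clears the lock. Not BIG-IQ code;
the kind labels and sample object names are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Roles that may clear another user's lock, per object kind (from the list above).
UNLOCK_ROLES: Dict[str, Set[str]] = {
    "firewall": {"Administrator", "Network_Security_Manager", "Security_Manager"},
    "webapp": {"Administrator", "Web_App_Security_Manager", "Security_Manager"},
    "shared": {"Administrator", "Network_Security_Manager",
               "Web_App_Security_Manager", "Security_Manager"},
}


@dataclass
class Lock:
    owner: str
    created: datetime


@dataclass
class LockRegistry:
    """Single repository: one copy of each object, at most one lock per object."""
    kinds: Dict[str, str]                          # object name -> kind
    locks: Dict[str, Lock] = field(default_factory=dict)

    def begin_edit(self, obj: str, user: str) -> bool:
        """Take the lock for an editing session; refused if another user holds it."""
        if obj not in self.kinds:
            raise KeyError(f"unknown object {obj!r}")
        held = self.locks.get(obj)
        if held is not None and held.owner != user:
            return False                           # locked by someone else
        if held is None:
            self.locks[obj] = Lock(user, datetime.now(timezone.utc))
        return True

    def save(self, obj: str, user: str) -> bool:
        """Saving the object clears the editor's own lock."""
        held = self.locks.get(obj)
        if held is None or held.owner != user:
            return False
        del self.locks[obj]
        return True

    def can_unlock(self, obj: str, user: str, roles: Set[str]) -> bool:
        """The owner may always clear the lock; anyone else needs a listed role."""
        held = self.locks.get(obj)
        if held is None:
            return False
        return held.owner == user or bool(roles & UNLOCK_ROLES[self.kinds[obj]])

    def unlock(self, obj: str, user: str, roles: Set[str]) -> bool:
        if not self.can_unlock(obj, user, roles):
            return False
        del self.locks[obj]
        return True

    def delete(self, obj: str) -> None:
        """Deleting an object clears any lock associated with it."""
        self.locks.pop(obj, None)
        self.kinds.pop(obj, None)

    def locked_objects(self) -> List[Tuple[str, str, str, datetime]]:
        """What a Locked Objects panel lists: name, kind, owner, lock creation time."""
        return [(name, self.kinds[name], lock.owner, lock.created)
                for name, lock in sorted(self.locks.items())]


if __name__ == "__main__":
    # Constructed session: alice locks a firewall object, bob cannot edit or
    # (as a web-application manager) unlock it, but can unlock a shared object.
    reg = LockRegistry(kinds={"Rulelist_5": "firewall", "AppPolicy_1": "webapp",
                              "VirtualServer_1": "shared"})
    reg.begin_edit("Rulelist_5", "alice")
    reg.begin_edit("VirtualServer_1", "alice")
    print(reg.begin_edit("Rulelist_5", "bob"))                                  # False
    print(reg.unlock("Rulelist_5", "bob", {"Web_App_Security_Manager"}))        # False
    print(reg.unlock("VirtualServer_1", "bob", {"Web_App_Security_Manager"}))   # True
    for row in reg.locked_objects():
        print(row)
```

Note that the role check is evaluated against the kind of the locked object, not against the user alone: the same Web_App_Security_Manager role that clears a shared security lock is refused on a firewall security lock, which is the least-privilege split the role lists above describe.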

Viewing locks on configuration objects

BIG-IQ® Security allows you to view individual locks, and for firewall and shared security objects, allows you to view multiple locks from the Locked Objects panel of the firewall security policy editor.
  1. Examine all objects in the BIG-IQ Security panels and policy editors to locate any locked configuration objects.
  2. For each locked object, review the lock information on the panel or in the policy editor.
    The displayed lock header displays the owner of the lock and the date and time the lock was created.
  3. To view all locked firewall security or shared security objects, use the Locked Objects panel of the firewall security policy editor.
    For each locked object, the Locked Objects panel displays the object name, partition, kind of object, user who locked the object, and when the lock was created.

Clearing locks on configuration objects

The owner of a lock can always clear that lock to enable editing by other users. Other roles (such as Administrator, Network_Security_Manager, Security_Manager, or Web_App_Security_Manager) also carry sufficient privileges to clear locks held by any user. BIG-IQ® Security allows you to clear individual locks, and for firewall and shared security objects, allows you to clear multiple locks from the Locked Objects panel of the firewall security policy editor.
  1. Examine all objects in the BIG-IQ Security panels and policy editors to locate any locked configuration objects.
  2. For each locked object, review the lock information on the panel or in the policy editor.
    The displayed lock header displays the owner of the lock and the date and time the lock was created. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  3. In the lock header, click Unlock.
  4. To clear one or more locked firewall security or shared security objects from a single panel, select the one or more locked objects from the Locked Objects panel of the firewall security policy editor and click Unlock.
The lock is cleared; if multiple locks were selected, the locks are cleared.