Manual Chapter: Deploying Configuration Changes

About BIG-IQ Security deployments

The BIG-IQ® Security system displays individual deployments and their status (one action per row in the Deployments panel).

After you have completed edits to firewall contexts, objects, or policies, you can create a deployment from the Deployments panel to distribute those changes to selected BIG-IP® devices.

Note: You can deploy security policies to a device that already has the policy by overwriting the existing security policy. If the security policy does not yet exist on the device, you can deploy it as a new policy attached to an available virtual server or you can deploy it as an inactive policy.

The system displays changes as follows:

  • ADDED. New shared objects added to a rule and called by an existing rule list, policy, or firewall are counted as ADDED. Newly created shared objects that are not referenced in a firewall are not counted and are not distributed.
  • MODIFIED. Existing objects already used by an existing rule list, policy, or firewall, and subsequently edited, are counted as MODIFIED.
  • REMOVED. Existing objects used by an existing rule list, policy, or firewall, and subsequently removed, are counted as REMOVED. If a shared object is removed from a rule and is no longer used by any other rule, it is marked for removal from the selected devices. It is not removed from the BIG-IQ Security system unless expressly deleted.

Note: If an individual rule in a rule list, policy, or firewall has been changed, added, or removed, the entire modified object (rule list, policy, or firewall) is marked for deployment. This also applies to adding, modifying, or removing ports in a port list, or addresses in an address list.
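The counting rules above, worked through in an added example that is not F5's code: a constructed snapshot and working configuration are compared and each deployed object is classified as ADDED, MODIFIED, or REMOVED. The data model (objects keyed by name with a type, a body, and the shared objects their rules reference) is an assumption made for the illustration.

```python
"""Added example (not F5's code): reproduce how the Deployments panel counts
working-configuration edits as ADDED, MODIFIED or REMOVED, using the rules
stated above. Assumed (constructed) data model: each config is a dict of
objects keyed by name; an object has a 'type', a 'body' (its definition) and
'refs', the shared objects its rules call (empty for leaf objects)."""
from collections import Counter

# Objects that are deployed in their own right and pull in what they reference.
CONTAINER_TYPES = {"rule-list", "policy", "firewall"}

# Constructed sample: the snapshot of the current device configuration ...
SNAPSHOT = {
    "web-addrs": {"type": "address-list", "body": "10.0.0.0/24", "refs": []},
    "old-ports": {"type": "port-list", "body": "80,443", "refs": []},
    "dmz-rules": {"type": "rule-list", "body": "r1,r2",
                  "refs": ["web-addrs", "old-ports"]},
}
# ... and the edited working configuration on BIG-IQ.
WORKING = {
    "web-addrs": {"type": "address-list", "body": "10.0.0.0/23", "refs": []},  # one address edited
    "old-ports": {"type": "port-list", "body": "80,443", "refs": []},          # kept, but no rule calls it
    "new-ports": {"type": "port-list", "body": "8443", "refs": []},            # new and called by r2
    "unused": {"type": "port-list", "body": "9000", "refs": []},               # new but never referenced
    "dmz-rules": {"type": "rule-list", "body": "r1,r2",
                  "refs": ["web-addrs", "new-ports"]},                          # rule r2 changed
}

def deployed_names(config):
    """Every container plus every shared object a container calls."""
    names = set()
    for name, obj in config.items():
        if obj["type"] in CONTAINER_TYPES:
            names.add(name)
            names.update(obj["refs"])
    return names

def classify_changes(snapshot, working):
    """Map object name -> 'ADDED' | 'MODIFIED' | 'REMOVED'.

    Only deployed objects (see deployed_names) are counted, so a new shared
    object that nobody references is ignored, and an object dropped from its
    last rule is REMOVED from the devices even though it still exists on BIG-IQ.
    """
    before, after = deployed_names(snapshot), deployed_names(working)
    changes = {}
    for name in after:
        if name not in before:
            changes[name] = "ADDED"
        elif snapshot.get(name) != working.get(name):
            # Any edit inside the object (one rule, one port, one address)
            # marks the entire object for deployment.
            changes[name] = "MODIFIED"
    for name in before - after:
        changes[name] = "REMOVED"
    return changes

def summarize(changes):
    """Counts per change type, as shown in the Deployments panel."""
    return dict(Counter(changes.values()))

if __name__ == "__main__":
    diff = classify_changes(SNAPSHOT, WORKING)
    for name in sorted(diff):
        print(f"{diff[name]:9} {name}")
    print(summarize(diff))
```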

During the distribution phase, configuration changes and security policies are pushed out to remote BIG-IP devices. The working-configuration set is deployed, or the selected BIG-IP device is rolled back, to the state reflected in the snapshot. Any changes made locally to the BIG-IP device are overwritten.

With BIG-IQ Security, you can deploy up to 20 devices in a single deployment.

Filtering on deployment tasks

To filter the Deployments panel, type text in the filter field and press the Enter key. Clear the filter by clicking the X to the right of the text in the gray box under the filter.

To filter on a specific deployment, hover over the deployment task and when the gear icon appears, click it. Then, select Show Only Related Objects to filter by deployment task.

Evaluation process steps

During the evaluation process, BIG-IQ Security:

  1. Contacts the selected remote BIG-IP devices and synchronizes the working-configuration sets for all.
  2. Takes a snapshot of the working-configuration set for each BIG-IP device.
  3. Compares the remote and local configurations.
  4. Calculates the set of changes to be deployed (number and type of each change).
  5. Displays the number and type of each change.

About deployment process states

When a firewall security policy or a web application security policy is deployed, that policy goes through several deployment states. Reviewing these states may be useful when a deployment task fails. Note that not all states may appear in the log, since what states are displayed depends on how the deployment was processed. You can view the deployment states using the following:

  • Review the restjavad.n.log file to view deployment states for either a firewall security policy or a web application security policy. This information is also available from the audit logs.
  • Review the firewall audit log to view deployment states for a firewall security policy and any shared security objects. Within the firewall audit log, click on the name of the object being deployed, and the deployment states will be listed as part of the JSON differences display.
  • Review the web application security audit log to view deployment states for a web application security policy and any shared security objects. Within the web application security audit log Deployment tab, click on the Details link of the object being deployed, and the deployment states will be listed as part of the JSON differences display.

Device deployment states

This table displays states that can occur during the deployment process, and a brief description of each state.

Table 1. Deployment States
  • CHECK_LICENSE: Checks that the licenses for the BIG-IQ systems are valid.
  • CHECK_OTHER_RUNNING_TASKS: Verifies that no tasks are running that could cause errors during deployment. Tasks that could cause errors include:
    • Other BIG-IQ Security deployment tasks running at the same time as this deployment, even if they belong to different modules.
    • Tasks that declare management authority over a BIG-IP device.
    • Tasks that rescind management authority over a BIG-IP device.
  • GET_DEVICES: Finds all devices managed by the BIG-IQ Security system.
  • REFRESH_CURRENT_CONFIG_SOAP: Using the SOAP API, refreshes the current configuration for all devices included in the deployment. This process adds any new configuration items from the BIG-IP® device to the current configuration.
  • REFRESH_CURRENT_CONFIG_REST: Using the REST API, refreshes the current configuration for all devices included in the deployment. This process adds any new configuration items from the BIG-IP® device to the current configuration.
  • CREATE_SNAPSHOT: Creates a snapshot of the working configuration.
  • CREATE_DIFFERENCE: Generates the differences between the snapshot taken and the current configuration.
  • VERIFY_CONFIG: Verifies that the devices to be deployed do not have configuration problems that could lead to deployment errors.
  • GET_CHILD_DEPLOY_DEVICES: Finds all devices managed by Shared Security objects. These devices are considered child deployments of a parent firewall security or web application security deployment.
  • START_CHILD_DEPLOY: Starts the deployment of devices managed by Shared Security objects.
  • WAIT_FOR_CHILD_DEPLOY: Waits for the deployment of devices managed by Shared Security objects to complete.
  • DISTRIBUTE_CONFIG: Distributes configuration changes to the specified devices.
  • DISTRIBUTE_CONFIG_SOAP: Using the SOAP API, distributes configuration changes to the specified devices.
  • DISTRIBUTE_CONFIG_REST: Using the REST API, distributes configuration changes to the specified devices.
  • DONE: Indicates that the deployment process has completed.

Checking your Web Application Security changes before deployment

After you have changed the configuration, but before you perform a deployment, it may be useful to examine the changes you have made, to verify that they are correct.
  1. Navigate to Security > Web Application Security > Overview.
  2. Hover over a snapshot in the Snapshots panel and click the gear icon to display the expanded properties screen.
  3. Select Working Config in the Compare Against field.
  4. At ASM Differences, click the View link to see the differences between this snapshot and the current working configuration for Web Application Security.
    A popup appears. Its title is initially Calculating Differences and changes to Snapshot Differences when the calculation is done. The popup contains a table of differences, if there are any, with one row for each difference.
  5. At Shared Differences, click the View link to see the differences between this snapshot and the current working configuration for Shared Security.
    The same popup and table appear.
  6. To display the JSON for each difference found, click a row in the table.
    Textual JSON appears for each difference found: the snapshot on the left and the working configuration (or second snapshot) on the right.

    Differences are listed by: name (name of the shared object), type (type of object), change (added, modified, deleted), and device (blank unless the type is firewall).

If you are sure the configuration changes are correct, you are ready for a configuration deployment.

Deploying your Web Application Security changes

When you have completed edits to any part of your Web Application Security configuration, you can deploy the change to one or more discovered BIG-IP® devices. To deploy your changes, create a deployment task and choose a target device.
  1. Navigate to the Deployments panel.
  2. Hover over the Deployments header and click the + icon.
    The Deployments panel expands to show the New Deployment screen.
  3. Complete the fields as required. Your changes are saved automatically.
    • Deployment Name: Name for the deployment that indicates its purpose. It can be useful to adopt a convention, such as ticket numbers.
    • Description: Optional description, including the purpose of the deployment or other relevant information.
    • Run Manual Sync: When selected, synchronizes the configuration of the nodes in the BIG-IP cluster as part of the deployment. The ASM configuration is deployed to the active device and then synchronized with the standby device.
    • Select Devices to Evaluate: Available devices are listed to the right of the field. Select or clear check boxes to specify the BIG-IP devices that you want to evaluate for this deployment. Devices with known changes are already selected.
  4. To evaluate differences between the working configuration (BIG-IQ® Security) and the configuration on the BIG-IP® device, click Evaluate.
    The Deployments panel returns to its original dimensions. The new deployment task appears in the Deployments panel, showing updated status as the operation proceeds.
    During the evaluation, the BIG-IQ system queries the BIG-IP devices about their current configurations, updates its current-config, compares the working-config objects to the updated current-config objects, and then shows you all of the differences that would result from an actual deployment. On successful completion, the status shows Evaluation Completed.
  5. Hover over the header of the deployment you want to manage, and click the gear icon to expand the panel and display task properties.
    • Deployment Name: User-provided name of the deployment task.
    • Description: Optional description, including the purpose of the deployment or other relevant information.
    • Task Status: Status for the deployment phases (evaluation and distribution).
    • Start Time: Time the deployment started, in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:17-07:00
    • End Time: Time the deployment ended, in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:36-07:00
    • Available Devices: List of BIG-IP® devices that can be selected for deployment.
  6. Click View Diff if you want to check all the configuration differences that would be sent to the BIG-IP devices in the final deployment.
    A modal window with the list of all the added, removed, and modified objects appears. You can expand the view to see a line-by-line difference for the objects:
    • Any new policy (and any child objects contained by that policy) will be listed in the differences view as a single added policy. The child objects are not shown.
    • Any modified policy will be listed as a changed policy, and any children of that policy which have been modified will also be listed as changed.
  7. Click Close to close the modal window.
  8. Click Deploy.
    The Deployment screen returns to its original dimensions. The new deployment task appears in the Deployments panel, showing updated status as the operation proceeds.
    On successful completion, the status shows Deployment Completed.

Deploying your Network Security changes

When you have completed edits to any part of your Network Security configuration, you can deploy the change to one or more discovered BIG-IP® devices. To deploy your changes, create a deployment task and choose a target device.
  1. Navigate to the Deployments panel.
  2. Hover over the Deployments header and click the + icon, then click Add Deployment.
    The Deployments panel expands to show the Add Deployment screen.
  3. Complete the fields as required.
    Your changes are saved automatically.
    • Deployment Name: Name for the deployment that indicates its purpose. It can be useful to adopt a convention, such as ticket numbers.
    • Description: Optional description, including the purpose of the deployment or other relevant information.
    • Deployment Source: Choose between Working Config and Snapshot. To deploy the working configuration currently on the BIG-IQ® system, select Working Config and click Evaluate. To deploy from a snapshot, select Snapshot, and from the popup screen, select the snapshot you want to deploy from, and click Evaluate.
    • Select Devices to Evaluate / Available Devices: Available devices are listed. Select or clear check boxes as appropriate.
  4. To evaluate differences between the working configuration (BIG-IQ® Security) and the configuration on the BIG-IP® device, click Evaluate.
    The Deployments panel returns to its original dimensions. The new deployment task appears in the Deployments panel, showing updated status as the operation proceeds.
    During the evaluation, the BIG-IQ system queries the BIG-IP devices about their current configurations, updates its current-config, compares the working-config objects to the updated current-config objects, and then shows you all of the differences that would result from an actual deployment. On successful completion, the status shows Evaluation Completed.
  5. When you see the message READY TO DEPLOY under the deployment name in the Deployments panel, click the gear icon and select Properties to expand the panel.
    1. Under the text Evaluate found the following changes: you will see a device name followed by the number of differences, verification errors, and critical errors for both Firewall and for Shared Security.
    2. Click a non-zero number to display the differences or errors.
      A modal window with the list of differences or errors appears.
    3. For differences, click an object name to view the JSON in the table under the list of differences.
      When viewing the objects:
      • Any new policy and any child objects contained by that policy are listed.
      • Any modified policy will be listed as a changed policy, and any children of that policy which have been modified will also be listed as changed.
  6. To create the deployment task, click Deploy on the expanded Deployment properties screen.
    The Deployment screen returns to its original dimensions. The new deployment task appears in the Deployments panel, showing updated status as the operation proceeds.
    If the deployment status is No Changes to Deploy, or some other status that does not permit deployment, Deploy is not displayed.

Deleting Network Security deployments

When you have multiple Network Security deployments, you may want to delete those that you no longer need.
  1. Navigate to the Deployments panel.
  2. Hover over the Deployments header and click the + icon, then click Delete Deployments.
    The Deployments panel expands to show the All Deployments screen which displays all Network Security deployments, including their name, status, creation date, and the account used to create the deployment.
  3. Select the check box to the left of each deployment you want to delete and click Remove. The Confirm Delete dialog box opens and asks for confirmation; click Confirm to proceed with the deletion.
    To select all deployments for deletion, click the topmost check box.
    The selected deployments are removed.

Managing deployments

When a deployment displays a status of READY TO DEPLOY, you can distribute configuration changes to managed BIG-IP® devices. If there are no changes to deploy, a message confirms this.
  1. Navigate to the Deployments panel.
  2. Hover over the header of the deployment you want to manage and click the gear icon to open the screen and display task properties.
    • Deployment Name: User-provided name of the deployment task.
    • Description: Optional description, including the purpose of the deployment or other relevant information.
    • User: Name of the user who initiated the deployment.
    • Task Status: Status for the deployment phases (evaluation and distribution).
    • Start Time: Time the deployment started, in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:17-07:00
    • End Time: Time the deployment ended, in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:36-07:00
    • Select Devices to Evaluate: Available devices are listed to the right of the field. Select or clear check boxes as appropriate.
  3. Click Evaluate to evaluate differences between the selected snapshot and the current configuration.
  4. Click View Diffs to view differences between the configuration on BIG-IQ® Web Application Security and the BIG-IP device.
    A dialog box opens displaying the differences. The display shows four columns: Type (type of entity changed), Change (add, modify, remove), On BIG-IQ (name of the entity on BIG-IQ Web Application Security), and On BIG-IP (name of the entity on the BIG-IP® device).
  5. When ready to deploy, click Deploy to push changes to the selected BIG-IP device.
Deployment states are displayed during the deployment process. At the end of the deployment process, the working-configuration set is deployed to selected BIG-IP® device(s) or, if a snapshot was selected, the BIG-IP device is rolled back to the state reflected in the snapshot.

Deploying from snapshots

During deployment, use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP® device.
  1. Navigate to the Deployments panel.
  2. Hover over the Deployments header and click the + icon, then click Add Deployment.
    The Deployments panel expands to show the Add Deployment screen.
  3. Complete the fields as required.
    Your changes are saved automatically.
    • Deployment Name: Name for the deployment that indicates its purpose. It can be useful to adopt a convention, such as ticket numbers.
    • Description: Optional description, including the purpose of the deployment or other relevant information.
    • Deployment Source: Choose between Working Config and Snapshot. To deploy the working configuration currently on the BIG-IQ® system, select Working Config and click Evaluate. To deploy from a snapshot, select Snapshot, and from the popup screen, select the snapshot you want to deploy from, and click Evaluate.
    • Select Devices to Evaluate / Available Devices: Available devices are listed. Select or clear check boxes as appropriate.
  4. When you see the message READY TO DEPLOY under the deployment name in the Deployments panel, click the gear icon and select Properties to expand the panel.
    1. Under the text Evaluate found the following changes: you will see a device name followed by the number of differences, verification errors, and critical errors for both Firewall and for Shared Security.
    2. Click a non-zero number to display the differences or errors.
      A modal window with the list of differences or errors appears.
    3. For differences, click an object name to view the JSON in the table under the list of differences.
      When viewing the objects:
      • Any new policy and any child objects contained by that policy are listed.
      • Any modified policy will be listed as a changed policy, and any children of that policy which have been modified will also be listed as changed.
  5. When ready to deploy, click Deploy to push changes to the selected BIG-IP device.
The selected snapshot or the specific set of working-configuration edits is deployed to the selected BIG-IP device.

Verifying firewall rules have compiled on all BIG-IP devices

Once a firewall deployment has completed successfully, Check Rule Compilation is enabled on the Deployments panel.
Use Check Rule Compilation to verify that your firewall rules are active on the BIG-IP devices to which you deployed those rules.
  1. Click Check Rule Compilation to determine if rules have been compiled on all the BIG-IP devices in the firewall deployment.
    The current status and last activation time for each BIG-IP device included in the deployment are listed.
  2. Verify that the last activation time for each BIG-IP device is after the end time of the BIG-IQ deployment task, to ensure that the firewall rules have been compiled on each BIG-IP device. You can repeat this step multiple times.
    Review the following considerations when using Check Rule Compilation:
    • Be aware of any time differences, due to time zones and so on, between the BIG-IQ system and the BIG-IP device.
    • BIG-IP device versions earlier than 11.5.1 HF4 do not support the compilation statistics used by this feature and will display the message, Compilation stats not provided for this version of BIG-IP.
    • If the Check Rule Compilation feature is used with an older deployment, where the state of the BIG-IP device has changed since the deployment, the status returned will include all active firewall rule changes on the BIG-IP device since the deployment.
    • If the Check Rule Compilation feature returns the message Local Last Activation Time or the message No stats found on device, then the state of the BIG-IP device has changed since the deployment, and compilation statistics have been reset. This can be caused by a reboot of the BIG-IP device.
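The comparison in step 2, together with the considerations listed above, as an added example that is not F5's code: each device's reported status is checked against the deployment task's End Time as an absolute instant, so a device whose clock shows a later wall-clock time in a different zone is still reported as pending. The device names, the per-device status strings, and the choice to treat a timestamp without a UTC offset as being in the deployment's own zone are constructed assumptions.

```python
"""Added example (not F5's code): apply the Check Rule Compilation test to
constructed per-device status records. A device's rules count as compiled only
when its last activation time is later than the deployment task's end time,
compared as absolute instants so that differing time zones do not skew the
result. Status strings are the messages quoted in the considerations above."""
from datetime import datetime

NOT_SUPPORTED = "Compilation stats not provided for this version of BIG-IP"
STATS_RESET = ("Local Last Activation Time", "No stats found on device")

# Constructed sample: the task's End Time and what each device reported.
DEPLOY_END = "2013-05-31T08:16:36-07:00"
DEVICES = {
    "bigip-a": "2013-05-31T08:16:41-07:00",   # same zone, 5 s after the end time
    "bigip-b": "2013-05-31T17:00:00+02:00",   # later wall clock, but 15:00Z < 15:16:36Z
    "bigip-c": NOT_SUPPORTED,                 # BIG-IP earlier than 11.5.1 HF4
    "bigip-d": "No stats found on device",    # stats reset, e.g. after a reboot
}

def parse_time(stamp, default_tz=None):
    """Parse the yyyy-mm-ddThh:mm:ss-hh:mm form shown in the Deployments panel.

    Assumption: a stamp with no UTC offset is taken to be in default_tz (the
    deployment's own zone), rather than compared naively.
    """
    moment = datetime.fromisoformat(stamp)
    if moment.tzinfo is None and default_tz is not None:
        moment = moment.replace(tzinfo=default_tz)
    return moment

def check_rule_compilation(deploy_end, devices):
    """Classify each device as 'compiled', 'pending', 'unsupported' or 'reset'."""
    end = parse_time(deploy_end)
    result = {}
    for name, status in devices.items():
        if status == NOT_SUPPORTED:
            result[name] = "unsupported"
        elif status in STATS_RESET:
            # The device state changed since the deployment; re-check on the device.
            result[name] = "reset"
        elif parse_time(status, end.tzinfo) > end:
            result[name] = "compiled"
        else:
            # Activation does not postdate the deployment: rules not yet active.
            result[name] = "pending"
    return result

def needs_attention(results):
    """Devices that cannot be confirmed as running the deployed rules."""
    return sorted(n for n, r in results.items() if r != "compiled")

if __name__ == "__main__":
    outcome = check_rule_compilation(DEPLOY_END, DEVICES)
    for name, state in outcome.items():
        print(f"{name}: {state}")
    print("re-check:", needs_attention(outcome))
```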