Applies To:

Show Versions Show Versions

Manual Chapter: Overview BIG-IQ Security
Manual Chapter
Table of Contents   |   Next Chapter >>

Understanding BIG-IQ Network Security and firewall management

BIG-IQ® Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager™ (AFM™) module.

The BIG-IQ Network Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deployment of configurations from snapshots, and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism
  • Monitoring of rules
  • Reports on security

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.

In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.

Understanding Shared Security in BIG-IQ Security

BIG-IQ® Security contains several groups of capabilities. The Shared Security group contains objects that can be used with Network Security objects and with Web Application Security objects.

Understanding BIG-IQ Web Application Security and application management

BIG-IQ® Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.

For each device that it discovers, the BIG-IQ system creates a logical container to hold all security policies that are not related to any virtual server on the device. This logical container is called the inactive virtual server, and is only used to track policies that are not directly attached to other virtual servers on that device. Policies attached to the inactive virtual server that are distributed are not enforced.

In order for you to deploy a policy to a BIG-IP device, the policy must be attached to one of the device's virtual servers, or to the inactive virtual server. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you can either deploy it as a new policy attached to an available virtual server, or deploy it as a policy attached to the inactive virtual server (which will deploy the policy to the BIG-IP device without attaching it to a virtual server).

From this central management platform, you can perform the following actions:

  • Import Application Security Manager™ (ASM) policies from files.
  • Import ASM™ policies from discovered devices.
  • Distribute policies to BIG-IP devices.
  • Export policies, including an option to export policy files in XML format.
  • Manage configuration snapshots.
  • Edit policy settings. Refer to the table in About security policies in BIG-IQ Web Application Security for the supported settings.
  • Manage and distribute custom signature sets.
  • Manage and distribute custom signatures.
  • Distribute signature files to BIG-IP devices.

About the BIG-IQ Security system interface

The BIG-IQ® Security system interface provides many features to assist you in completing tasks.

About filtering

Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.

Note: When you begin typing in the text entry field, you may notice that your browser has cached entries from previous sessions. You can select from the list or continue typing.

About browser resolution

F5® recommends a minimum screen resolution of 1280 x 1024 to properly display and use the screens efficiently.

It is possible to shrink the browser screen so that system interface elements (screens, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the screens and controls.

Setting user preferences

As a firewall policy editor, you can customize the BIG-IQ® Network Security system interface to minimize the information displayed, and to simplify routine editing sessions.
Note: Setting user preferences is not available through the BIG-IQ Web Application Security system interface.

For example, you can customize the columns displayed for a particular user in the policy editor.

Note: This customization does not create an access issue. Users still have access to the resources required by their roles; they just choose not to display them.

User preference settings persist across sessions. If users log out, they see the same settings when logging back in.

By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.

  1. Log in to the BIG-IQ® Security system.
  2. At the top-right of the screen, hover over the admin icon to display the options.
    The options displayed when you hover over the admin vary, depend on whether you have Network Security, Shared Security, or Web Application Security selected.
    • If Network Security is selected, Global User Settings, Security User Settings, and Log out are displayed.
    • If Shared Security is selected, Global User Settings, and Log out are displayed.
    • If Web Application Security is selected, Log out only is displayed and no user settings can be modified.
  3. To change Network Security user settings, select Security User Settings if it is displayed and select the appropriate options.
    Option Description
    Firewall Types Select or clear the check boxes as required. By default, the interface displays all firewall contexts in the Firewall Contexts screen.
    Rule Editor Select or clear the check boxes as required to modify the policy editor settings. You can set whether to automatically expand rule lists and select which columns to display in the policy editor. By default, the all columns are displayed.
    Changing what columns, or contexts are displayed to the user does not create an access issue. Users still have access to the resources required by their roles; they just choose not to display them.
  4. To change global user settings, select Global User Settings if it is displayed and select the appropriate options.
    Option Description
    Idle Timeout (minutes) Specify a number indicating how many minutes the BIG-IQ Security user interface can be idle before a user is logged out. The default value is 20.
    Default View Select what part of the BIG-IQ user interface should be initially displayed when a user logs in to the system. The default is Last Visited which indicates that the last page used by this user should be displayed when they log in to the system.
  5. Click Save to save your preferences on either the Global User Settings or Security Settings popup screen. Click Close to close the Security Settings popup screen without saving your selections.
Selected preferences are now in effect and persist across user sessions. If you log out, you will see the same settings when you log back in.

About multi-user editing and locking

Within the BIG-IQ® Security system, one or more users may edit firewall security or web application security objects simultaneously. A locking mechanism is used to avoid problems with conflicting changes to objects.

Initially, the user interface displays all objects as read-only. When a user initiates an editing session, the object is locked. Once locked, no one can modify or delete that object except the holder of the lock, or a user with privileges sufficient to break the lock:

  • To unlock a locked firewall security object requires the Administrator, Network_Security_Manager, or Security_Manager role.
  • To unlock a locked Web application security object requires the Administrator, Web_App_Security_Manager, or Security_Manager role.
  • To unlock a locked shared security object, requires the Administrator, Network_Security_Manager, Web_App_Security_Manager, or Security_Manager role.

BIG-IQ Security uses a single repository to hold policy objects and saves each editorial change. With this single-copy design, multiple editors can share the editing task through a locking mechanism.

Each editor has her own copy of a policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one, complete set of changes. Then, an administrator can review a policy change as a single entity before committing it.

For example:

  1. If a firewall editor needs to edit Portlist_1, AddressList_2, and Rulelist_5, the editor locks those objects.
  2. When the edit pass is complete, the editor saves the object, which clears the lock.

If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges. When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided. Deleting an object automatically clears all locks associated with it.

BIG-IQ Security supports:

  • Multiple, independent locks.
  • Locking or unlocking on an object-by-object basis.
  • Locks in screens, in the firewall security Policy Editor, and in the Web application security Policy Editor.
  • Lock management of firewall security objects using the Locked Objects screen of the firewall security Policy Editor. This screen displays firewall and shared security objects that are locked, the user who locked each object, and when the lock was created. User privileges (assigned by user roles) determine what locks are visible to the user. If you have sufficient privileges, you can use the Locked Objects screen to view and remove multiple firewall and shared security object locks.

Viewing locks on configuration objects

BIG-IQ® Security allows you to view individual locks, and for firewall and shared security objects, allows you to view multiple locks from the Locked Objects screen of the firewall security policy editor.
  1. Examine all objects in the BIG-IQ Security screens and policy editors to locate any locked configuration objects.
  2. For each locked object, review the lock information on the screen or in the policy editor.
    The displayed lock header displays the owner of the lock and the date and time the lock was created.
  3. To view all locked firewall security or shared security objects, use the Locked Objects screen of the firewall security policy editor.
    For each locked object, the Locked Objects screen displays the object name, partition, kind of object, user who locked the object, and when the lock was created.

Clearing locks on configuration objects

The owner of a lock can always clear that lock to enable editing by other users. Other roles (such as Administrator, Network_Security_Manager, Security_Manager, or Web_App_Security_Manager) also carry sufficient privileges to clear locks held by any user. BIG-IQ® Security allows you to clear individual locks, and for firewall and shared security objects, allows you to clear multiple locks from the Locked Objects screen of the firewall security policy editor.
  1. Examine all objects in the BIG-IQ Security screens and policy editors to locate any locked configuration objects.
  2. For each locked object, review the lock information on the screen or in the policy editor.
    The displayed lock header displays the owner of the lock and the date and time the lock was created. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  3. In the lock header, click Unlock.
  4. To clear one or more locked firewall security or shared security objects from a single screen, select the one or more locked objects from the Locked Objects screen of the firewall security policy editor and click Unlock.
The lock is cleared; if multiple locks were selected, the locks are cleared.

About user roles

As a security system manager, you need to differentiate between types of users, and to limit user privileges based on user responsibilities. To assist you, the BIG-IQ® system provides a default set of roles. You can associate multiple roles with a given user; for example, you can grant a user the edit (Network_Security_Edit) and the deploy (Network_Security_Deploy) roles for network security functions. Roles persist and are available after a BIG-IQ system failover.

To view the defined roles, both default and locally-defined, log in to BIG-IQ System as administrator, and navigate to the Roles screen.

Select System Management from the BIG-IQ menu and then click USER MANAGEMENT > Roles .

The Roles screen lists each defined role and a description of that role. Refer to the Roles online help or to the BIG-IQ® Centralized Management: Licensing and Initial Setup guide for more information on roles and their use.

About BIG-IQ configuration sets

BIG-IQ® system security uses the following terminology to refer to configuration sets for a centrally-managed BIG-IP® device:

Current configuration set
The configuration of the BIG-IP® device as discovered by BIG-IQ. The current configuration is updated during a reimport or rediscovery and before calculating differences during the deployment process.
Working configuration set
The configuration as maintained by the BIG-IQ system. The working configuration is the configuration that is edited on the BIG-IQ system and deployed back to BIG-IP devices. The working configuration for the device is the same as the current configuration when the device is initially managed and when the device is reimported or rediscovered.

The working configuration is created when the administrator first manages the BIG-IP device from the BIG-IQ system. The working configuration is updated when a device is reimported or rediscovered.

If conflicts are observed during reimport or rediscovery, the object in conflict is only updated in the working configuration when the Use BIG-IP resolution conflict option is used.

Table of Contents   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)