Manual Chapter : Deploying Changes

Applies To:

BIG-IQ Centralized Management

  • 5.0.0

How do I evaluate changes made to managed objects?

To change the object settings on a managed device, there are four tasks to perform.

This figure illustrates the workflow you perform to manage the objects on BIG-IP® devices. Evaluating the changes you have made is the third step in this process.

[Figure: Evaluate object changes. Overview of evaluating changes made to managed objects]

Note: If you need to make an urgent change, you can skip the evaluation step. However, we highly recommend evaluation in all but emergency situations. See Making an urgent deployment for details.

Evaluating configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they may not cause the deployment to fail, but should be reviewed nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments may fail.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select the type of evaluation and deployments to view. Select Network Security or Web Application Security, whichever is appropriate.
    The list of evaluations and deployments that have been created on this device opens.
  5. Under Evaluations, click Create.
    The Create Evaluation screen opens.
  6. In the Name field, type in a name for the evaluation task you are creating.
  7. In the Description field, type in a brief description for the evaluation task you are creating.
  8. For the Source, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  9. For the Target setting, identify the devices for which you want to evaluate changes.
    1. If the devices are in a device group, select Group, and select the group from the list.
    2. If the devices are not in a device group, select Device.
    3. Select the devices from the Available list, and use the arrow button to move the devices to the Selected list.
      Important: If you deploy changes to a device that is in a DSC® cluster, you must include both devices before you can create the evaluation.
      Important: If the device in the Selected list has a filled circle in front of it, a deployment is needed for the BIG-IP device configuration to match the BIG-IQ working configuration for that BIG-IP device. This notification occurs only when creating Web Application Security evaluations.
  10. Click the Create button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation completes, you will see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the Difference link.
      Each change is listed. You can review each one by clicking the name.

To apply the object changes to the managed device, you must deploy them.

How do I deploy changes made to managed objects?

Deploying changes applies the revisions that you have made on the BIG-IQ® to the managed BIG-IP® devices.

Note: Before the BIG-IQ deploys configuration changes, it first reimports the configuration from the managed device to ensure there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device and then deploy the configuration changes.
  • To accept the default, proceed with the deployment. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP device.
  • To override the default, rediscover the device and reimport the service. Any changes that have been made using the BIG-IQ are overwritten with the settings from the managed BIG-IP device.

This figure illustrates the workflow you perform to manage the objects on BIG-IP devices. Deploying the settings is the last step in this process.

[Figure: Deploy object changes. Change managed object workflow]

Deploying configuration changes

To apply the changes you made on the BIG-IQ to your managed device, you must deploy those changes to the managed device.

  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Network Security or Web Application Security, whichever is appropriate.
    The list of evaluations and deployments defined on this device opens.
  5. Click the name of the evaluation that you want to deploy.
    The View Evaluation screen opens.
  6. Specify whether you want to deploy the changes immediately or schedule deployment for later.
    • To deploy this change immediately:
      1. Select Deploy Now.
      2. Click Deploy to confirm.
    • To deploy this change later:
      1. Select Schedule for later.
      2. Select the date and time.
      3. Click Schedule Deployment.
      4. Click Schedule Deployment again to confirm.
    The process of deploying changes can take some time, especially if there are a large number of changes. During this time, you can click Cancel to stop the deployment process.
    Important: If you cancel a deployment, some of the changes may have already deployed. Cancel does not roll back these changes.
The evaluation you chose is added to the list of deployments on the bottom half of the screen.
  • If you chose to deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
  • If you chose to delay deployment, the Status column displays the scheduled date and time.

Making an urgent deployment

You can skip the evaluation task and deploy changes right now if you need to make urgent changes.

  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. On the left, expand EVALUATE & DEPLOY.
  4. Under EVALUATE & DEPLOY, select Network Security or Web Application Security, whichever is appropriate.
    The list of evaluations and deployments defined on this device opens.
  5. Under Deployments, click Create.
    The Create Deployment screen opens.
  6. In the Name field, type in a name for the deployment task you are creating.
  7. In the Description field, type in a brief description for the deployment task you are creating.
  8. For the Source setting, select what you want to deploy.
    • To deploy your changes to the managed device, select Current Changes.
    • To deploy the object settings from a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  9. Using the Target settings, identify the devices for which you want to deploy changes.
    1. If the devices are in a device group, select Group, and select the group.
    2. If the devices are not in a device group, select Device.
    3. Select the devices from the Available list and use the arrow button to move the devices to the Enabled list.
  10. Consider one more time how you want to deploy these changes.
    • To make the changes right now, click Deploy immediately.
    • If you want to review the changes, click Create evaluation.
  11. Click Create.
    • If you selected Deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
    • If you selected Create evaluation, the new evaluation is added to the list and the changes are analyzed for errors. When the evaluation completes, you will see how many changes or errors the evaluation found.

Verifying firewall rules have compiled on all BIG-IP devices

Once a firewall deployment has completed successfully, Check Rule Compilation is enabled on the View Deployment screen.
Use Check Rule Compilation to verify that your firewall rules are active on the BIG-IP devices to which you deployed those rules.
  1. On the Deployments screen, click the name of the deployment that contains the firewall rules you want to verify.
    The View Deployment screen for that deployment displays.
  2. On the View Deployment screen, click Check Rule Compilation to determine if rules have been compiled on all the BIG-IP devices in the firewall deployment.
    The rule compilation status and last activation time for each BIG-IP device included in the deployment are listed in a popup.
  3. Verify that the last activation time for each BIG-IP device is after the end time of the BIG-IQ deployment task to ensure that firewall rules have been compiled on each BIG-IP device. You can repeat this step multiple times.
    Review the following considerations when using Check Rule Compilation:
    • Be aware of any time differences, due to time zones and so on, between the BIG-IQ system and the BIG-IP device.
    • BIG-IP device versions earlier than 11.5.1 HF4 do not support the compilation statistics used by this feature and will display the message, Compilation stats not provided for this version of BIG-IP.
    • If the Check Rule Compilation feature is used with an older deployment, where the state of the BIG-IP device has changed since the deployment, the status returned will include all active firewall rule changes on the BIG-IP device since the deployment.
    • If the Check Rule Compilation feature returns the message Local Last Activation Time or the message No stats found on device, then the state of the BIG-IP device has changed since the deployment, and compilation statistics have been reset. This can be caused by a reboot of the BIG-IP device.
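
The comparison in step 3, as an added example that is not part of the F5 manual: it classifies each device by comparing its last activation time with the deployment end time as absolute instants, so wall-clock values from different time zones are not compared directly. The timestamp layout, device names, and sample values are assumptions constructed for illustration; only the three message strings come from this page.

```python
from datetime import datetime

# Assumed layout for this example: every timestamp carries its UTC offset.
FMT = "%Y-%m-%d %H:%M:%S %z"

# Messages quoted on this page that mean no usable activation time exists.
NO_STATS_MESSAGES = (
    "Compilation stats not provided for this version of BIG-IP",
    "No stats found on device",
    "Local Last Activation Time",
)

def classify_activation(deploy_end, popup_rows):
    """Map each device to 'compiled', 'not-yet', 'no-stats' or 'unparsed'.

    deploy_end: end time of the BIG-IQ deployment task, in FMT.
    popup_rows: {device: activation time in FMT, or a status message}.
    """
    end = datetime.strptime(deploy_end, FMT)  # timezone-aware
    verdicts = {}
    for device, value in popup_rows.items():
        if any(msg in value for msg in NO_STATS_MESSAGES):
            verdicts[device] = "no-stats"   # old version or stats were reset
            continue
        try:
            activated = datetime.strptime(value, FMT)
        except ValueError:
            # No UTC offset (or another layout): refuse to guess the zone.
            verdicts[device] = "unparsed"
            continue
        # Aware datetimes compare as instants, regardless of offset.
        verdicts[device] = "compiled" if activated > end else "not-yet"
    return verdicts

# Constructed sample values (hypothetical device names).
DEPLOY_END = "2016-06-01 21:10:00 +0000"
POPUP_ROWS = {
    "bigip-west": "2016-06-01 14:12:00 -0700",  # 21:12 UTC, after the end
    "bigip-east": "2016-06-01 23:05:00 +0200",  # 21:05 UTC, before the end
    "bigip-old": "Compilation stats not provided for this version of BIG-IP",
    "bigip-rebooted": "No stats found on device",
    "bigip-nozone": "2016-06-01 21:30:00",
}

if __name__ == "__main__":
    for device, verdict in classify_activation(DEPLOY_END, POPUP_ROWS).items():
        print(f"{device}: {verdict}")
```

Here `bigip-west` shows an earlier wall-clock time than the deployment end yet is compiled, while `bigip-east` shows a later wall-clock time and is not.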

Reviewing deployment process states to diagnose problems

When a firewall security policy or a web application security policy is deployed, that policy goes through several deployment states. Reviewing these states can help you understand what occurred during deployment and diagnose a problem. Note that not all states may appear in the log, because which states are displayed depends on how the deployment was processed.

Review the restjavad.n.log file to view deployment states for either a firewall security policy or a web application security policy.

Device deployment states

This table displays states that can occur during the deployment process, and a brief description of each state.

Table 1. Deployment States
State Description
CHECK_LICENSE Licenses for BIG-IQ systems are checked to be valid.
CHECK_OTHER_RUNNING_TASKS Verifies that no tasks are running that could cause errors during deployment. Tasks that could cause errors include:
  • Other BIG-IQ Security deployment tasks running at the same time as this deployment, even if they are from different modules.
  • Tasks to declare management authority over a BIG-IP device.
  • Tasks that rescind management authority of a BIG-IP device.
GET_DEVICES Finds all devices managed by the BIG-IQ Security system.
CHECK_DEVICE_AVAILABILITY Determines whether the devices to be deployed are available.
LOOKUP_CLUSTERS Determines if any devices included in the deployment are part of a cluster, and if so, verifies that both devices in the cluster are configured with the same sync mode and sync failover group on the BIG-IP device.
REFRESH_CURRENT_CONFIG_SOAP Using the SOAP API, refreshes the current configuration for all devices included in the deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
REFRESH_CURRENT_CONFIG_REST Using the REST API, refreshes the current configuration for all devices included in deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
CREATE_SNAPSHOT Creates a snapshot of the working configuration.
CREATE_DIFFERENCE Generates the differences between the snapshot taken and the current configuration.
VERIFY_CONFIG Verifies that devices to be deployed do not have configuration problems that could lead to deployment errors.
GET_CHILD_DEPLOY_DEVICES Finds all devices managed by Shared Security objects. These devices are considered to be child deployments of a parent firewall security or web application security deployment.
START_CHILD_DEPLOY Starts the deployment of devices managed by Shared Security objects.
WAIT_FOR_CHILD_DEPLOY Waits for deployment of devices managed by Shared Security objects to complete.
CLEANUP_PREVIOUS_EVALUATE Cleans up processing artifacts from the previous evaluation.
DISTRIBUTE_DSC_CLUSTERS Distributes changes to devices identified as being in a cluster by the LOOKUP_CLUSTERS process and that are configured to use the BIG-IP Device Service Clustering (DSC) to keep the BIG-IP devices synchronized.
DISTRIBUTE_CONFIG Distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_SOAP Using the SOAP API, distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_REST Using the REST API, distributes configuration changes to the specified devices.
FOLDBACK_DEPLOYED_ADDITIONS Inserts any newly-added objects directly into the current configuration so that the BIG-IQ system will already know about those objects on the next refresh of the current configuration.
DONE Indicates the deployment process has completed.
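
One way to pull the deployment states out of a restjavad log and see where a deployment stopped, as an added example that is not part of the F5 manual. The state names are taken from Table 1; the sample log lines are constructed, and because the real log layout is not shown on this page, the code relies only on the state names appearing as whole words.

```python
import re

# Deployment state names, copied from Table 1 on this page.
STATES = """CHECK_LICENSE CHECK_OTHER_RUNNING_TASKS GET_DEVICES
CHECK_DEVICE_AVAILABILITY LOOKUP_CLUSTERS REFRESH_CURRENT_CONFIG_SOAP
REFRESH_CURRENT_CONFIG_REST CREATE_SNAPSHOT CREATE_DIFFERENCE VERIFY_CONFIG
GET_CHILD_DEPLOY_DEVICES START_CHILD_DEPLOY WAIT_FOR_CHILD_DEPLOY
CLEANUP_PREVIOUS_EVALUATE DISTRIBUTE_DSC_CLUSTERS DISTRIBUTE_CONFIG
DISTRIBUTE_CONFIG_SOAP DISTRIBUTE_CONFIG_REST FOLDBACK_DEPLOYED_ADDITIONS
DONE""".split()

# Word boundaries keep DISTRIBUTE_CONFIG from matching inside
# DISTRIBUTE_CONFIG_SOAP ("_" counts as a word character).
STATE_RE = re.compile(
    r"\b(" + "|".join(sorted(STATES, key=len, reverse=True)) + r")\b")

def trace_states(lines):
    """Return [(line_number, state)] in log order, collapsing repeats."""
    trace = []
    for number, line in enumerate(lines, start=1):
        for state in STATE_RE.findall(line):
            if not trace or trace[-1][1] != state:
                trace.append((number, state))
    return trace

def summarize(lines):
    """Report the state sequence, the last state seen, and whether DONE was reached."""
    seen = [state for _, state in trace_states(lines)]
    return {
        "sequence": seen,
        "last_state": seen[-1] if seen else None,
        "completed": bool(seen) and seen[-1] == "DONE",
    }

# Constructed sample lines, not real restjavad output.
SAMPLE_LOG = [
    "[constructed] deploy task entering CHECK_LICENSE",
    "[constructed] deploy task entering CHECK_OTHER_RUNNING_TASKS",
    "[constructed] deploy task entering GET_DEVICES",
    "[constructed] deploy task entering CREATE_SNAPSHOT",
    "[constructed] deploy task entering CREATE_DIFFERENCE",
    "[constructed] deploy task entering DISTRIBUTE_CONFIG_REST",
    "[constructed] deploy task still in DISTRIBUTE_CONFIG_REST",
    "[constructed] deploy task failed",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If several deployments ran during the period the log covers, filter the lines to one deployment first, since this trace does not separate tasks.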