BIG-IQ® Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager™ (AFM™) module.
The BIG-IQ Network Security system provides:
Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.
Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.
Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.
In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
BIG-IQ® Security contains several groups of capabilities. The Shared Security group contains objects that can be used with Network Security objects and with Web Application Security objects.
BIG-IQ® Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.
For each device that it discovers, the BIG-IQ system creates a logical container to hold all security policies that are not related to any virtual server on the device. This logical container is called the inactive virtual server, and is used only to track policies that are not directly attached to other virtual servers on that device. Policies that are deployed while attached to the inactive virtual server are not enforced on the device.
In order for you to deploy a policy to a BIG-IP device, the policy must be attached to one of the device's virtual servers, or to the inactive virtual server. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you can either deploy it as a new policy attached to an available virtual server, or deploy it as a policy attached to the inactive virtual server (which will deploy the policy to the BIG-IP device without attaching it to a virtual server).
From this central management platform, you can perform the following actions:
The BIG-IQ® Security system interface provides many features to assist you in completing tasks.
Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.
F5® recommends a minimum screen resolution of 1280 x 1024 to properly display and use the screens efficiently.
It is possible to shrink the browser window so that system interface elements (screens, scroll bars, icons) no longer appear in the visible area. Should this occur, use the browser's zoom-out function to shrink the screens and controls until they fit.
For example, you can customize the columns displayed for a particular user in the policy editor.
User preference settings persist across sessions. If users log out, they see the same settings when logging back in.
By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.
| Setting | Description |
| --- | --- |
| Firewall Types | Select or clear the check boxes as required. By default, the interface displays all firewall contexts in the Firewall Contexts screen. |
| Rule Editor | Select or clear the check boxes as required to modify the policy editor settings. You can set whether to automatically expand rule lists and select which columns to display in the policy editor. By default, all columns are displayed. |
| Idle Timeout (minutes) | Specify a number indicating how many minutes the BIG-IQ Security user interface can be idle before a user is logged out. The default value is 20. |
| Default View | Select which part of the BIG-IQ user interface is displayed initially when a user logs in to the system. The default is Last Visited, which means that the last page used by this user is displayed when they log in to the system. |
Within the BIG-IQ® Security system, one or more users may edit firewall security or web application security objects simultaneously. A locking mechanism is used to avoid problems with conflicting changes to objects.
Initially, the user interface displays all objects as read-only. When a user initiates an editing session, the object is locked. Once locked, no one can modify or delete that object except the holder of the lock, or a user with privileges sufficient to break the lock:
BIG-IQ Security uses a single repository to hold policy objects and saves each editorial change. With this single-copy design, multiple editors can share the editing task through a locking mechanism.
Each editor has her own copy of a policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one complete set of changes. An administrator can then review the policy change as a single entity before committing it.
If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges. When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided. Deleting an object automatically clears all locks associated with it.
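The locking rules described above (objects start read-only, an editing session takes the lock, only the holder or a suitably privileged user can clear it, and deleting an object clears its lock) are modelled below as an added, constructed example; this is illustrative code, not BIG-IQ's implementation, and the `lock_breakers` privilege set and the `policy_a` object are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
@dataclass
class ManagedObject:
    version: int = 1
    lock_holder: Optional[str] = None   # None: read-only for everyone

@dataclass
class Repository:
    objects: Dict[str, ManagedObject] = field(default_factory=dict)
    lock_breakers: Set[str] = field(default_factory=set)  # assumed privilege: may clear others' locks

    def begin_edit(self, user: str, name: str) -> ManagedObject:
        obj = self.objects[name]
        if obj.lock_holder not in (None, user):
            raise PermissionError(f"{name} is locked by {obj.lock_holder}")
        obj.lock_holder = user            # only this user may modify or delete it now
        return obj

    def commit(self, user: str, name: str) -> int:
        obj = self.objects[name]
        if obj.lock_holder != user:
            raise PermissionError(f"{user} does not hold the lock on {name}")
        obj.version += 1                  # the next editor receives this latest version
        obj.lock_holder = None
        return obj.version

    def clear_lock(self, user: str, name: str) -> None:
        obj = self.objects[name]
        if obj.lock_holder != user and user not in self.lock_breakers:
            raise PermissionError(f"{user} may not break the lock on {name}")
        obj.lock_holder = None

    def delete(self, user: str, name: str) -> None:
        self.begin_edit(user, name)       # same rule as editing: unlocked, or held by user
        del self.objects[name]            # removing the object clears its lock with it

def scenario() -> List[str]:
    # Constructed walk-through: two editors and one admin who may break locks.
    repo = Repository({"policy_a": ManagedObject()}, {"admin"})
    repo.begin_edit("alice", "policy_a")
    events = []
    for user in ("bob", "admin"):         # bob lacks the privilege, admin has it
        try:
            repo.clear_lock(user, "policy_a")
            events.append(f"{user} cleared lock")
        except PermissionError:
            events.append(f"{user} refused")
    repo.begin_edit("bob", "policy_a")    # lock is free again, bob gets the latest version
    events.append(f"bob committed v{repo.commit('bob', 'policy_a')}")
    return events
```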
BIG-IQ Security supports:
As a security system manager, you need to differentiate between types of users, and to limit user privileges based on user responsibilities. To assist you, the BIG-IQ® system provides a default set of roles. You can associate multiple roles with a given user; for example, you can grant a user the edit (Network_Security_Edit) and the deploy (Network_Security_Deploy) roles for network security functions. Roles persist and are available after a BIG-IQ system failover.
To view the defined roles, both default and locally-defined, log in to BIG-IQ System as administrator, and navigate to the Roles screen.
Select System Management from the BIG-IQ menu and then click .
The Roles screen lists each defined role and a description of that role. Refer to the Roles online help or to the BIG-IQ® Centralized Management: Licensing and Initial Setup guide for more information on roles and their use.
BIG-IQ® system security uses the following terminology to refer to configuration sets for a centrally-managed BIG-IP® device:
The working configuration is created when the administrator first manages the BIG-IP device from the BIG-IQ system. The working configuration is updated when a device is reimported or rediscovered.
If conflicts are observed during reimport or rediscovery, the object in conflict is only updated in the working configuration when the Use BIG-IP resolution conflict option is used.