Manual Chapter : Licensing and Initial Configuration

Applies To:

BIG-IQ Cloud

  • 4.4.0

BIG-IQ Device

  • 4.4.0

BIG-IQ Security

  • 4.4.0

About licensing and initial configuration

The BIG-IQ system runs as a virtual machine in specifically-supported hypervisors or on the BIG-IQ 7000 series platform. After you set up your virtual environment or your platform, you can license the BIG-IQ system. You initiate the license activation process with the base registration key.

The base registration key is a character string that the license server uses to verify the functionality that you are entitled to license. If the system has access to the internet, you select an option to automatically contact the F5 license server and activate the license. If the system is not connected to the internet, you can manually retrieve the activation key from a system that is connected to the internet, and transfer it to the BIG-IQ system.

Automatic license activation

You must have a base registration key to license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (http://www.f5.com).
If the BIG-IQ system is connected to the public internet, you can use this procedure to activate its license.
  1. Using a browser on which you have configured the management interface, type https://<management_IP_address>, where <management_IP_address> is the address you specified for device management. This is the IP address that the BIG-IQ system uses to communicate with its managed devices.
  2. Log in to the BIG-IQ System with the default user name admin and password admin.
  3. In the Base Registration Key field, type or paste the BIG-IQ registration key.
  4. In the Add-on Keys field, paste any additional license key you have.
  5. For the Activation Method setting, select Automatic, and click the Activate button. The End User License Agreement (EULA) displays.
  6. To accept the EULA, click the Accept button.
  7. Click Properties.
  8. In the Host Name field, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  9. In the Self IP Address field, type the self IP address of your internal VLAN. The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24. This is the self IP address that managed devices use to communicate with the BIG-IQ system. This address is also referred to as the discovery address. Once you save this self IP address, you cannot change it.
  10. Click the Save button to save your configuration.

Manual license activation

You must have a base registration key to license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (http://www.f5.com).
If the BIG-IQ system is not connected to the public internet, you can use this procedure to activate its license.
  1. Using a browser on which you have configured the management interface, type https://<management_IP_address>, where <management_IP_address> is the address you specified for device management. This is the IP address that the BIG-IQ system uses to communicate with its managed devices.
  2. Log in to the BIG-IQ System with the default user name admin and password admin.
  3. In the Base Registration Key field, type or paste the BIG-IQ registration key.
  4. In the Add-on Keys field, paste any additional license key you have.
  5. For the Activation method setting, select Manual and click the Generate Dossier button. The BIG-IQ system refreshes and displays the dossier in the Device Dossier field.
  6. Copy the text displayed in the Device Dossier field, and click the Access F5 manual activation web portal link. Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Paste the dossier into the Enter your dossier field, and then click the Next button. The Accept User Legal Agreement displays.
  8. Click Accept.
  9. Click Properties.
  10. In the Host Name field, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  11. In the Self IP Address field, type the self IP address of your internal VLAN. The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24. This is the self IP address that managed devices use to communicate with the BIG-IQ system. This address is also referred to as the discovery address. Once you save this self IP address, you cannot change it.
  12. To add an additional self IP address, click the + sign, and in the new Self IP Address field that the system creates, edit the duplicated self IP address to reflect the additional self IP address that you want to add.
  13. Click the Save button to save your configuration.

Defining DNS and NTP servers for the BIG-IQ system

After you license the BIG-IQ system, you can specify the DNS and NTP servers.
Setting your DNS server and domain allows the BIG-IQ system to properly parse IP addresses. Defining the NTP server ensures the BIG-IQ system’s clock is synchronized with Coordinated Universal Time (UTC).
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. On the BIG-IQ Systems panel, click the gear icon next to the group name for which you want to define the DNS and NTP servers, and then click Properties.
  3. Click Services.
  4. In the DNS Lookup Servers field, type the IP address of your DNS server.
  5. In the DNS Search Domains field, type the name of your search domain. The DNS search domain list allows the BIG-IQ system to perform local domain lookups to resolve local host names.
  6. In the Time Servers fields, type the IP addresses of your Network Time Protocol (NTP) servers.
  7. Click the Save button to save your configuration.

Changing the default password for the root user

You must specify the management IP address settings for the BIG-IQ system to prompt the system to automatically create the root user.
After you initially license and configure the BIG-IQ system, it is important to change the password for the root user from the default password, default.
  1. Log in to BIG-IQ Device with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users panel, click the gear icon for the root user.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click the Save button.

Changing the default password for the administrator user

You must specify the management IP address settings for the BIG-IQ system to prompt the system to automatically create the administrator user.
After you initially license and configure the BIG-IQ system, it is important to change the password for the administrator user from the default password, admin.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users panel, click the properties gear for Admin User.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click the Add button.

Overview: SNMP and SMTP alerts

You can easily manage the health of your network by configuring the BIG-IQ system to alert you when specific events occur for your managed devices. You can receive notifications by having the BIG-IQ system send traps to your SNMP manager, and you can also configure the BIG-IQ system to send alerts for certain events to a specified individual. SNMP is an industry-standard protocol for monitoring devices on IP networks. BIG-IQ Device integrates easily with your SNMP manager, allowing you to centrally manage collected data. Once configured, the SNMP agent sends data collected from BIG-IQ Device to your third-party SNMP manager. BIG-IQ Device is compatible with SNMPv1, SNMPv2c, and SNMPv3. Additionally, you can specify SNMP events to also trigger SMTP alerts.

About integrating with SNMP version 1 or 2 for alerts

To prepare BIG-IQ Device to interface with your SNMP version 1 or 2 manager, you must complete the following procedures.

  • Configure SNMP agent
  • Configure SNMP access
  • Create an SNMP trap destination

Configuring SNMP version 1 or 2 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the BIG-IQ management group you are configuring, and then click Properties.
  4. Click SNMP Config. The screen displays the SNMP Agent Properties settings.
  5. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system. These details are for informational purposes only, and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  6. To download the F5-specific MIBs, click the Download MIB link.
  7. In the Addresses/Networks fields, type the IP address and networks (and the netmask if applicable) that the SNMP manager is allowed to access.
  8. To add another address, click the plus ( + ) sign.
  9. Click the Save button located at the top of the panel.
  10. Click the Access tab. The SNMP Access settings display.
  11. In the New v1/v2 Access Records section, from the Type list, select the appropriate protocol for the SNMP manager's IP address.
  12. In the Community field, type the name of the associated community.
  13. Click the Traps tab.
  14. In the New v1/v2c Destinations section, from the Version list, select the version of SNMP you are using.
  15. In the Community, Destination, and Port fields, type, respectively, the community name, IP address, and port for the trap destination.
  16. To configure an additional SNMP trap destination, click the plus ( + ) sign and specify the settings.
  17. Click the Save button located at the top of the panel.
You can now specify alert settings.

About integrating with SNMP version 3 for alerts

To prepare BIG-IQ Device to interface with your SNMP version 3 manager, you must complete the following procedures.

  • Configure SNMP agent
  • Configure SNMP access
  • Create an SNMP trap destination

Configuring SNMP version 3 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click SNMP Config. The screen displays the SNMP Agent Properties settings.
  4. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system. These details are for informational purposes only, and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  5. To download the F5-specific MIBs, click the Download MIB link.
  6. In the Addresses/Networks fields, type the IP address and networks (and the netmask if applicable) that the SNMP manager is allowed to access.
  7. To add another address, click the plus ( + ) sign.
  8. In the New v3 Access Records section, in the User Name field, type the SNMP manager's user name.
  9. If you want to specify the authentication protocol for SNMP traps, from the Auth Type list, select the type that you want the system to use.
    • MD5 specifies the digest algorithm.
    • SHA specifies the secure hash algorithm.
  10. If you selected an Auth Type, from the Privacy list, also select the type of encryption you want the system to use to encrypt SNMP traps.
    • AES specifies Advanced Encryption Standard.
    • DES specifies Data Encryption Standard.
  11. In the Privacy Password field, type the required password for access.

    SNMPv3 has special requirements when you create plain-text passwords on a router or switch:

    • The password must be at least eight characters long.
    • The password can include alphabetic, numeric, and special characters, but it cannot include control characters.
  12. In the OID field, type the object identifier (OID) you want to associate with this user.
  13. Click the Save button located at the top of the panel.
You can now specify alert settings.
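
The password rules in step 11 matter because SNMPv3 turns the typed password into a per-device key. The following added example (not F5 code) checks the two stated password rules and then derives the localized key as defined in RFC 3414 Appendix A.2; it assumes the agent follows RFC 3414 and that the SHA option means SHA-1, and its function names are hypothetical.

```python
import hashlib

# The page's Auth Type labels mapped to hashlib names. Assumption: "SHA" means
# SHA-1, the hash behind the HMAC-SHA-96 protocol in RFC 3414.
AUTH_TYPES = {"MD5": "md5", "SHA": "sha1"}


def password_problems(password: str) -> list:
    """Check the two plain-text password rules stated in the procedure."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        problems.append("contains a control character")
    return problems


def master_key(password: str, auth_type: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1 MiB (Ku)."""
    problems = password_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    pw = password.encode("utf-8")
    reps, rem = divmod(1024 * 1024, len(pw))
    return hashlib.new(AUTH_TYPES[auth_type], pw * reps + pw[:rem]).digest()


def localized_key(password: str, engine_id: bytes, auth_type: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    ku = master_key(password, auth_type)
    return hashlib.new(AUTH_TYPES[auth_type], ku + engine_id + ku).digest()


# Sample password and engine ID from the RFC 3414 Appendix A.3 worked example.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for auth in ("MD5", "SHA"):
        print(auth, localized_key(RFC_PASSWORD, RFC_ENGINE_ID, auth).hex())
    other = bytes.fromhex("000000000000000000000003")  # constructed engine ID
    # Localization means one engine's stored key is not valid on another engine.
    print("differs per engine:",
          localized_key(RFC_PASSWORD, other, "SHA")
          != localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "SHA"))
    print("'admin' ->", password_problems("admin"))
```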

About integrating with SMTP for alerts

To have a specific recipient receive an email message when an alert is triggered by a system event, configure BIG-IQ Device to deliver locally-generated email messages using the internet-standard for electronic mail transmission, Simple Mail Transfer Protocol (SMTP). Sending an email alert ensures that administrators are immediately notified when a specific system event occurs so they can quickly troubleshoot potential issues.

Specifying alert conditions

After you configure SNMP and/or SMTP integration, you can specify the alerts that prompt BIG-IQ System to send an email to the specified recipients.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click the gear icon next to the group for which you want to specify alert conditions, and then click Properties.
  4. Click Alert Conditions.
  5. Select the check box next to each event that should trigger an alert email.
  6. If a threshold is associated with the condition, in the adjacent Threshold field, type a value on which you want to trigger an alert email.
  7. Click the Save button.

About authentication integration

Integrating BIG-IQ systems with your authentication server allows you to remotely manage user access based on specific BIG-IQ system roles and associated permissions.

The BIG-IQ system is compatible with RADIUS and LDAP protocols.

Configuring authentication with LDAP

Before integrating LDAP authentication with the BIG-IQ system, you must first:

  • Use an LDAP browser to familiarize yourself with the groups and users in your directory's structure and their position in the hierarchy of organizational units (OUs).
  • Decide how you want to map user names. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>,ou=people,o=sevenSeas. For example, when you map John Smith's user name to his DN as uid=jsmith,ou=people,o=sevenSeas and he logs in as jsmith, he is properly authenticated with his user name in the directory through his DN. The second option is to allow users to log in with names that do not map directly to their DN, by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(uid=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials.
  • Determine which groups in your directory to map into BIG-IQ groups. If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose. If you have not, you must know the DN for each group.
  • Identify the DN under which all users and groups can be found. This is the root bind DN for your directory and is expressed as rootDN when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when searching for users and groups.
  • Determine the host IP address for the LDAP server. The default port is 389, if not specified otherwise.
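
Both mapping options above substitute the login name into a template. The following added example (not BIG-IQ or F5 code; the function names are hypothetical and the logins are constructed) expands the page's bind template and userSearchFilter, and shows why the login name must be escaped per RFC 4514 and RFC 4515 before substitution.

```python
import re

# Templates as given on this page (with the comma that DN syntax requires
# after the user name).
BIND_TEMPLATE = "uid={username},ou=people,o=sevenSeas"
SEARCH_FILTER = "(&(uid=%s))"

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def naive_bind_dn(login: str) -> str:
    """Unsafe expansion: the login name is pasted in verbatim."""
    return BIND_TEMPLATE.format(username=login)


def naive_search_filter(login: str) -> str:
    """Unsafe expansion of the userSearchFilter."""
    return SEARCH_FILTER.replace("%s", login)


def bind_dn(login: str) -> str:
    return BIND_TEMPLATE.format(username=escape_dn_value(login))


def search_filter(login: str) -> str:
    return SEARCH_FILTER.replace("%s", escape_filter_value(login))


def rdn_count(dn: str) -> int:
    """Count RDNs by splitting on commas not preceded by a backslash."""
    return len(re.split(r"(?<!\\),", dn))


if __name__ == "__main__":
    for login in ("jsmith", "*", "jsmith,ou=admins"):  # constructed logins
        print(repr(login))
        print("  naive  :", naive_bind_dn(login), "|", naive_search_filter(login))
        print("  escaped:", bind_dn(login), "|", search_filter(login))
```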

When you configure the BIG-IQ system for user authentication through your company's LDAP service, you can associate existing and new users added to the LDAP service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials. The BIG-IQ system integration is compatible with LDAP server versions 2 and 3, and with OpenLDAP directory, Apache Directory Server, and Active Directory.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the BIG-IQ management group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. From the User Directory list, select Remote RADIUS. The screen refreshes to display RADIUS provider properties.
  6. In the Name field, type a name for this new provider. This must be a unique name.
  7. In the Host and Port fields, type the LDAP server's IP address (or fully qualified domain name) and port number.
  8. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished name and password for a user with query access.
  9. In the Root DN field, type the root context that contains users and groups. The root context must be a full distinguished name.
  10. From the Authentication Method list, select an option.
    • None: Select this option to prompt the LDAP server to ignore the user name and password.
    • Simple: Select this option to require a user name and password for authentication.
  11. In the Search Scope field, type a number to specify the depth at which searches are made. The default is 2. Alternatively, you can specify 0 for search only on the named object or 1 for a one-level search scope.
  12. In the Search Filter field, type the LDAP filter expression that determines how users are found. The search filter is determined by your LDAP implementation.
  13. In the Connection Timeout field, type the number of milliseconds after which the BIG-IP system stops trying to connect to the LDAP server.
  14. In the Read Timeout field, type the number of milliseconds after which the BIG-IP system stops waiting for a response to a query.
  15. Select the Perform Test check box to test this provider.
  16. Leave the Group Search Filter at its default query to return all groups under the provided rootDN. Alternatively, if you have a large number of groups (more than 100), you can base the search on a specific term by typing a query with a "{searchterm}" token in this field.
  17. In the Group Membership Filter field
  18. Click the Save button to save this new provider.
The BIG-IQ system now authenticates users against the configured LDAP server.

Configuring authentication with RADIUS

You must first license the BIG-IQ system and specify DNS settings before you can specify authentication settings.

When you configure the BIG-IQ system for user authentication through your company's RADIUS service, you can associate existing and new users added to the RADIUS service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the BIG-IQ management group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. Click the New button.
  6. In the Name field, type a name for this new provider. This must be a unique name.
  7. From the User Directory list, select Remote RADIUS.
  8. In the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number.
  9. In the Secret field, type the case-sensitive text string used to validate communication.
  10. To validate the user after adding it, in the Test Connection User and Test Password fields, type the user name and password.
  11. Click the Save button to save this new provider.
The BIG-IQ system now authenticates users against the configured RADIUS server.