Manual Chapter : Software Download Licensing and Initial Configuration

Applies To:

BIG-IQ ADC

  • 4.5.0

BIG-IQ Cloud

  • 4.5.0

BIG-IQ Device

  • 4.5.0

BIG-IQ Security

  • 4.5.0
About downloading software, licensing and initial configuration

The BIG-IQ system runs as a virtual machine in specifically supported hypervisors or on the BIG-IQ 7000 series platform. After you set up your virtual environment or your platform, you can download the BIG-IQ software, and then license the BIG-IQ system. You initiate the license activation process with the base registration key.

The base registration key is a character string that the license server uses to verify the functionality that you are entitled to license. If the system has access to the internet, you select an option to automatically contact the F5 license server and activate the license. If the system is not connected to the internet, you can manually retrieve the activation key from a system that is connected to the internet, and transfer it to the BIG-IQ system.

Downloading software images

Download software images for new installations, upgrades, or hot fixes to managed physical and virtual devices with just a few clicks.

  1. Browse to the F5 Downloads site, https://downloads.f5.com, and locate the image you want to download.
  2. Log in to BIG-IQ Device with the administrator user name and password.
  3. At the top of the screen, click Provisioning.
  4. Hover over the Images header, and click the + icon when it appears, and then click New Software Image.
  5. Click the Choose File button and navigate to the shared images directory and click on the software image you want to download to BIG-IQ Device. The software image appears in the Images panel.
The software image is now available for you to install on a managed device.

Installing and upgrading BIG-IQ System software

Before you perform an initial BIG-IQ System software installation, or software upgrade, you must perform the following tasks:

  • Activate, or reactivate, your current license to ensure that you have a valid service check date.
  • Download the ISO file for the upgrade from F5 Downloads to /shared/images on BIG-IQ System. If you need to create this directory, use the exact name /shared/images.
  • For upgrades only, create a backup of the user configuration set (UCS), locate it in the /var/local/ucs directory on the source installation location, and copy the UCS file to another system for safe keeping.
Use this procedure when you are ready to perform an initial BIG-IQ System software installation or upgrade to a more recent software version.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. On the BIG-IQ Systems panel, expand Management Group or HA Peer Group by clicking the arrow next to it.
  4. Click the gear icon next to localhost, and then click Properties.
  5. Click Software Update.
  6. Click the Update button.
  7. From the Software Image list, select the new image or browse to the location to which you saved it.
  8. From the Install Location list, select the volume to which you want to install the image.
  9. For the Options setting, select one:
    • To automatically reboot the BIG-IQ System to the specified volume immediately after the software is installed, select Reboot after Live Install.
    • To manually reboot the BIG-IQ System at another time from the System > Properties screen, select Set Default Boot Location.
  10. Click the Apply button.
BIG-IQ System installs the selected software. For upgrades, BIG-IQ System also rolls forward the UCS file.

Automatic license activation

You must have a base registration key to license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (http://www.f5.com).
If the BIG-IQ system is connected to the public internet, you can use this procedure to activate its license.
  1. Using a browser on which you have configured the management interface, type https://<management_IP_address> where <management_IP_address> is the address you specified for device management. This is the IP address that the BIG-IQ system uses to communicate with its managed devices.
  2. Log in to BIG-IQ System with the default user name admin and password admin.
  3. In the Base Registration Key field, type or paste the BIG-IQ registration key.
  4. In the Add-on Keys field, paste any additional license key you have.
  5. For the Activation Method setting, select Automatic, and click the Activate button. The License Agreement displays.
  6. To accept the License Agreement, click the Agree button.
  7. Click User Administration.
  8. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  9. Click Properties.
  10. In the Host Name field, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  11. Click the Save button to save your configuration.

Manual license activation

You must have a base registration key to license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (http://www.f5.com).
If the BIG-IQ system is not connected to the public internet, this procedure can activate its license.
  1. Using a browser on which you have configured the management interface, type https://<management_IP_address> where <management_IP_address> is the address you specified for device management. This is the IP address that the BIG-IQ system uses to communicate with its managed devices.
  2. Log in to BIG-IQ System with the default user name admin and password admin.
  3. In the Base Registration Key field, type or paste the BIG-IQ registration key.
  4. In the Add-on Keys field, paste any additional license key you have.
  5. For the Activation Method setting, select Manual and click the Generate Dossier button. The BIG-IQ system refreshes and displays the dossier in the Device Dossier field.
  6. Copy the text displayed in the Device Dossier field, and click the Access F5 manual activation web portal link. Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Paste the dossier into the Enter your dossier field, and then click the Next button.
  8. To accept the License Agreement, click the Agree button.
  9. Click User Administration.
  10. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  11. Click Properties.
  12. In the Host Name field, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  13. Click the Save button to save your configuration.

Defining DNS and NTP servers for the BIG-IQ system

After you license the BIG-IQ system, you can specify the DNS and NTP servers.
Setting your DNS server and domain allows the BIG-IQ system to properly parse IP addresses. Defining the NTP server ensures that the BIG-IQ system’s clock is synchronized with Coordinated Universal Time (UTC).
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. On the BIG-IQ Systems panel, click the gear icon next to the group name for which you want to define the DNS and NTP servers, and then click Properties.
  3. Click Services.
  4. In the DNS Lookup Servers field, type the IP address of your DNS server.
  5. In the DNS Search Domains field, type the name of your search domain. The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  6. In the Time Servers fields, type the IP addresses of your Network Time Protocol (NTP) servers.
  7. Click the Save button to save your configuration.

Changing the default password for the administrator user

You must specify the management IP address settings for the BIG-IQ system to prompt the system to automatically create the administrator user.
After you initially license and configure the BIG-IQ system, it is important to change the administrator role password from the default, admin.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users panel, for Admin User, click the gear icon and then Properties.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click the Add button.

Overview: SNMP and SMTP alerts

You can easily manage the health of your network by configuring the BIG-IQ system to alert you when specific events occur for your managed devices. You can receive notifications by having the BIG-IQ system send traps to your SNMP manager and you can also configure the BIG-IQ system to send alerts for certain events to a specified individual. SNMP is an industry standard protocol for monitoring devices on IP networks. BIG-IQ Device integrates easily with your SNMP manager, allowing you to centrally manage collected data. Once configured, the SNMP agent sends data collected from BIG-IQ Device to your third-party SNMP manager. BIG-IQ Device is compatible with SNMPv1, SNMPv2c, and SNMPv3. Additionally, you can specify SNMP events to also trigger SMTP alerts.

About integrating with SNMP version 1 or 2 for alerts

To prepare BIG-IQ Device to interface with your SNMP version 1 or 2 manager, you must do three things, all accomplished in one task.

  • Configure SNMP agent
  • Configure SNMP access
  • Create an SNMP trap destination

Configuring SNMP version 1 or 2 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the HA Peer Group you are configuring, and then click Properties.
  4. Click SNMP Config. The screen displays the SNMP Agent Properties settings.
  5. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system. These details are for informational purposes only, and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  6. To download the F5-specific MIBs, click the Download MIB link.
  7. In the Addresses/Networks fields, type the IP address and networks (and the netmask if applicable) that the SNMP manager is allowed to access.
  8. To add another address, click the plus ( + ) sign.
  9. Click the Save button located at the top of the panel.
  10. Click the Access tab. The SNMP Access settings display.
  11. In the New v1/v2 Access Records section, from the Type list, select the appropriate protocol for the SNMP manager's IP address.
  12. In the Community field, type the name of the associated community.
  13. Click the Traps tab.
  14. In the New v1/v2c Destinations section, from the Version list, select the version of SNMP you are using.
  15. In the Community, Destination, and Port fields, type, respectively, the community name, IP address, and port for the trap destination.
  16. To configure an additional SNMP trap destination, click the plus ( + ) sign and specify the settings.
  17. Click the Save button located at the top of the panel.
You can now specify alert settings.

About integrating with SNMP version 3 for alerts

To prepare BIG-IQ Device to interface with your SNMP version 3 manager, you must do three things, all accomplished in one task.

  • Configure SNMP agent
  • Configure SNMP access
  • Create an SNMP trap destination

Configuring SNMP version 3 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click SNMP Config. The screen displays the SNMP Agent Properties settings.
  4. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system. These details are for informational purposes only, and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  5. To download the F5-specific MIBs, click the Download MIB link.
  6. In the Addresses/Networks fields, type the IP address and networks (and the netmask if applicable) that the SNMP manager is allowed to access.
  7. To add another address, click the plus ( + ) sign.
  8. In the New v3 Access Records section, in the User Name field, type the SNMP manager's user name.
  9. If you want to specify the authentication protocol for SNMP traps, from the Auth Type list, select the type that you want the system to use.
    • MD5 specifies the MD5 digest algorithm.
    • SHA specifies the Secure Hash Algorithm.
  10. If you selected an Auth Type, from the Privacy list, also select the type of encryption you want the system to use to encrypt SNMP traps.
    • AES specifies Advanced Encryption Standard.
    • DES specifies Data Encryption Standard.
  11. In the Privacy Password field, type the required password for access.

    SNMPv3 has special requirements when you create plain-text passwords on a router or switch:

    • The password must be at least eight characters long.
    • The password can include alphabetic, numeric, and special characters, but it cannot include control characters.
  12. In the OID field, type the object identifier (OID) you want to associate with this user.
  13. Click the Save button located at the top of the panel.
You can now specify alert settings.

About integrating with SMTP for alerts

To have a specific recipient receive an email message when an alert is triggered by a system event, configure BIG-IQ Device to deliver locally-generated email messages using the internet-standard for electronic mail transmission, Simple Mail Transfer Protocol (SMTP). Sending an email alert ensures that administrators are immediately notified when a specific system event occurs so they can quickly troubleshoot potential issues.

Specifying alert conditions

After you configure SNMP and/or SMTP integration, you can specify the alerts that prompt BIG-IQ System to send an email to the specified recipients.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click the gear icon next to the group for which you want to specify alert conditions, and then click Properties.
  4. Click Alert Conditions.
  5. Select the check box next to each event that should trigger an alert email.
  6. If a threshold is associated with the condition, in the adjacent Threshold field, type a value on which you want to trigger an alert email.
  7. Click the Save button.

About authentication integration

Integrating BIG-IQ systems with your authentication server allows you to remotely manage user access based on specific BIG-IQ system roles and associated permissions.

The BIG-IQ system is compatible with RADIUS and LDAP protocols.

Configuring authentication with LDAP

Before integrating LDAP authentication with the BIG-IQ system, you must first:

  • Use an LDAP browser to familiarize yourself with the groups and users in your directory's structure and their position in the hierarchy of organizational units (OUs).
  • Decide how you want to map user names. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people,o=sevenSeas. For example, when you map John Smith's user name with his DN as uid=<jsmith>, ou=people,o=sevenSeas and he logs in as jsmith, he is properly authenticated with his user name in the directory through his DN. The second option is to allow users to log in with names that do not map directly to their DN, by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials.
  • Determine which groups in your directory to map into BIG-IQ groups. If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose. If you have not, you must know the DN for each group.
  • Identify the DN under which all users and groups can be found. This is the root bind DN for your directory and is expressed as rootDN when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when searching for users and groups.
  • Determine the host IP address for the LDAP server. The default port is 389, if not specified otherwise.

When you configure the BIG-IQ system for user authentication through your company's LDAP service, you can associate existing and new users added to the LDAP service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials. The BIG-IQ system integration is compatible with LDAP server versions 2 and 3, and with OpenLDAP directory, Apache Directory Server, and Active Directory.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the HA Peer Group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. From the User Directory list, select Remote LDAP. The screen refreshes to display LDAP provider properties.
  6. In the Name field, type a name for this new provider. This must be a unique name.
  7. In the Host field, type the IP address of your LDAP server.
  8. If your Active Directory server uses a port other than the default, 389, in the Port field, type the number of the alternative port.
  9. If you want BIG-IQ System to use an SSL port to communicate with the LDAP server, select the Enabled check box for the SSL Enabled setting. Note that the Port setting automatically changes to 636.
  10. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished names and passwords for users with query access.
  11. In the Root DN field, type the root context that contains users and groups. The root context must be a full distinguished name.
  12. From the Authentication Method list, select an option.
    • None - Select this option to prompt the LDAP server to ignore the user name and password.
    • Simple - Select this option to require a user name and password for authentication.
  13. In the Search Scope field, type a number to specify the depth at which searches are made. The default is 2. Alternatively, you can specify 0 for search only on the named object or 1 for a one-level search scope.
  14. In the Search Filter field, type the LDAP filter expression that determines how users are found. The search filter is determined by your LDAP implementation.
  15. In the Connect Timeout field, type the number of milliseconds after which the BIG-IP system stops trying to connect to the LDAP server.
  16. In the Read Timeout field, type the number of seconds after which the BIG-IP system stops waiting for a response to a query.
  17. In the User Display Name Attribute field, type the LDAP field to use for the name BIG-IQ System displays. When using Active Directory, this is typically displayName.
  18. To direct bind to a distinguished name, in the User Bind Template field, type the name. For example, cn={username},ou=people,o=sevenSeas. Now, when a user logs in, BIG-IQ System inserts their user name into the template in place of the token, and the resulting distinguished name is used to bind to the directory.
  19. To prompt the LDAP provider to search for groups based on a specific display name attribute, in the Group Display Name Attribute field, type an attribute. This attribute is typically cn.
  20. Leave the Group Search Filter at its default query to return all groups under the provided rootDN. Alternatively, if you have a large number of groups (more than 100), you can narrow the search to a specific term by typing a query with a {searchterm} token in this field.

    For example: (&(objectCategory=group)(|(cn={searchterm}*)))

  21. To specify a query for finding a user's groups, in the Group Membership Filter field, type a query string. Use the token {userDN} anywhere that the user's distinguished name should be supplied in the LDAP query.

    You can use a {username} token as a substitute for the user’s login name in a query.

    Leave this setting at the default (|(member={username})(uniqueMember={username})) unless the provider is Active Directory.
  22. To specify a query attribute for finding users in a particular group, in the Group Membership User Attribute field, type the attribute. When using Active Directory, use memberof. For example: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component) For other LDAP directories, use groupMembershipFilter. For example: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
  23. Select the Perform Test check box to test this provider.
  24. Click the Save button.
The BIG-IQ system now authenticates users against the configured LDAP server.
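
The token substitution described for the User Bind Template and the group filters above, as an added example that is not F5 or BIG-IQ code: it shows the RFC 4514 and RFC 4515 escaping a login name needs before it is placed in a DN or a search filter. The function names and sample login names are assumptions made for illustration; the page does not describe how BIG-IQ escapes these tokens.

```python
import re

# Characters that RFC 4515 requires escaping inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters that RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIALS = '"+,;<>\\'
# Tokens named on the page.
_TOKEN = re.compile(r"\{(username|userDN|searchterm)\}")

# Templates based on the page's examples (group filter written with balanced parentheses).
BIND_TEMPLATE = "cn={username},ou=people,o=sevenSeas"
MEMBERSHIP_FILTER = "(|(member={username})(uniqueMember={username}))"
GROUP_SEARCH_FILTER = "(&(objectCategory=group)(|(cn={searchterm}*)))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # '#' is special only in first position
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_bind_template(template: str, username: str) -> str:
    """Build the bind DN from a User Bind Template containing {username}."""
    if not username:
        raise ValueError("empty user name")  # reject before it reaches the directory
    return template.replace("{username}", escape_dn_value(username))


def expand_filter(template: str, **tokens: str) -> str:
    """Fill the page's tokens in a filter template in a single pass."""
    # One regex pass, so a value that itself contains "{userDN}" is not re-expanded.
    return _TOKEN.sub(lambda m: escape_filter_value(tokens[m.group(1)]), template)


def demo() -> dict:
    odd_login = "j*smith (ops)"   # constructed login name with filter metacharacters
    comma_name = "Smith, John"    # constructed name containing the DN separator
    bind_dn = expand_bind_template(BIND_TEMPLATE, comma_name)
    return {
        "bind_dn": bind_dn,
        "membership": expand_filter(MEMBERSHIP_FILTER, username=odd_login),
        # A DN placed in a filter is escaped again: its backslash becomes \5c.
        "by_dn": expand_filter("(member={userDN})", userDN=bind_dn),
        "groups": expand_filter(GROUP_SEARCH_FILTER, searchterm="net*"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11} {value}")
```

After expansion, the filter has the same number of unescaped parentheses as its template, so the login name cannot change which clauses the directory evaluates.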

Configuring authentication with RADIUS

You must first license the BIG-IQ system and specify DNS settings before you can specify authentication settings.

When you configure the BIG-IQ system for user authentication through your company's RADIUS service, you can associate existing and new users added to the RADIUS service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. In the BIG-IQ Systems panel, click the gear icon next to the HA Peer Group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. From the User Directory list, select Remote RADIUS.
  6. In the Name field, type a name for this new provider. This must be a unique name.
  7. In the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number.
  8. In the Secret field, type the case-sensitive text string used to validate communication.
  9. To validate the user after adding it, in the Test Connection User and Test Connection Password fields, type the user name and password.
  10. Click the Save button.
You can now associate RADIUS server users and groups to BIG-IQ system roles.