Manual Chapter : Understanding BIG-IQ ASM

Applies To:

BIG-IQ Security

  • 4.2.0

Overview: BIG-IQ ASM

BIG-IQ ASM enables enterprise-wide management and configuration of multiple BIG-IP devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.

For each device discovered, an additional virtual server is created to hold all security policies that are not related to any virtual server on the device. To deploy a policy to a device, the policy must be attached to one of the device's virtual servers. Deploying a policy to a device that already has that policy overwrites the existing copy. If the policy does not yet exist on the device, you can deploy it either as a new policy attached to an available virtual server or as an inactive policy.

From this central management platform, you can perform the following actions through a REST API:

  • Import ASM policies from files.
  • Import ASM policies from discovered devices.
  • Distribute policies to devices.
  • Export policies, including an option to export policy files in XML format.

About BIG-IQ roles

Different users have different responsibilities, so system administrators need a way to differentiate between users and limit each user's privileges to those responsibilities.

To assist administrators with this, the BIG-IQ ASM module provides these default roles:

Administrator
This role has access to all BIG-IQ modules, including ASM.
ASM Manager
This role has administrator-level rights for the BIG-IQ ASM module only.

Roles persist and are available after a BIG-IQ system failover. You can associate multiple roles with a given user.

About BIG-IQ users

BIG-IQ Application Security Manager (ASM) provides these default users:

admin
This user can assign roles to users, but cannot access the command shell or system console.
root
This user can access the system console.

Users persist and are available after a BIG-IQ system failover.

Creating users

By creating users and managing user roles, you place controls on specific functions (view, edit, and deploy).
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. Hover in the Users banner and click the + icon.
  4. Edit the fields as required.
    User name: Enter the user's login name.
    Full Name: Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers, and spaces.
    Password: Enter the password for this user.
    Confirm Password: Retype the password.
  5. Click Add to save your edits and create the user. Click Cancel to close the panel without saving your entries.
You can now associate this user with a specific role (set of privileges).

Associating users with roles

To control what users are able to accomplish, associate specific roles (sets of privileges) with particular users.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Users panel, click the user that you want to associate with a role and drag-and-drop the user onto the role in the Roles panel. Alternatively, drag-and-drop the role onto the user.
The user now has the necessary privileges.
To confirm, click the gear icon for the role and view the User Role Properties screen; to the right of Active Users is the list of users associated with the role. Or, click the gear icon for the user; to the right of User Roles is the list of roles associated with the user. Alternatively, if you select the user, the BIG-IQ system highlights the roles associated with that user.

Disassociating users from roles

To disable a user's ability to perform a given function, disassociate the role (set of privileges) from that user.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Roles panel, hover over the role that contains the user you want to disassociate and click the gear icon.
  4. To the right of Active Users, view the list of users associated with the role.
  5. Click the x icon next to the user that you want to disassociate from the role.
  6. Click Save.
The user is disassociated from the role and no longer has the privileges associated with the role.