Applies To:

Show Versions Show Versions

Manual Chapter: Overview BIG-IQ Security
Manual Chapter
Table of Contents   |   Next Chapter >>

About BIG-IQ Security and firewall management

BIG-IQ Security is a platform designed for the central management of security firewalls for multiple BIG-IP systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager (AFM) module.

The BIG-IQ Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deploying configurations from snapshots and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log into each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the BIG-IQ Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Security working configuration set. Unless local changes are reconciled, the deployment process will overwrite any local changes.

In addition, BIG-IQ Security is aware of functionality in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.

About filtering

With filtering, you can rapidly narrow the search scope to more easily locate an entity within the GUI. Filtering reduces the set of data that is visible in the GUI.

Filtering is accessed through the Filter field. You can click any object in a panel to populate the Filter field and preview the filtering results.

Filtering the BIG-IQ Security GUI

Filter techniques can be important for troubleshooting firewalls.

  1. To search in the GUI, type a text string in the Filter field and click Apply. (The string moves under the Filter field.) Assume you have configured the shared object schedule1. If you type schedule1 in the Filter field and click Apply, the following line appears under the field: Related to Shared Objects:schedule1
  2. Clear the filter results by clicking the x to the right of the string.

About panels

BIG-IQ Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include an arrow slanted at a 45-degree angle on the right side of their banners. If the arrow is slanted up, you can click it to expand the panel. If the arrow is slanted down, you can click it to collapse the panel. You can also click Cancel to close the expanded panel without saving edits or initiating actions.

You can reorder panels by dragging-and-dropping them to new locations. The customized order persists until you clear the browser's history, cache, and/or cookies.

The BIG-IQ Security interface consists of the following panels:

Devices
Displays the set of BIG-IP devices that BIG-IQ Security has discovered. From this panel, you can initiate device discovery and display device properties. You can also remove devices and reimport devices.
Firewalls
Displays discovered/imported network firewalls residing on discovered BIG-IP devices.
Policies
Displays the policies available. Rules for each policy type (staged or enforced) and each context form their own list, and are processed both in the context hierarchy and in the order within each context list.
Rule Lists
Displays discovered/imported rule lists that you can share among multiple firewalls. From this panel, you can display and edit rule list details.
Snapshots
Displays a list of imported snapshots. From this panel, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state or deploy a specific set of working configuration edits back to a BIG-IP device.
Shared Objects
Displays the address lists, port lists, and schedules that you can share among multiple firewalls. From this panel, you can display and edit object details.
Deployment
Enables deployment, to a target BIG-IP device, of any change that occurred to any configuration object. After you have completed edits to a firewall policy, you can create a deployment task to push configuration object changes out to BIG-IP devices.

Expanding panels

Hover in the panel header and click the + icon to expand the panels. For the Shared Objects panel, hover over the header for each object type (address lists, port lists, or schedules) and click the + icon.

Reordering panels

To reorder panels, drag-and-drop them to the new locations of your choice.
The customized order persists until you clear the browser history/cache/cookies.

About tooltips

The BIG-IQ Security system uses tooltips to provide additional information. That additional information varies according to the context.

Tooltips show the name of the shared object when you hover over the name in a list. For example, if you hover over the name of an address list in the Shared Objects panel, you see the full, expanded name of the shared object.

If you hover over that same object from inside a rule, you see the data in the shared object. For an address list, for example, you see a listing of the addresses, address ranges, and/or nested address lists in the selected address list.

About browser resolution

F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.

It is possible to shrink the browser screen so that GUI elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.

About user preferences

As a firewall policy editor, you can customize the BIG-IQ Security GUI to minimize the information displayed and to simplify routine editing sessions. The first customization concerns the set of panels displayed for a particular user. For example, if you never perform deployments, you might decide to hide the Deployments blade.

Note: This customization does not create an access issue. Users still have access to the resources required by their roles; they just choose not to display them.

The second customization concerns the set of firewall types shown in panels. If you do not use certain types, you might decide to hide them to avoid confusion and to minimize scrolling in the panel.

User preference settings persist across user sessions. If the user logs out, they see the same settings when logging back in.

By default, BIG-IQ Security replicates user preferences through BIG-IQ high-availability (HA).

Setting user preferences

  1. Log in to the BIG-IQ Security system.
  2. At the top-right of the screen in the black banner, hover over the admin icon.
  3. When User settings appears, click it to display the Settings popup screen.
  4. Edit the check box options as required for your role.
    Option Description
    Show Panels Select or clear the check boxes as required. By default, the GUI displays all panels.
    Show Firewall Types Select or clear the check boxes as required. By default, the GUI displays all firewall contexts in the Firewall Contexts panel.
  5. Click Save to save your preferences. Click Close to close the popup screen without saving your selections.
Your preferences are now in effect and persist across user sessions. If you log out, you will see the same settings when you log back in.

About roles

Different users have different responsibilities. As a Firewall manager, you need a way to limit user privileges based on those responsibilities.

To assist you, the BIG-IQ Security system is created with the following default set of roles.

Administrator
This role is responsible for overall management of the platform. Users with this role can add individual users, install updates, activate licenses, and configure HA and networks.
Firewall_Deploy
This role permits viewing and deploying for all firewall configuration objects for all firewall devices under management. Users with this role cannot edit configuration objects, discover devices, or reimport devices or otherwise make changes to the working configuration of the BIG-IQ system. This role cannot create, edit, or delete snapshots. Also, this role does not have access to System/Overview or Networking.
Firewall_Edit
With this role, the user can view and modify all configuration objects for all firewall devices under management, including the ability to create, modify, or delete all shared and firewall-specific objects. Users with only this role cannot deploy configuration changes to remote devices under management. Also, this role does not have access to System/Overview or Networking.
Firewall_View
With this role, the user can view all configuration objects and tasks for all firewall devices under management across all devices. Users with this role cannot edit objects and cannot initiate a discovery or deployment task.
Firewall_Manager
This role encompasses the roles of Firewall_View, Firewall_Edit, and Firewall_Deploy. A user logging in with this role bypasses the SYSTEM panel and is logged directly into BIG-IQ Security.
Security_Manager
This role combines the privileges of Firewall_View, Firewall_Edit, and Firewall_Deploy. A user logging in with this role is logged directly into BIG-IQ Security. A user logging in with this role can also access BIG-IQ ASM.

Roles persist and are available after a BIG-IQ system failover.

You can associate multiple roles with a given user; for example, you can grant a user the edit (Firewall_Edit) and the deploy (Firewall_Deploy) roles.

About users

The BIG-IQ Security system is created with the following users.

admin
This user can create firewall managers and assign roles to them. This user cannot access the command shell or the system console.
root
This user can access the system console.

Users persist and are available after a BIG-IQ system failover.

Creating users

It is the Firewall manager's responsibility to ensure the creation of the right set of users and the association of those users with the right roles (sets of privileges). By managing user roles, the Firewall manager places controls on specific functions (view, edit, and deploy).

Users and roles persist and are available after a BIG-IQ system failover.

  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. Hover in the Users banner and click the + icon.
  4. Edit the fields as required.
    Option Description
    User name Enter the user's login name.
    Full Name Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers and spaces.
    Password Enter the password for this user.
    Confirm Password Retype the password.
  5. Click Add to save your edits and create the user. Click Cancel to close the panel without saving your entries.
You can now associate this user with a specific role (set of privileges).

Associating users with roles

To control what users are able to accomplish, associate roles (sets of privileges) with particular users.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Users panel, click the user that you want to associate with a role and drag-and-drop the user onto the role (Roles panel). Conversely, you can also drag-and-drop the role onto the user.
The user now has the necessary privileges. To confirm, click the gear icon for the role and view the User Role Properties screen. To the right of Active Users, view the list of users associated with the role. Or, click the gear icon for the user and to the right of User Roles, view the list of roles associated with the user. Or, select the user and the BIG-IQ Security system highlights the roles associated with that user.

Disassociating users from roles

To disable a user's ability to perform a given function, disassociate roles (sets of privileges) from that user.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Roles panel, hover over the role that contains the user you want to disassociate and click the gear icon.
  4. To the right of Active Users, view the list of users associated with the role.
  5. Click the x icon next to the user that you want to disassociate from the role.
  6. Click Save.
The user is now disassociated from the role and no longer has the privileges associated with the role.

About multi-user editing

With the BIG-IQ Security system, multiple firewall editors can edit shared firewall policy objects simultaneously. This is accomplished through a locking mechanism that avoids conflicts and merges. Initially, the user interface presents all firewall configuration objects as read-only. When a firewall editor initiates an editing session, he/she locks the object. Once an object is locked, no one can modify or delete that object except the holder of the lock or users with privileges sufficient to break the lock (admin, Firewall_Manager, or Security_Manager).

BIG-IQ Security uses a single repository to hold firewall policies. With this single-copy design, multiple editors share the editing task through a locking mechanism. The system saves each editorial change.

Each firewall editor has their own copy of a firewall policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one, complete set of changes. Then, a firewall administrator can review a policy change as a single entity before committing it.

For example:

  1. If a firewall editor needs to edit Portlist_1, AddressList_2, and Rulelist_5, the editor locks those objects.
  2. When the edit pass is complete, the editor saves the object, which clears the lock.

If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges.

When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided.

Deleting an object automatically clears all locks associated with it.

BIG-IQ Security supports:

  • Multiple, independent locks.
  • Locking/unlocking at the firewall level. Locking a firewall locks all shared objects referenced by all of the device’s firewalls/rules.
  • Locking/unlocking on an object-by-object basis where the object is defined as a shared object or a firewall.

Locking configuration objects for editing

Before editing a configuration object, you must establish a lock on that object.
Note: If you have editing privileges, you can lock firewalls, policies, rule lists, address lists, port lists, and schedules.
  1. Navigate to the object that you want to edit.
  2. Hover in the header for that object, and click the gear icon to expand the panel and display object details. If an Edit button is visible, you can edit the object. If the object is already locked, a lock header is visible and there is no Edit button available.

    The lock header provides a date and time stamp of the lock.

  3. If an Edit button is visible, click it to lock the object for editing. A lock appears on the object and a lock header is displayed.
  4. Edit as appropriate.
  5. When finished, click Save. If you navigate away from the panel without saving, the GUI displays a dialog box asking if you want to save changes. Click Yes or No or click Cancel to dismiss the dialog box and return to the location where you were editing.
The lock on the object is released. If you click Cancel, the lock is also released but any edits will be discarded.

Viewing locks on all configuration objects

BIG-IQ Security provides a way to view all locked configuration objects from a single popup screen.
  1. Examine all panels to locate locked configuration objects.
  2. Navigate to a locked object.
  3. Hover over the lock icon. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created, as well as a link labeled View All.
  4. Click View All.
The Locks popup screen is displayed showing type, name, user, date and time, and a description for all locked objects.

Clearing locks on configuration objects

The owner of a lock can always clear that lock. Other roles (Administrator, Firewall_Manager, Security_Manager) also carry sufficient privileges to clear locks held by any user.
  1. Examine all panels to locate locked configuration objects.
  2. Search for the object whose lock you want to clear.
  3. Hover over the lock icon to the left of the object's name in the panel. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created, as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  4. In the tooltip, click Unlock.
  5. In the confirmation dialog box, click Unlock.
The lock is cleared.

Clearing multiple locks or all locks

BIG-IQ Security provides a way to clear multiple locks or all locks from a single popup screen, providing that the user carries sufficient privileges.
  1. Examine all panels to locate locked configuration objects.
  2. Hover over the lock icon to the left of any locked object in any panel. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  3. In the tooltip, click Unlock.
  4. In the popup screen that appears, select or clear check boxes as appropriate. Select the check box at the top to clear all locks.
  5. Click Unlock.
  6. In the confirmation dialog box, click Unlock.
The locks are cleared.

Configuring BIG-IP devices to accept traffic

If you use the BIG-IP device's self IP address to discover it, you must configure that device to accept traffic from a BIG-IQ Security system. Specifically, if the BIG-IP device has the Virtual Server & Self IP Contexts option set to Reject or Drop, the BIG-IP device will not accept traffic from the BIG-IQ system. Use the following procedure to set this option to Accept.

Alternately, you can add a rule to handle traffic between the self IP addresses of the BIG-IQ Security system and the self IP addresses of the specific BIG-IP device being discovered. In this scenario, you can leave the Virtual Server & Self IP Contexts option set to Reject or Drop.

In this case, ensure the following ports remain open:

  • 22 (SSH, TCP protocol)
  • 443 (HTTPS, TCP protocol)
  • 4353 (iQuery, TCP protocol)
Note: Whichever scenario you choose, configure the BIG-IP device to allow traffic to/from the self IP addresses of both BIG-IQ nodes in a BIG-IQ HA pair.
  1. On the BIG-IP device, navigate to Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts drop-down list, select Accept.
  3. Click Update.
Packets with BIG-IQ Security as the source are then able to pass through the BIG-IP firewall and traverse the system.

About BIG-IQ active-standby, high-availability configurations

To ensure that you always have access to the BIG-IP devices under BIG-IQ management, install two BIG-IQ systems in an active-standby, high-availability (HA) configuration. Configuring a high-availability pair is optional. However, if the active BIG-IQ system in the high-availability configuration fails, the standby peer will become active, enabling you to continue to manage devices.

BIG-IQ Network Security performs asynchronous replication, which means that data is replicated continuously, asynchronously, as changes are made or commands are run on the active system.

Terminology is important in understanding the status of the HA relationship. The following table lists and defines some important terms displayed in the top left of the application banner.

Primary
Initiate the pairing from the primary node. This is the node that wins if a conflict occurs. If both nodes are up and communicating, this is the node that determines which node is active.
Secondary
Any other node. Currently, BIG-IQ Network Security supports a 2-node pairing.
Active
Node that is running commands. Normal operation is indicated by Active (Primary) at the top of the interface.
Standby
Carries a yellow status bar indicating its standby status and instructing the user to perform all module-related activity on the active node.

If you see the status indications Active (Secondary) and Standby (Primary), you have failed over to the node that is not the primary.

In the unlikely event of network segmentation, both systems may report that they are active.

The following table lists the phases encountered while the cluster is forming.

State Status Description (Phase)
UNKNOWN Collecting Initial discovery and credential exchange.
SYNCHRONIZING Active Compatibility validation complete, synchronizing configuration information and establishing primary/secondary relationship. The system copies the configuration of the primary node to the secondary node (or, peer). The secondary is restarted using that configuration.

If the peer encounters errors downloading the configuration from the primary/active node, you must delete the HA pair, investigate the causes of the error(s), and attempt to form the pair again.

.
DOWN

Active It is normal for this state to appear. After a brief period, the state will update itself; no user action is necessary. After synchronization of the initial configuration data, the secondary device's REST services will be restarted to accept the new configuration and complete the configuration synchronization.
STANDBY Active Pairing completed. The standby system will now display a yellow banner across the top of its UI indicating that changes to individual modules should take place on the active node. Changes to system-level settings will still be performed on each individual device.

Configuring BIG-IQ high-availability systems

To configure BIG-IQ systems for high-availability, you must have two licensed BIG-IQ systems, installed with the required system components. For the high-availability pair to synchronize properly, each must be running the same BIG-IQ version, and the clocks on each system must be synchronized within 60 seconds and remain synchronized. Prior to establishing the pair, examine the NTP settings at the BIG-IQ system level and the current system time value.
Note: Perform the following procedure on the active BIG-IQ system.
  1. Log in to the BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. Select the High Availability tab.
  4. Edit the following fields:
    Option Description
    Peer IP Address For the peer BIG-IQ system, enter the self IP address, also known as the HA Communication Address. To obtain this address, navigate to System > Networking on the peer device.
    User Name Enter the administrative user name for the peer.
    Password Enter the administrative password for the peer.
  5. To save the configuration, click Save.
  6. Observe the phases encountered while the cluster is forming. One node discovers the other and exchanges credentials with it. Compatibility validation is completed and configuration information is synchronized. The configuration of the device being paired is overwritten by the active system. The configurations do not merge.

    If discovery fails, a delete button is displayed. Verify the information you entered. If you have entered incorrect information, click Delete to remove it. Then, repeat the process using correct information.

The active BIG-IQ system discovers its peer and displays status. The standby system displays a warning banner at the top of the application, informing the user to not attempt editing data on it.

Configuring a BIG-IQ high-availability communication network

On BIG-IQ systems, HA traffic travels over an HA communication network. It is recommended that an HA communication network be created to handle this traffic and to keep it separate from discovery traffic.

Perform these steps on both peers in the HA pair.

  1. Log in to the BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Networking.
  3. From the VLAN panel, hover over the header and select +.
  4. Edit the following fields:
    Option Description
    Name For
    Description Enter an optional description.
    Interface From the drop-down, select 1.2.
  5. Click Add.
  6. From the Self IP Addresses panel, hover over the header and click +.
  7. Edit the following fields:
    Option Description
    Name Use the self IP address as the name. Format: nn.nn.n.nnn.
    Address Enter the IP address to be used. Include the subnet mask. Format: nn.nn.n.nnn/nn.
    VLAN From the drop-down, select 1.2.
    Description Enter an optional description.
  8. Click Add.
  9. Return to the Self IP Properties panel and select the Use for HA Peer Communication check box .
  10. Click Save.

Splitting a BIG-IQ high-availability pair

To change or reconfigure peers in a BIG-IQ high-availability pair, you must first delete the HA relationship.
  1. Log in to the active BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. At left, click High Availability.
  4. Click Delete.
CAUTION:
After the pair is split, each BIG-IQ system operates as a standalone and, initially, operates off the same configuration. Each configuration can be updated independently. Changes made on one system do not propagate to the other.

Forcing active BIG-IQ high-availability systems to standby

If both BIG-IQ systems in an active-standby, high-availability pair become active, a warning message is displayed at the top left of the application header. This can occur in the unlikely event of network segmentation or a communication failure. If this scenario occurs, move one system back into standby mode.
Note: Configuration replication does not occur while both systems are active.
  1. Log in to one BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. At left, click High Availability.
  4. Click Force Standby.
  5. To save the change, click Save.
This BIG-IQ system is forced into standby mode.

About BIG-IQ Network Security automatic failback

In a BIG-IQ Network Security automatic failback scenario, the active node goes down and the standby node takes over. When the active node comes back up, it takes over automatically.

This process includes a failover/recovery trigger timer, which is the time it takes a peer to understand that the other peer in the pair has failed and to respond appropriately.

Table of Contents   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)