BIG-IQ Security is a platform designed for the central management of security firewalls for multiple BIG-IP systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager (AFM) module.
The BIG-IQ Security system provides:
Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log into each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.
Bringing a device under central management means that its configuration is stored in the BIG-IQ Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.
Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Security working configuration set; otherwise, the next deployment overwrites the local changes.
In addition, BIG-IQ Security is aware of which functionality each BIG-IP software version supports. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
With filtering, you can rapidly narrow the search scope to more easily locate an entity within the GUI. Filtering reduces the set of data that is visible in the GUI.
Filtering is accessed through the Filter field. You can click any object in a panel to populate the Filter field and preview the filtering results.
Filter techniques can be important for troubleshooting firewalls.
BIG-IQ Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include an arrow slanted at a 45-degree angle on the right side of their banners. If the arrow is slanted up, you can click it to expand the panel. If the arrow is slanted down, you can click it to collapse the panel. You can also click Cancel to close the expanded panel without saving edits or initiating actions.
You can reorder panels by dragging and dropping them to new locations. The customized order persists until you clear the browser's history, cache, and/or cookies.
The BIG-IQ Security interface consists of the following panels:
The BIG-IQ Security system uses tooltips to provide additional information. That additional information varies according to the context.
Tooltips show the name of the shared object when you hover over the name in a list. For example, if you hover over the name of an address list in the Shared Objects panel, you see the full, expanded name of the shared object.
If you hover over that same object from inside a rule, you see the data in the shared object. For an address list, for example, you see a listing of the addresses, address ranges, and/or nested address lists in the selected address list.
F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.
It is possible to shrink the browser screen so that GUI elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.
As a firewall policy editor, you can customize the BIG-IQ Security GUI to minimize the information displayed and to simplify routine editing sessions. The first customization concerns the set of panels displayed for a particular user. For example, if you never perform deployments, you might decide to hide the Deployments blade.
The second customization concerns the set of firewall types shown in panels. If you do not use certain types, you might decide to hide them to avoid confusion and to minimize scrolling in the panel.
User preference settings persist across user sessions. If the user logs out, they see the same settings when logging back in.
By default, BIG-IQ Security replicates user preferences through BIG-IQ high-availability (HA).
| Setting | Description |
| --- | --- |
| Show Panels | Select or clear the check boxes as required. By default, the GUI displays all panels. |
| Show Firewall Types | Select or clear the check boxes as required. By default, the GUI displays all firewall contexts in the Firewall Contexts panel. |
Different users have different responsibilities. As a firewall manager, you need a way to limit user privileges based on those responsibilities.
To assist you, the BIG-IQ Security system is created with the following default set of roles.
Roles persist and are available after a BIG-IQ system failover.
You can associate multiple roles with a given user; for example, you can grant a user the edit (Firewall_Edit) and the deploy (Firewall_Deploy) roles.
The BIG-IQ Security system is created with the following users.
Users, like roles, persist and are available after a BIG-IQ system failover.
| Setting | Description |
| --- | --- |
| User name | Enter the user's login name. |
| Full Name | Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers, and spaces. |
| Password | Enter the password for this user. |
| Confirm Password | Retype the password. |
With the BIG-IQ Security system, multiple firewall editors can edit shared firewall policy objects simultaneously. This is accomplished through a locking mechanism that avoids conflicts and merges. Initially, the user interface presents all firewall configuration objects as read-only. When a firewall editor initiates an editing session, they lock the object. Once an object is locked, no one can modify or delete that object except the holder of the lock or users with privileges sufficient to break the lock (admin, Firewall_Manager, or Security_Manager).
BIG-IQ Security uses a single repository to hold firewall policies. With this single-copy design, multiple editors share the editing task through a locking mechanism. The system saves each editorial change.
Each firewall editor has their own copy of a firewall policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one, complete set of changes. Then, a firewall administrator can review a policy change as a single entity before committing it.
If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges.
When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided.
Deleting an object automatically clears all locks associated with it.
BIG-IQ Security supports:
The lock header provides a date and time stamp of the lock.
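The locking rules described above, modelled as an added illustration that is not F5's code: a single working configuration in which objects start read-only, an editing session takes the lock, only the holder or a user holding one of the named roles can clear it, and deleting an object clears its lock. The user-to-role mapping and object names are constructed inputs.

```python
# Added illustration of the locking rules this page describes; not F5 code.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Roles the page names as able to break another editor's lock.
LOCK_BREAKERS = {"admin", "Firewall_Manager", "Security_Manager"}


class LockError(Exception):
    """Raised when an operation needs a lock the caller does not hold."""


@dataclass
class Lock:
    holder: str
    acquired_at: datetime  # the date/time stamp shown in the lock header


class WorkingConfig:
    """Single repository of shared objects; every object starts read-only."""

    def __init__(self, user_roles: dict[str, set[str]]):
        self.user_roles = user_roles            # user -> roles (constructed input)
        self.locks: dict[str, Optional[Lock]] = {}

    def add(self, name: str) -> None:
        self.locks[name] = None                 # present, unlocked, read-only

    def begin_edit(self, user: str, name: str) -> Lock:
        """Start an editing session: take the lock, or fail if another user holds it."""
        lock = self.locks[name]
        if lock is None or lock.holder == user:
            lock = lock or Lock(user, datetime.now(timezone.utc))
            self.locks[name] = lock
            return lock
        raise LockError(f"{name} locked by {lock.holder} since {lock.acquired_at:%Y-%m-%d %H:%M:%S}")

    def can_break_lock(self, user: str, name: str) -> bool:
        """Only the lock holder or a user with a lock-breaking role may clear a lock."""
        lock = self.locks[name]
        return lock is not None and (
            lock.holder == user or bool(self.user_roles.get(user, set()) & LOCK_BREAKERS))

    def clear_lock(self, user: str, name: str) -> None:
        if not self.can_break_lock(user, name):
            raise LockError(f"{user} may not clear the lock on {name}")
        self.locks[name] = None                 # next editor receives the latest version

    def delete(self, user: str, name: str) -> None:
        """Deleting an object implicitly clears any lock associated with it."""
        if self.locks[name] is not None and not self.can_break_lock(user, name):
            raise LockError(f"{name} is locked by another editor")
        del self.locks[name]
```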
If you use the BIG-IP device's self IP address to discover it, you must configure that device to accept traffic from a BIG-IQ Security system. Specifically, if the BIG-IP device has the Virtual Server & Self IP Contexts option set to Reject or Drop, the BIG-IP device will not accept traffic from the BIG-IQ system. Use the following procedure to set this option to Accept.
Alternately, you can add a rule to handle traffic between the self IP addresses of the BIG-IQ Security system and the self IP addresses of the specific BIG-IP device being discovered. In this scenario, you can leave the Virtual Server & Self IP Contexts option set to Reject or Drop.
In this case, ensure the following ports remain open:
To ensure that you always have access to the BIG-IP devices under BIG-IQ management, install two BIG-IQ systems in an active-standby, high-availability (HA) configuration. Configuring a high-availability pair is optional. However, if the active BIG-IQ system in the high-availability configuration fails, the standby peer will become active, enabling you to continue to manage devices.
BIG-IQ Network Security performs asynchronous replication: data is replicated continuously to the peer as changes are made or commands are run on the active system, without waiting for the peer to acknowledge each change.
Terminology is important in understanding the status of the HA relationship. The following table lists and defines some important terms displayed in the top left of the application banner.
If you see the status indications Active (Secondary) and Standby (Primary), you have failed over to the node that is not the primary.
In the unlikely event of network segmentation, both systems may report that they are active.
The following table lists the phases encountered while the cluster is forming.
| State | Status | Description |
| --- | --- | --- |
| UNKNOWN | Collecting | Initial discovery and credential exchange. |
| SYNCHRONIZING | Active | Compatibility validation complete; synchronizing configuration information and establishing the primary/secondary relationship. The system copies the configuration of the primary node to the secondary node (the peer), and the secondary is restarted using that configuration. If the peer encounters errors downloading the configuration from the primary/active node, delete the HA pair, investigate the cause of the errors, and form the pair again. |
| | Active | It is normal for this state to appear. After a brief period, the state updates itself; no user action is necessary. After synchronization of the initial configuration data, the secondary device's REST services are restarted to accept the new configuration and complete the configuration synchronization. |
| STANDBY | Active | Pairing completed. The standby system displays a yellow banner across the top of its UI indicating that changes to individual modules should take place on the active node. Changes to system-level settings are still performed on each individual device. |
| Setting | Description |
| --- | --- |
| Peer IP Address | For the peer BIG-IQ system, enter the self IP address, also known as the HA Communication Address. Obtain this address from the peer device. |
| User Name | Enter the administrative user name for the peer. |
| Password | Enter the administrative password for the peer. |
If discovery fails, a delete button is displayed. Verify the information you entered. If you have entered incorrect information, click Delete to remove it. Then, repeat the process using correct information.
On BIG-IQ systems, HA traffic travels over an HA communication network. It is recommended that an HA communication network be created to handle this traffic and to keep it separate from discovery traffic.
Perform these steps on both peers in the HA pair.
| Setting | Description |
| --- | --- |
| Description | Enter an optional description. |
| Interface | From the drop-down, select 1.2. |

| Setting | Description |
| --- | --- |
| Name | Use the self IP address as the name. Format: nn.nn.n.nnn. |
| Address | Enter the IP address to be used. Include the subnet mask. Format: nn.nn.n.nnn/nn. |
| VLAN | From the drop-down, select 1.2. |
| Description | Enter an optional description. |
In a BIG-IQ Network Security automatic failback scenario, the active node goes down and the standby node takes over. When the active node comes back up, it takes over automatically.
This process includes a failover/recovery trigger timer, which is the time it takes a peer to understand that the other peer in the pair has failed and to respond appropriately.