The process of importing a firewall device's configuration or designating a firewall device for central management by BIG-IQ Security is called discovery.
After discovery, BIG-IQ Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.
BIG-IQ Security lists devices under management in the Devices panel.
Before discovering devices, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a REST framework that supports the required Java-based management services.
Once a device is under central management, the device's configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration entities (shared objects). After that point, do not manage the firewall device locally unless there is an exceptional need.
During discovery, Remove Device appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Remove Device, the import is canceled and management authority over the device is rescinded. The device is removed.
|Device Address||Enter the internal self IP for the BIG-IP
Note: Each managed device must be configured with a communication route from its internal self IP or management IP address to a BIG-IQ system internal self IP address on a configured BIG-IP VLAN. Otherwise, discovery will fail. F5 recommends that you use a self IP address (on the BIG-IP device) in order to gain access to additional functionality that is not provided through the management port.
|Cluster Name||Enter a name for the cluster. Optional, but highly recommended.|
|User Name||Enter the user's login name. For example: fw_admin.|
|Password||Enter the password for this user.|
|Snapshot||Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing.|
|Auto Update Framework||Select this check box to update the REST framework installed on the
Certain BIG-IQ system components must be installed and kept up to date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up to date, select this check box.
The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import (or reimport).
The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.
A conflict is found when two shared objects in the same partition have the same name but different data. Conflicts prevent the discovery process from running to completion.
If conflicts are found, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found, displays detailed differences for conflicting shared objects, and provides for conflict resolution.
Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.
The Resolve Conflicts dialog box also provides a Cancel Task button. If you click Cancel Task, the reimport is canceled. Management authority over the device is not rescinded, and the device is not removed.
|No Action||Take no action. This option does not resolve the conflict and prevents the discovery process from completing. If you are not ready to resolve the conflicts but need to perform other firewall management tasks, cancel the discovery process and return to it later. The device is not brought under management.|
|Keep Both||Retain both objects as configured. BIG-IQ Security changes the name on the incoming object to resolve the conflict. Then, it updates rules with the new object name. The new object name includes the device name so it can easily be found.|
|Keep BIG-IP Version||Keep the object as configured on the BIG-IP device and overwrite the object as configured in the central BIG-IQ Security database.|
|Keep BIG-IQ Version||Keep the object as configured on BIG-IQ Security and overwrite the object as configured on the BIG-IP device.|
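The conflict rule and the four resolution options above, modeled as an added Python example (not BIG-IQ code and not part of the original documentation). The dictionary layout, the option keys, and the `<name>_<device>` rename format are assumptions; the page says only that the new name includes the device name.

```python
"""Illustrative model of discovery conflict handling (not BIG-IQ code)."""
import copy

def find_conflicts(central, incoming):
    """Keys are (partition, name). Conflict: same key, different data."""
    return sorted(k for k, v in incoming["objects"].items()
                  if k in central["objects"] and central["objects"][k] != v)

def resolve(central, incoming, device, choices):
    """Return staged (central, incoming) copies; inputs are left untouched,
    mirroring the page's point that nothing is applied until deployment."""
    conflicts = find_conflicts(central, incoming)
    pending = [k for k in conflicts if choices.get(k, "no_action") == "no_action"]
    if pending:  # No Action leaves the conflict open, so discovery cannot complete
        raise RuntimeError(f"discovery blocked by unresolved conflicts: {pending}")
    central, incoming = copy.deepcopy(central), copy.deepcopy(incoming)
    for key in conflicts:
        partition, name = key
        choice = choices[key]
        if choice == "keep_bigip":      # device version overwrites central database
            central["objects"][key] = incoming["objects"][key]
        elif choice == "keep_bigiq":    # central version overwrites device object
            incoming["objects"][key] = central["objects"][key]
        elif choice == "keep_both":     # rename the incoming object, fix rule refs
            renamed = (partition, f"{name}_{device}")  # assumed naming format
            incoming["objects"][renamed] = incoming["objects"].pop(key)
            for refs in incoming["rules"].values():
                refs[:] = [renamed if r == key else r for r in refs]
        else:
            raise ValueError(f"unknown resolution {choice!r} for {key}")
    for key, data in incoming["objects"].items():  # import non-conflicting objects
        central["objects"].setdefault(key, data)
    return central, incoming

# Constructed sample data: two address lists collide in partition Common.
CENTRAL = {"objects": {("Common", "web_servers"): ["10.0.0.10", "10.0.0.11"],
                       ("Common", "dns"): ["10.0.0.53"]}, "rules": {}}
INCOMING = {"objects": {("Common", "web_servers"): ["10.0.0.10", "10.0.0.12"],
                        ("Common", "dns"): ["10.0.0.53"],
                        ("Common", "mgmt"): ["10.0.9.1"]},
            "rules": {"allow_web": [("Common", "web_servers"), ("Common", "mgmt")]}}

if __name__ == "__main__":
    print("conflicts:", find_conflicts(CENTRAL, INCOMING))
    staged_central, staged_device = resolve(
        CENTRAL, INCOMING, "bigip1", {("Common", "web_servers"): "keep_both"})
    print(sorted(staged_central["objects"]))
    print(staged_device["rules"])
```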
Device properties are displayed for informational purposes and are read-only, except the Snapshot and Auto Update Framework check boxes.
|Host Name||Displays the fully-qualified domain name (FQDN), identified at discovery time.|
|Cluster Name||Displays the BIG-IP device cluster name, provided by the user at discovery time.|
|IP Address||Displays the IP address of the BIG-IP device, used for communication between it and the BIG-IQ Security system.|
|Product||Identifies the product.|
|Version||Identifies the version and hotfix level of the device under management.|
|Snapshot||Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration.|
|Auto Update Framework||Check box used to update the REST framework on the BIG-IP device.|
From the Devices panel, you can display an inventory of device properties and accompanying details for all devices under BIG-IQ Security central management. For further use, you can export this inventory to a CSV file.
Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.
Some possible reasons to reimport include:
If any of these reasons applies, you must reimport to reconcile any changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.
The reimport process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.
During reimport, a Remove Device button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Remove Device, the reimport is canceled, management authority over the device is rescinded, and the device is removed.
Possible configuration sets for a firewall device centrally managed by the BIG-IQ Security system include:
The following table displays states that occur during the discovery process.