Manual Chapter : Overview BIG-IQ Security

Applies To: BIG-IQ Security 4.2.0

About BIG-IQ Security and firewall management

BIG-IQ Security is a platform designed for the central management of security firewalls for multiple BIG-IP systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager (AFM) module.

The BIG-IQ Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deploying configurations from snapshots and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism
  • Monitoring

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log into each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the BIG-IQ Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Security working configuration set. Unless local changes are reconciled, the deployment process will overwrite any local changes.

In addition, BIG-IQ Security is aware that functionality available in one BIG-IP software version may not be available in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.

About filtering

With filtering, you can rapidly narrow the search scope to more easily locate an entity within the GUI. Filtering is accessed through the filter field. You can click any object in a panel to populate the filter field and preview the filtering results.

Filtering reduces the set of data that is visible in the GUI. For example, clicking a device filters the Monitor panel to the related monitoring results for the selected device. The filter entry reflects both the panel and the object type. For example, clicking a global firewall results in the following entry in the filter field:

Firewalls:global

Filtering the BIG-IQ Security GUI

Filter techniques can be important for troubleshooting firewalls.

Note: Filter actions do not affect the displayed contents of the Monitor panel.
  1. To search in the GUI, type a text string in the filter field and click Apply. (The string moves under the filter field.) Assume you have configured the shared object schedule1. If you type schedule1 in the filter field and click Apply, the following line appears under the field: Related to Shared Objects:schedule1
  2. Clear the filter results by clicking the x to the right of the string.

About panels

BIG-IQ Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include an arrow slanted at a 45-degree angle on the right side of their banners. If the arrow is slanted up, you can click it to expand the panel. If the arrow is slanted down, you can click it to collapse the panel. You can also click Cancel to close the expanded panel without saving edits or initiating actions.

You can reorder panels by dragging-and-dropping them to new locations. The customized order persists until you clear the browser's history, cache, and/or cookies.

The BIG-IQ Security interface consists of the following panels:

Devices
Displays the set of BIG-IP devices that BIG-IQ Security has discovered. From this panel, you can initiate device discovery and display device properties. You can also remove devices and reimport devices.
Firewalls
Displays discovered/imported network firewalls residing on discovered BIG-IP devices.
Policies
Displays the policies available. Rules for each policy type (staged or enforced) and each context form their own list, and are processed both in the context hierarchy and in the order within each context list.
Rule Lists
Displays discovered/imported rule lists that you can share among multiple firewalls. From this panel, you can display and edit rule list details.
Snapshots
Displays a list of imported snapshots. From this panel, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state or deploy a specific set of working configuration edits back to a BIG-IP device.
Shared Objects
Displays the address lists, port lists, and schedules that you can share among multiple firewalls. From this panel, you can display and edit object details.
Monitor
Displays counters showing the number of times the system has run a rule. The IP address of the system is shown under the rule name.
Deployment
Enables deployment, to a target BIG-IP device, of any change that occurred to any configuration object. After you have completed edits to a firewall policy, you can create a deployment task to push configuration object changes out to BIG-IP devices.

Expanding panels

Hover in the panel header and click the + icon to expand the panels. For the Shared Objects panel, hover in the header for each object type (address lists, port lists, or schedules) and click the + icon.

Reordering panels

To reorder panels, drag-and-drop them to the new locations of your choice.
The customized order persists until you clear the browser history/cache/cookies.

About tooltips

The BIG-IQ Security system uses tooltips to provide additional information. That additional information varies according to the context.

Tooltips show the name of the shared object when you hover over the name in a list. For example, if you hover over the name of an address list in the Shared Objects panel, you see the full, expanded name of the shared object.

If you hover over that same object from inside a rule, you see the data in the shared object. For an address list, for example, you see a listing of the addresses, address ranges, and/or nested address lists in the selected address list.

About browser resolution

F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.

It is possible to shrink the browser screen so that GUI elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.

About user preferences

As a firewall policy editor, you can customize the BIG-IQ Security GUI to minimize the information displayed and to simplify routine editing sessions. The first customization concerns the set of panels displayed for a particular user. For example, if you never perform deployments, you might decide to hide the Deployments blade.

Note: This customization does not create an access issue. Users still have access to the resources required by their roles; they just choose not to display them.

The second customization concerns the set of firewall types shown in panels. If you do not use certain types, you might decide to hide them to avoid confusion and to minimize scrolling in the panel.

User preference settings persist across user sessions. If the user logs out, they see the same settings when logging back in.

By default, BIG-IQ Security replicates user preferences through BIG-IQ high-availability (HA).

Setting user preferences

  1. Log in to the BIG-IQ Security system.
  2. At the top-right of the screen in the black banner, hover over the admin icon.
  3. When User settings appears, click it to display the Settings popup screen.
  4. Edit the check box options as required for your role.
    Show Panels: Select or clear the check boxes as required. By default, the GUI displays all panels.
    Show Firewall Types: Select or clear the check boxes as required. By default, the GUI displays all firewall contexts in the Firewall panel.
  5. Click Save to save your preferences. Click Close to close the popup screen without saving your selections.
Your preferences are now in effect and persist across user sessions. If you log out, you will see the same settings when you log back in.

About roles

Different users have different responsibilities. As a Firewall manager, you need a way to limit user privileges based on those responsibilities.

To assist you, the BIG-IQ Security system is created with the following default set of roles.

Administrator
This role is responsible for overall management of the platform. Users with this role can add individual users, install updates, activate licenses, and configure HA and networks.
Firewall_Deploy
This role permits viewing and deploying for all firewall configuration objects for all firewall devices under management. Users with this role cannot edit configuration objects, discover devices, or reimport devices or otherwise make changes to the working configuration of the BIG-IQ system. This role cannot create, edit, or delete snapshots. Also, this role does not have access to System/Overview or Networking.
Firewall_Edit
With this role, the user can view and modify all configuration objects for all firewall devices under management, including the ability to create, modify, or delete all shared and firewall-specific objects. Users with only this role cannot deploy configuration changes to remote devices under management. Also, this role does not have access to System/Overview or Networking.
Firewall_View
With this role, the user can view all configuration objects and tasks for all firewall devices under management and all monitoring rules across all devices. Users with this role cannot edit objects and cannot initiate a discovery or deployment task.
Firewall_Manager
This role encompasses the roles of Firewall_View, Firewall_Edit, and Firewall_Deploy. A user logging in with this role bypasses the SYSTEM panel and is logged directly into BIG-IQ Security.
Security_Manager
This role combines the privileges of Firewall_View, Firewall_Edit, and Firewall_Deploy. A user logging in with this role is logged directly into BIG-IQ Security. A user logging in with this role can also access BIG-IQ ASM.

Roles persist and are available after a BIG-IQ system failover.

You can associate multiple roles with a given user; for example, you can grant a user the edit (Firewall_Edit) and the deploy (Firewall_Deploy) roles.

About users

The BIG-IQ Security system is created with the following users.

admin
This user can create firewall managers and assign roles to them. This user cannot access the command shell or the system console.
root
This user can access the system console.

Users persist and are available after a BIG-IQ system failover.

Creating users

It is the Firewall manager's responsibility to ensure the creation of the right set of users and the association of those users with the right roles (sets of privileges). By managing user roles, the Firewall manager places controls on specific functions (view, edit, and deploy).

Users and roles persist and are available after a BIG-IQ system failover.

  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. Hover in the Users banner and click the + icon.
  4. Edit the fields as required.
    User name: Enter the user's login name.
    Full Name: Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers, and spaces.
    Password: Enter the password for this user.
    Confirm Password: Retype the password.
  5. Click Add to save your edits and create the user. Click Cancel to close the panel without saving your entries.
You can now associate this user with a specific role (set of privileges).

Associating users with roles

To control what users are able to accomplish, associate roles (sets of privileges) with particular users.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Users panel, click the user that you want to associate with a role and drag-and-drop the user onto the role (Roles panel). Conversely, you can also drag-and-drop the role onto the user.
The user now has the necessary privileges. To confirm, click the gear icon for the role and view the User Role Properties screen. To the right of Active Users, view the list of users associated with the role. Or, click the gear icon for the user and to the right of User Roles, view the list of roles associated with the user. Or, select the user and the BIG-IQ Security system highlights the roles associated with that user.

Disassociating users from roles

To disable a user's ability to perform a given function, disassociate roles (sets of privileges) from that user.
  1. Log in with administrator credentials.
  2. At the top of the screen in the black banner, hover over System and click Users.
  3. In the Roles panel, hover over the role that contains the user you want to disassociate and click the gear icon.
  4. To the right of Active Users, view the list of users associated with the role.
  5. Click the x icon next to the user that you want to disassociate from the role.
  6. Click Save.
The user is now disassociated from the role and no longer has the privileges associated with the role.

About multi-user editing

With the BIG-IQ Security system, multiple firewall editors can edit shared firewall policy objects simultaneously. This is accomplished through a locking mechanism that avoids conflicts and merges. Initially, the user interface presents all firewall configuration objects as read-only. When a firewall editor initiates an editing session, he/she locks the object. Once an object is locked, no one can modify or delete that object except the holder of the lock or users with privileges sufficient to break the lock (admin, Firewall_Manager, or Security_Manager).

BIG-IQ Security uses a single repository to hold firewall policies. With this single-copy design, multiple editors share the editing task through a locking mechanism. The system saves each editorial change.

Each firewall editor has their own copy of a firewall policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one, complete set of changes. Then, a firewall administrator can review a policy change as a single entity before committing it.

For example:

  1. If a firewall editor needs to edit Portlist_1, AddressList_2, and Rulelist_5, the editor locks those objects.
  2. When the edit pass is complete, the editor saves the object, which clears the lock.

If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges.

When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided.

Deleting an object automatically clears all locks associated with it.

BIG-IQ Security supports:

  • Multiple, independent locks.
  • Locking/unlocking at the firewall level. Locking a firewall locks all shared objects referenced by all of the device’s firewalls/rules.
  • Locking/unlocking on an object-by-object basis where the object is defined as a shared object or a firewall.
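The locking rules described above (independent per-object locks, firewall-level locks that cover every referenced shared object, lock-breaking by admin, Firewall_Manager, or Security_Manager, release on Save or Cancel, and clearing on delete), written out as a small executable model. This is an added example, not F5 code; it assumes a firewall-level lock is all-or-nothing, which the chapter does not state.

```python
"""Executable model of the BIG-IQ Security object-locking rules (added example, not F5 code)."""
from dataclasses import dataclass, field

# Roles that may clear a lock held by any user (from the chapter).
LOCK_BREAKERS = {"admin", "Firewall_Manager", "Security_Manager"}


@dataclass
class Lock:
    owner: str
    created: str  # the date/time stamp shown in the lock banner


@dataclass
class LockStore:
    # object name -> Lock; every object is read-only until someone locks it
    locks: dict = field(default_factory=dict)
    # firewall name -> shared objects referenced by that firewall's rules
    firewall_refs: dict = field(default_factory=dict)

    def can_unlock(self, user, roles, name):
        """The owner can always clear a lock; LOCK_BREAKERS can clear anyone's."""
        lock = self.locks.get(name)
        return lock is not None and (lock.owner == user or bool(set(roles) & LOCK_BREAKERS))

    def lock(self, user, name, when):
        """Object-by-object lock. Fails if another user already holds it."""
        held = self.locks.get(name)
        if held is not None and held.owner != user:
            return False
        self.locks[name] = Lock(user, when)
        return True

    def lock_firewall(self, user, fw, when):
        """Firewall-level lock: the firewall plus every shared object it references.
        Assumption: all-or-nothing; fails if any target is held by someone else."""
        targets = [fw] + sorted(self.firewall_refs.get(fw, ()))
        for name in targets:
            held = self.locks.get(name)
            if held is not None and held.owner != user:
                return False
        for name in targets:
            self.locks[name] = Lock(user, when)
        return True

    def unlock(self, user, roles, name):
        """Clear one lock (the Unlock link in the tooltip)."""
        if not self.can_unlock(user, roles, name):
            return False
        del self.locks[name]
        return True

    def save(self, user, name):
        """Save (or Cancel) by the holder releases the lock."""
        return self.unlock(user, (), name)

    def delete(self, name):
        """Deleting an object automatically clears its lock."""
        self.locks.pop(name, None)
        self.firewall_refs.pop(name, None)

    def view_all(self):
        """What the Locks popup lists: (name, user, date/time) for every lock."""
        return sorted((n, l.owner, l.created) for n, l in self.locks.items())
```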

Locking configuration objects for editing

Before editing a configuration object, you must establish a lock on that object.
Note: If you have editing privileges, you can lock firewalls, policies, rule lists, address lists, port lists, and schedules.
  1. Navigate to the object that you want to edit.
  2. Hover in the banner for that object, and click the gear icon to expand the panel and display object details. If an Edit button is visible, you can edit the object. If the object is already locked, a lock banner is visible and there is no Edit button available.

    The lock banner provides a date and time stamp of the lock.

  3. If an Edit button is visible, click it to lock the object for editing. A lock appears on the object and a lock banner is displayed.
  4. Edit as appropriate.
  5. When finished, click Save.
The lock on the object is released. If you click Cancel, the lock is also released but any edits will be discarded.

Viewing locks on all configuration objects

BIG-IQ Security provides a way to view all locked configuration objects from a single popup screen.
  1. Examine all panels to locate locked configuration objects.
  2. Navigate to a locked object.
  3. Hover over the lock icon. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created, as well as a link labeled View All.
  4. Click View All.
The Locks popup screen is displayed showing type, name, user, date and time, and a description for all locked objects.

Clearing locks on configuration objects

The owner of a lock can always clear that lock. Other roles (Administrator, Firewall_Manager, Security_Manager) also carry sufficient privileges to clear locks held by any user.
  1. Examine all panels to locate locked configuration objects.
  2. Search for the object whose lock you want to clear.
  3. Hover over the lock icon to the left of the object's name in the panel. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created, as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  4. In the tooltip, click Unlock.
  5. In the confirmation dialog box, click Unlock.
The lock is cleared.

Clearing multiple locks or all locks

BIG-IQ Security provides a way to clear multiple locks or all locks from a single popup screen, providing that the user carries sufficient privileges.
  1. Examine all panels to locate locked configuration objects.
  2. Hover over the lock icon to the left of any locked object in any panel. A tooltip is displayed that shows the owner of the lock and the date and time the lock was created as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  3. In the tooltip, click Unlock.
  4. In the popup that appears, select or clear check boxes as appropriate. Select the check box at the top to clear all locks.
  5. Click Unlock.
  6. In the confirmation dialog box, click Unlock.
The locks are cleared.

Configuring BIG-IP devices to accept traffic

If you use the BIG-IP device's self IP address to discover it, you must configure that device to accept traffic from a BIG-IQ Security system. Specifically, if the BIG-IP device has the Virtual Server & Self IP Contexts option set to Reject or Drop, the BIG-IP device will not accept traffic from the BIG-IQ system. Use the following procedure to set this option to Accept.

Alternately, you can add a rule to handle traffic between the self IP addresses of the BIG-IQ Security system and the self IP addresses of the specific BIG-IP device being discovered. In this scenario, you can leave the Virtual Server & Self IP Contexts option set to Reject or Drop.

In this case, ensure the following ports remain open:

  • 22 (SSH, TCP protocol)
  • 443 (HTTPS, TCP protocol)
  • 4353 (iQuery, TCP protocol)
Note: Whichever scenario you choose, configure the BIG-IP device to allow traffic to/from the self IP addresses of both BIG-IQ nodes in a BIG-IQ HA pair.
  1. On the BIG-IP device, navigate to Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts dropdown, select Accept.
  3. Click Update.
Packets with BIG-IQ Security as the source are then able to pass through the BIG-IP firewall and traverse the system.
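A quick way to confirm, from the BIG-IQ side, that the three ports listed above (22, 443, 4353) are reachable on a BIG-IP self IP before attempting discovery. This is an added example, not F5 code; the self IP shown is a placeholder.

```python
"""Probe the TCP ports BIG-IQ discovery needs on a BIG-IP self IP (added example, not F5 code)."""
import socket
import sys

# Ports that must remain open on the BIG-IP self IP when the
# Virtual Server & Self IP Contexts option is left at Reject or Drop
# and a rule is used instead (from the chapter).
REQUIRED_PORTS = {22: "SSH", 443: "HTTPS", 4353: "iQuery"}


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, dropped (timeout), or unreachable
        return False


def check_discovery_ports(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Probe each required port and return {port: reachable?}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results, ports=REQUIRED_PORTS):
    """List the ports that failed, labelled with the service names from the chapter."""
    return [f"{p} ({ports.get(p, 'unknown')})" for p, ok in sorted(results.items()) if not ok]


if __name__ == "__main__":
    # Placeholder self IP; pass the real BIG-IP self IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_discovery_ports(target)
    for port, ok in sorted(results.items()):
        print(f"{target}:{port} {REQUIRED_PORTS[port]:6} {'open' if ok else 'BLOCKED'}")
    if blocked_ports(results):
        print("Set Virtual Server & Self IP Contexts to Accept, or add a rule for the blocked ports.")
        sys.exit(1)
```

A Drop setting shows up as a timeout rather than an immediate refusal, so expect the probe to take the full timeout for each blocked port.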

About BIG-IQ active-standby, high-availability configurations

To ensure that you always have access to the BIG-IP devices under BIG-IQ management, install two BIG-IQ systems in an active-standby, high-availability (HA) configuration. Configuring a high-availability pair is optional. However, if the active BIG-IQ system in the high-availability configuration fails, the standby peer will become active, enabling you to continue to manage devices. When a standby system assumes the active role, the archive file is expanded to allow access to the configuration data.

Note: The standby system does not display the updated firewall data until it assumes the active role.

The BIG-IQ high-availability active system synchronizes its configuration to the standby system's archive file every 15 minutes.

Configuring BIG-IQ high-availability systems

To configure high-availability, you must have two licensed BIG-IQ systems, installed with the required system components. For the high-availability pair of BIG-IQ systems to synchronize properly, each must be running the same BIG-IQ version, and the clocks on each device must be synchronized within 60 seconds of the other. System times must remain synchronized. Prior to establishing the pair, examine the NTP settings at the BIG-IQ system level and the current system time value.
  1. Log in to the BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. At left, click High Availability.
  4. Edit these fields:
    Peer IP Address: For the peer BIG-IQ system, enter the self IP address that is noted as the Discovery Address on the peer's System > Networking tab.
    User Name: Enter the administrative user name.
    Password: Enter the administrative password.
  5. To save the configuration, click Save. If discovery fails, a Delete button is displayed. Verify that the information is correct. If you entered incorrect information, click Delete to remove it, then repeat the process using the correct information.
The active BIG-IQ system discovers its peer and displays status. The standby system displays a yellow banner at the top of the application, informing the user not to attempt editing data on it.

Splitting a BIG-IQ high-availability pair

To change or reconfigure peers in a BIG-IQ high-availability system, you must first delete the peers.
  1. Log in to the standby BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. At left, click High Availability.
  4. Click Delete.
  5. Repeat steps 1 to 4 on the active peer BIG-IQ system.
Each BIG-IQ system now operates standalone.

Forcing active BIG-IQ high-availability systems to standby

If both BIG-IQ systems in an active-standby, high-availability (HA) pair become active, a warning message is displayed at the top of every screen. If this scenario occurs, move one system back into standby mode.
Note: Configuration replication does not occur while the systems are in this state.
  1. Log in to one BIG-IQ system, using administrator credentials.
  2. In the black banner, hover over System and then click Overview.
  3. At left, click High Availability.
  4. Click Force Standby.
  5. To save the change, click Save.
This BIG-IQ system is forced into standby mode.