Manual Chapter: Deploying Configuration Changes

Applies To:

BIG-IQ Security

  • 4.4.0

About BIG-IQ Security deployments

The BIG-IQ Security system displays individual deployments and their status (one action per row in the Deployment panel).

After you have completed edits to firewall contexts, objects, or policies, you can create a deployment from the Deployment panel to distribute those changes to selected BIG-IP devices.

Note: You can deploy security policies to a device that already has the policy by overwriting the existing security policy. If the security policy does not yet exist on the device, you can deploy it as a new policy attached to an available virtual server or you can deploy it as an inactive policy.

The system displays changes as follows:

  • ADDED. New shared objects added to a rule and called by an existing rule list, policy, or firewall are counted as ADDED. Newly-created shared objects that are not referenced in a firewall are not counted and are not distributed.
  • MODIFIED. Existing objects already used by an existing rule list, policy, or firewall, and subsequently edited, are counted as MODIFIED.
  • REMOVED. Existing objects used by an existing rule list, policy, or firewall, and subsequently removed, are counted as REMOVED. If a shared object is removed from a rule and is no longer being used by any other rules, it is marked for removal from the selected devices. It is not removed from the BIG-IQ Security system unless expressly deleted.
Note: If an individual rule in a rule list, policy, or firewall has been changed, added, or removed, the entire modified object (rule list, policy, or firewall) is marked for deployment. This also applies to adding, modifying, or removing ports in a port list, or addresses in an address list.
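
The counting rules above can be worked through on a small case. The following is an added example, not BIG-IQ code: a simplified model in which the dictionary layout, the object names, and the "shared"/"container" labels are all assumptions made for illustration.

```python
from collections import Counter

def referenced(cfg):
    """Names of shared objects used by at least one rule in any container."""
    return {name for rules in cfg["containers"].values()
            for rule in rules for name in rule["uses"]}

def evaluate(working, device):
    """Return {(type, name): change} for the working config versus a device."""
    changes = {}
    w_ref, d_ref = referenced(working), referenced(device)
    for name in w_ref - d_ref:            # newly referenced shared object
        changes[("shared", name)] = "ADDED"
    for name in d_ref - w_ref:            # no rule uses it any more
        changes[("shared", name)] = "REMOVED"
    for name in w_ref & d_ref:            # still used, contents edited
        if working["shared"][name] != device["shared"][name]:
            changes[("shared", name)] = "MODIFIED"
    w_con, d_con = working["containers"], device["containers"]
    for name in w_con.keys() | d_con.keys():
        if name not in d_con:
            changes[("container", name)] = "ADDED"
        elif name not in w_con:
            changes[("container", name)] = "REMOVED"
        elif w_con[name] != d_con[name]:  # any rule change marks the whole object
            changes[("container", name)] = "MODIFIED"
    return changes

def counts(changes):
    """Number of changes of each type, as the evaluation summary would show."""
    return dict(Counter(changes.values()))

# Constructed sample data (hypothetical object names).
DEVICE = {
    "containers": {"web-rules": [
        {"name": "allow-web", "uses": ["web-ports", "dmz-hosts"]},
        {"name": "allow-dns", "uses": ["dns-ports"]}]},
    "shared": {"web-ports": [80, 443], "dmz-hosts": ["10.0.1.0/24"],
               "dns-ports": [53]},
}
WORKING = {
    "containers": {"web-rules": [
        {"name": "allow-web", "uses": ["web-ports", "mgmt-hosts"]}]},
    "shared": {"web-ports": [80, 443, 8443], "mgmt-hosts": ["10.0.9.0/24"],
               "dmz-hosts": ["10.0.1.0/24"], "dns-ports": [53],
               "draft-hosts": ["192.0.2.0/24"]},   # unreferenced: not counted
}

if __name__ == "__main__":
    for key, change in sorted(evaluate(WORKING, DEVICE).items()):
        print(change, *key)
```

In this model, dmz-hosts and dns-ports are reported as REMOVED for the device even though both still exist in the working configuration, matching the rule that an object is not removed from BIG-IQ Security unless expressly deleted.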

During the distribution phase, configuration changes and security policies are pushed out to remote BIG-IP devices. The working-configuration set is deployed, or the selected BIG-IP device is rolled back, to the state reflected in the snapshot. Any changes made locally to the BIG-IP device are overwritten.

With BIG-IQ Security, you can deploy to up to 20 devices in a single deployment.

Filtering on deployment tasks

To filter the Deployment panel, type text in the filter field and press the Enter key. Clear the filter by clicking the X to the right of the text in the gray box under the filter.

To filter on a specific deployment, hover over the deployment task and when the gear icon appears, click it. Then, select Show Only Related Objects to filter by deployment task.

Evaluation process steps

During the evaluation process, BIG-IQ Security:

  1. Contacts the selected remote BIG-IP devices and synchronizes the working-configuration sets for all.
  2. Takes a snapshot of the working-configuration set for each BIG-IP device.
  3. Compares the remote and local configurations.
  4. Calculates the set of changes to be deployed (number and type of each change).
  5. Displays the number and type of each change.

Adding deployments

When you have completed edits to a firewall or security policy, you can create a deployment to push out to a target device any change that occurred to any configuration object.
  1. Navigate to the Deployment panel.
  2. Hover over the Deployment banner and click the + icon.
  3. Complete the fields as required. Your changes are saved automatically.
    Option | Description
    Deployment Name | Name for the deployment that indicates its purpose. It can be useful to develop a convention such as ticket numbers.
    Description | Optional description, including the purpose of the deployment or other relevant information.
    Deployment Source | Choose between Working Config and Snapshot. To deploy the working configuration currently on the BIG-IQ system, select Working Config and click Evaluate. To deploy from a snapshot, select Snapshot, and from the popup screen, select the snapshot you want to deploy from and click Evaluate.
    Select Devices to Evaluate; Available Devices | Available devices are listed. Select or clear check boxes as appropriate.
  4. To evaluate differences between the working configuration (BIG-IQ Security) and the configuration on the BIG-IP device, click Evaluate.
  5. To create the deployment task, click Deploy.
A deployment is created and listed in the Deployment panel along with its status. A status of READY TO DEPLOY indicates that you can deploy the working-configuration set or you can roll back the selected BIG-IP device to the state reflected in the snapshot.

Managing deployments

When a deployment displays a status of READY TO DEPLOY, you can distribute configuration changes to managed BIG-IP devices. If there are no changes to deploy, a message displays to confirm this.
  1. Navigate to the Deployment panel.
  2. Hover over the banner of the deployment you want to manage and click the gear icon to open the screen and display task properties.
    Option | Description
    Deployment Name | User-provided name of the deployment task.
    Description | Optional description, including the purpose of the deployment or other relevant information.
    User | Name of the user who initiated the deployment.
    Task Status | Status for deployment phases (evaluation and distribution).
    Start Time | Time the deployment started in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:17-07:00
    End Time | Time the deployment ended in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:36-07:00
    Select Devices to Evaluate | Available devices are listed to the right of the field. Select or clear check boxes as appropriate.
  3. Click Evaluate to evaluate differences between the selected snapshot and the current configuration.
  4. Click View Diffs to view differences between the configuration on BIG-IQ Web Application Security and the BIG-IP device. A dialog box opens displaying the differences. The display shows four columns: Type (type of entity changed), Change (add, modify, remove), On BIG-IQ (name of the entity on BIG-IQ Web Application Security), and On BIG-IP (name of the entity on the BIG-IP device).
  5. When ready to deploy, click Deploy to push changes to the selected BIG-IP device.
Deployment states are displayed during the deployment process. At the end of the deployment process, the working-configuration set is deployed to selected BIG-IP device(s) or, if a snapshot was selected, the BIG-IP device is rolled back to the state reflected in the snapshot.

Deploying from snapshots

During deployment, use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP device.
  1. Navigate to the Deployment panel.
  2. Hover over the Deployment banner and click the + icon.
  3. Complete the fields as required. Your changes are saved automatically.
    Option | Description
    Deployment Name | Name for the deployment that indicates its purpose. It can be useful to develop a convention such as ticket numbers.
    Description | Optional description, including the purpose of the deployment or other relevant information.
    Deployment Source | Choose between Working Config and Snapshot. To deploy the working configuration currently on the BIG-IQ system, select Working Config and click Evaluate. To deploy from a snapshot, select Snapshot, and from the popup screen, select the snapshot you want to deploy from and click Evaluate.
    Select Devices to Evaluate; Available Devices | Available devices are listed. Select or clear check boxes as appropriate.
  4. When you see the message READY TO DEPLOY under the deployment name in the Deployment panel, click the gear icon to expand the panel.
    1. Under the text Evaluate found the following changes: you will see a device name followed by an arrow.
    2. Click the arrow to display differences. Differences are listed by: name, type, change (added, modified, deleted), and device (blank unless the type is firewall).
    3. Click an object name to view the JSON in the table under the list of differences.
  5. When ready to deploy, click Deploy to push changes to the selected BIG-IP device.
The selected snapshot or the specific set of working-configuration edits is deployed to the selected BIG-IP device.

Device deployment states

This table displays states that occur during the deployment process, and a brief description of each state.

State | Description
NEW | The deployment process has started.
COMPLETED_RETRIEVE_DEVICES | Devices have been successfully retrieved. All managed devices on the BIG-IQ Security system have been found.
FAILED_RETRIEVE_DEVICES | Failed to retrieve devices. Failed to find all managed devices on BIG-IQ Security.
COMPLETED_CHECK_DMA | Verified that the process of declaring management authority (DMA) is not currently running. The deployment process cannot run if DMA is running.
FAILED_CHECK_DMA | Verified that the process of DMA is currently running. The deployment process cannot run at the same time.
STARTED_REFRESH_CONFIG | Refresh of the current configuration for all devices included in the deployment has started. This process pulls in any new configuration items from the BIG-IP device into the current configuration.
COMPLETED_REFRESH_CONFIG | Refresh of the current configuration for all devices included in the deployment has completed. This process pulls in any new configuration items from the BIG-IP device into the current configuration.
FAILED_REFRESH_CONFIG | Refresh of the BIG-IQ Security current configuration has failed. This refresh pulls in any new configuration items from the BIG-IP device into the current configuration.
STARTED_SNAPSHOT | Snapshot of the working configuration has started.
COMPLETED_SNAPSHOT | Snapshot of the working configuration has completed.
FAILED_SNAPSHOT | Snapshot of the working configuration has failed.
START_DIFFERENCE | Preparing to start the process of enumerating differences between the snapshot taken and the current configuration.
STARTED_DIFFERENCE | Generating the differences between the snapshot taken and the current configuration has started.
COMPLETED_DIFFERENCE | The process of enumerating differences between the snapshot taken and the current configuration has completed.
FAILED_DIFFERENCE | The process of enumerating differences between the snapshot taken and the current configuration has failed.
STARTED_PROCESSING_DIFFERENCE | Processing differences between the snapshot taken and the current configuration has started. This state transforms the difference data into a form that can be distributed.
COMPLETED_PROCESSING_DIFFERENCE | Processing differences between the snapshot taken and the current configuration has completed. This state transforms the difference data into a form that can be distributed.
FAILED_PROCESSING_DIFFERENCE | Processing differences between the snapshot taken and the current configuration has failed. This state transforms the difference data into a form that can be distributed.
START_DISTRIBUTION | Preparing to start the distribution process.
STARTED_DISTRIBUTION | The process of distributing configuration changes to specified devices has started.
FAILED_DISTRIBUTION | The process of distributing configuration changes has failed.
COMPLETED | The deployment process has completed.
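
When reviewing a deployment task after the fact, the state names and the Start Time/End Time fields are enough to tell which step stopped the run and whether distribution was reached. The following is an added example, not BIG-IQ code: the trace is constructed, the list-of-states input format is hypothetical, and treating every step before distribution as the evaluation phase and the table order as the run order are assumptions.

```python
from datetime import datetime

# Outcomes the state table lists for each step, in table order.
KNOWN = {
    "RETRIEVE_DEVICES": ("COMPLETED", "FAILED"),
    "CHECK_DMA": ("COMPLETED", "FAILED"),
    "REFRESH_CONFIG": ("STARTED", "COMPLETED", "FAILED"),
    "SNAPSHOT": ("STARTED", "COMPLETED", "FAILED"),
    "DIFFERENCE": ("START", "STARTED", "COMPLETED", "FAILED"),
    "PROCESSING_DIFFERENCE": ("STARTED", "COMPLETED", "FAILED"),
    "DISTRIBUTION": ("START", "STARTED", "FAILED"),
}
ORDER = list(KNOWN)

def parse_state(state):
    """Return (outcome, step); NEW and COMPLETED carry no step."""
    if state in ("NEW", "COMPLETED"):
        return state, None
    for step, outcomes in KNOWN.items():
        for outcome in outcomes:
            if state == f"{outcome}_{step}":
                return outcome, step
    raise ValueError(f"unknown deployment state: {state!r}")

def summarize(trace, start_time, end_time):
    """Reduce an ordered list of observed states to result, step, phase, seconds."""
    result, step, last = "IN_PROGRESS", None, -1
    for state in trace:
        outcome, this_step = parse_state(state)
        if this_step is not None:
            if ORDER.index(this_step) < last:
                raise ValueError(f"{state} is out of table order")
            step, last = this_step, ORDER.index(this_step)
        if outcome == "FAILED":
            result = "FAILED"
            break
        if state == "COMPLETED":
            result = "COMPLETED"
    phase = None
    if step is not None:  # assumption: all steps before distribution are evaluation
        phase = "distribution" if step == "DISTRIBUTION" else "evaluation"
    elapsed = datetime.fromisoformat(end_time) - datetime.fromisoformat(start_time)
    return {"result": result, "step": step, "phase": phase,
            "seconds": elapsed.total_seconds()}

# Constructed trace; the timestamps are the examples from the task properties table.
TRACE = ["NEW", "COMPLETED_RETRIEVE_DEVICES", "COMPLETED_CHECK_DMA",
         "STARTED_REFRESH_CONFIG", "COMPLETED_REFRESH_CONFIG",
         "STARTED_SNAPSHOT", "FAILED_SNAPSHOT"]

if __name__ == "__main__":
    print(summarize(TRACE, "2013-05-31T08:16:17-07:00", "2013-05-31T08:16:36-07:00"))
```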