Manual Chapter : Managing BIG-IP Devices

Applies To:

  • BIG-IQ Security 4.4.0

About device discovery

About device discovery: BIG-IQ Network Security

The process of importing a firewall device's configuration or designating a firewall device for central management by BIG-IQ Network Security is called discovery.

After discovery, BIG-IQ Network Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.

The BIG-IQ Security Devices panel displays user-defined and system-defined groups and imported BIG-IP devices.
Note: Groups are simply a way to group devices visually and manage them more efficiently.

Before discovering devices and importing firewalls, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a framework that supports the required Java-based management services.

To view all devices under management, in BIG-IQ Network Security, navigate to the Devices panel.

To display only those items related to the specific device, hover over the device and when the gear icon appears, click it. Then, you can select Properties to display properties or Show Only Related Items to filter by device.

About device discovery: BIG-IQ Web Application Security

The process of designating a device for central management by BIG-IQ Web Application Security is called discovery. Once a BIG-IP device is discovered, all security policies and virtual servers on the device come under management by the BIG-IQ system.

For each discovered device, the system creates an extra virtual server to hold all policies not related to any virtual server in the discovered device.

After discovery, BIG-IQ Web Application Security enables a view of devices and properties, policies, and virtual servers associated with those devices, and a way to perform device-specific and policy-specific actions.

To view all devices under management, in BIG-IQ Web Application Security, navigate to the Devices panel.

Discovering devices on BIG-IQ Network Security

Before discovering BIG-IP devices, ensure that the required BIG-IQ components are installed on those devices. For details, consult the BIG-IQ-Device: Device Management section on installing required BIG-IQ components on managed devices.

You can perform device discovery to bring a BIG-IP device under central management. Once a device is under central management, the device's configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration objects. After that occurs, do not manage the firewall device locally unless there is an exceptional need. Otherwise, changes made locally could be overwritten on the next deployment task.

During discovery, a Remove Device button appears after the task has identified the device and started importing the firewall configuration. If you click Remove Device at this point, the import is canceled and management authority over the device is rescinded. Subsequently, the device is removed.

  1. Navigate to the Devices panel. At first login, this panel will contain no discovered devices. However, it will display a device group named Firewall Group.
  2. Hover over the Devices header and click the + icon to display the available menu options (New Device and New Group).
  3. Click New Device to discover a device.
  4. Complete the property fields as required.
    Device Address: Type the BIG-IP device self IP address or management IP address.
    Note: Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP self IP address for discovery.
    Cluster Name: Type a name for the cluster. Optional, but highly recommended if the BIG-IP device is in a config sync relationship with other BIG-IP devices.

    The cluster name creates a new group if one doesn't exist, or adds the device to the existing cluster group if it does. For more information, consult the sections on managing groups in this guide.

    Username: Type the user's login name. For example: admin.
    Password: Type the password for this user.
    Snapshot: Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing.

    BIG-IQ Security uses snapshots to protect the working configuration set of the Security module. Thus, at any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working configuration edits back to a BIG-IP device.

    Update Framework: Select the Update on Discovery check box to update the REST framework installed on the BIG-IP device.

    Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this check box.

    Root Username: If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the discovery process. Type the root user name, which is root by default.
    Root Password: If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the discovery process. Type the root password.
  5. Click Add.
After discovery, the BIG-IP device is listed in the Devices panel by its FQDN and internal self IP address. By default, the device is added to the Firewall group. If a cluster group is specified, it is added to the specified cluster group. Also, the system lists the snapshot of the working configuration taken during import in the Snapshots panel. The system imports any firewall policies on this device and makes them available for configuration management.

Discovering devices on BIG-IQ Web Application Security

Before discovering one or more BIG-IP devices, ensure that required BIG-IQ components are installed and kept up-to-date on those BIG-IP devices. For details, consult the BIG-IQ-Device: Device Management section on installing required BIG-IQ components on managed devices.
Perform device discovery to bring a BIG-IP device under central management. Once a device is under central management, information about the device and objects stored on the device are located in the BIG-IQ database, which is the authoritative source for all configuration objects.
Note: Do not manage the BIG-IP device locally. If you make changes locally, you (or another Administrator) might overwrite those changes when performing a deployment from the BIG-IQ system.
  1. Navigate to the Devices panel. At first login, this panel will contain no discovered devices. However, it will display a device group named Firewall Group.
  2. Hover over the Devices header and click the + icon to display the available menu options (New Device and New Group).
  3. Complete the property fields as required.
    Device Address: Type the internal self IP address for the BIG-IP device.
    Note: Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP self IP address for discovery.
    User Name: Type the user's login name. For example: admin.
    Password: Type the password for this user.
    Auto Update Framework: Select this check box to force an update of the REST framework on the BIG-IP device.

    Certain BIG-IQ system components should be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework that supports the required Java-based management services.

    Check to overwrite...: Clear this check box (the default setting) to ensure that the discovery process does not overwrite the source of imported policies already on the BIG-IQ system.
  4. Click Add.
After discovery, the BIG-IP device is listed in the Devices panel by its FQDN and internal self IP address.

About declaring management authority

The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import (or reimport).

The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.

Note: In this scenario, a conflict is defined as two shared objects in the same partition having the same name, but containing different data.

About conflict resolution

A conflict is found when two objects of the same type have the same name but contain different data. Thus, an address list named list1 and a port list named list1 would not be in conflict.
Note: An object is defined as an address list, port list, rule list, policy, or schedule.
Conflicts prevent processes from running to completion.
Note: It is the responsibility of the administrator to know how to resolve conflicts between shared objects, and to deploy the resolution. If you encounter conflicts during discovery, import, reimport, or deployment, you must resolve those conflicts before you can interact further with BIG-IQ Security.

If conflicts are found, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found, displays detailed differences for conflicting shared objects, and provides for conflict resolution.

Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.

Resolving conflicts

After importing or reimporting a BIG-IP device, you can use the Resolve Conflicts dialog box to view the differences between configurations, and to resolve conflicts.
  1. Navigate to the Devices panel.
  2. Hover over the name of the device you want to import/reimport and when the gear icon appears, click it to display the expanded panel. You can modify only a few of the properties displayed.
    Host Name: Fully-qualified domain name (FQDN), identified at time of discovery.
    Cluster Name: BIG-IP device cluster name, provided at time of discovery.
    IP Address / Management Address: IP address for the communication route to the BIG-IQ system internal self IP address.

    Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP self IP address for discovery.

    Product: Product identity.
    Version: Version and hotfix level of the device under management.
    Status: (BIG-IQ Web Application Security) Active.
    Snapshot: Check box used to snapshot the configuration on the BIG-IP device before importing (the default).
    Username: Administrative login name. For example: admin.
    Password: Administrative password for this user.
    Update Framework: Check box used to update the REST framework installed on the BIG-IP device.

    Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this Update On Save check box.

    Root Username: If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the reimport process. Type the root user name, which is root by default.
    Root Password: If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the reimport process. Type the root password.
  3. In the Device Properties screen, click Add/Reimport.
  4. When the Resolve Conflicts dialog box opens, the conflicting shared objects are highlighted in blue in the upper half of the dialog box. Click a shared object to view its details in the lower half of the dialog box. The object's configuration on the BIG-IP device is displayed on the left and the object's configuration on BIG-IQ Security is displayed on the right. A gray area indicates that an object has been removed, yellow indicates that a line has changed, and green indicates that an object has been added or modified. The Resolve Conflicts dialog box also provides a Cancel Task button. If you click Cancel Task, the reimport is canceled. Management authority over the device, if established, is not rescinded, and the device is not removed.
  5. Examine differences. From the Action list, select one of the following for each object in conflict:
    Keep BIG-IQ Version: Keep the object as configured on BIG-IQ Security, and overwrite the object as configured on the BIG-IP device.
    Keep BIG-IP Version: Keep the object as configured on the BIG-IP device, and overwrite the object as configured in the central BIG-IQ Security database.
    Keep Both: Retain both objects as configured. BIG-IQ Security changes the name on the incoming object to resolve the conflict, then updates rules with the new object name. The new object name includes the device name so it can easily be found.
  6. Alternately, from the Apply this action to all conflicts list, select an action to resolve all existing conflicts.
After conflict resolution, the device's configuration is refreshed and synchronized with the configuration stored in BIG-IQ Security.
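The conflict rule stated above (same partition, same object type, same name, different data) and the three Resolve Conflicts actions are easy to get wrong when reasoning about a reimport, so here is a small model of them, run over constructed sample objects. This is an added example, not F5 code and not the BIG-IQ implementation: the object keys, the "keep-bigiq/keep-bigip/keep-both" action names, the "<name>_<device>" renaming scheme and the Rule shape are assumptions for the illustration; the page only says the new name includes the device name and that rules are updated to it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]


@dataclass(frozen=True)
class SharedObject:
    """One shared object: address list, port list, rule list, policy or schedule."""
    partition: str
    kind: str
    name: str
    data: Tuple[str, ...]

    @property
    def key(self) -> Key:
        # Two objects can only conflict if partition, type AND name all agree,
        # so an address list named list1 never conflicts with a port list named list1.
        return (self.partition, self.kind, self.name)


@dataclass
class Rule:
    """Simplified firewall rule that references an address list by name (assumed shape)."""
    name: str
    source_list: str


def find_conflicts(bigip_objs: List[SharedObject],
                   bigiq_objs: List[SharedObject]) -> List[Tuple[SharedObject, SharedObject]]:
    """Return (incoming BIG-IP object, existing BIG-IQ object) pairs with equal key but different data."""
    existing = {o.key: o for o in bigiq_objs}
    return [(o, existing[o.key]) for o in bigip_objs
            if o.key in existing and existing[o.key].data != o.data]


def resolve(bigip_objs, bigiq_objs, bigip_rules, action: str, device_name: str):
    """Apply one action to every conflict and return (working config, rules from the device).

    Nothing here touches the BIG-IP: as the page notes, the BIG-IP side only changes
    on the next deployment, so 'keep-bigiq' simply leaves the working copy as it is.
    """
    working: Dict[Key, SharedObject] = {o.key: o for o in bigiq_objs}
    rules = [Rule(r.name, r.source_list) for r in bigip_rules]  # copy; we may rename refs
    for incoming, existing in find_conflicts(bigip_objs, bigiq_objs):
        if action == "keep-bigiq":
            continue                       # working copy wins; device overwritten on deploy
        elif action == "keep-bigip":
            working[incoming.key] = incoming  # device copy replaces the working copy
        elif action == "keep-both":
            # Incoming object is renamed with the device name (naming scheme assumed),
            # and the device's rules are pointed at the renamed object.
            renamed = SharedObject(incoming.partition, incoming.kind,
                                   f"{incoming.name}_{device_name}", incoming.data)
            working[renamed.key] = renamed
            for r in rules:
                if incoming.kind == "address-list" and r.source_list == incoming.name:
                    r.source_list = renamed.name
        else:
            raise ValueError(f"unknown action {action!r}")
    # Objects that did not conflict simply join the working configuration.
    for o in bigip_objs:
        working.setdefault(o.key, o)
    return working, rules


# Constructed sample data: one real conflict (address-list list1 differs), one
# same-name-different-type pair that is NOT a conflict, and one new object.
BIGIQ_OBJECTS = [
    SharedObject("Common", "address-list", "list1", ("10.0.0.0/8",)),
    SharedObject("Common", "port-list", "list1", ("443",)),
]
BIGIP_OBJECTS = [
    SharedObject("Common", "address-list", "list1", ("10.0.0.0/8", "192.168.1.0/24")),
    SharedObject("Common", "port-list", "list1", ("443",)),
    SharedObject("Common", "schedule", "office-hours", ("08:00-18:00",)),
]
BIGIP_RULES = [Rule("allow-internal", "list1")]

if __name__ == "__main__":
    for incoming, existing in find_conflicts(BIGIP_OBJECTS, BIGIQ_OBJECTS):
        print("conflict:", incoming.key, "BIG-IP", incoming.data, "vs BIG-IQ", existing.data)
    cfg, rules = resolve(BIGIP_OBJECTS, BIGIQ_OBJECTS, BIGIP_RULES, "keep-both", "bigip1")
    print(sorted(cfg), [(r.name, r.source_list) for r in rules])
```

Running it reports exactly one conflict, the address list; with "keep-both" the working configuration ends up with four objects and the device's rule now references list1_bigip1, which is the behaviour the Keep Both description above promises.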

About BIG-IQ Security configuration sets

BIG-IQ Security systems use the following terminology to refer to firewall configuration sets for a centrally-managed device:

Current configuration set
The configuration of the BIG-IP device as discovered by BIG-IQ Security. The current configuration is updated during a reimport/rediscovery and before calculating differences during the deployment process. After deployment (and after the resolution of any conflicting shared objects), BIG-IQ Security overwrites the BIG-IP current configuration (if the option Keep BIG-IQ Version is chosen).
Working configuration set
The configuration as maintained by the BIG-IQ Security system. Initially, the working configuration is created when the firewall manager elects to manage the device from BIG-IQ Security (DMA). It is the configuration that is edited on BIG-IQ Security and deployed back to BIG-IP devices.

Configuring devices to accept traffic

When using the BIG-IP device's self IP address during discovery, you must configure that device to accept traffic from a BIG-IQ Security system. Specifically, if the BIG-IP device has the Virtual Server & Self IP Contexts option set to Reject or Drop, the BIG-IP device will not accept traffic from the BIG-IQ system. Use the following procedure to set this option to Accept.

Alternately, you can add a rule to handle traffic between the self IP addresses of the BIG-IQ Security system and the self IP addresses of the specific BIG-IP device being discovered. In this scenario, you can leave the Virtual Server & Self IP Contexts option set to Reject or Drop.

In this case, ensure the following ports remain open:

  • 22 (SSH, TCP protocol)
  • 443 (HTTPS, TCP protocol)
  • 4353 (iQuery, TCP protocol)
Note: Whichever scenario you choose, configure the BIG-IP device to allow traffic to/from the self IP addresses of both BIG-IQ nodes in a BIG-IQ HA pair.
  1. On the BIG-IP device, on the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select Accept.
  3. Click Update.
Packets with BIG-IQ Security as the source are then able to pass through the BIG-IP firewall and traverse the system.
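When discovery fails against a device whose Virtual Server & Self IP Contexts option is still Reject or Drop, the first thing to confirm is that the three ports listed above are reachable from the BIG-IQ node. The following pre-discovery check is an added example, not F5 code: it attempts a TCP connection to 22, 443 and 4353 on the BIG-IP self IP and prints which ones are blocked. The connect function is injectable so the logic can be exercised offline; the address 192.0.2.10 is a documentation-range placeholder, not a real device.

```python
import socket
from typing import Callable, Dict, List, Tuple

# TCP ports the page says must stay open between the BIG-IQ and BIG-IP self IPs.
REQUIRED_TCP_PORTS: Dict[int, str] = {22: "SSH", 443: "HTTPS", 4353: "iQuery"}

ConnectFn = Callable[[str, int], bool]
Report = Dict[int, Tuple[str, bool]]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """One TCP connection attempt; True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable: all count as blocked
        return False


def check_discovery_ports(host: str, connect: ConnectFn = tcp_connect) -> Report:
    """Probe every required port and return {port: (service, reachable)}."""
    return {port: (service, connect(host, port))
            for port, service in REQUIRED_TCP_PORTS.items()}


def blocked_ports(report: Report) -> List[int]:
    """Ports from the report that could not be reached, sorted."""
    return sorted(port for port, (_, reachable) in report.items() if not reachable)


def format_report(host: str, report: Report) -> str:
    """Human-readable summary; says whether discovery would be expected to fail."""
    lines = [f"Discovery port check for {host}:"]
    for port, (service, reachable) in sorted(report.items()):
        lines.append(f"  {port:>5}/tcp {service:<7} {'open' if reachable else 'BLOCKED'}")
    missing = blocked_ports(report)
    if missing:
        lines.append(f"  result: discovery would fail; allow {missing} between the self IPs")
    else:
        lines.append("  result: required ports reachable")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Run this from each node of a BIG-IQ HA pair, since the page requires that
    # both nodes' self IPs be allowed by the BIG-IP device.
    targets = sys.argv[1:] or ["192.0.2.10"]   # placeholder BIG-IP self IP
    for target in targets:
        print(format_report(target, check_discovery_ports(target)))
```

Run it as `python3 check_ports.py <bigip-self-ip>` from the BIG-IQ node. A BLOCKED line for 443 or 4353 with the firewall rule approach in use usually means the allow rule does not cover the BIG-IQ self IP, which is the discovery failure the Note above warns about.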

Displaying device properties

You can display properties and health and performance statistics for an individual device to assist in identifying potential trouble spots.
  1. In the Devices panel, hover over the name of the device you want to examine until the gear icon appears, then display the properties in one of these ways:
    • Select Show Properties from the sub-menu.
    • Click the gear icon to expand the panel.
  2. Review the statistics in the properties screen for that device.

Device properties

Device properties are displayed for informational purposes mostly, and are read-only, except for the check boxes.

Device Address: IP address for the BIG-IP device entered at time of discovery and used for communication between the device and the BIG-IQ system.
Host Name: Fully-qualified domain name (FQDN), identified at discovery time.
Cluster Name: BIG-IP device cluster name, provided at discovery time.
IP Address / Management Address: IP address for the communication route to the BIG-IQ system internal self IP address.

Each managed device must be configured with a communication route from its internal self IP or management IP address to a BIG-IQ system internal self IP address on a configured BIG-IP VLAN. Otherwise, discovery fails. F5 recommends that you use a self IP address (on the BIG-IP device) to gain access to additional functionality that is not provided through the management port.

Username: User's login name. For example: admin.
Password: User's password.
Product: Identifies the product.
Version: Identifies the version and hotfix level of the device under management.
Status: (BIG-IQ Web Application Security) Status of the device under management (Active or Standby).
Snapshot: Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration.
Update Framework: Check box used to update the REST framework on the BIG-IP device on discovery or on save.
Check to overwrite the source of imported policies that already exist: Check box used to determine whether the discovery process overwrites the source of imported policies already on the BIG-IQ system.
Signature File Version: Identifies the BIG-IP version that the Attack Signature Database is packaged with.
Root Username: If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the discovery process. Enter the root user name, which is root by default.
Root Password: If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the discovery process.

Displaying the device inventory

From the BIG-IQ Network Security Devices panel, you can display an inventory with accompanying details for all devices under BIG-IQ Network Security central management. For further use, you can export this inventory to a CSV file.
  1. Navigate to the Devices panel.
  2. Hover over the name of the device for which you want to view an inventory.
  3. When the right-pointing arrow appears, click it to read inventory details.
    Name: Fully-qualified domain name (FQDN) for the BIG-IP device.
    Marketing Name: Marketing name of the platform. For example, BIG-IP Virtual Edition.
    Product: Product identity. For example, BIG-IP.
    Version: Version and hotfix level of the device under management.
    Build: Build level of the device under management.
    Mgmt IP Address: Management IP address for the BIG-IP device, used to manage the device.
    License: License end date and end time, registration key, and a list of active modules.
    Slots: For each slot, a listing of volume label, product occupying the slot, version, build, and cluster status (active, standby).
    Network Interfaces: Configured network interfaces.
    Serial Number: Serial number for the BIG-IP device.
    MAC Address: MAC address for the BIG-IP device.
    CPU Info: Manufacturer and technical details. For example, Intel(R) Xeon(R) CPU X5660 @ 2.80GHz.
    Memory (MB): Memory on the BIG-IP device.
    Platform: Platform identifier. For example, Z100.
    HAL ID: Hardware abstraction layer identifier. For example, 4208f88e-3f9e-0d7e-b75e-ca1dc2dd630c.
    UUID: Universally unique identifier. For example, 6b8bf5ef-bcb0-4d1b-b61f-8c95f70475a8.
  4. To exit from the inventory, click Close.

About device reimport/rediscovery

Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.

Some possible reasons to reimport include:

  • Additions, deletions, or changes made to management IPs or virtual servers on the BIG-IP device.
  • Changes to policies, firewall rules, shared objects, or signature files made locally on the BIG-IP device.
  • Updates made to the BIG-IP device's software that need to be recognized by BIG-IQ Security.

If any of these reasons occur, you must reimport/rediscover to reconcile any changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.

The reimport/rediscovery process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.

During reimport/rediscovery, a Remove Device button appears in the dialog box after the task has identified the device and started the import process. If you click Remove Device, the reimport/rediscovery is canceled, management authority over the device is rescinded, and the device is removed.

Reimporting or rediscovering devices

You reimport/rediscover BIG-IP devices to reconcile any configuration changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.

  1. Navigate to the Devices panel.
  2. Hover over the name of the device you want to import/reimport and when the gear icon appears, click it to display the expanded panel. You can modify only a few of the properties displayed.
    Host Name: Fully-qualified domain name (FQDN), identified at time of discovery.
    Cluster Name: BIG-IP device cluster name, provided at time of discovery.
    IP Address / Management Address: IP address for the communication route to the BIG-IQ system internal self IP address.

    Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP self IP address for discovery.

    Product: Product identity.
    Version: Version and hotfix level of the device under management.
    Status: (BIG-IQ Web Application Security) Active.
    Snapshot: Check box used to snapshot the configuration on the BIG-IP device before importing (the default).
    Username: Administrative login name. For example: admin.
    Password: Administrative password for this user.
    Update Framework: Check box used to update the REST framework installed on the BIG-IP device.

    Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this Update On Save check box.

    Root Username: If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the reimport process. Type the root user name, which is root by default.
    Root Password: If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the reimport process. Type the root password.
  3. In the Device Properties screen, click Add/Reimport.
After reimport/rediscovery, the configuration for the selected device is refreshed and synchronized with the configuration stored in BIG-IQ Security.

Monitoring device health and performance

Before you can view device properties, health, and performance, that device must be under central management.
You can assess the health and performance of your network to provide early intervention for trouble spots.
  1. Navigate to the Devices panel.
  2. To display properties and health and performance statistics for an individual device, hover over the name for that device (in the Devices panel).
  3. When the gear icon appears, select Show Properties from the sub-menu or click the gear to expand the panel.
  4. Scroll past the properties to examine the health and performance statistics for this device.