BIG-IQ Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP systems, where firewall administrators have installed and provisioned the Advanced Firewall Manager (AFM) module.
The BIG-IQ Network Security system provides:
Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.
Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.
Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.
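The overwrite rule above is easy to state and easy to violate in practice, so the following added example (not F5's code or API; the configuration shape, field names and the reimport behaviour are assumptions constructed here) models a pre-deployment drift check: it compares the working configuration with a device's current configuration, refuses to deploy while unreconciled local changes exist, and shows how a reimport folds those changes back into the working set before deployment.

```python
"""
Added example modelling the "reconcile before you deploy" rule.
Not F5's implementation or API: the config layout, the reimport()
semantics and the sample data are assumptions made for illustration.
"""
from copy import deepcopy

# Constructed sample: what the working configuration holds for a device,
# and what the device itself has after someone edited it locally.
WORKING_CONFIG = {
    "address_lists": {"dmz": ["10.0.1.0/24"]},
    "rules": {"allow-dns": {"action": "accept", "port": 53}},
}
DEVICE_CONFIG = {
    "address_lists": {"dmz": ["10.0.1.0/24", "10.0.2.0/24"]},   # added locally
    "rules": {
        "allow-dns": {"action": "accept", "port": 53},
        "allow-ssh": {"action": "accept", "port": 22},           # added locally
    },
}


def flatten(cfg, prefix=()):
    """Flatten nested dicts to {path_tuple: leaf} so two configs compare key-wise."""
    out = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + (key,)))
        else:
            out[prefix + (key,)] = value
    return out


def find_drift(working, device):
    """Return every path whose value differs between the working set and the device."""
    w, d = flatten(working), flatten(device)
    drift = {}
    for path in sorted(set(w) | set(d)):
        if w.get(path) != d.get(path):
            drift[path] = {"working": w.get(path), "device": d.get(path)}
    return drift


def reimport(working, device):
    """Reconcile by reimporting: the device's local state is copied into the working set."""
    merged = deepcopy(working)
    for path, values in find_drift(working, device).items():
        node = merged
        for key in path[:-1]:
            node = node.setdefault(key, {})
        if values["device"] is None:
            node.pop(path[-1], None)       # deleted locally: drop it from the working set
        else:
            node[path[-1]] = values["device"]
    return merged


def deploy(working, device, force=False):
    """Push the working configuration, but refuse while unreconciled drift exists.

    With force=True the push proceeds and the device ends up identical to the
    working set, i.e. every local change is overwritten, as the text warns.
    """
    drift = find_drift(working, device)
    if drift and not force:
        return {"deployed": False, "drift": drift}
    return {"deployed": True, "drift": drift, "device_after": deepcopy(working)}
```

Running `deploy(WORKING_CONFIG, DEVICE_CONFIG)` reports the two locally added items and does not push; `deploy(reimport(WORKING_CONFIG, DEVICE_CONFIG), DEVICE_CONFIG)` succeeds with no drift, while `force=True` pushes anyway and silently discards the local additions.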
In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
BIG-IQ Security contains several groups of capabilities. The Shared Security group contains capabilities that can be used by objects in Network Security and by objects in Web Application Security.
You can manage each object using the Shared Security panels that BIG-IQ Security provides:
BIG-IQ Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.
For each device that it discovers, the system creates an additional virtual server to hold all security policies that are not related to any virtual server on the device. To deploy a policy to a device, the policy must be attached to one of the device's virtual servers. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you have the option to deploy it as a new policy attached to an available virtual server or as an inactive policy.
From this central management platform, you can perform the following actions:
The BIG-IQ Security system interface provides many features to assist you in completing tasks.
Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.
You can filter from the Overview frame or you can filter from the Policy Editor frame. You can also search for related items in the Policy Editor frame.
You can filter the contents of panels within each frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.
You can easily clear the filters for all panels in BIG-IQ Network Security Overview, using Clear All.
You can filter the contents of panels within the Policy Editor frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.
You can filter the contents of the toolbox (the bottom frame within the Policy Editor frame) to reduce the set of objects visible in the system interface. Filtering techniques can be important for troubleshooting.
You can filter the contents of panels within the Policy Editor frame to show objects related to a selected object.
BIG-IQ Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include a triangle slanted at a 45-degree angle on the right side of their headers. If the triangle is slanted up, you can click it to widen the panel. If the triangle is slanted down, you can click it to collapse the panel. You can also click Cancel to close the panel without saving edits or initiating actions.
F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.
It is possible to shrink the browser screen so that system interface elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.
For example, you can customize the set of panels displayed for a particular user. If that user never performs deployments, you might decide to hide the Deployment panel.
User preference settings persist across sessions. If users log out, they see the same settings when logging back in.
By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.
| Setting | Description |
|---|---|
| Rule Grid Columns | Select or clear the check boxes as required. By default, the system interface displays all columns. |
| Show Panels | Select or clear the check boxes as required. By default, the system interface displays all panels. |
| Show Firewall Types | Select or clear the check boxes as required. By default, the system interface displays all firewall contexts in the Firewall Contexts panel. |
Within the BIG-IQ Security system, multiple firewall editors can edit shared firewall policy objects simultaneously. This is accomplished through a locking mechanism that avoids conflicts and merges. Initially, the user interface presents all firewall configuration objects as read-only. When a firewall editor initiates an editing session, she locks the object. Once an object is locked, no one can modify or delete that object except the holder of the lock or users with privileges sufficient to break the lock (admin, Firewall_Manager, or Security_Manager).
BIG-IQ Security uses a single repository to hold firewall policies. With this single-copy design, multiple editors share the editing task through a locking mechanism. The system saves each editorial change.
Each firewall editor has her own copy of a firewall policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one complete set of changes. A firewall administrator can then review the policy change as a single entity before committing it.
If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges.
When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided.
Deleting an object automatically clears all locks associated with it.
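To make the locking rules above concrete, here is an added example that models them in code. It is not F5's implementation or API; the class and method names, the way roles are represented, and the sample policy are assumptions made here, while the three lock-breaking roles are the ones the text names. It covers the behaviours described: objects are read-only until an editor takes the lock, a second editor is refused, only the holder or a privileged role can clear the lock, saving releases the lock and hands the next editor the latest version, and deleting an object clears its lock.

```python
"""
Added example modelling the object-locking scheme described on this page.
Not F5's code or API: names, role handling and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Roles the page lists as able to break another editor's lock.
LOCK_BREAKERS = {"admin", "Firewall_Manager", "Security_Manager"}


class LockError(Exception):
    """Raised when an operation is refused because of an existing lock."""


@dataclass
class Lock:
    holder: str
    acquired_at: datetime          # the date/time stamp shown in the lock header


@dataclass
class SharedObject:
    """A shared firewall object (policy, rule list, address list, ...)."""
    name: str
    version: int = 1
    body: dict = field(default_factory=dict)
    lock: Optional[Lock] = None


class WorkingConfiguration:
    """Hypothetical single repository holding the shared firewall objects."""

    def __init__(self) -> None:
        self._objects: dict = {}

    def add(self, obj: SharedObject) -> None:
        self._objects[obj.name] = obj

    def get(self, name: str) -> SharedObject:
        return self._objects[name]

    def begin_edit(self, name: str, user: str) -> SharedObject:
        """Start an editing session: take the lock, or be refused if another user holds it."""
        obj = self.get(name)
        if obj.lock is not None and obj.lock.holder != user:
            raise LockError(f"{name} is locked by {obj.lock.holder} since "
                            f"{obj.lock.acquired_at.isoformat()}")
        if obj.lock is None:
            obj.lock = Lock(holder=user, acquired_at=datetime.now(timezone.utc))
        return obj                  # always the latest committed version

    def break_lock(self, name: str, user: str, roles: set) -> None:
        """Clear someone else's lock; only the holder or a privileged role may do this."""
        obj = self.get(name)
        if obj.lock is None:
            return
        if obj.lock.holder != user and not (roles & LOCK_BREAKERS):
            raise LockError(f"{user} lacks the privilege to break the lock on {name}")
        obj.lock = None

    def save(self, name: str, user: str, changes: dict) -> int:
        """Commit the edits as one set, bump the version and release the lock."""
        obj = self.get(name)
        if obj.lock is None or obj.lock.holder != user:
            raise LockError(f"{user} does not hold the lock on {name}")
        obj.body.update(changes)
        obj.version += 1
        obj.lock = None
        return obj.version

    def delete(self, name: str, user: str, roles: set) -> None:
        """Delete an object; deletion clears any lock associated with it."""
        obj = self.get(name)
        if obj.lock is not None and obj.lock.holder != user and not (roles & LOCK_BREAKERS):
            raise LockError(f"{name} is locked by {obj.lock.holder}")
        obj.lock = None
        del self._objects[name]


def contended_edit() -> dict:
    """Two editors contend for one policy; returns what each of them observed."""
    wc = WorkingConfiguration()
    wc.add(SharedObject("web-policy", body={"default_action": "drop"}))   # constructed sample
    wc.begin_edit("web-policy", "alice")
    second_editor_blocked = False
    try:
        wc.begin_edit("web-policy", "bob")
    except LockError:
        second_editor_blocked = True
    new_version = wc.save("web-policy", "alice", {"rule_lists": ["allow-http"]})
    seen_by_bob = wc.begin_edit("web-policy", "bob")   # bob now gets alice's committed version
    return {"blocked": second_editor_blocked, "saved_version": new_version,
            "bob_sees_version": seen_by_bob.version}
```

`contended_edit()` returns `{"blocked": True, "saved_version": 2, "bob_sees_version": 2}`: the second editor is refused while the lock is held, and once the first editor saves, the next editor starts from the updated object rather than a stale copy, which is how the design avoids merges.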
BIG-IQ Security supports:
The lock header provides a date and time stamp of the lock.
Click Yes to save your edits and release the lock.
Click No to discard your edits and navigate to the location you requested without releasing the lock.
Click Cancel to retain your edits, retain the lock on the object, and return to the object you were editing.