Manual Chapter: Overview BIG-IQ Security

Applies To: BIG-IQ Security 4.5.0

Understanding BIG-IQ Network Security and firewall management

BIG-IQ Network Security is a platform for the central management of firewalls across multiple BIG-IP systems on which firewall administrators have installed and provisioned the Advanced Firewall Manager (AFM) module.

The BIG-IQ Network Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deployment of configurations from snapshots, and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism
  • Monitoring of rules
  • Reports on security

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). BIG-IQ Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the BIG-IQ Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the BIG-IQ Network Security working configuration set. Unless local changes are reconciled, the next deployment overwrites them and the device's firewall configuration reverts to what the working configuration holds.

In addition, BIG-IQ Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
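The two rules above, that the working configuration is authoritative (so unreconciled local changes are lost on deployment) and that a policy must not be pushed to a device whose software version cannot support it, are the kind of thing worth checking before clicking Deploy. The following is an added example and is not BIG-IQ code; it does not use the BIG-IQ REST API. The object layout (name to body), the assumed "minVersion" field on a policy, the dotted numeric version format and the sample data are all constructed for illustration.

```python
"""Pre-deployment checks modelled on the BIG-IQ Network Security rules above.

Added example, not BIG-IQ's code. It models two rules from the text:
  1. The working configuration is authoritative; unreconciled local (BIG-IP)
     changes are overwritten on deployment, so a deploy should be blocked
     until the device is reimported.
  2. A policy must not be pushed to a device whose software version cannot
     support it.
The object representation and the 'minVersion' field are assumptions.
"""
import json
from typing import Any, Dict, List, Tuple

Config = Dict[str, Dict[str, Any]]   # object name -> object body (assumed shape)


def parse_version(v: str) -> Tuple[int, ...]:
    """'11.5.1' -> (11, 5, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in v.split("."))


def canonical(obj: Dict[str, Any]) -> str:
    """Stable serialisation so that key order alone never counts as a change."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def find_local_drift(working: Config, device: Config) -> Dict[str, List[str]]:
    """Compare the BIG-IQ working configuration with what is on the device.

    'modified_locally' and 'added_locally' are what a deployment would silently
    overwrite or remove; 'missing_on_device' is simply not yet deployed.
    """
    drift: Dict[str, List[str]] = {"modified_locally": [], "added_locally": [], "missing_on_device": []}
    for name in sorted(set(working) | set(device)):
        if name not in device:
            drift["missing_on_device"].append(name)
        elif name not in working:
            drift["added_locally"].append(name)
        elif canonical(working[name]) != canonical(device[name]):
            drift["modified_locally"].append(name)
    return drift


def version_blockers(working: Config, device_version: str) -> List[str]:
    """Policies whose (assumed) 'minVersion' is newer than the device's software."""
    dev = parse_version(device_version)
    return sorted(
        name for name, body in working.items()
        if body.get("kind") == "policy"
        and parse_version(body.get("minVersion", "0")) > dev
    )


def deployment_blockers(working: Config, device: Config, device_version: str) -> List[str]:
    """Human-readable reasons a deployment should not proceed (empty list = go)."""
    reasons: List[str] = []
    drift = find_local_drift(working, device)
    for name in drift["modified_locally"]:
        reasons.append(f"{name}: modified locally; reimport the device before deploying")
    for name in drift["added_locally"]:
        reasons.append(f"{name}: exists only on the device; reimport or it will be removed")
    for name in version_blockers(working, device_version):
        reasons.append(f"{name}: requires BIG-IP {working[name]['minVersion']} (device runs {device_version})")
    return reasons


# Constructed sample data, not taken from a real system.
WORKING: Config = {
    "AddressList_2": {"kind": "address-list", "addresses": ["10.0.0.0/8"]},
    "Rulelist_5": {"kind": "rule-list", "rules": ["allow-dns"]},
    "Policy_Edge": {"kind": "policy", "minVersion": "11.6.0", "ruleLists": ["Rulelist_5"]},
}
DEVICE: Config = {
    # Same object, keys in a different order and one address added locally.
    "AddressList_2": {"addresses": ["10.0.0.0/8", "192.168.1.0/24"], "kind": "address-list"},
    "Rulelist_5": {"kind": "rule-list", "rules": ["allow-dns"]},
    "HotfixList": {"kind": "address-list", "addresses": ["203.0.113.7/32"]},  # only on device
}

if __name__ == "__main__":
    for reason in deployment_blockers(WORKING, DEVICE, "11.5.1"):
        print("BLOCK:", reason)
```

Run against the sample data, the check reports the locally edited address list, the address list that exists only on the device, and the policy that the device's version cannot support; the policy that is merely not yet on the device is not a blocker. Reimporting the device into the working configuration is what clears the first two.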

Understanding Shared Security in BIG-IQ Security

BIG-IQ Security contains several groups of capabilities. The Shared Security group contains capabilities that can be used by objects in Network Security and by objects in Web Application Security.

You can manage each object using the Shared Security panels that BIG-IQ Security provides:

  • Virtual Servers
  • Self IPs
  • Route Domains
  • Logging Profiles
  • DoS Profiles
  • Device DoS

Understanding BIG-IQ Web Application Security and application management

BIG-IQ Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.

For each device that it discovers, the system creates an additional virtual server to hold all security policies that are not related to any virtual server on the device. To deploy a policy to a device, the policy must be attached to one of the device's virtual servers. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you have the option to deploy it as a new policy attached to an available virtual server or as an inactive policy.

From this central management platform, you can perform the following actions:

  • Import Application Security Manager (ASM) policies from files.
  • Import ASM policies from discovered devices.
  • Distribute policies to devices.
  • Export policies, including an option to export policy files in XML format.
  • Manage configuration snapshots.

About the BIG-IQ Security system interface

The BIG-IQ Security system interface provides many features to assist you in completing tasks.

About filtering

Using filtering, you can rapidly narrow the search scope to more easily locate an entity within the system interface. Each frame in the system interface has its own filter text entry field.

Note: When you begin typing in the text entry field, you may notice that your browser has cached entries from previous sessions. You can select from the list or continue typing.

You can filter from the Overview frame or you can filter from the Policy Editor frame. You can also search for related items in the Policy Editor frame.

Filtering the Overview frame

You can filter the contents of panels within each frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. Log in to BIG-IQ Network Security.
  2. Navigate to Network Security > Overview.
  3. In the filter text field, type the text you want to filter on and click Apply. Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in it anywhere in its JSON. Note that the system populates the top of each panel (under the Filter field) with the text you entered inside a gray box.
All panels are filtered on the text entered.

Clearing the filter in the Overview frame

You can easily clear the filters for all panels in BIG-IQ Network Security Overview, using Clear All.

  1. Log in to BIG-IQ Network Security.
  2. Navigate to Network Security > Overview.
  3. In the filter text field at the top of the interface, type the text you want to filter on and click Apply. Note that the system filters each panel (Devices, Deployment, and Snapshots). It also populates the top of each panel (under the Filter field) with the text you entered inside a gray box.
  4. Clear all text in the filter by clicking Clear All. To clear the filter for an individual panel instead, click the X to the right of the filter text shown at the top of that panel.
This action resets all panels and returns the system interface to a display of all objects.

Filtering the Policy Editor frame

You can filter the contents of panels within the Policy Editor frame to reduce the set of data that is visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. To filter the contents of the Policy Editor frame, log in to BIG-IQ Security.
  2. Navigate to Network Security > Policy Editor.
  3. In the filter text field, type the text you want to filter on and press Return. Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON. You can clear the filter field by clicking the X to the right of the filter field.
Objects are filtered on the text entered and a count for each appears to the right of each object type.

Filtering the Policy Editor toolbox frame

You can filter the contents of the toolbox (the bottom frame within the Policy Editor frame) to reduce the set of objects visible in the system interface. Filtering techniques can be important for troubleshooting.

  1. To filter the contents of the toolbox, log in to BIG-IQ Security.
  2. Navigate to Network Security > Policy Editor > Toolbox at the bottom of the right frame. The filter appears to the right of the Show dropdown list.
  3. In the filter text field, type the text you want to filter on and click the filter icon. Filtering works by performing a wildcard search of the underlying JSON, not just the name of the object. For example, if you type a 1 (the number one) in the filter, the system will display any object with a 1 in its JSON. You can clear the filter by clicking the X to the left of the filter field.
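Because the Overview, Policy Editor and toolbox filters all match against an object's whole JSON rather than its name, a short filter such as "1" shows objects whose names contain no "1" at all (an address, a port or a timestamp is enough). The following added example models that behaviour so the over-matching can be seen; it is not BIG-IQ code. Case-insensitive matching, and matching on key names as well as values, are assumptions, and the objects are constructed.

```python
"""Model of the Overview / Policy Editor / toolbox filter described above.

Added example, not BIG-IQ code: it reproduces the documented behaviour that a
filter string is matched against an object's whole JSON, not just its name,
and shows why a short filter such as "1" over-matches. Case-insensitive
matching and matching on key names are assumptions; the objects are constructed.
"""
import json
from collections import Counter
from typing import Any, Dict, List

Obj = Dict[str, Any]

# Constructed stand-ins for shared objects shown in the Policy Editor.
OBJECTS: List[Obj] = [
    {"type": "address-list", "name": "corp-nets", "addresses": ["10.0.0.0/8", "172.16.0.0/12"]},
    {"type": "port-list", "name": "web-ports", "ports": [80, 443]},
    {"type": "rule-list", "name": "dns-out", "rules": [{"name": "allow-dns", "port": 53}]},
    {"type": "schedule", "name": "maintenance", "end": "2014-12-01T00:00:00Z"},
]


def matches(obj: Obj, text: str) -> bool:
    """True if `text` occurs anywhere in the object's serialised JSON."""
    doc = json.dumps(obj, sort_keys=True).lower()
    return text.lower() in doc


def filter_objects(objects: List[Obj], text: str) -> List[str]:
    """Names of the objects a filter would leave visible (empty filter = all)."""
    return [o["name"] for o in objects if not text or matches(o, text)]


def filter_counts(objects: List[Obj], text: str) -> Dict[str, int]:
    """Per-type match counts, like the numbers shown beside each object type."""
    counts = Counter({o["type"]: 0 for o in objects})   # keep zero rows for unmatched types
    for o in objects:
        if matches(o, text):
            counts[o["type"]] += 1
    return dict(counts)


def name_only(objects: List[Obj], text: str) -> List[str]:
    """What a name-only filter would return, for comparison."""
    return [o["name"] for o in objects if text.lower() in o["name"].lower()]


if __name__ == "__main__":
    for text in ("1", "port", "dns"):
        print(f"filter {text!r}: json-wide {filter_objects(OBJECTS, text)}, "
              f"name-only {name_only(OBJECTS, text)}, counts {filter_counts(OBJECTS, text)}")
```

With the sample objects, "1" matches the address list (via "10.0.0.0/8") and the schedule (via its timestamp) although neither name contains a 1, and "port" matches the rule list through the nested "port": 53 field. When you are filtering to audit which objects reference a specific address or port, use the longest distinctive string you have (the full address or "port": value) rather than a fragment.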

Filtering the Policy Editor for related objects

You can filter the contents of panels within the Policy Editor frame to show objects related to a selected object.

  1. To filter for related objects within the Policy Editor frame, log in to BIG-IQ Network Security.
  2. Navigate to Network Security > Policy Editor.
  3. Locate the object you want to filter on in either the left panel (under Objects) or in the toolbox at the bottom of the right frame.
  4. Right-click the object.
  5. Click Filter 'related to'. You can clear the Related to filter by clicking the X to the right of the text under the filter field.
All object types in the left frame are filtered and a count of each related to object found appears to the right of each object type.

About panels

BIG-IQ Security system panels expand to display details such as settings or properties for a particular device or shared object. These expanded panels include a triangle slanted at a 45-degree angle on the right side of their headers. If the triangle is slanted up, you can click it to widen the panel. If the triangle is slanted down, you can click it to collapse the panel. You can also click Cancel to close the panel without saving edits or initiating actions.

Expanding panels

You can expand the BIG-IQ system panels to display settings or properties for a particular device or shared object.
  1. Hover over the panel header and click the + icon to widen the panel and create the object (device, deployment, snapshot, and so on).
  2. Hover over the object name and click the gear icon to expand the panel and view properties for the object, to edit the object, or to initiate other actions.

Reordering panels

You can customize the BIG-IQ system interface by arranging the panels to suit your needs.
To reorder panels, drag and drop them to the new locations of your choice.
The customized order persists until you clear the browser history/cache/cookies.

About browser resolution

F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.

It is possible to shrink the browser screen so that system interface elements (panels, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.

Setting user preferences

As a firewall policy editor, you can customize the BIG-IQ Network Security system interface to minimize the information displayed, and to simplify routine editing sessions.
Note: Setting user preferences is not available through the BIG-IQ Web Application Security system interface.

For example, you can customize the set of panels displayed for a particular user. If that user never performs deployments, you might decide to hide the Deployment panel.

Note: Hiding a panel is a display preference only, not an access control. Users retain whatever access their roles grant to the hidden resources; they have simply chosen not to display them.

User preference settings persist across sessions. If users log out, they see the same settings when logging back in.

By default, BIG-IQ Network Security replicates user preferences in BIG-IQ high-availability (HA) scenarios.

  1. Log in to the BIG-IQ Network Security system.
  2. At the top-right of the screen in the black banner, hover over the admin icon.
  3. When User settings appears, click it to display the Settings popup screen.
  4. Edit the check box options as required for your role.
    • Rule Grid Columns: Select or clear the check boxes as required. By default, the system interface displays all columns.
    • Show Panels: Select or clear the check boxes as required. By default, the system interface displays all panels.
    • Show Firewall Types: Select or clear the check boxes as required. By default, the system interface displays all firewall contexts in the Firewall Contexts panel.
  5. Click Save to save your preferences or click Close to close the popup screen without saving your selections.
Selected preferences are now in effect and persist across user sessions. If you log out, you will see the same settings when you log back in.

About multi-user editing

Within the BIG-IQ Security system, multiple firewall editors can edit shared firewall policy objects simultaneously. This is accomplished through a locking mechanism that avoids conflicts and merges. Initially, the user interface presents all firewall configuration objects as read-only. When a firewall editor initiates an editing session, she locks the object. Once an object is locked, no one can modify or delete that object except the holder of the lock or users with privileges sufficient to break the lock (Administrator, Network_Security_Manager, or Security_Manager).

BIG-IQ Security uses a single repository to hold firewall policies. With this single-copy design, multiple editors share the editing task through a locking mechanism. The system saves each editorial change.

Each firewall editor has her own copy of a firewall policy (a point-in-time snapshot of the policy managed by BIG-IQ across all devices) and can make changes. When done, an editor can push the changes to the preferred state as one, complete set of changes. Then, a firewall administrator can review a policy change as a single entity before committing it.

For example:

  1. If a firewall editor needs to edit Portlist_1, AddressList_2, and Rulelist_5, the editor locks those objects.
  2. When the edit pass is complete, the editor saves the object, which clears the lock.

If an editor wants to edit an object that is already locked, the system informs the editor that the object is locked and provides a way to clear the lock if the editor has sufficient privileges.

When the lock is cleared, the next firewall editor receives the latest version of the object and any referenced shared objects. Thus, merges and conflicts are avoided.

Deleting an object automatically clears all locks associated with it.

BIG-IQ Security supports:

  • Multiple, independent locks.
  • Locking/unlocking on an object-by-object basis where the object is defined as a shared object or a firewall.
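The locking rules described in this section, together with the lock-clearing rules in the procedures that follow (the owner may always clear a lock, only the Administrator, Network_Security_Manager and Security_Manager roles may clear someone else's, and deleting an object clears its lock), fit in a small model. The following is an added example and not BIG-IQ code; it does not talk to a BIG-IQ system. The in-memory registry, the object types, and every user and role name other than the three lock-breaking roles named in the text are assumptions.

```python
"""Model of the BIG-IQ Security object-locking rules described above.

Added example: it is not BIG-IQ code and does not call the BIG-IQ API. The
in-memory registry, the object kinds, and the user/role names other than the
three lock-breaking roles from the text are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Roles the text says may clear a lock held by any user.
LOCK_BREAKERS = {"Administrator", "Network_Security_Manager", "Security_Manager"}
# Object kinds the text says can be locked.
LOCKABLE = {"firewall", "policy", "rule-list", "address-list", "port-list", "schedule"}


class LockError(Exception):
    """Raised when a lock cannot be taken, saved through, or cleared."""


@dataclass
class Lock:
    owner: str
    created: datetime
    description: str = ""


@dataclass
class LockRegistry:
    """One lock per object; many independent locks across the registry."""
    objects: Dict[str, str]                                  # name -> kind (assumed shape)
    locks: Dict[str, Lock] = field(default_factory=dict)
    versions: Dict[str, int] = field(default_factory=dict)   # saved edits per object

    def lock(self, name: str, user: str, now: Optional[datetime] = None) -> Lock:
        """Start an editing session: the 'Edit' button in the UI."""
        kind = self.objects.get(name)
        if kind is None or kind not in LOCKABLE:
            raise LockError(f"{name!r} is not a lockable object")
        held = self.locks.get(name)
        if held is not None and held.owner != user:
            raise LockError(f"{name} is locked by {held.owner} since {held.created.isoformat()}")
        self.locks[name] = Lock(user, now or datetime.now(timezone.utc))
        return self.locks[name]

    def save(self, name: str, user: str) -> int:
        """Commit the edit; only the holder may save, and saving releases the lock."""
        held = self.locks.get(name)
        if held is None or held.owner != user:
            raise LockError(f"{user} does not hold the lock on {name}")
        self.versions[name] = self.versions.get(name, 0) + 1   # next editor sees this version
        del self.locks[name]
        return self.versions[name]

    def unlock(self, name: str, user: str, role: str) -> bool:
        """Clear a lock: the owner always may; others only with a lock-breaking role."""
        held = self.locks.get(name)
        if held is None:
            return False
        if held.owner != user and role not in LOCK_BREAKERS:
            raise LockError(f"{user} ({role}) may not break {held.owner}'s lock on {name}")
        del self.locks[name]
        return True

    def unlock_many(self, names: List[str], user: str, role: str) -> List[str]:
        """The multi-select 'Unlock' popup: clear several locks in one action."""
        return [n for n in names if self.unlock(n, user, role)]

    def delete(self, name: str) -> None:
        """Deleting an object clears any lock on it."""
        self.objects.pop(name, None)
        self.locks.pop(name, None)
        self.versions.pop(name, None)

    def view_all(self) -> List[Tuple[str, str, str, str, str]]:
        """The 'View All' popup: type, name, user, timestamp, description."""
        return [(self.objects[n], n, lk.owner, lk.created.isoformat(), lk.description)
                for n, lk in sorted(self.locks.items())]


def attempt(fn: Callable, *args) -> Optional[str]:
    """Run a registry call and return its LockError message, or None on success."""
    try:
        fn(*args)
        return None
    except LockError as exc:
        return str(exc)


def sample_registry() -> LockRegistry:
    """Constructed object set using the names from the text (Virtual_1 is assumed)."""
    return LockRegistry({"Portlist_1": "port-list", "AddressList_2": "address-list",
                         "Rulelist_5": "rule-list", "Virtual_1": "virtual-server"})


if __name__ == "__main__":
    reg = sample_registry()
    for name in ("Portlist_1", "AddressList_2", "Rulelist_5"):
        reg.lock(name, "alice")                                          # the editor locks her objects
    print(attempt(reg.lock, "Portlist_1", "bob"))                        # locked by alice
    print(attempt(reg.unlock, "Portlist_1", "bob", "Network_Security_Edit"))  # role cannot break locks
    print(reg.unlock("Portlist_1", "carol", "Security_Manager"))         # True: privileged break
    print(reg.save("AddressList_2", "alice"))                            # 1: saved, lock released
    reg.delete("Rulelist_5")                                             # lock cleared with the object
    print(reg.view_all())                                                # []
```

The point the model makes explicit is that breaking a lock is a privileged operation on its own, separate from the ability to edit: an editor who can lock an object still cannot clear another editor's lock, and a lock that an editor walks away from (the "No" choice in the save dialog) stays in place until its owner saves or one of the three privileged roles clears it.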

Locking configuration objects for editing

You establish a lock on a configuration object so that you alone can edit it.
Note: If you have editing privileges, you can lock firewalls, policies, rule lists, address lists, port lists, and schedules.
  1. Navigate to the object that you want to edit.
  2. Hover over the name of that object, and click the gear icon to expand the panel and display object details. If an Edit button is visible, you can edit the object. If the object is already locked, a lock message is visible and there is no Edit button available.

    The lock header provides a date and time stamp of the lock.

  3. If an Edit button is visible, click it to lock the object for editing. A lock appears on the object name, and a lock message displays.
  4. Edit as appropriate.
  5. When finished, click Save. If you navigate away from the panel before saving your changes, the system interface displays a dialog box asking if you want to save changes before leaving the panel.

    Click Yes to save your edits and release the lock.

    Click No to discard your edits and navigate to the location you requested. The lock is not released: the object stays locked under your name until you save it or the lock is cleared.

    Click Cancel to retain your edits, retain the lock on the object, and return to the object you were editing.

Viewing locks on all configuration objects

BIG-IQ Security provides a way to view all locked configuration objects from a single popup screen.
  1. Examine all panels to locate locked configuration objects.
  2. Navigate to a locked object.
  3. Hover over the lock icon. A tooltip shows the owner of the lock and the date and time the lock was created, as well as a link labeled View All.
  4. Click View All.
The Locks popup screen opens, showing type, name, user, date and time, and a description for all locked objects.

Clearing locks on configuration objects

The owner of a lock can always clear that lock to enable editing by other users. Other roles (Administrator, Network_Security_Manager, Security_Manager) also carry sufficient privileges to clear locks held by any user.
  1. Examine all panels to locate locked configuration objects.
  2. Search for the object whose lock you want to clear.
  3. Hover over the lock icon to the left of the object's name in the panel. A tooltip shows the owner of the lock, and the date and time the lock was created, as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  4. In the tooltip, click Unlock.
  5. In the confirmation dialog box, click Unlock.
The lock is cleared.

Clearing multiple locks or all locks

BIG-IQ Security provides a way to clear multiple locks or all locks from a single popup screen, provided that the user carries sufficient privileges (Administrator, Network_Security_Manager, Security_Manager).
  1. Examine all panels to locate locked configuration objects.
  2. Hover over the lock icon to the left of any locked object in any panel. A tooltip shows the owner of the lock, and the date and time the lock was created, as well as a link labeled View All. If your role carries sufficient privileges, you will also see a link labeled Unlock.
  3. In the tooltip, click Unlock.
  4. In the popup screen that opens, select or clear check boxes as appropriate (or select the check box at the top to clear all locks).
  5. Click Unlock.
  6. In the confirmation dialog box, click Unlock.
The locks are cleared.