Manual Chapter: Device Discovery and Declaring Management Authority

Devices panel

The Devices panel displays the discovered BIG-IP devices for which the BIG-IQ Security system is managing the firewall configurations that it imported. The panel also provides a way to initiate import of additional BIG-IP devices.

To initiate a discovery, hover in the banner of the Devices panel and when the (+) icon appears, click it to display the Add Device flyout. To add a device, populate the fields and click Add. Or, click Cancel to close the flyout without starting the task and without saving any entries.

To get help about adding a BIG-IP device, hover in the banner of the Devices panel and click the (+) icon. Then click the (?) help icon in the top right corner of the interface.

To display properties for a device, hover over an individual device header (in the Devices panel) and click the gear icon.

About installing required BIG-IQ system components on managed BIG-IP systems

You must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. To install these components, you run a series of commands from the command line.

Installing required BIG-IQ components on BIG-IP systems

You can perform this task only after you have licensed and installed the BIG-IQ system and at least one BIG-IP device running version 11.3 or later.
This task installs, onto your managed BIG-IP devices, a REST framework that supports the required Java-based management services. You must perform this installation task each time you discover a new device.
Important: When you run this installation script, the traffic management interface (TMM) on each BIG-IP device restarts. It is important that, before you run this script, you verify that no critical network traffic is targeted to the BIG-IP devices.
  1. Log in to the BIG-IQ system terminal as the root user.
  2. Establish SSH trust between the BIG-IQ system and the managed BIG-IP device:
     ssh-copy-id root@<BIG-IP Management IP Address>
     This step is optional. If you do not establish trust, you must provide the BIG-IP system's root password multiple times.
  3. Navigate to the folder in which the files reside:
     cd /usr/lib/dco/packages/upd-adc
  4. Run the installation script.
    • For devices installed in an Amazon EC2 environment:
      ./update_bigip.sh -a admin -p <password> -i /<path_to_PEM_file> <BIG-IP Management IP Address>
    • For devices installed in any other environment:
      ./update_bigip.sh -a admin -p <password> <BIG-IP Management IP Address>
    Where <password> is the administrator password for the BIG-IP device.
  5. Revoke SSH trust between the BIG-IQ system and the managed BIG-IP device:
     ssh-keygen -R <BIG-IP Management IP address>
     This step is not required if you did not establish trust in step 2.
     Note: ssh-keygen -R removes only the BIG-IP host key from the BIG-IQ system's known_hosts file. The BIG-IQ public key that ssh-copy-id placed in the root account's authorized_keys file on the BIG-IP device stays there until you remove it on that device.

Declaring management authority

Firewall administrators are often responsible for the security policy on many firewall devices in a given network. Rather than log into each device to manage the security policy locally, it is expedient to use one interface to manage many devices. Not only does this simplify logistics, but it enables you to maintain a common set of firewall configuration objects and deploy a common set of rules, rule lists, and policies to multiple, similar devices from a central interface.

Once a firewall device is designated for central management, it should no longer be managed locally unless there is an exceptional need.

Note: If changes are made locally (on the BIG-IP device), you should reimport the device to reconcile those changes with the BIG-IQ Security system. Unless local changes are reconciled, the deployment process overwrites any changes made locally on a BIG-IP system.

The process of designating a firewall device for central management is called declaring management authority (DMA).

The process of declaring management authority is modal. This means that once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. When the DMA task starts, the BIG-IQ Security system opens a screen, which does not close until the task is complete or canceled. Canceling the task removes the device being imported or reimported.

Because DMA is modal, be prepared to resolve any conflicts prior to starting a discovery or reimport process. BIG-IQ Security displays conflicts in a popup screen after discovery, and you must resolve all conflicts before continuing on to other tasks or interacting with BIG-IQ Security in any other way (except to cancel the DMA process).

Once a device is under central management, the device configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration entities (shared objects).

To declare management authority

Important: Before you declare management authority for one or more BIG-IP systems, you must install the required BIG-IQ components on those BIG-IP systems.
  1. Log into the BIG-IQ Security system with user name and password credentials.
  2. Navigate to the Devices panel. On the first login, this panel is empty (no discovered devices).
  3. Hover in the Devices banner and click the (+) icon.
  4. In the Add Device flyout, enter the BIG-IP device IP address, user name, and password.
  5. To confirm and start the discovery, click Add. Click Cancel to cancel the operation, collapse the flyout, and return to the Devices panel.

After discovery, the BIG-IP device is listed in the Devices panel. The firewall policy for a selected BIG-IP device is then available for configuration management and deployment.

Devices panel: Adding BIG-IP devices

Initiating Discovery

Important: Before you declare management authority for one or more BIG-IP systems, you must install the required BIG-IQ components on those BIG-IP systems.

To initiate discovery from the Add Device flyout, populate the property fields and click Add. Or, click Cancel to cancel the operation and close the Add Device flyout without saving entries.

  • Device address. Enter the BIG-IP device self IP. Be sure that the BIG-IP system self IP has a route to a configured BIG-IP VLAN.
  • Cluster Name. Designates that multiple BIG-IP devices are in a clustered relationship. Enter a name to reference a group of clustered BIG-IP devices. This name is case-sensitive; although it is not a required field, it cannot be added later.
  • Username. Enter the admin user name for the BIG-IP device.
  • Password. Enter the admin password for the BIG-IP device.

Note: DNS aliases are not supported for device discovery.

The discovery process known as declaring management authority (DMA) proceeds as follows:

  1. The BIG-IQ Security system gathers firewall data from the BIG-IP device.
  2. BIG-IQ Security verifies that the version running on the BIG-IP device is supported.
  3. BIG-IQ Security synchronizes the global, route domain, and virtual server configurations if previous cluster members exist.
  4. BIG-IQ Security compares incoming data with any existing data to identify conflicts.
  5. The firewall admin (user) resolves any conflicts.
  6. The firewall admin (user) commits the data and deploys to the BIG-IP device.

The discovery process is modal, which means that once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled manually. Canceling the process also removes the device being discovered. Because discovery is modal, be prepared to resolve any conflicts before continuing on to other tasks or interacting with BIG-IQ Security in any other way (except to cancel the DMA process).

If discovery fails for a BIG-IP device that has recently received an upgrade and if you used the self IP to discover it, log in to the BIG-IP device and verify that it has retained its self IP address through the upgrade process.

Device discovery states are displayed during the discovery process.

Conflict Resolution

Conflicts can prevent the discovery process from running to completion.

Note: A conflict is defined as two shared objects having the same name but containing different data.

If a conflict is found, BIG-IQ Security displays the Resolve Conflicts screen, which lists all conflicts found. Resolve each conflict by selecting an option from the object's Action drop-down list and clicking Resolve.

By default, all conflict resolutions are set to No Action, which indicates that no resolution has yet been selected for the conflict.

The Resolve Conflicts screen also includes an option you can use to apply a single action to all conflicts listed. Resolve all conflicts by selecting an option from the drop-down list and clicking Resolve.

Note: You must select an action other than No Action or conflicts will not be resolved and the DMA process will not complete.

Each conflict is listed in the table with the following content:

  • On BIG-IP (device IP address). Name of the shared object on the BIG-IP device.
  • On BIG-IQ. Name of the shared object on BIG-IQ Security.
  • Type. Type of shared object in conflict: address list, port list, rule list, policy, or schedule.
  • Action. Select from the following actions to resolve conflicts:
    • Keep Both. Retain both objects as configured. BIG-IQ Security changes the name on the incoming object to resolve the conflict. Then, it updates rules with the new object name. The new object name includes the device name so it can easily be found.
    • No Action. This option does not resolve the conflict and prevents the discovery process from completing.

      If you are not ready to resolve the conflicts but need to perform other firewall management tasks, cancel the discovery process and come back to it later.

    • Use BIG-IP Version. Keep the object as configured on the BIG-IP device and overwrite the object as configured in the central BIG-IQ Security database.
    • Use BIG-IQ Version. Keep the object as configured on BIG-IQ Security and overwrite the object as configured on the BIG-IP device.
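The conflict definition and the three resolving actions described above, as an added Python model that is not part of the BIG-IQ product or this manual. The shared-object and rule data are constructed sample values, and the exact form of the Keep Both rename (object name followed by the device name) is an assumption.

```python
"""Model of DMA conflict resolution (added example, not F5 code)."""
from copy import deepcopy

KEEP_BOTH, USE_BIGIP, USE_BIGIQ, NO_ACTION = (
    "Keep Both", "Use BIG-IP Version", "Use BIG-IQ Version", "No Action")

# Constructed sample data, keyed by (type, name): one address list differs.
BIGIP_OBJECTS = {
    ("address list", "web-servers"): ["10.0.0.5", "10.0.0.6"],
    ("port list", "http"): [80, 443],
    ("port list", "ssh"): [22],
}
BIGIP_RULES = [{"name": "allow-web", "address list": "web-servers", "port list": "http"}]
BIGIQ_OBJECTS = {
    ("address list", "web-servers"): ["10.0.0.5"],
    ("port list", "http"): [80, 443],
}

def find_conflicts(bigip_objs, bigiq_objs):
    """A conflict is the same (type, name) on both sides with different data."""
    return sorted(k for k in bigip_objs if k in bigiq_objs and bigip_objs[k] != bigiq_objs[k])

def resolve(bigip_objs, bigip_rules, bigiq_objs, actions, device_name):
    """Apply one action per conflict; return (merged objects, rewritten device rules).
    Any conflict left at No Action raises, because DMA cannot complete."""
    merged, rules = deepcopy(bigiq_objs), deepcopy(bigip_rules)
    for key in find_conflicts(bigip_objs, bigiq_objs):
        action = actions.get(key, NO_ACTION)
        if action == NO_ACTION:
            raise ValueError(f"unresolved conflict: {key}")
        if action == USE_BIGIP:
            merged[key] = bigip_objs[key]       # device copy overwrites the BIG-IQ copy
        elif action == KEEP_BOTH:
            obj_type, name = key
            new_name = f"{name}-{device_name}"  # assumed rename form: name plus device name
            merged[(obj_type, new_name)] = bigip_objs[key]
            for rule in rules:                  # repoint rules that referenced the old name
                if rule.get(obj_type) == name:
                    rule[obj_type] = new_name
        # USE_BIGIQ: keep the BIG-IQ copy; the device copy is overwritten on deploy
    for key, data in bigip_objs.items():        # non-conflicting objects import unchanged
        merged.setdefault(key, data)
    return merged, rules
```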

Managing Firewalls for Clustered BIG-IP Devices

To manage firewalls for clustered BIG-IP devices:

  1. Synchronize the configurations of the BIG-IP devices before initiating discovery by BIG-IQ Security.
  2. Discover the first BIG-IP device. When entering the required properties, enter a cluster name that you will continue to use to define the group of devices that are clustered.
    Note: Do not use the floating self IP address for discovery.
  3. Discover the second BIG-IP device and enter the same cluster name.
  4. Resolve any conflicts.
  5. Make any desired changes to either device. The BIG-IQ Security system keeps the working configurations in sync for the global, route domain, and virtual server firewalls.
    Note: BIG-IQ Security does not synchronize its local copies of the firewall data for the management of self IP firewalls for clustered BIG-IP devices.
  6. For BIG-IP clustered devices not using the automatic sync feature, you may deploy to the standby BIG-IP device first when ready to deploy.
    Note: To determine which BIG-IP device is standby, inspect the interface to the BIG-IP device. The interface indicates ONLINE (ACTIVE) or ONLINE (STANDBY) in the sync status.
  7. Inspect the configuration on the standby BIG-IP device.
  8. When thoroughly tested, fail over so that the standby BIG-IP device becomes the active device.
  9. Deploy to the standby device.

Devices panel: Managing devices

This flyout displays device properties and enables you to reimport or remove a device.

Device Properties

  • Host Name. Informational, read-only field that displays the fully-qualified domain name (FQDN), identified at discovery time.
  • Cluster Name. Informational, read-only field that displays the BIG-IP device cluster name, provided by the user at discovery time.
  • IP Address. Informational, read-only field that displays the IP address of the BIG-IP device, used for communication between it and the BIG-IQ Security system.
  • Product. Informational, read-only field that identifies the product.
  • Version. Informational, read-only field that identifies the version and hotfix level of the device under management.

The flyout provides a way to:

  • Reimport. If changes are made locally (on the BIG-IP device), reimport the device to reconcile those changes with BIG-IQ Security. Unless changes are reconciled, the deployment process overwrites any changes made locally on a BIG-IP device.

    The reimport process is modal, meaning that once this process starts, it blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled. When this process starts, BIG-IQ Security opens a screen that does not close until the process completes or is canceled. Canceling the process removes the device being reimported.

  • Remove. Removes a device from the Devices panel and rescinds BIG-IQ Security management authority.
  • Cancel. Cancels the operation and closes the flyout without saving any entries.

Conflict Resolution

Conflicts can prevent the discovery process from running to completion.

Note: A conflict is defined as two shared objects having the same name but containing different data. For details on conflict resolution, see the help for adding BIG-IP devices.


Device configuration states

Possible configuration states for a firewall device centrally managed by the BIG-IQ Security system include:

  • Current state. The configuration state of the BIG-IP device as discovered by BIG-IQ Security. The current state is updated during a reimport and before calculating differences during the deployment process. After deployment (and after the resolution of any conflicting shared objects), BIG-IQ Security may overwrite the BIG-IP current configuration (if the Use BIG-IQ Version option is chosen).
  • Working state. The configuration state as maintained in the BIG-IQ Security database. This state is initially created when the firewall manager elects to manage the device from BIG-IQ Security. It is the configuration that is edited on BIG-IQ Security and deployed back out to BIG-IP devices.

After deploying the working state configuration changes to the remote devices, there is seldom a need to reimport the remote device configuration. Some possible reasons to reimport the remote device's configuration are:

  • Additions, deletions, or changes made to the self IPs or virtual servers of the BIG-IP system.
  • Changes to the firewall rules or shared objects made directly on the BIG-IP device that need to be imported to the working state of the BIG-IQ Security system.
  • Updates made to the BIG-IP device's software that need to be recognized by BIG-IQ Security.
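The current and working states, and the way a deployment overwrites a local change that was never reimported, as an added Python model that is not part of BIG-IQ or this manual. The device stand-in and the rule values are constructed, and the reimport is simplified so that the device copy of every object is imported (the conflict screen is not modelled here).

```python
"""Model of current vs. working state for a managed device (added example, not F5 code)."""
from copy import deepcopy


class ManagedDevice:
    """Constructed stand-in for one BIG-IP device under BIG-IQ Security management."""

    def __init__(self, discovered):
        self.device = deepcopy(discovered)   # what is really configured on the BIG-IP
        self.current = deepcopy(discovered)  # current state: last seen by BIG-IQ
        self.working = deepcopy(discovered)  # working state: edited in the BIG-IQ database

    def edit_locally(self, name, rule):
        """A change made directly on the BIG-IP, bypassing BIG-IQ."""
        self.device[name] = rule

    def edit_centrally(self, name, rule):
        """A change made on BIG-IQ; it reaches the device only on deploy."""
        self.working[name] = rule

    def reimport(self):
        """Refresh the current state and pull local changes into the working state.
        Simplification: the device copy of every object wins (no conflict screen)."""
        self.current = deepcopy(self.device)
        self.working.update(deepcopy(self.device))
        return self.current

    def deploy(self):
        """Refresh the current state, compute working minus current, push it to the device.
        Objects absent from the working state are removed from the device."""
        self.current = deepcopy(self.device)
        diff = {k: self.working.get(k)
                for k in set(self.current) | set(self.working)
                if self.current.get(k) != self.working.get(k)}
        for name, rule in diff.items():
            if rule is None:
                self.device.pop(name, None)   # local-only object is overwritten (deleted)
            else:
                self.device[name] = rule
        self.current = deepcopy(self.device)
        return diff


def local_change_survives(reimport_first):
    """Return whether a rule added locally on the BIG-IP is still there after a deploy."""
    dev = ManagedDevice({"allow-web": "accept tcp/80"})   # constructed discovered config
    dev.edit_locally("allow-ssh-temp", "accept tcp/22")   # change made outside BIG-IQ
    if reimport_first:
        dev.reimport()
    dev.edit_centrally("allow-web", "accept tcp/443")
    dev.deploy()
    return "allow-ssh-temp" in dev.device
```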