Manual Chapter: Deploying Configuration Changes
Deployment panel

The Deployment panel displays individual deployment tasks and their status (one per row in the panel). To display details for a task, hover over its row and click the gear icon.

After you have completed edits to a firewall and shared objects, you can create a deployment task to distribute those changes to selected BIG-IP devices.

To create a deployment task, hover over the banner of the Deployment panel and when the (+) icon appears, click it to display the Add Deployment flyout. Populate the fields as needed and click Evaluate.

To get help about adding a new deployment task, click the (+) icon to display the Add Task flyout and then click the (?) help icon.

The BIG-IQ Security system enables you to deploy to up to 20 devices in a single task.

Note: During the deployment process, any changes made locally to the BIG-IP device are overwritten.

From the Deployment flyout, you can click Cancel to close the flyout without saving or click Remove to remove a deployment task.

Deployment: Add a deployment task

When you have completed edits to a firewall policy, you can create a deployment task to push out to a target device any change that occurred to any configuration object. A deployment task consists of two phases: evaluation and distribution.

Evaluation phase

To create a deployment task, populate the property fields in the Add Deployment flyout, select or clear the check boxes for the devices where you want evaluations performed, and click Evaluate.

When you click Evaluate, the BIG-IQ Security system presents the following:

  1. Refresh - Contacts the remote BIG-IQ Security systems and reads and synchronizes the current working configuration for all devices selected.
  2. Change enumeration - The set of changes to be distributed is calculated and displayed (number and type of each change).
  3. Snapshot - A background process takes a snapshot of the firewall working configuration for each BIG-IP device.
  4. Differences - In the logs, differences are noted between the BIG-IP system current configuration and the BIG-IP working configuration.
  5. Compares the remote and local configurations and calculates the set of changes that need to be deployed.
  6. Displays the number and type of each change.

Note: If an individual rule in a rule list, policy, or firewall has been changed, added, or removed, the entire modified object (rule list, policy, or firewall) is marked for distribution. An analogous operation is adding, modifying, or removing ports in a port list or addresses in an address list.

Changes are reported as follows:

  • ADDED. New shared objects added to a rule and called by an existing rule list, policy, or firewall are counted as ADDED. Newly-created shared objects that are not referenced in a firewall are not counted and are not distributed.
  • MODIFIED. Existing objects already used by an existing rule list, policy, or firewall and subsequently edited are counted as MODIFIED.
  • REMOVED. Existing objects used by an existing rule list, policy, or firewall and subsequently removed are counted as REMOVED. If a shared object is removed from a rule and is no longer being used by any other rules, it is marked for removal from the selected devices. It is not removed from the BIG-IQ Security system unless expressly deleted.
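
The counting rules above can be modeled in a few lines. This is an added illustration, not code from BIG-IQ; the object names, the dictionary layout and the functions referenced, evaluate and obj are assumptions made for the example.

```python
# Illustrative model; dict layout and names are assumptions, not BIG-IQ APIs.
def referenced(config):
    """Names of all objects reachable from a firewall through 'refs'."""
    seen = set()
    stack = [n for n, o in config.items() if o["type"] == "firewall"]
    while stack:
        name = stack.pop()
        if name not in seen and name in config:
            seen.add(name)
            stack.extend(config[name]["refs"])
    return seen

def evaluate(working, device):
    """Classify objects as ADDED, MODIFIED or REMOVED for one device."""
    in_use = referenced(working)
    changes = {}
    for name in sorted(in_use):
        if name not in device:
            changes[name] = "ADDED"
        elif working[name] != device[name]:
            # One edited rule, port or address marks the whole object.
            changes[name] = "MODIFIED"
    for name in sorted(device):
        if name not in in_use:
            # Unused by any rule: removed from the device, not from BIG-IQ.
            changes[name] = "REMOVED"
    return changes

def obj(kind, body, refs=()):
    return {"type": kind, "body": list(body), "refs": list(refs)}

# Constructed sample: configuration currently on the BIG-IP device.
DEVICE = {
    "fw-global": obj("firewall", ["rl-web"], ["rl-web"]),
    "rl-web": obj("rule-list", ["web-ports from old-nets"], ["web-ports", "old-nets"]),
    "web-ports": obj("port-list", [80]),
    "old-nets": obj("address-list", ["10.0.0.0/8"]),
}
# Constructed sample: edited working configuration on BIG-IQ.
WORKING = {
    "fw-global": obj("firewall", ["rl-web"], ["rl-web"]),
    "rl-web": obj("rule-list", ["web-ports from new-nets"], ["web-ports", "new-nets"]),
    "web-ports": obj("port-list", [80, 443]),
    "new-nets": obj("address-list", ["192.0.2.0/24"]),
    "old-nets": obj("address-list", ["10.0.0.0/8"]),  # still on BIG-IQ, unused
    "spare-ports": obj("port-list", [8080]),          # new but unreferenced
}

print(evaluate(WORKING, DEVICE))
```

In the sample, spare-ports never appears in the result because no firewall references it, and old-nets is reported as REMOVED for the device although it remains in the working configuration.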

Distribution phase

During the distribution phase, configuration changes are pushed out to remote BIG-IP devices.

Deployment task properties

  • Deployment Name. Name for the deployment task. It can be useful to develop a convention for naming deployment tasks.
  • Description. (Optional) Description for the deployment task. To add a description, enter text in the field.
  • Select Devices to Evaluate. Devices ready to be evaluated are displayed with check boxes. Select and/or clear check boxes as appropriate.

If there are no changes to evaluate for a device, its check box is cleared and disabled.

Deployment task states are displayed during the deployment process.

Deployment: Managing deployment tasks

When the task displays a status of READY TO DEPLOY, hover in the task header and click the gear icon. This displays a flyout that enables you to deploy, remove a deployment task, or cancel the flyout.

Note: If there are no changes to deploy, a message displays to confirm this.

To deploy, click Deploy to the right of Task Status.

To remove a deployment task, click Remove at the top of the panel.

To abandon the operation and close the flyout, click Cancel at the top of the panel.

Note: When you select a deployment task during the evaluation phase, the BIG-IQ Security system brushes all devices whose check boxes were selected for evaluation, that is, the devices in the Devices panel that correspond to that deployment task. When you select a deployment task during the deployment phase, BIG-IQ Security brushes only those devices selected for deployment.

Deployment task properties

  • Deployment Name. User-provided name of the deployment task.
  • Description. (Optional) Description for the deployment task. To add a description, click in the field and enter text. The field accepts up to 128 characters.
  • User. Name of the user who executed the task.
  • Task Status. Status for the phases the task goes through.
  • Start Time. Time the deployment task started in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:17-07:00
  • End Time. Time the deployment task ended in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:36-07:00

After the Properties table, BIG-IQ Security displays a table of configuration changes. The table consists of these columns: Type (type of item), Change (ADDED, and so on), On BIG-IP (configuration items added, modified, or removed on the BIG-IP device), On BIG-IQ (configuration items added, modified, or removed on the BIG-IP device).

Changes are reported as follows:

  • ADDED. New shared objects added to a rule and called by an existing rule list, policy, or firewall are counted as ADDED. Newly-created shared objects that are not referenced in a firewall are not counted and are not distributed.
  • MODIFIED. Existing objects already used by an existing rule list, policy, or firewall and subsequently edited are counted as MODIFIED.
  • REMOVED. Existing objects used by an existing rule list, policy, or firewall and subsequently removed are counted as REMOVED. If a shared object is removed from a rule and is no longer being used by any other rules, it is marked for removal from the selected devices. It is not removed from the BIG-IQ Security system unless expressly deleted.

The table also includes a check box for each BIG-IP device. If checked, the changes for the device will be deployed. If cleared, the device will be taken out of the deployment task.

Note: When you click on a deployment task during the deployment phase, BIG-IQ Security brushes all selected devices.

Deploying Firewalls for Clustered BIG-IP Devices

To deploy firewalls for clustered BIG-IP devices:

  1. For BIG-IP clustered devices not using the automatic sync feature, you may deploy to the standby BIG-IP device first when ready to deploy.
    Note: To determine which BIG-IP device is standby, inspect the interface to the BIG-IP device. The interface indicates ONLINE (ACTIVE) or ONLINE (STANDBY) and the sync status.
  2. Inspect the configuration on the standby BIG-IP device.
  3. When thoroughly tested, fail over so that the standby BIG-IP device becomes the active device.
  4. Deploy to the standby device.