Manual Chapter: Overview BIG-IQ Security
Overview: BIG-IQ Security

BIG-IQ Security is a platform designed for the central management of security firewalls for multiple BIG-IP systems that have the Advanced Firewall Manager (AFM) module installed and provisioned.

It provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, and schedules)
  • L3/L4 firewall policy deployment
  • Monitoring

Managing firewall configuration includes discovering, editing, and deploying changes to firewall configurations, as well as the consolidation of shared firewall objects (address lists, port lists, rule lists, and schedules). BIG-IQ Security provides a way to perform all these tasks from a single location.

Discovery and import (declaring management authority) is an administrative action: the firewall administrator declares that BIG-IQ Security now manages the firewalls on a BIG-IP device. Once a device is centrally managed, changes should not be made locally on that device unless there is an exceptional need.
Note: If changes are made locally (on the BIG-IP device), you should reimport the device to reconcile those changes with BIG-IQ Security. Unless local changes are reconciled, the deployment process will overwrite any changes made locally on a BIG-IP system.
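The overwrite risk described in the note above can be checked before a deployment. The following Python is an added example written for this chapter, not BIG-IQ Security code: it compares BIG-IQ's working copy of a device's firewall objects with a snapshot taken from the device (both constructed here, with made-up object names) and lists exactly what a deploy would revert, delete or recreate, so the administrator knows a reimport is needed first. It compares object contents only; rule ordering within a rule list is not compared.

```python
"""Pre-deployment drift check for a centrally managed BIG-IP device.

Added example, not BIG-IQ code. Deployment pushes BIG-IQ Security's working
copy of a device's firewall configuration to the device, overwriting anything
changed locally since the last import. This compares the working copy with a
snapshot taken from the device and lists what a deploy would clobber, so the
administrator can reimport first. Both configurations are constructed for the
example; a real snapshot would come from the device itself.
"""
from __future__ import annotations

# BIG-IQ Security's working copy of the device (constructed data).
BIGIQ_COPY = {
    "address-list": {"corp_mgmt": ["10.1.0.0/16"]},
    "port-list": {"ssh": [22]},
    "rule-list": {
        "mgmt_access": {
            "allow_ssh": {"action": "accept", "source": "corp_mgmt",
                          "destination-port": "ssh"},
            "deny_rest": {"action": "drop"},
        }
    },
}

# What the device actually holds after an operator edited it locally
# (constructed): a second subnet was added to corp_mgmt and an ICMP rule
# was inserted into the rule list.
DEVICE_SNAPSHOT = {
    "address-list": {"corp_mgmt": ["10.1.0.0/16", "10.2.0.0/16"]},
    "port-list": {"ssh": [22]},
    "rule-list": {
        "mgmt_access": {
            "allow_ssh": {"action": "accept", "source": "corp_mgmt",
                          "destination-port": "ssh"},
            "allow_icmp": {"action": "accept", "protocol": "icmp"},
            "deny_rest": {"action": "drop"},
        }
    },
}


def flatten(config: dict, prefix: str = "") -> dict[str, object]:
    """Flatten nested firewall objects to {"/type/name/attr": value} so every
    leaf (a rule attribute, an address list's members) can be compared."""
    out = {}
    for key, value in config.items():
        path = f"{prefix}/{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = tuple(value) if isinstance(value, list) else value
    return out


def local_changes(bigiq_copy: dict, device_snapshot: dict) -> dict[str, list[str]]:
    """Paths that differ between the two copies, grouped by what a deploy
    would do to them: objects added locally are deleted, objects deleted
    locally are recreated, objects modified locally are reverted."""
    ours, theirs = flatten(bigiq_copy), flatten(device_snapshot)
    return {
        "added_on_device": sorted(set(theirs) - set(ours)),
        "removed_on_device": sorted(set(ours) - set(theirs)),
        "modified_on_device": sorted(p for p in set(ours) & set(theirs)
                                     if ours[p] != theirs[p]),
    }


def safe_to_deploy(bigiq_copy: dict, device_snapshot: dict) -> bool:
    """True only when the device matches BIG-IQ's working copy, i.e. nothing
    would be silently overwritten. Reimporting the device makes this true."""
    return not any(local_changes(bigiq_copy, device_snapshot).values())


if __name__ == "__main__":
    for kind, paths in local_changes(BIGIQ_COPY, DEVICE_SNAPSHOT).items():
        for p in paths:
            print(f"{kind}: {p}")
    print("safe to deploy:", safe_to_deploy(BIGIQ_COPY, DEVICE_SNAPSHOT))
```

Run against the constructed data, the check reports the locally added ICMP rule and the modified corp_mgmt address list and refuses the deploy; after a reimport the working copy equals the snapshot and safe_to_deploy returns True.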

The BIG-IQ Security interface consists of the following panels:

Devices
Displays the set of BIG-IP devices that BIG-IQ Security has discovered. From this panel, you can initiate device discovery and display device properties. You can also remove devices and reimport devices.
Shared objects
Displays the address lists, port lists, rule lists, and schedules that you can share among multiple firewalls. From this panel, you can display and edit object details.
Monitor
Displays hit counters: the number of times each rule has matched traffic. The IP address of the device is shown under the rule name.
Deploy
Deploys the changes made to any configuration object to one or more target devices.

Accessing help for BIG-IQ Security

Context-Sensitive Help

One source for information about BIG-IQ Security is context-sensitive online Help found inside the application. To access the Help system, click the Help icon (the question mark located at far right of the black banner, across the top of the user interface).

Help topics are provided for each panel, shared object, and function in the user interface. The contents of the Help screen change whenever the user clicks a header or object in the GUI.

BIG-IQ Security: User's Guide

BIG-IQ Security also provides additional information about the application in the form of this user's guide. Among many other topics, the contents include:

  • Declaring Management Authority
  • Discovering new BIG-IP devices
  • Monitoring rule hit counts
  • Deploying changes to devices
  • Contacting Support

BIG-IQ Security Release Notes

Includes information about the following:

  • Supported browser version
  • New features
  • Known issues
  • Contacting F5 Networks

GUI interactions

The BIG-IQ Security GUI provides a variety of ways to interact with the application.

Filtering in the GUI

Filtering reduces the set of data that is visible in the GUI. For example, left-clicking a device filters the Monitor panel down to the related monitoring hits for the selected device.

Brushing in the GUI

Brushing highlights objects related to a selected object.

Brushing lets you quickly find objects related to an object you have selected. Once you select an object or firewall (by right-clicking), the GUI highlights and counts related objects. The count appears in parentheses to the right of the object and explanatory text appears under the search field at the top of the screen. The GUI grays out entities that are not related.

For example, assume you have configured the shared object schedule1. If you right-click schedule1, the GUI counts and displays related objects and the following line appears under the search field:

Rules with so:schedule1

As another example, if you right-click a management IP firewall, the GUI highlights and counts the entities in the Shared objects panel that are related to that firewall context, and the following line appears under the search field:

SharedObjects within fw:management-ip

In all cases, a button appears at right, labeled clear. Click clear to remove the explanatory line and all counts associated with the object.

Searching in the GUI

You can also type a term in the search field at the top of the GUI screen. (The text appears in red.) Click + to the right of the search field. An explanatory line appears under the search field.

For example, assume you have configured the shared object schedule1. If you type schedule1 in the search field, the following line appears under the search field:

Rules with value:schedule1 and SharedObjects with value:schedule1

The clear button removes the explanatory line and all associated counts.

These filter/search techniques can be important for troubleshooting firewalls.

Right-click in the firewall flyout panel to see a context-sensitive menu.

In BIG-IQ Security, tooltips are used to provide additional information. For example, in the Device detail flyout, you can hover over the entry in the Name column until a tooltip is displayed. The first line in the tooltip is the name of the rule and the second line is the name of the rule list.

If you hover over an address list or port list, the tooltip displays the addresses or ports in the list. In cases where the address or port list name is larger than the display field, click inside the field and press the down arrow to see the complete name.

Browser resolution

F5 recommends a minimum screen resolution of 1280 x 1024 to properly display and use the panels efficiently.

It is possible to shrink the browser screen so that GUI elements (buttons, scroll bars, functions) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the panels and controls.

Devices panel

In BIG-IQ Security, devices are BIG-IP systems that BIG-IQ Security has discovered and whose firewalls it is managing.

BIG-IQ Security displays devices by the name and fully-qualified domain name (FQDN) as assigned by the BIG-IP administrator.

Note: DNS aliases are not supported for device discovery.

The Devices panel displays discovered devices and provides a way to initiate discovery. Click a device in this panel to display the hierarchy of configured firewalls for that device. To view the configuration for an individual firewall, click that firewall in the hierarchy.

You can use BIG-IQ Security to manage the firewalls and firewall components (also known as shared objects) on the devices listed.

Note: After device discovery and import of firewalls, the BIG-IP device is managed centrally by BIG-IQ Security (except under exceptional conditions). Changes made locally to the BIG-IP device will get overwritten during the deployment process.

If discovery fails for a BIG-IP device that has recently received a hot fix, log in to the BIG-IP device and verify that it has retained its management IP address through the hot fix installation process.

Firewall types include:

Global firewall
Consists of one global firewall per device. Packets are processed by the global firewall before they get to the route domain, virtual server, or self IP firewalls.
Route domain firewalls
There can be more than one configured route domain firewall; each listed by its ID. The default route domain firewall on the BIG-IP device is route domain 0. Packets are assessed by the route domain firewall before they are processed by the associated virtual server or self IP firewalls.
Self IP firewalls
Consist of an IP packet filter configured on the self IP address. Any IP packet that passes through the self IP is assessed by this firewall.
Virtual server (VIP) firewalls
Consist of the firewalls attached to the virtual servers (virtual IPs) configured on the BIG-IP system.
Management firewall
Applies to the IP address of the management interface; there is a single firewall per management interface. Packets must match a rule with the ACCEPT action to reach the management interface.
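To make the processing order above concrete, here is an added example in Python, not BIG-IP or BIG-IQ code: a small model that walks a packet through the global, route domain and virtual server contexts in that order, records per-rule hit counts of the kind the Monitor panel shows, and applies the device's Default Firewall Action (accept, drop or reject) when no rule matches anywhere. The address lists, port lists, schedule, contexts and rules are constructed for the example. It assumes AFM's rule semantics, which this chapter does not spell out: "accept" lets the packet continue to the next context (a later context may still drop it), "accept-decisively" stops evaluation and accepts, and "drop" or "reject" stop evaluation. The management firewall is a separate path and is not modelled.

```python
"""Illustrative model of the AFM firewall context hierarchy.

Added example, not BIG-IQ or BIG-IP code. A packet is evaluated by the
global context, then the route domain context, then the virtual server or
self IP context. Within a context the first matching rule decides. Every
match increments a "context/rule" hit counter, as the Monitor panel reports.
If no rule matches in any context, the device's Default Firewall Action
applies. All objects below are constructed data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Shared objects of the kinds BIG-IQ Security consolidates (constructed).
ADDRESS_LISTS = {"corp_mgmt": ["10.1.0.0/16"], "scanners": ["192.0.2.0/24"]}
PORT_LISTS = {"web": [80, 443], "ssh": [22]}
SCHEDULES = {"business_hours": (8, 18)}   # active hours as [start, end)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # accept | accept-decisively | drop | reject
    src: str | None = None            # address-list name, None = any source
    dst_port: str | None = None       # port-list name, None = any port
    schedule: str | None = None       # schedule name, None = always active

    def matches(self, src_ip: str, dport: int, hour: int) -> bool:
        if self.schedule is not None:
            start, end = SCHEDULES[self.schedule]
            if not start <= hour < end:
                return False          # outside its schedule the rule is inactive
        if self.src is not None:
            addr = ip_address(src_ip)
            if not any(addr in ip_network(n) for n in ADDRESS_LISTS[self.src]):
                return False
        if self.dst_port is not None and dport not in PORT_LISTS[self.dst_port]:
            return False
        return True


@dataclass(frozen=True)
class Context:
    name: str                         # e.g. "global", "rd0", "vs:www"
    rules: tuple[Rule, ...]


def evaluate(contexts, src_ip, dport, hour=12, default_action="drop", hits=None):
    """Return (final_action, deciding_rule_path) for one packet.

    Assumed AFM semantics: "accept" continues to the next context,
    "accept-decisively" accepts immediately, "drop"/"reject" stop evaluation.
    `hits` is a Counter keyed "context/rule", incremented for every match.
    """
    if hits is None:
        hits = Counter()
    accepted_by = None
    for ctx in contexts:
        for rule in ctx.rules:
            if not rule.matches(src_ip, dport, hour):
                continue
            path = f"{ctx.name}/{rule.name}"
            hits[path] += 1
            if rule.action == "accept":
                accepted_by = path
                break                 # first match decides this context; go on
            if rule.action == "accept-decisively":
                return "accept", path
            return rule.action, path  # drop or reject ends evaluation
    if accepted_by is not None:
        return "accept", accepted_by
    return default_action, "default"  # nothing matched: Default Firewall Action


def hit_counts(contexts, packets, **kw):
    """Evaluate several (src_ip, dport, hour) packets; return Monitor-style counts."""
    hits = Counter()
    for src, dport, hour in packets:
        evaluate(contexts, src, dport, hour, hits=hits, **kw)
    return dict(hits)


# One device's hierarchy, top to bottom (constructed).
DEVICE_CONTEXTS = (
    Context("global", (Rule("block_scanners", "drop", src="scanners"),)),
    Context("rd0", (Rule("allow_web", "accept", dst_port="web"),)),
    Context("vs:www", (
        Rule("web_decisive", "accept-decisively", dst_port="web"),
        Rule("ssh_from_corp", "accept", src="corp_mgmt", dst_port="ssh",
             schedule="business_hours"),
    )),
)

if __name__ == "__main__":
    for src, port, hour in [("192.0.2.9", 443, 12), ("203.0.113.5", 443, 12),
                            ("10.1.7.7", 22, 12), ("10.1.7.7", 22, 23)]:
        print(src, port, hour, evaluate(DEVICE_CONTEXTS, src, port, hour))
```

The fourth sample packet shows the interaction worth remembering: SSH from the corporate range is allowed only while the schedule is active, and outside that window nothing matches, so the outcome is whatever Default Firewall Action the device carries.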

When you hover over the banner of the Devices panel, a (+) icon appears. Click (+) to display the Add Device panel.

When you hover over the header of an individual device, a gear icon appears (upper right corner). Click the gear to display the properties of the discovered device.

About individual devices in BIG-IQ Security

In BIG-IQ Security, a device is a BIG-IP system that BIG-IQ Security has discovered and whose firewalls are centrally managed by BIG-IQ Security.


Select a device to view the firewalls configured on the device, as well as configuration details for individual devices. When you hover over the header of an individual device, a gear icon appears (upper right corner). Click the gear to display the properties of the discovered device.

Device properties

Device address
Informational, read-only field showing the device's IP address.
Device name
Example: ballet.east.dataman.com
Default Firewall Action
Options: accept, drop, reject

From the device properties flyout, you can:

  • Reimport. If changes are made locally (on the BIG-IP device), reimport the device to reconcile those changes with BIG-IQ Security. Unless local changes are reconciled, the deployment process will overwrite any changes made locally on a BIG-IP system.
  • Remove. Remove a device from the Devices panel, rescinding BIG-IQ Security's management authority over it.
  • Cancel. Cancel the discovery and import processes.

