Manual Chapter: Declaring Management Authority

Declaring management authority

As a firewall manager, you are often responsible for the security policy on many firewall devices in a given network. Rather than log into each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but it enables you to maintain a common set of firewall configuration objects and deploy a common set of rules to multiple, similar devices from a central interface.

Once a firewall device is designated for central management, it should no longer be managed locally unless there is an exceptional need.

Note: If changes are made locally (on the BIG-IP device), you should reimport the device to reconcile those changes with BIG-IQ Security. Unless local changes are reconciled, the deployment process will overwrite any changes made locally on a BIG-IP system.

The process of designating a firewall device for central management is called declaring management authority (DMA).

Once a device is under central management, the device configuration is stored in the BIG-IQ database, which is the authoritative source for all configuration entities (shared objects).

To declare management authority, you will:

  1. Log into BIG-IQ Security with username/password credentials.
  2. Navigate to the Devices panel. On the first login, this panel is empty (no discovered devices).
  3. Hover in the Device banner and click the (+) icon.
  4. In the Add Device flyout, enter the device IP address, username, and password.
  5. Click Save to confirm and start the discovery. Click Cancel to cancel the process, collapse the flyout, and return to the Devices panel.

After discovery, the device is listed in the Devices panel. The firewall policy for the selected device is available for management and deployment, and its components are visible in the Shared objects panel where you can view and edit them.

Any conflicts are flagged by a red diamond icon to the left of the device name. All conflicts must be resolved before you can continue.

Device discovery

Device discovery states are displayed during the discovery process. For details, see the section about Support and Maintenance.

Device configuration states

The following are possible configuration states for a firewall device centrally managed by BIG-IQ Security:

  • Current state. The configuration state of the BIG-IP device as discovered by BIG-IQ Security. Current state is updated during a reimport and before calculating differences during the deployment process. After deployment (and after the resolution of any conflicting objects), BIG-IQ Security may overwrite the BIG-IP current configuration.
  • Working state. The configuration state as maintained in the BIG-IQ database. This state is initially created when the firewall manager elects to manage the device from BIG-IQ Security. It is the configuration that is edited and deployed back out to devices.

These states may or may not be synchronized, which is acceptable because the current configuration state and the working configuration state are kept separately in the BIG-IQ database.

The only supported way to reset a state is to reimport the BIG-IP device's current state.

Conflict resolution

The basis of conflict resolution is the name of the shared object. If a shared object has the same name in more than one place but with different data, there is a conflict.

The burden is on the firewall manager to know how conflicts between shared objects are to be resolved and to deploy the resolution.

In BIG-IQ Security, a red diamond icon to the left of the device name indicates a conflict. Click the red diamond icon to display the Resolve Conflict panel. Resolve each conflict by selecting an option from the object's Action drop-down list and clicking Resolve.

Conflict resolution options are displayed as follows:

On BIG-IP (device IP address): Name of the object on the BIG-IP device.
On BIG-IQ: Name of the object on BIG-IQ Security.
Type: Type of shared object in conflict: address list, port list, rule list, or schedule.
Action: Select from the following actions to resolve conflicts:
  • KEEP BOTH - Retain both objects as configured. BIG-IQ Security changes the name on the incoming object to eliminate conflicts. Then, it updates rules with the new object name.
  • NO ACTION - Cannot continue. Until conflicts are resolved, you cannot perform any new discoveries. If you must perform discoveries, remove the device.
  • USE BIG-IP VERSION - Overwrite the object as configured in the central BIG-IQ Security database (which represents the working configuration) with the object as configured on the BIG-IP device (the current configuration).
  • USE BIG-IQ VERSION - Overwrite the object as configured on the BIG-IP device (current configuration) with the object as configured on BIG-IQ Security (working configuration).
Note: The term working configuration refers to the state of the configuration as it exists in the central BIG-IQ Security database. The term current configuration refers to the state of the configuration as it was imported from and running on the BIG-IP device.
Note: Any changes are not applied to the BIG-IP device until they are deployed. This is an action performed by the firewall administrator and initiated by clicking Deploy Changes.

Conflict resolution scenarios

The following sections contain examples that illustrate each of the conflict resolution options.

KEEP BOTH

A pre-existing discovered device, Cambridge, contains rulex, a firewall rule that calls portlist1. portlist1 contains a range of ports (44-47).

rulex and portlist1 are stored in the BIG-IQ database, also called the working configuration.

In this scenario, after another device containing a port list with the same name is imported and deployed, neither rulex nor portlist1 changes.

Incoming device Boston contains ruley, a firewall rule that calls portlist1.

This portlist1 contains a range of ports (50-79).

Both objects are stored in the BIG-IP database on device Boston (current configuration).

In this scenario, after import, portlist1 is renamed in the following format: device-name_object-name_timestamp. So, portlist1 becomes boston_portlist1_13dcff54702 due to the conflict with Cambridge's portlist1.
Note: The timestamp is in hexadecimal format.

After import, ruley is modified to call boston_portlist1_13dcff54702 and the working configuration (the BIG-IQ database) now contains boston_portlist1_13dcff54702.

When deployed to device Boston, the system will modify ruley to call boston_portlist1_13dcff54702 and delete portlist1.

NO ACTION

You cannot continue. Until conflicts are resolved, you cannot perform any new discoveries. If you must perform discoveries, remove the device, resolve the conflict on the BIG-IP device, and then return to BIG-IQ Security and rediscover the BIG-IP device.

USE BIG-IP

A pre-existing discovered device, Cambridge, contains rulex, a firewall rule that calls portlist1. portlist1 contains a range of ports (44-47).

rulex and portlist1 are stored in the BIG-IQ database, also called the working configuration.

Incoming device, Boston, contains ruley, a firewall rule that calls portlist1. This portlist1 contains a range of ports (50-79).

ruley and portlist1 are stored in the BIG-IP database on device Boston (the current configuration).

The user selects USE BIG-IP.

In this scenario, after import, Boston's portlist1 replaces the portlist1 on Cambridge, so portlist1 on Cambridge now contains the range 50-79.

Boston's ruley is not modified. After import, the working configuration in the BIG-IQ database contains rulex, ruley, and portlist1 (with range 50-79). There is no change to Boston.

USE BIG-IQ

A pre-existing discovered device, Cambridge, contains rulex, a firewall rule that calls portlist1. portlist1 contains a range of ports (44-47).

rulex and portlist1 are stored in the BIG-IQ database, also called the working configuration.

Incoming device, Boston, contains ruley, a firewall rule that calls portlist1. This portlist1 contains a range of ports (50-79).

ruley and portlist1 are stored in the BIG-IP database on device Boston (current configuration).

The user selects USE BIG-IQ.

In this scenario, after import, portlist1 on Cambridge replaces portlist1 on Boston, so portlist1 on Boston now contains the range 44-47. Boston's ruley is not modified. After import, the working configuration in the BIG-IQ database contains rulex, ruley, and portlist1 (with range 44-47). There is no change to Cambridge.

Important: No changes are applied until they are pushed out to the BIG-IP device through the deployment process (a manual process initiated by the firewall administrator). This applies to all scenarios.
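The following is an added model of the name-based conflict resolution described under Action and walked through in the scenarios above; it is example code, not part of BIG-IQ Security or this manual. The config layout, the Cambridge and Boston sample data, and the use of the chapter's sample hex timestamp as a fixed default are all constructed assumptions.

```python
# Added example (not F5 code): model of BIG-IQ Security shared-object
# conflict resolution as the chapter describes it. A config is
# {"objects": {name: data}, "rules": {rule_name: referenced_object}}.
from copy import deepcopy

# Working configuration already in the BIG-IQ database (device Cambridge).
WORKING = {"objects": {"portlist1": (44, 47)}, "rules": {"rulex": "portlist1"}}
# Current configuration imported from the incoming device Boston.
BOSTON = {"objects": {"portlist1": (50, 79)}, "rules": {"ruley": "portlist1"}}


def find_conflicts(working, incoming):
    """A conflict is the same object name on both sides with different data."""
    return sorted(n for n, d in incoming["objects"].items()
                  if n in working["objects"] and working["objects"][n] != d)


def resolve(working, incoming, device, action, ts_hex="13dcff54702"):
    """Apply one Action to every conflict and return (working, incoming).

    ts_hex stands in for the hexadecimal timestamp the real system generates;
    the chapter's sample value is the default so results are reproducible.
    Deployment to the device remains a separate, manual step."""
    working, incoming = deepcopy(working), deepcopy(incoming)
    conflicts = find_conflicts(working, incoming)
    if action == "NO ACTION" and conflicts:
        raise RuntimeError("conflicts unresolved; discovery cannot continue")
    for name in conflicts:
        if action == "KEEP BOTH":
            # Rename the incoming object device-name_object-name_timestamp,
            # then repoint the incoming rules that referenced the old name.
            new = f"{device.lower()}_{name}_{ts_hex}"
            incoming["objects"][new] = incoming["objects"].pop(name)
            for rule, ref in incoming["rules"].items():
                if ref == name:
                    incoming["rules"][rule] = new
        elif action == "USE BIG-IP VERSION":   # device's current config wins
            working["objects"][name] = incoming["objects"][name]
        elif action == "USE BIG-IQ VERSION":   # central working config wins
            incoming["objects"][name] = working["objects"][name]
        else:
            raise ValueError(f"unknown action {action!r}")
    # Remaining incoming objects and all incoming rules join the working config.
    working["objects"].update(incoming["objects"])
    working["rules"].update(incoming["rules"])
    return working, incoming
```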

Conflict resolution best practice

As a best practice for conflict resolution, F5 suggests the following steps:

  1. Select NO ACTION.
  2. In the Shared objects panel, find the BIG-IQ shared object that has the conflict.
  3. Open a web page for a BIG-IP device. Log in to the device and find the object with the conflict.
  4. If the BIG-IQ object contains the preferable data, choose USE BIG-IQ as the conflict resolution option.
  5. If the BIG-IP object contains the preferable data, choose USE BIG-IP as the conflict resolution option.
  6. If the object on the BIG-IP device should remain unique, change the name of the object on the BIG-IP device. Then, sync the configuration with any peers and reimport the device in BIG-IQ Security.