Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the BIG-IP Advanced Firewall Manager™ (AFM™) module.
Network Security system provides:
Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.
Bringing a device under central management means that its configuration is stored in the Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.
Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.
In addition, Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.
BIG-IQ® Centralized Management Security contains several groups of capabilities. The Shared Security group contains objects that can be used with Network Security objects and with Web Application Security objects.
Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.
From this central management platform, you can perform the following actions:
The BIG-IQ® Centralized Management system uses the following terminology to refer to configuration sets for a centrally-managed BIG-IP® device:
The working configuration is created when the administrator first manages the BIG-IP device from the BIG-IQ Centralized Management system. The working configuration is updated when a device is re-imported or re-discovered.
If conflicts are observed during a re-discover and re-import, the object in conflict is only updated in the working configuration when the Use BIG-IP resolution conflict option is used.
Once you have placed a BIG-IP® device under management by the BIG-IQ® Centralized Management system by discovering and importing that device configuration, you should avoid directly changing the BIG-IP device configuration. All changes to the BIG-IP device configuration should be made using the BIG-IQ Centralized Management system to avoid errors.
A BIG-IP software release may include features that the BIG-IQ Centralized Management system does not yet manage. If changes are made to the configuration of that feature directly on the BIG-IP device, the BIG-IQ Centralized Management system might remove those changes when a subsequent deployment is made to the BIG-IP device.
During the deployment process, the BIG-IQ Centralized Management system imports the current configuration of the targeted BIG-IP devices. Subsequent changes made directly on the BIG-IP device which add new objects to the configuration will be labeled as being not imported and those objects will not be removed during the next deployment. These objects will continue to be labeled as not imported, until you reimport the configuration using the Device Management BIG-IP Devices screen.
To avoid this situation, when you directly modify a BIG-IP device, you must re-discover and re-import the BIG-IP device from the BIG-IQ Centralized Management system to reconcile the configuration differences.
There are several filter fields you can use to select the data displayed for firewall objects. The filter text you enter is used to perform a search of the underlying object's representation in storage (in JSON), which includes not only the name and other displayed data, but also metadata for the object, such as timestamps. Make the text you enter in the filter field specific enough to uniquely identify the one or more objects you want to display.
|Filter field at top right of screen||Use the filter field at the right top of the screen to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the left of the filter field, and then selecting an option from each option group. The bottom option group in the list controls whether the filter text must be a partial match or an exact match.
The top options group in the list control which objects are filtered. Not all options are displayed on all screens; if none of these options are displayed (IP Address, Name or Port), the default is All.
If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list.
To remove the filter, click the X to the right of the filter expression area near the filter field.
|Filter field in Toolbox at bottom||Use the filter field in the upper right of the toolbox (displayed at the bottom of the page when active) to search the shared objects list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click the X to the right of the filter expression area near the filter field.|
When specifying a date in a filter, only these date and time formats are supported: