Manual Chapter : Evaluating and Deploying Changes

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

How do I evaluate changes made to managed objects?

To change the object settings on a managed device, there are four tasks to perform.

This figure illustrates the workflow you perform to manage the objects on BIG-IP® devices. Evaluating the changes you have made is the third step in this process.

Figure: Evaluate object changes (overview of evaluating changes made to managed objects)

Note: If you need to make an urgent change, you can skip the evaluation step. However, we highly recommend evaluation in all but emergency situations. See Making an urgent deployment for details.

How do shared objects affect my deployments?

The objects that you manage using BIG-IQ® depend on associations with other, supporting objects. These objects are called shared objects. When the BIG-IQ evaluates a deployment to a managed device, it starts by deploying the device-specific objects. Then it examines the managed device to compile a list of the objects that are needed by other objects on that device. Then (unless you override the default behavior) the BIG-IQ system deletes any shared objects that exist on the managed device but are not used. So if there are objects on a managed device that are not being used, the next time you deploy changes to that device, the unused objects are deleted.

Note: You can override this default behavior by selecting the Keep Unused Objects check box when you deploy changes.
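
The following Python sketch is an added example, not BIG-IQ code: it previews which shared objects a deployment would remove by walking references outward from the device-specific objects, using AddressList-a and AddressList-b from this chapter's unused-object example. The ManagedObject model, all other object names, and the separate reporting of objects that are referenced only by unused objects are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ManagedObject:
    """Hypothetical model of one object on a managed device (not a BIG-IQ type)."""
    name: str
    shared: bool  # False = device-specific object, e.g. a firewall context
    references: list = field(default_factory=list)


# Constructed inventory. AddressList-a and AddressList-b follow the chapter's
# example; every other name is made up for illustration.
SAMPLE_INVENTORY = [
    ManagedObject("FirewallContext-1", shared=False, references=["Policy-1"]),
    ManagedObject("Policy-1", shared=True, references=["AddressList-a"]),
    ManagedObject("AddressList-a", shared=True),
    ManagedObject("AddressList-b", shared=True),
    ManagedObject("Policy-staged", shared=True, references=["AddressList-c"]),
    ManagedObject("AddressList-c", shared=True),
]


def used_objects(objects):
    """Names reachable from any device-specific object, directly or indirectly."""
    by_name = {o.name: o for o in objects}
    seen = set()
    queue = deque(o.name for o in objects if not o.shared)
    while queue:
        name = queue.popleft()
        if name in seen or name not in by_name:
            continue  # already visited (handles cycles) or dangling reference
        seen.add(name)
        queue.extend(by_name[name].references)
    return seen


def preview_unused(objects, keep_unused=False):
    """Preview the shared objects that removal of unused objects would affect.

    Returns (unreferenced, orphan_chain):
      unreferenced - shared objects nothing refers to (AddressList-b in the text)
      orphan_chain - shared objects referred to only by unused objects; treating
                     these as unused is an assumption of this sketch
    With keep_unused=True (the Keep Unused Objects check box) nothing is removed.
    """
    if keep_unused:
        return [], []
    used = used_objects(objects)
    referenced = {ref for o in objects for ref in o.references}
    unused = [o.name for o in objects if o.shared and o.name not in used]
    unreferenced = sorted(n for n in unused if n not in referenced)
    orphan_chain = sorted(n for n in unused if n in referenced)
    return unreferenced, orphan_chain


if __name__ == "__main__":
    unreferenced, orphan_chain = preview_unused(SAMPLE_INVENTORY)
    print("Unreferenced shared objects:", unreferenced)
    print("Referenced only by unused objects:", orphan_chain)
```

If anything in either list must survive the deployment, select Keep Unused Objects.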

Evaluate Access configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: When BIG-IQ® Centralized Management evaluates configuration changes, it first re-discovers the configuration from the managed device to ensure that there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device, and then deploy the configuration changes.
  • To accept the default, proceed with the evaluation. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP® device.
  • To override the default, re-discover the device and re-import the service. The settings from the managed BIG-IP device overwrite any changes that have been made using the BIG-IQ.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they might not cause the deployment to fail, but you should review them nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments might fail.
  1. Click Deployment.
  2. Under EVALUATE & DEPLOY, select Access.
    The screen displays a list of Access evaluations and deployments that have been created on this device.
  3. Under Evaluations, click Create.
    The New Evaluation screen opens.
  4. For the Name setting, type a name for the evaluation task you are creating.
  5. For the Description setting, type a brief description for the evaluation task you are creating.
  6. For the Source setting, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, and then choose the snapshot you want to use.
  7. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects.

    If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

  8. For Supporting Objects, select Include associated LTM Objects to deploy an Access configuration with associated LTM objects.
  9. Using the Target Devices settings, identify the devices for which you want to evaluate changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  10. If you want to apply access policies on each BIG-IP device after deployment, select Automatically apply policies after deployment.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.
      Each change is listed. You can review each one by clicking the name.
      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional information about pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.
  12. If the evaluation shows that you must evaluate and deploy Local Traffic configurations, do that before you deploy this evaluation.

To apply the evaluated object changes to the managed device, they must be deployed. Refer to Deploy configuration changes for instructions.

Evaluate Local Traffic configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: When BIG-IQ® Centralized Management evaluates configuration changes, it first re-discovers the configuration from the managed device to ensure that there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device, and then deploy the configuration changes.
  • To accept the default, proceed with the evaluation. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP® device.
  • To override the default, re-discover the device and re-import the service. The settings from the managed BIG-IP device overwrite any changes that have been made using the BIG-IQ.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they might not cause the deployment to fail, but you should review them nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments might fail.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Local Traffic & Network.
    The screen displays a list of Local Traffic & Network evaluations and deployments defined on this device.
  3. Under Evaluations, click Create.
    The New Evaluation screen opens.
  4. For the Name setting, type a name for the evaluation task you are creating.
  5. For the Description setting, type a brief description for the evaluation task you are creating.
  6. For the Source setting, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, and then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. If you want to deploy changes only to the selected objects, for Supporting Objects, clear the Include check box.
      Note: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Figure: Network Services supporting objects tree
    2. On the Available tab, select the object type for which you want to evaluate changes.
    3. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If there are additional object types you want to include in this evaluation, repeat the previous two sub-steps for each object type.
    5. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (such as a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, you can specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects.

    If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

  9. Using the Target Devices settings, identify the devices for which you want to evaluate changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  10. Click the Create button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation completes, you see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.
      Each change is listed. You can review each one by clicking the name.
      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional information about pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

To apply the evaluated object changes to the managed device, they must be deployed. Refer to Deploy configuration changes for instructions.

Evaluate Network Security configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: When BIG-IQ® Centralized Management evaluates configuration changes, it first re-discovers the configuration from the managed device to ensure that there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device, and then deploy the configuration changes.
  • To accept the default, proceed with the evaluation. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP® device.
  • To override the default, re-discover the device and re-import the service. The settings from the managed BIG-IP device overwrite any changes that have been made using the BIG-IQ.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they might not cause the deployment to fail, but you should review them nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments might fail.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Network Security.
    The screen displays a list of Network Security evaluations and deployments defined on this device.
  3. Under Evaluations, click Create.
    The New Evaluation screen opens.
  4. For the Name setting, type a name for the evaluation task you are creating.
  5. For the Description setting, type a brief description for the evaluation task you are creating.
  6. For the Source setting, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, and then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. If you want to deploy changes only to the selected objects, for Supporting Objects, clear the Include check box.
      Note: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Figure: Network Services supporting objects tree
    2. On the Available tab, select the object type for which you want to evaluate changes.
    3. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If there are additional object types you want to include in this evaluation, repeat the previous two sub-steps for each object type.
    5. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (such as a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, you can specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects.

    If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

  9. Using the Target Devices settings, identify the devices for which you want to evaluate changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  10. Click the Create button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation completes, you see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.
      Each change is listed. You can review each one by clicking the name.
      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional information about pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

To apply the evaluated object changes to the managed device, they must be deployed. Refer to Deploy configuration changes for instructions.

Evaluate Web Application Security configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
Note: When BIG-IQ® Centralized Management evaluates configuration changes, it first re-discovers the configuration from the managed device to ensure that there are no unexpected differences. If there are issues, the default behavior is to discard any changes made on the managed device, and then deploy the configuration changes.
  • To accept the default, proceed with the evaluation. The settings from the managing BIG-IQ overwrite the settings on the managed BIG-IP® device.
  • To override the default, re-discover the device and re-import the service. The settings from the managed BIG-IP device overwrite any changes that have been made using the BIG-IQ.
Note: Critical errors are issues with a configuration change that cannot be deployed successfully. Verification warnings are less serious in that they might not cause the deployment to fail, but you should review them nonetheless.
Note: If you have Local Traffic & Network (LTM) changes to deploy, deploy the LTM changes before deploying changes to other components, or those deployments might fail.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Network Security.
    The screen displays a list of Network Security evaluations and deployments defined on this device.
  3. Under Evaluations, click Create.
    The New Evaluation screen opens.
  4. For the Name setting, type a name for the evaluation task you are creating.
  5. For the Description setting, type a brief description for the evaluation task you are creating.
  6. For the Source setting, select what you want to evaluate.
    • To compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • To compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, and then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. On the Available tab, select the object type for which you want to evaluate changes.
    2. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    3. If there are additional object types you want to include in this evaluation, repeat the last two sub-steps for each object type.
    4. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    5. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, there are a couple of extra options you can specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

      To understand what an unused object is, consider the following example:

      There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

      • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b is not referenced (directly or indirectly) by any objects.

      If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

    2. You can filter the list of available devices, so that only BIG-IP devices that own objects that have been changed and are provisioned with ASM are displayed. To filter the available devices list, click Select Modified ASM Devices.
  9. Using the Target Devices settings, identify the devices for which you want to evaluate changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  10. Click the Create button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation completes, you see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it or not.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.
      Each change is listed. You can review each one by clicking the name.
      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional information about pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

To apply the evaluated object changes to the managed device, they must be deployed. Refer to Deploy configuration changes for instructions.

How do I deploy changes made to managed objects?

Deploying changes applies the revisions that you have made on the BIG-IQ® Centralized Management system to the managed BIG-IP® devices.

This figure illustrates the workflow you perform to manage the objects on BIG-IP devices. Deploying the settings is the last step in this process.

Deploy object changes

Change managed object workflow

How does deployment to devices in a cluster work?

When you created a cluster in BIG-IQ® inventory, you chose a deployment option for the devices in that cluster.

If you chose to initiate BIG-IP® DSC® sync, and the Sync-Failover group on the BIG-IP system is configured for manual sync, after deployment to either device in the HA pair, Access kicks off manual sync to the other device. If manual sync succeeds, the deployment is successful. Otherwise, the deployment status shows an error.

If you chose to initiate BIG-IP DSC sync and the Sync-Failover group on the BIG-IP system is configured for automatic sync, after deploying to either device in the HA pair, automatic sync propagates the configuration to the other device. If automatic sync succeeds, the deployment is successful. Otherwise, the deployment status shows an error.

If you chose to ignore BIG-IP DSC sync, you must deploy the configuration from BIG-IQ to both devices in the cluster.

Note: After you deploy to both devices this way, DSC sync conflicts between these devices can occur.

Deploy configuration changes

To apply the changes you made on the BIG-IQ® Centralized Management system to your managed device, you must deploy those changes to the managed device.

  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select the component for which you want to make changes.
    The screen displays a list of evaluations and deployments defined on this device.
  3. Click the name of the evaluation that you want to deploy.
    The View Evaluation screen opens.
  4. Specify whether you want to deploy the changes immediately or schedule deployment for later.
    • To deploy this change immediately:
      1. Select Deploy Now.
      2. Click Deploy to confirm.
    • To deploy this change later:
      1. Select the Schedule for later check box.
      2. Select the date and time.
      3. Click Schedule Deployment.
    The process of deploying changes can take some time, especially if there are a large number of changes. During this time, you can click Cancel to stop the deployment process.
    Important: If you cancel a deployment, some of the changes might have already deployed. Cancel does not roll back these changes.
The evaluation you chose is added to the list of deployments on the bottom half of the screen.
  • If you chose to deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
  • If you chose to delay deployment, the Status column displays the scheduled date and time.

Make an urgent Local Traffic & Network deployment

If you need to make an urgent change, you can skip the Evaluate configuration changes task and deploy changes to your BIG-IP® device immediately. Changes to configuration objects are still validated; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.

Note: We recommend evaluating your changes before making a deployment. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment workflow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Local Traffic & Network.
    The screen displays a list of Local Traffic & Network evaluations and deployments defined on this device.
  3. Under Deployments, click Create.
    The New Deployment screen opens.
  4. For the Name setting, type a name for the deployment task you are creating.
  5. For the Description setting, type a brief description for the deployment task you are creating.
  6. For the Source setting, select what you want to deploy.
    • To deploy your changes to the managed device, select Current Changes.
    • To deploy the object settings from a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. If you want to deploy changes only to the selected objects, for Supporting Objects, clear the Include check box.
      Note: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. On the Available tab, select the object type for which you want to evaluate changes.
    3. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If there are additional object types you want to include in this evaluation, repeat the previous two sub-steps for each object type.
    5. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (such as a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, you can specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects.

    If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

  9. Consider one more time how you want to deploy these changes.
    • If you want to review the changes, click Create evaluation.
    • To make the changes right now, click Deploy immediately.
  10. Using the Target Devices settings, identify the devices for which you want to deploy changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. Start the evaluation or deployment.
    Perform the steps for the method you chose.
    • Create evaluation
      1. Click Evaluate.
      2. The evaluation begins.
        • If you are deploying changes for a specific object, when the evaluation is complete you can decide how and when you want to deploy it.
        • If you are deploying changes to a number of devices, the evaluation is added to the Evaluations list with a status of Pending confirmation.
    • Deploy immediately
      1. Click Deploy.
      2. A confirmation screen notifies you that you are about to trigger a deployment.
      3. Click Deploy again to deploy the changes to your device.

Deploy urgent Network Security updates

If you need to make an urgent change, you can skip the Evaluate configuration changes task and deploy changes to your BIG-IP® device immediately. Changes to configuration objects are still validated; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.

Note: We recommend evaluating your changes before making a deployment. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment workflow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Network Security.
    The screen displays a list of Network Security evaluations and deployments defined on this device.
  3. Under Deployments, click Create.
    The New Deployment screen opens.
  4. For the Name setting, type a name for the deployment task you are creating.
  5. For the Description setting, type a brief description for the deployment task you are creating.
  6. For the Source setting, select what you want to deploy.
    • To deploy your changes to the managed device, select Current Changes.
    • To deploy the object settings from a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. If you want to deploy changes only to the selected objects, for Supporting Objects, clear the Include check box.
      Note: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. On the Available tab, select the object type for which you want to evaluate changes.
    3. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If there are additional object types you want to include in this evaluation, repeat the previous two sub-steps for each object type.
    5. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (such as a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, you can specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects.

    If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

  9. Consider one more time how you want to deploy these changes.
    • If you want to review the changes, click Create evaluation.
    • To make the changes right now, click Deploy immediately.
  10. Using the Target Devices settings, identify the devices for which you want to deploy changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. Start the evaluation or deployment.
    Perform the steps for the method you chose.
    • Create evaluation
      1. Click Evaluate.
      2. The evaluation begins.
        • If you are deploying changes for a specific object, when the evaluation is complete you can decide how and when you want to deploy it.
        • If you are deploying changes to a number of devices, the evaluation is added to the Evaluations list with a status of Pending confirmation.
    • Deploy immediately
      1. Click Deploy.
      2. A confirmation screen notifies you that you are about to trigger a deployment.
      3. Click Deploy again to deploy the changes to your device.

Make an urgent Web Application Security deployment

If you need to make an urgent change, you can skip the Evaluate configuration changes task and deploy changes to your BIG-IP® device immediately. Changes to configuration objects are still validated; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.

Note: We recommend evaluating your changes before making a deployment. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment workflow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click Deployment.
  2. Under EVALUATE & DEPLOY, select Web Application Security.
    The screen displays a list of Web Application Security evaluations and deployments defined on this device.
  3. Under Deployments, click Create.
    The New Deployment screen opens.
  4. For the Name setting, type a name for the deployment task you are creating.
  5. For the Description setting, type a brief description for the deployment task you are creating.
  6. For the Source setting, select what you want to deploy.
    • To deploy your changes to the managed device, select Current Changes.
    • To deploy the object settings from a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate. Select either All Changes or Partial Changes.
    If you choose to do a partial deployment, additional controls are displayed.
    Important: If you select All Changes, skip to the next step.
    1. On the Available tab, select the object type for which you want to evaluate changes.
    2. From the list of configuration changes, select the objects that you want to evaluate and move them to the Selected list.
      Note: If you include objects in an evaluation that have not been changed, and you later deploy this evaluation, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    3. If there are additional object types you want to include in this evaluation, repeat the last two sub-steps for each object type.
    4. If you add an object to the evaluation and then change your mind, you can move it back to the Available list.
    5. Under Target Device(s), click Find Relevant Devices.
      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, BIG-IP1 will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
  8. If you selected All Changes, there are a couple of extra options you can specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

      To understand what an unused object is, consider the following example:

      There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

      • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b is not referenced (directly or indirectly) by any objects.

      If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.

    2. You can filter the list of available devices, so that only BIG-IP devices that own objects that have been changed and are provisioned with ASM are displayed. To filter the available devices list, click Select Modified ASM Devices.
  9. Consider one more time how you want to deploy these changes.
    • If you want to review the changes, click Create evaluation.
    • To make the changes right now, click Deploy immediately.
  10. Using the Target Devices settings, identify the devices for which you want to deploy changes. Select the devices from the Available list, and move the devices to the Selected list.
    Note:
    • If you are evaluating a device that is a member of a cluster set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. Start the evaluation or deployment.
    Perform the steps for the method you chose.
    • Create evaluation
      1. Click Evaluate.
      2. The evaluation begins.
        • If you are deploying changes for a specific object, when the evaluation is complete you can decide how and when you want to deploy it.
        • If you are deploying changes to a number of devices, the evaluation is added to the Evaluations list with a status of Pending confirmation.
    • Deploy immediately
      1. Click Deploy.
      2. A confirmation screen notifies you that you are about to trigger a deployment.
      3. Click Deploy again to deploy the changes to your device.
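
The unused-object rule in step 8 of each urgent deployment procedure above (AddressList-a is kept, AddressList-b is deleted) is a reachability check over object references. The following Python model is an added example, not BIG-IQ code or its API; the inventory format, every object name other than AddressList-a and AddressList-b, and the choice to treat the firewall context as a device-specific root are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory for one managed device (illustrative data model).
# kind "device" = device-specific object, treated here as an in-use root.
# kind "shared" = shared object, in use only if reachable from a root.
# AddressList-a / AddressList-b come from the page; every other name, and
# classifying the firewall context as device-specific, is an assumption.
SAMPLE_DEVICE = {
    "fw-context-global": {"kind": "device", "refs": ["policy-edge"]},
    "policy-edge": {"kind": "shared", "refs": ["AddressList-a"]},
    "AddressList-a": {"kind": "shared", "refs": []},
    "AddressList-b": {"kind": "shared", "refs": []},
    "policy-old": {"kind": "shared", "refs": ["AddressList-c"]},
    "AddressList-c": {"kind": "shared", "refs": []},
}


def in_use_objects(objects):
    """Return every object reachable, directly or indirectly, from a root."""
    roots = [name for name, obj in objects.items() if obj["kind"] == "device"]
    seen = set(roots)
    queue = deque(roots)
    while queue:
        current = queue.popleft()
        for ref in objects[current]["refs"]:
            # Skip dangling references and already-visited nodes (cycles).
            if ref in objects and ref not in seen:
                seen.add(ref)
                queue.append(ref)
    return seen


def preview_unused(objects, keep_unused=False):
    """Classify shared objects before a deployment with All Changes selected."""
    in_use = in_use_objects(objects)
    referrers = {name: set() for name in objects}
    for name, obj in objects.items():
        for ref in obj["refs"]:
            if ref in referrers:
                referrers[ref].add(name)

    unreferenced, orphan_chain = [], []
    for name in sorted(objects):
        if objects[name]["kind"] != "shared" or name in in_use:
            continue
        # No referrer at all: the AddressList-b case the page describes.
        # Referenced only by unused objects: the page does not say what
        # happens, so report it separately for manual review.
        (orphan_chain if referrers[name] else unreferenced).append(name)

    return {
        "in_use": sorted(in_use),
        "unreferenced": unreferenced,
        "referenced_only_by_unused": orphan_chain,
        "expected_deletions": [] if keep_unused else list(unreferenced),
    }


if __name__ == "__main__":
    for label, keep in (("Remove Unused Objects", False),
                        ("Keep Unused Objects", True)):
        result = preview_unused(SAMPLE_DEVICE, keep_unused=keep)
        print(label)
        for key, names in result.items():
            print(f"  {key}: {', '.join(names) or '-'}")
```

An address list that is staged on a device but not yet referenced by a policy shows up under expected_deletions, which is the cue to select Keep Unused Objects or to attach the list before deploying.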

Deploy to one device when a cluster member is down

Deploying changes to a cluster member generally fails when another device in the cluster is offline. Normally, all device members must be available before you deploy changes to a cluster member. However, if you need to deploy changes before all cluster members are available, you can do so.
  1. At the top of the screen, click Devices.
  2. Under Device Name, click the cluster member to which you want to deploy changes.
    The properties screen for this member opens.
  3. Under Cluster Properties, click Edit.
    The Cluster Properties popup screen for this cluster opens.
  4. For Deployment Settings, select Ignore BIG-IP DSC sync when deploying configuration changes.
  5. Click OK, and then click Close.

With the Ignore BIG-IP DSC sync when deploying configuration changes option selected, you can now deploy changes to the member that is available, and BIG-IQ will not attempt to sync those changes to the member that is unavailable.

Use the Deploy configuration changes task to deploy changes to the available member. When you select the target device for deployment, do not select the unavailable device.

Access deployment errors and warnings: causes and resolutions

Problem: Access profile type mismatch
  • Description: The deployment process imports an access profile from a device to the other devices in the Access group. If an access profile of the same name exists on a device, the access profile types must match. If it does not, a critical error occurs and deployment fails.
  • Resolution: On the BIG-IP® device, delete the access profile. Then, redeploy on the BIG-IQ® system.

Problem: Sandbox object outside of the /Common partition
  • Description: If partitions exist on the device in addition to the /Common partition, they contain sandbox objects by default. When the deployment process tries to create the sandbox objects, if the same partitions do not exist on the device, a critical error occurs and deployment fails.
  • Resolution: On each BIG-IP device, create the same partitions. Then, redeploy on the BIG-IQ system.

Problem: Pools, pool members, self IPs, route domains
  • Description: Access objects refer to pools, pool members, self IP addresses, and route domains, all of which are managed in ADC. If any of these objects is not present on the device, evaluation provides a warning that LTM® must be deployed before Access can be deployed. If the warning is ignored, Access deployment fails.
  • Resolution: Deploy LTM. Then re-discover LTM before trying to deploy Access.