Manual Chapter : Managing Devices

Applies To:


BIG-IQ Security

  • 4.3.0

About device discovery

The process of importing a firewall device's configuration or designating a firewall device for central management by BIG-IQ Security is called discovery.

After discovery, BIG-IQ Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.

BIG-IQ Security lists devices under management in the Devices panel.

Before discovering devices, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a REST framework that supports the required Java-based management services.

Discovering devices

Before discovering one or more BIG-IP devices, ensure the required BIG-IQ components are installed on those devices.

Once a device is under central management, the device's configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration entities (shared objects). After that point, do not manage the firewall device locally unless there is an exceptional need.

During discovery, a Remove Device button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Remove Device, the import is canceled and management authority over the device is rescinded. The device is removed.

  1. To begin the discovery process, navigate to the Devices panel. At first login, this panel is empty because there are no discovered devices.
  2. Hover over the Devices header and click the + icon to display the property fields for a new device.
  3. Edit the property fields as required.
    Option: Description
    Device Address: Enter the internal self IP for the BIG-IP device.
    Note: Each managed device must be configured with a communication route from its internal self IP or management IP address to a BIG-IQ system internal self IP address on a configured BIG-IP VLAN. Otherwise, discovery will fail. F5 recommends that you use a self IP address (on the BIG-IP device) in order to gain access to additional functionality that is not provided through the management port.
    Cluster Name: Enter a name for the cluster. Optional, but highly recommended.
    User Name: Enter the user's login name. For example: fw_admin.
    Password: Enter the password for this user.
    Snapshot: Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing.
    Auto Update Framework: Select this check box to update the REST framework installed on the BIG-IP device.

    Certain BIG-IQ system components must be installed and kept up to date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up to date, select this check box.

  4. Click Add.
After discovery, the BIG-IP device is listed in the Devices panel by its FQDN and internal self IP or management IP address. Also, the system lists the snapshot of the working configuration taken during import in the Snapshots panel. The system imports the firewall policy for this device and makes it available for configuration management.

About declaring management authority

The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import (or reimport).

The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.

Note: In this scenario, a conflict is defined as two shared objects in the same partition having the same name, but containing different data.

About conflict resolution

A conflict is found when two shared objects in the same partition have the same name but different data. Conflicts prevent the discovery process from running to completion.

Note: It is the responsibility of the firewall manager to know how to resolve conflicts between shared objects and to deploy the resolution. If you encounter conflicts during discovery, import, or reimport, you must resolve those conflicts before you can interact further with BIG-IQ Security.

If conflicts are found, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found, displays detailed differences for conflicting shared objects, and provides for conflict resolution.

Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.

Resolving conflicts

After reimporting a BIG-IP device, use the Resolve Conflicts dialog box to view the differences between configurations and to resolve conflicts.

The Resolve Conflicts dialog box also provides a Cancel Task button. If you click Cancel Task, the reimport is canceled. Management authority over the device is not rescinded, and the device is not removed.

  1. To begin the reimport process, navigate to the Devices panel.
  2. Hover in the header for the device you want to reimport and when the gear icon appears, click it to display the expanded panel, containing device properties and actions. You cannot change any of the properties displayed on this screen, except the Snapshot check box, which is optional. To ensure that a snapshot is taken prior to import, leave the check box selected.
  3. In the expanded panel, click Reimport.
  4. When the Resolve Conflicts dialog box appears, conflicting shared objects are highlighted in blue in the upper half of the dialog box. Click the shared object to view details in the lower half of the dialog box. The object's configuration on the BIG-IP device is displayed on the left and the object's configuration on BIG-IQ Security is displayed on the right. A gray area indicates that an object has been removed. Yellow indicates that a line has changed, and green indicates that an object has been added or modified.
  5. Examine the differences. From the Action dropdown, select one of the following for each object in conflict:
    Option: Description
    No Action: Take no action. This option does not resolve the conflict and prevents the discovery process from completing. If you are not ready to resolve the conflicts but need to perform other firewall management tasks, cancel the discovery process and return to it later. The device is not brought under management.
    Keep Both: Retain both objects as configured. BIG-IQ Security changes the name on the incoming object to resolve the conflict. Then, it updates rules with the new object name. The new object name includes the device name so it can easily be found.
    Keep BIG-IP Version: Keep the object as configured on the BIG-IP device and overwrite the object as configured in the central BIG-IQ Security database.
    Keep BIG-IQ Version: Keep the object as configured on BIG-IQ Security and overwrite the object as configured on the BIG-IP device.
  6. Alternatively, from the Action dropdown next to Apply this action to all conflicts, select one action to resolve all existing conflicts at once.
After conflict resolution, the device's configuration is refreshed and synchronized with the configuration stored in BIG-IQ Security.
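The conflict rule and the four Action values above can be modelled directly: a conflict is two shared objects with the same (partition, name) key but different data, and each Action decides which side wins, or renames the incoming object so both survive. The following Python is an added illustration written for this page, not BIG-IQ code; the object and rule data are constructed samples, the device name "bigip1" is made up, and the status strings are borrowed from the discovery state names listed later in this chapter purely to label the outcome. Nothing here touches a device; the "pending deploy" list stands for changes that, as the text says, are not applied until deployment.

```python
from copy import deepcopy

# Constructed sample data (not from any real device): shared objects keyed by
# (partition, name). A conflict is the same key with different data.
BIGIP_OBJECTS = {
    ("Common", "web_servers"): {"addresses": ["10.0.1.10", "10.0.1.11"]},
    ("Common", "dns_servers"): {"addresses": ["10.0.2.53"]},
    ("Common", "mgmt_hosts"): {"addresses": ["192.168.1.5"]},  # only on the BIG-IP
}
BIGIQ_OBJECTS = {
    ("Common", "web_servers"): {"addresses": ["10.0.1.10"]},  # same name, different data
    ("Common", "dns_servers"): {"addresses": ["10.0.2.53"]},  # identical, not a conflict
    ("Common", "ntp_servers"): {"addresses": ["10.0.3.123"]},  # only in BIG-IQ
}
# Constructed firewall rules on the device, referencing shared objects by key.
BIGIP_RULES = [
    {"name": "allow_web", "source": ("Common", "web_servers")},
    {"name": "allow_dns", "source": ("Common", "dns_servers")},
]


def find_conflicts(bigip, bigiq):
    """Keys present in both configuration sets whose data differs."""
    return sorted(k for k in bigip.keys() & bigiq.keys() if bigip[k] != bigiq[k])


def resolve(bigip, bigiq, device_rules, actions, device_name):
    """Apply one Action per conflict and build the updated working configuration.

    actions maps (partition, name) -> one of the four Action values; a missing
    entry means "No Action". Returns the new working configuration, the device
    rules as imported (references updated for Keep Both), the changes that would
    be written to the device at deployment, the unresolved conflicts, and a
    status label (hypothetical use of this page's state names).
    """
    working = deepcopy(bigiq)
    rules = deepcopy(device_rules)
    pending_deploy = []  # nothing reaches the device until a deployment task runs
    unresolved = []
    for key in find_conflicts(bigip, bigiq):
        partition, name = key
        action = actions.get(key, "No Action")
        if action == "Keep Both":
            # The incoming (BIG-IP) object is renamed with the device name and
            # the device's rules that referenced it are updated to the new name.
            new_key = (partition, f"{name}_{device_name}")
            working[new_key] = bigip[key]
            for rule in rules:
                if rule["source"] == key:
                    rule["source"] = new_key
            pending_deploy.append(("rename", key, new_key))
        elif action == "Keep BIG-IP Version":
            working[key] = bigip[key]  # central database takes the device's data
        elif action == "Keep BIG-IQ Version":
            # Central data stands; the device copy is overwritten at deployment.
            pending_deploy.append(("overwrite", key, working[key]))
        else:
            unresolved.append(key)  # No Action: the task cannot complete
    # Objects that exist only on the device are imported unchanged.
    for key in bigip.keys() - bigiq.keys():
        working[key] = bigip[key]
    status = "PENDING_CONFLICTS" if unresolved else "CONFLICT_RESOLUTION_COMPLETE"
    return {"working": working, "rules": rules, "pending_deploy": pending_deploy,
            "unresolved": unresolved, "status": status}


if __name__ == "__main__":
    conflicts = find_conflicts(BIGIP_OBJECTS, BIGIQ_OBJECTS)
    print("conflicts:", conflicts)
    # "Apply this action to all conflicts" is the same dict with one value for every key.
    result = resolve(BIGIP_OBJECTS, BIGIQ_OBJECTS, BIGIP_RULES,
                     dict.fromkeys(conflicts, "Keep Both"), "bigip1")
    for key in sorted(result["working"]):
        print(key, result["working"][key])
    print(result["status"], result["pending_deploy"])
```

Running the script shows why No Action leaves the task stuck and why Keep Both is the safe default when you are unsure: both objects survive, the device's rules follow the renamed copy, and the only change queued for deployment is the rename. The same comparison (`find_conflicts` over the device's current configuration and the BIG-IQ working configuration) is what a reimport reconciles; anything it reports that you have not reconciled is what a later deployment would overwrite.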

Displaying device properties

  1. To display properties for an individual device, hover over the header for that device (in the Devices panel).
  2. Click the gear icon to display and expand the panel containing device properties.

Device properties

Device properties are displayed for informational purposes and are read-only, except the Snapshot and Auto Update Framework check boxes.

Device Property: Description
Host Name: Displays the fully qualified domain name (FQDN), identified at discovery time.
Cluster Name: Displays the BIG-IP device cluster name, provided by the user at discovery time.
IP Address: Displays the IP address of the BIG-IP device, used for communication between it and the BIG-IQ Security system.
Product: Identifies the product.
Version: Identifies the version and hotfix level of the device under management.
Snapshot: Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration.
Auto Update Framework: Check box used to update the REST framework on the BIG-IP device.

About the device inventory

From the Devices panel, you can display an inventory of device properties and accompanying details for all devices under BIG-IQ Security central management. For further use, you can export this inventory to a CSV file.

Reimporting devices

Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.

Some possible reasons to reimport include:

  • Additions, deletions, or changes made to self IPs or virtual servers on the BIG-IP device.
  • Changes to policies, firewall rules, or shared objects made locally on the BIG-IP device.
  • Updates made to the BIG-IP device's software that need to be recognized by BIG-IQ Security.

If any of these changes occur, you must reimport to reconcile them with the configuration maintained on BIG-IQ Security. If you do not reconcile the changes, a subsequent deployment process will overwrite any changes made locally.

The reimport process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.

During reimport, a Remove Device button appears in the dialog box after the task has identified the device and started importing the firewall configuration. If you click Remove Device, the reimport is canceled, management authority over the device is rescinded, and the device is removed.

  1. To begin the reimport process, navigate to the Devices panel.
  2. Hover in the header for the device you want to reimport and when the gear icon appears, click it to display the expanded panel, containing device properties and actions. You cannot change any of the properties displayed on this screen, except the Snapshot check box, which is optional. To ensure that a snapshot is taken prior to import, leave the check box selected.
  3. In the expanded panel, click Reimport.
After reimport, the firewall policy for the selected device is refreshed and synchronized with the configuration stored in BIG-IQ Security.

Monitoring device health and performance

Before you can view device properties and health, you must discover at least one device.

With the BIG-IQ system, you can easily assess the health and performance of your network.

  1. Navigate to the Devices panel.
  2. Hover over the banner of the device you want to monitor and when the gear icon appears, click it to expand the panel.
  3. In the expanded panel, view health data under device properties.

About device configuration sets

Possible configuration sets for a firewall device centrally managed by the BIG-IQ Security system include:

Current configuration set
The configuration of the BIG-IP device as discovered by BIG-IQ Security. The current configuration is updated during a reimport and before calculating differences during the deployment process. After deployment (and after the resolution of any conflicting shared objects), BIG-IQ Security overwrites the BIG-IP current configuration (if the option to USE BIG-IQ is chosen).
Working configuration set
The configuration as maintained by the BIG-IQ Security system. Initially, the working configuration is created when the firewall manager elects to manage the device from BIG-IQ Security (DMA). It is the configuration that is edited on BIG-IQ Security and deployed back to BIG-IP devices.

Device discovery states

The following list shows the states that occur during the discovery process.

  • NEW
  • SUBTASK_INIT
  • LOAD_LICENSE
  • QUERY_LICENSE
  • IDENTIFY_LICENSE
  • PENDING_IDENTIFIED_DEVICE
  • IDENTIFY_DEVICE_COMPLETE
  • DELAY_REFRESH_COMPLETE
  • REFRESH_DEVICE_COMPLETE
  • QUERY_RUNNING_CONFIG
  • RUNNING_IMPORT_COMPLETE
  • RUNNING_IMPORT_RULELISTS_COMPLETE
  • RUNNING_IMPORT_FIREWALLS_COMPLETE
  • WORKING_IMPORT_COMPLETE
  • WORKING_IMPORT_RULELISTS_COMPLETE
  • WORKING_IMPORT_FIREWALLS_COMPLETE
  • PENDING_CONFLICTS
  • PENDING_CANCEL
  • CONFLICT_RESOLUTION_COMPLETE
  • IMPORT_ADDRESS_LISTS_COMPLETE
  • IMPORT_PORT_LISTS_COMPLETE
  • IMPORT_SCHEDULES_LISTS_COMPLETE
  • UPDATING_RULES_COMPLETE
  • REFRESH_RULE_LISTS_COMPLETE
  • IMPORT_RULE_LISTS_COMPLETE
  • IMPORT_RULES_COMPLETE
  • UPDATING_FIREWALLS_COMPLETE
  • IMPORT_FIREWALLS_COMPLETE
  • COMPLETE
  • FAILED
  • FAILED_MAX_EXCEEDED