Manual Chapter: Managing BIG-IP Devices

Applies To: BIG-IQ Security 4.5.0

About device discovery

About device discovery: BIG-IQ Network Security

The process of importing a firewall device's configuration or designating a firewall device for central management by BIG-IQ Network Security is called discovery.

After discovery, BIG-IQ Network Security provides a way to view device properties and to perform device-specific and firewall-specific actions through a centralized management platform.

The BIG-IQ Security Devices panel displays user-defined and system-defined groups and imported BIG-IP devices.

Note: Groups are simply a way to group devices visually and manage them more efficiently.

Before discovering devices and importing firewalls, you must install specific components required by the BIG-IQ system on each BIG-IP device you want to manage. Installing these components results in a framework that supports the required Java-based management services.

To view all devices under management, in BIG-IQ Network Security, navigate to the Devices panel.

To display only those items related to the specific device, hover over the device and when the gear icon appears, click it. Then, you can select Properties to display properties or Show Only Related Items to filter by device.

About device discovery: BIG-IQ Web Application Security

The process of designating a device for central management by BIG-IQ Web Application Security is called discovery. Once a BIG-IP device is discovered, all security policies and virtual servers on the device come under management by the BIG-IQ system.

For each discovered device, the system creates an extra virtual server to hold all policies not related to any virtual server in the discovered device.

After discovery, BIG-IQ Web Application Security enables a view of devices and properties, policies, and virtual servers associated with those devices, and a way to perform device-specific and policy-specific actions.

To view all devices under management, in BIG-IQ Web Application Security, navigate to the Devices panel.

About declaring management authority

The process of bringing a device under central management is known as declaring management authority (DMA). The firewall administrator initiates DMA through device discovery and import (or reimport).

The DMA process is modal. Once the process starts, you are blocked from performing any other tasks or interacting with BIG-IQ Security in any way until the process is complete or canceled. Before starting a discovery or reimport process, it is important to understand how you will resolve any conflicts that arise.

Note: In this scenario, a conflict is defined as two configuration objects (such as policies) in the same partition having the same name, but containing different data.

Discovering devices on BIG-IQ Network Security

Before discovering BIG-IP devices, ensure that the required BIG-IQ components are installed on those devices. For details, consult the BIG-IQ-Device: Device Management section on installing required BIG-IQ components on managed devices.

You can perform device discovery to bring a BIG-IP device under central management. Once a device is under central management, the device's configuration is stored in the BIG-IQ Security database, which is the authoritative source for all configuration objects. After that occurs, do not manage the firewall device locally unless there is an exceptional need. Otherwise, changes made locally could be overwritten on the next deployment task.

During discovery, a Remove Device button appears after the task has identified the device and started importing the firewall configuration. If you click Remove Device at this point, the import is canceled and management authority over the device is rescinded. Subsequently, the device is removed.

  1. Navigate to the Devices panel.
  2. Hover over the Devices header and click the + icon to display the available options (New Device and New Group).
  3. Click New Device.
  4. Complete the property fields as required.
    IP Address
      Type the BIG-IP device self IP address or management IP address.
      Note: Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP self IP address for discovery.
    Cluster Name
      Type a name for the cluster. Optional, but highly recommended if the BIG-IP device is in a config sync relationship with other BIG-IP devices.
      The cluster name will create a new group if one does not exist, or add the device to an existing cluster group if it does exist. For more information, consult the sections on managing groups in this guide.
    User Name
      Type the user's login name. For example: admin.
    Password
      Type the password for this user.
    Snapshot
      Ensure that this check box is selected (the default) to take a snapshot of the configuration on the BIG-IP device before importing.
      BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. Thus, at any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working configuration edits back to a BIG-IP device.
    Update Framework
      Select the Update Framework on Discovery check box to update the REST framework installed on the BIG-IP device.
      Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this check box.
    Root User Name
      If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the discovery process. Type the root user name, which is root by default.
    Root Password
      If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the discovery process. Type the root password.
  5. Click Add. A popup screen opens prompting for confirmation.
After discovery, the BIG-IP device is listed in the Devices panel by its FQDN and internal self IP address. By default, the device is added to the Firewall group. If a cluster group is specified, it is added to the specified cluster group. Also, the system lists the snapshot of the working configuration taken during import in the Snapshots panel. The system imports any firewall policies on this device and makes them available for configuration management.

Discovering devices on BIG-IQ Web Application Security

You perform device discovery to bring a BIG-IP device under central management. Once a device is under central management, information about the device and objects stored on the device are located in the BIG-IQ database, which is the authoritative source for all configuration objects.

Note: Do not manage the BIG-IP device locally. If you make changes locally, you (or another Administrator) might overwrite those changes when performing a deployment from the BIG-IQ system.
  1. Navigate to Security > Web Application Security > Overview.
  2. Hover over the Devices header, click the + icon to display the available options (New Device and New Group), and click New Device.
  3. Complete the property fields as required.
    Device Address
      Type the IP address for the BIG-IP device.
      Note: Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery fails. F5 recommends that you use a BIG-IP system self IP address for discovery.
    User Name
      Type the user's login name. For example: admin.
    Password
      Type the password for this user.
    Update on Discovery
      Select this check box to force an update of the REST framework on the BIG-IP device.
      Certain BIG-IQ system components should be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework that supports the required Java-based management services. If this box is checked, the discovery process updates all system components automatically.
    Root Username
      If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the discovery process. Type the root user name, which is root by default.
    Root Password
      If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the discovery process. Type the root password.
  4. Click Add. A popup screen opens prompting for confirmation.
  5. Click Yes. Another popup screen takes its place, showing you the status of the discovery as it occurs.
After discovery, the BIG-IP device is listed in the Devices panel, and any discovered virtual servers and Web Application Security policies are listed in the other panels.

About conflict resolution

A conflict is found when two objects of the same type have the same name but contain different data. Thus, an address list named list1 and a port list named list1 would not be in conflict.

Note: An object is defined as an address list, port list, rule list, policy, or schedule.

Conflicts prevent processes from running to completion.

Note: It is the responsibility of the administrator to know how to resolve conflicts between shared objects, and to deploy the resolution. If you encounter conflicts during discovery, import, reimport, or deployment, you must resolve those conflicts before you can interact further with BIG-IQ Security.

If conflicts are found, BIG-IQ Security displays the Resolve Conflicts dialog box, which lists all conflicts found, displays detailed differences for conflicting shared objects, and provides for conflict resolution. The Resolve Conflicts dialog box may be displayed two times: once for Network Security objects, and once for Shared Security objects.

Although conflict resolution often results in changes to either the BIG-IP configuration or the BIG-IQ configuration, no changes are applied until they are deployed. You can deploy changes when a deployment task displays a status of READY TO DEPLOY.

Resolving conflicts

After importing or reimporting a BIG-IP device, you can use the Resolve Conflicts dialog box to view the differences between configurations, and to resolve conflicts.
  1. Navigate to the Devices panel.
  2. Hover over the name of the device you want to import/reimport and when the gear icon appears, click it to display the expanded screen. You can modify only a few of the properties displayed.
    Host Name
      Fully-qualified domain name (FQDN), identified at time of discovery.
    Cluster Name
      BIG-IP device cluster name, provided at time of discovery.
    IP Address / Management Address
      IP address for the communication route to the BIG-IQ system internal self IP address.
      Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP system self IP address for discovery.
    Product
      Product identity.
    Version
      Version and hotfix level of the device under management.
    Status (BIG-IQ Web Application Security)
      Active.
    Snapshot
      Check box used to take a snapshot of the configuration on the BIG-IP device before importing (the default).
    Username
      Administrative login name. For example: admin.
    Password
      Administrative password for this user.
    Update Framework
      Check box used to update the REST framework installed on the BIG-IP device.
      Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this Update On Save check box.
    Root Username
      If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the reimport process. Type the root user name, which is root by default.
    Root Password
      If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the reimport process. Type the root password.
  3. In the Device Properties screen, click Add/Reimport.
  4. When the Conflict Resolution dialog box opens, the conflicting shared objects are highlighted in the upper half of the dialog box. Click the shared object to view details in the lower half of the dialog box. The object's configuration on the BIG-IP device is displayed on the left and the object's configuration on BIG-IQ Security is displayed on the right. A gray area indicates that a line has been removed. Yellow indicates that a line has changed, and green indicates that a line has been added or modified. The Resolve Conflicts dialog box also provides a Cancel Task button. If you click Cancel Task, the reimport is canceled. Management authority over the device, if established, is not rescinded, and the device is not removed.
  5. Examine differences. From the Action list, select one of the following for each object in conflict:
    Keep BIG-IQ Version
      Keep the object as configured on BIG-IQ Security, and overwrite the object as configured on the BIG-IP device.
    Keep BIG-IP Version
      Keep the object as configured on the BIG-IP device, and overwrite the object as configured in the central BIG-IQ Security database.
  6. Alternately, from the Apply this action to all conflicts: list, select an action to resolve all existing conflicts.
After conflict resolution, the device's configuration is refreshed and synchronized with the configuration stored in BIG-IQ Security.
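The conflict rule (same object type, same partition, same name, different data) and the two resolution actions from the Action list, worked through as an added Python example that is not part of this manual and not BIG-IQ's own code. Representing an object as a type, partition, name and normalized member tuple is an assumption made here, as are the names SecObject, find_conflicts, diff_members and resolve.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Object types the chapter names as subject to conflict detection.
OBJECT_TYPES = ("address-list", "port-list", "rule-list", "policy", "schedule")
ACTIONS = ("keep-bigiq", "keep-bigip")  # the two choices in the Action list
Key = Tuple[str, str, str]


@dataclass(frozen=True)
class SecObject:
    kind: str               # one of OBJECT_TYPES
    partition: str          # e.g. "Common"
    name: str
    data: Tuple[str, ...]   # normalized members; order is not significant

    def key(self) -> Key:
        # Conflict identity is type + partition + name, so an address list
        # and a port list both called list1 never collide.
        return (self.kind, self.partition, self.name)

    def same_data(self, other: "SecObject") -> bool:
        return sorted(self.data) == sorted(other.data)


def index_objects(objs: Iterable[SecObject]) -> Dict[Key, SecObject]:
    idx: Dict[Key, SecObject] = {}
    for obj in objs:
        if obj.kind not in OBJECT_TYPES:
            raise ValueError(f"unknown object type: {obj.kind}")
        if obj.key() in idx:
            raise ValueError(f"duplicate object in one configuration: {obj.key()}")
        idx[obj.key()] = obj
    return idx


def find_conflicts(bigip_cfg: Iterable[SecObject],
                   bigiq_cfg: Iterable[SecObject]) -> List[Tuple[SecObject, SecObject]]:
    """Pairs (BIG-IP version, BIG-IQ version) that would block an import."""
    ip_idx, iq_idx = index_objects(bigip_cfg), index_objects(bigiq_cfg)
    shared = sorted(ip_idx.keys() & iq_idx.keys())
    return [(ip_idx[k], iq_idx[k]) for k in shared if not ip_idx[k].same_data(iq_idx[k])]


def diff_members(device: SecObject, bigiq: SecObject) -> Dict[str, List[str]]:
    """Detail view for one conflict: members present on only one side."""
    dev, iq = set(device.data), set(bigiq.data)
    return {"only_on_bigip": sorted(dev - iq), "only_on_bigiq": sorted(iq - dev)}


def resolve(conflicts: List[Tuple[SecObject, SecObject]],
            actions: Dict[Key, str],
            apply_to_all: Optional[str] = None) -> Dict[str, List[SecObject]]:
    """State each side will hold once the deployment task runs.

    actions maps an object key to an action; apply_to_all overrides every
    entry, like the dialog's 'Apply this action to all conflicts' list.
    Nothing is written to either side before that deployment.
    """
    result: Dict[str, List[SecObject]] = {"bigip": [], "bigiq": []}
    for device, bigiq in conflicts:
        action = apply_to_all or actions.get(device.key())
        if action not in ACTIONS:
            raise ValueError(f"unresolved conflict: {device.key()}")
        winner = bigiq if action == "keep-bigiq" else device
        result["bigip"].append(winner)   # overwritten on the device ...
        result["bigiq"].append(winner)   # ... or in the BIG-IQ database
    return result


if __name__ == "__main__":
    # Constructed sample: the same address list on both sides, different members.
    device_side = [SecObject("address-list", "Common", "list1", ("10.0.0.0/8", "192.168.1.5"))]
    bigiq_side = [SecObject("address-list", "Common", "list1", ("10.0.0.0/8",))]
    for dev, iq in find_conflicts(device_side, bigiq_side):
        print(dev.key(), diff_members(dev, iq))
```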

About BIG-IQ Security configuration sets

BIG-IQ Security systems use the following terminology to refer to firewall configuration sets for a centrally-managed device:

Current configuration set
The configuration of the BIG-IP device as discovered by BIG-IQ Security. The current configuration is updated during a reimport/rediscovery and before calculating differences during the deployment process. After deployment (and after the resolution of any conflicting shared objects), BIG-IQ Security overwrites the BIG-IP current configuration (if the option Keep BIG-IQ Version is chosen).
Working configuration set
The configuration as maintained by the BIG-IQ Security system. Initially, the working configuration is created when the firewall manager elects to manage the device from BIG-IQ Security (DMA). It is the configuration that is edited on BIG-IQ Security and deployed back to BIG-IP devices.

Configuring devices to accept traffic

When using the BIG-IP device's self IP address during discovery, you must configure that device to accept traffic from a BIG-IQ Security system. Specifically, if the BIG-IP device has the Virtual Server & Self IP Contexts option set to Reject or Drop, the BIG-IP device will not accept traffic from the BIG-IQ system. Use the following procedure to set this option to Accept.

Alternately, you can add a rule to handle traffic between the self IP addresses of the BIG-IQ Security system and the self IP addresses of the specific BIG-IP device being discovered. In this scenario, you can leave the Virtual Server & Self IP Contexts option set to Reject or Drop.

In this case, ensure the following ports remain open:

  • 22 (SSH, TCP protocol)
  • 443 (HTTPS, TCP protocol)
  • 4353 (iQuery, TCP protocol)
Note: Whichever scenario you choose, configure the BIG-IP device to allow traffic to/from the self IP addresses of both BIG-IQ nodes in a BIG-IQ HA pair.
  1. On the BIG-IP device, on the Main tab, click Security > Options > Network Firewall.
  2. From the Virtual Server & Self IP Contexts list, select Accept.
  3. Click Update.
Packets with BIG-IQ Security as the source are then able to pass through the BIG-IP firewall and traverse the system.
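As an added example (not from this manual and not BIG-IQ's own tooling), the following Python script checks from a BIG-IQ node that the three ports listed above are reachable on the BIG-IP self IP chosen for discovery; run it on each node of a BIG-IQ HA pair before starting discovery. The address 192.0.2.10 is a documentation placeholder, and open_local_listener exists only so the check can be exercised offline.

```python
import socket
import sys
from typing import Dict, Iterable

# Ports the chapter says must stay open between the BIG-IQ self IPs and the
# self IP of the BIG-IP device being discovered, with the service named for each.
DISCOVERY_PORTS: Dict[int, str] = {22: "SSH", 443: "HTTPS", 4353: "iQuery"}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.
    A firewall Reject typically shows up as an immediate refusal, a Drop as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_discovery_ports(host: str, ports: Iterable[int] = DISCOVERY_PORTS,
                          timeout: float = 3.0) -> Dict[int, bool]:
    return {port: tcp_open(host, port, timeout) for port in ports}


def discovery_ready(results_per_node: Dict[str, Dict[int, bool]]) -> bool:
    """True only when every BIG-IQ node (both members of an HA pair) reaches
    every required port; results_per_node maps a node label to its results."""
    return bool(results_per_node) and all(
        all(res.get(port, False) for port in DISCOVERY_PORTS)
        for res in results_per_node.values())


def report(host: str, results: Dict[int, bool]) -> str:
    return "\n".join(
        f"{host}:{port} ({DISCOVERY_PORTS.get(port, 'other')}) "
        f"{'open' if ok else 'BLOCKED'}"
        for port, ok in sorted(results.items()))


def open_local_listener() -> socket.socket:
    """Offline self-test helper: a listening socket on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; pass the real BIG-IP self IP as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_discovery_ports(target)
    print(report(target, results))
    # Exit 1 if anything is blocked so the check can gate an automated run.
    sys.exit(0 if discovery_ready({socket.gethostname(): results}) else 1)
```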

Displaying device properties

You can display properties and health and performance statistics for an individual device to assist in identifying potential trouble spots.
  1. In the Devices panel, hover over the name of the device you want to examine until the gear icon appears, then display the properties in one of these ways:
    • Select Show Properties from the sub-menu.
    • Click the gear icon to expand the panel.
  2. Review the statistics in the properties screen for that device.

Device properties

Device properties are displayed mostly for informational purposes and are read-only, except for the check boxes.

Device Address
  IP address for the BIG-IP device entered at time of discovery and used for communication between the device and the BIG-IQ system.
Host Name
  Fully-qualified domain name (FQDN), identified at discovery time.
Cluster Name
  BIG-IP device cluster name, provided at discovery time.
IP Address / Management Address
  IP address for the communication route to the BIG-IQ system internal self IP address. Each managed device must be configured with a communication route from its internal self IP or management IP address to a BIG-IQ system internal self IP address on a configured BIG-IP VLAN. Otherwise, discovery fails. F5 recommends that you use a self IP address (on the BIG-IP device) to gain access to additional functionality that is not provided through the management port.
Username
  User's login name. For example: admin.
Password
  User's password.
Product
  Identifies the product.
Version
  Identifies the version and hotfix level of the device under management.
Status (BIG-IQ Web Application Security)
  Status of the device under management (Active or Standby).
Snapshot
  Check box used to invoke a snapshot prior to reimporting the BIG-IP device's working configuration.
Update Framework
  Check box used to update the REST framework on the BIG-IP device on discovery or on save.
Check to overwrite the source of imported policies that already exist
  Check box used to determine whether the discovery process overwrites the source of imported policies already on the BIG-IQ system.
Signature file Version
  Identifies the BIG-IP version that the Attack Signature Database is packaged with.
Root Username
  If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the discovery process. Enter the root user name, which is root by default.
Root Password
  If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the discovery process.

Displaying the device inventory

From the BIG-IQ Network Security Devices panel, you can display an inventory with accompanying details for all devices under BIG-IQ Network Security central management. For further use, you can export this inventory to a CSV file.
  1. Navigate to the Devices panel.
  2. Hover over the name of the device for which you want to view an inventory.
  3. When the right-pointing arrow appears, click it to read inventory details.
    Name
      Fully-qualified domain name (FQDN) for the BIG-IP device.
    Marketing Name
      For example, BIG-IP Virtual Edition.
    Product
      Product identity. For example, BIG-IP.
    Version
      Version and hotfix level of the device under management.
    Build
      Build level of the device under management.
    Mgmt IP Address
      Management IP address for the BIG-IP device, used to manage the device.
    License
      License end date and end time, registration key, and a list of active modules.
    Slots
      For each slot, a listing of volume label, product occupying the slot, version, build, and cluster status (active, standby).
    Network Interfaces
      Configured network interfaces.
    Serial Number
      Serial number for the BIG-IP device.
    Mac Address
      MAC address for the BIG-IP device.
    CPU Info
      Manufacturer and technical details. For example, Intel(R) Xeon(R) CPU X5660 @ 2.80GHz.
    Memory (MB)
      Memory on the BIG-IP device.
    Platform
      For example, Z100.
    HAL ID
      For example, 4208f88e-3f9e-0d7e-b75e-ca1dc2dd630c.
    UUID
      Universally unique identifier. For example, 6b8bf5ef-bcb0-4d1b-b61f-8c95f70475a8.
  4. To exit from the inventory, click Close.

About device reimport/rediscovery

Once configurations are in sync between BIG-IP devices and the BIG-IQ Security system, there is seldom a need to reimport a BIG-IP device.

Some possible reasons to reimport include:

  • Additions, deletions, or changes made to management IPs or virtual servers on the BIG-IP device.
  • Changes to policies, firewall rules, shared objects, or signature files made locally on the BIG-IP device.
  • Updates made to the BIG-IP device's software that need to be recognized by BIG-IQ Security.

If any of these reasons occur, you must reimport/rediscover to reconcile any changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.

The reimport/rediscovery process is modal. Once reimport starts, the process blocks you from performing any other tasks or interacting with BIG-IQ Security in any way until the process completes or is canceled.

During reimport/rediscovery, a Remove Device button appears in the dialog box after the task has identified the device and started the import process. If you click Remove Device, the reimport/rediscovery is canceled, management authority over the device is rescinded, and the device is removed.

Reimporting or rediscovering devices

You reimport/rediscover BIG-IP devices to reconcile any configuration changes with the configuration maintained on BIG-IQ Security. If you do not reconcile changes, a subsequent deployment process will overwrite any changes made locally.

  1. Navigate to the Devices panel.
  2. Hover over the name of the device you want to import/reimport and when the gear icon appears, click it to display the expanded screen. You can modify only a few of the properties displayed.
    Host Name
      Fully-qualified domain name (FQDN), identified at time of discovery.
    Cluster Name
      BIG-IP device cluster name, provided at time of discovery.
    IP Address / Management Address
      IP address for the communication route to the BIG-IQ system internal self IP address.
      Each managed device must be configured with a communication route from its self IP address or management IP address to a BIG-IQ system self IP address. Otherwise, discovery will fail. F5 recommends that you use a BIG-IP system self IP address for discovery.
    Product
      Product identity.
    Version
      Version and hotfix level of the device under management.
    Status (BIG-IQ Web Application Security)
      Active.
    Snapshot
      Check box used to take a snapshot of the configuration on the BIG-IP device before importing (the default).
    Username
      Administrative login name. For example: admin.
    Password
      Administrative password for this user.
    Update Framework
      Check box used to update the REST framework installed on the BIG-IP device.
      Certain BIG-IQ system components must be installed and kept up-to-date on all BIG-IP devices brought under central management. These components provide a REST framework on the BIG-IP devices that supports the required Java-based management services. To ensure the framework is up-to-date, select this Update On Save check box.
    Root Username
      If the framework on the target BIG-IP device must be updated, you must specify the root user name as part of the reimport process. Type the root user name, which is root by default.
    Root Password
      If the framework on the target BIG-IP device must be updated, you must specify the root password as part of the reimport process. Type the root password.
  3. In the Device Properties screen, click Add/Reimport.
After reimport/rediscovery, the configuration for the selected device is refreshed and synchronized with the configuration stored in BIG-IQ Security.

Monitoring device health and performance

Before you can view device properties, health, and performance, that device must be under central management.
You can assess the health and performance of your network to provide early intervention for trouble spots.
  1. Navigate to the Devices panel.
  2. To display properties and health and performance statistics for an individual device, hover over the name for that device (in the Devices panel).
  3. When the gear icon appears, select Show Properties or click the gear to expand the panel.
  4. Scroll past the properties to examine the health and performance statistics for this device.