Manual Chapter: Maintaining OPSWAT Libraries with a Sync-Only Device Group
Applies To: BIG-IP APM 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Overview: Updating antivirus and firewall libraries with a Sync-Only device group
This implementation describes how to upload antivirus and firewall libraries from OPSWAT to one BIG-IP Access Policy Manager® device, and to install an antivirus and firewall library to that device, or to multiple devices in a device group.
To download OPSWAT OESIS library updates, you must download the OPSWAT hotfix from the F5 Downloads site.
To synchronize installation between multiple devices, you configure a Sync-Only device group, which includes the devices between which you want to synchronize installation of updates. Device group setup requires establishing trust relationships between devices, creating a device group, and synchronizing settings.
About device groups and synchronization
When you have more than one BIG-IP device in a local trust domain, you can synchronize BIG-IP configuration data among those devices by creating a device group. A device group is a collection of BIG-IP devices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certain devices from ConfigSync, you can simply exclude them from membership in that particular device group. You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizing other data in a more granular way, on an individual application level to a subset of devices.
To configure redundancy on a device, you do not need to explicitly specify that you want the BIG-IP device to be part of a redundant configuration. Instead, this occurs automatically when you add the device to an existing device group.
Before you configure device trust
Before you configure device trust, you should consider the following:
- Only version 11.x or later systems can join the local trust domain.
- You can manage device trust when logged in to a certificate signing authority only. You cannot manage device trust when logged in to a subordinate non-authority device.
- If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group.
- As a best practice, you should configure the ConfigSync and mirroring addresses on a device before you add that device to the trust domain.
Task summary for updating and syncing OPSWAT libraries with a Sync-Only device group
The configuration process for a BIG-IP system entails adding the OPSWAT library update to one system, then installing it to that same system, or to a device group. You must pre-configure a device group to install the update to multiple systems.
Establishing device trust
Before you begin this task, verify that:
- Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
- The local device is designated as a certificate signing authority.
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group. By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially show only themselves as members of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
- On the Main tab, click.
- Click Add.
- From the Device Type list, select Peer or Subordinate.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
  - If the BIG-IP device is an appliance, type a management IP address (IPv4 or IPv6) for the device.
  - If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
  - If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, then type a cluster management IP address (IPv4 or IPv6) for the guest.
  - If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Click Retrieve Device Information.
- Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
- In the Name field, verify that the name of the remote device is correct.
- Click Add Device.
After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.
Adding a device to the local trust domain
Verify that each BIG-IP device that is to be part of a local trust domain has a device certificate installed on it.
Follow these steps to log in to any BIG-IP device on the network and add one or more devices to the local system's local trust domain. Any BIG-IP devices that you intend to add to a device group at a later point must be members of the same local trust domain.
- On the Main tab, click.
- Click Add.
- From the Device Type list, select Peer or Subordinate.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
  - If the BIG-IP device is an appliance, type a management IP address (IPv4 or IPv6) for the device.
  - If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
  - If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, then type a cluster management IP address (IPv4 or IPv6) for the guest.
  - If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
- In the Name field, verify that the name of the remote device is correct.
- Click Add Device.
After you perform this task, the local device and the device that you specified in this procedure have a trust relationship and, therefore, are qualified to join a device group.
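Both trust tasks above hinge on the step "Verify that the certificate of the remote device is correct" before you click Device Certificate Matches: that click is the point at which the local device decides whom to trust, so the fingerprint shown in the Configuration utility should be compared against one you obtained through a channel you already trust. The following is an added example, not F5 code, of doing that comparison out of band: it parses a PEM certificate, computes its fingerprint, compares fingerprints in constant time, and can fetch the certificate a management address actually presents. The sample PEM body is a constructed byte string rather than a real certificate, and the `192.0.2.10` address in the commented-out call is a placeholder.

```python
"""Out-of-band fingerprint check for the "Device Certificate Matches" step.

Added example, not F5 code. In practice you record the SHA-256 fingerprint
of the remote device's certificate from a channel you already trust (for
example, an existing admin session on that device) before you add it to
the local trust domain, then compare it with what the peer presents."""
import base64
import hashlib
import hmac
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the form openssl and most
    management UIs display."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(expected: str, actual: str) -> bool:
    """Compare two fingerprints regardless of case or separators, in
    constant time so the comparison itself leaks nothing."""
    def norm(fp: str) -> str:
        return re.sub(r"[^0-9a-f]", "", fp.lower())
    return hmac.compare_digest(norm(expected), norm(actual))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate a management address presents on its TLS port.

    Device certificates are usually self-signed, so chain validation is
    switched off here on purpose: the trust decision is made by comparing
    the fingerprint against the out-of-band value, not by a CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_remote_device(host: str, expected_fp: str) -> bool:
    """True only if the certificate presented at host matches expected_fp."""
    return fingerprints_match(expected_fp, fingerprint(fetch_presented_cert(host)))


# Constructed sample: an arbitrary byte string standing in for DER, wrapped
# in PEM the way a certificate file would be. Not a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA-256 fingerprint:", fp)
    print("matches itself:", fingerprints_match(fp, fp.lower().replace(":", "")))
    # verify_remote_device("192.0.2.10", fp)  # placeholder address; needs network
```

Run `verify_remote_device` from an admin workstation against each management address you are about to add, with the fingerprint obtained from the device itself; only proceed with Device Certificate Matches when it returns True.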
Creating a Sync-Only device group
You perform this task to create a Sync-Only type of device group. When you create a Sync-Only device group, the BIG-IP system can then automatically synchronize configuration data in folders attached to the device group (such as security policies and acceleration applications) with the other devices in the group, even when some of those devices reside in another network.
You perform this task on any one BIG-IP device within the local trust domain; there is no need to repeat this process on the other devices in the device group.
- On the Main tab, click.
- Find the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
- From the Partition list, pick partition Common.
- On the Device Groups list screen, click Create. The New Device Group screen opens.
- Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
- From the Configuration list, select Advanced.
- For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Includes list. The list shows any devices that are members of the device's local trust domain.
- For the Full Sync setting, specify whether the system synchronizes the entire configuration during synchronization operations:
  - Select the check box when you want all sync operations to be full syncs. In this case, every time a config sync operation occurs, the BIG-IP system synchronizes all configuration data associated with the device group. This setting has a performance impact and is not recommended for most customers.
  - Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
  If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
- In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
- Click Finished.
You now have a Sync-Only type of device group containing BIG-IP devices as members.
Uploading an OPSWAT update to Access Policy Manager
When new updates to OPSWAT antivirus and firewall libraries are made available, you can add these updates to the BIG-IP system. To upload an update to the BIG-IP system, you must first download the OPSWAT hotfix from the F5 Downloads site.
- On the Main tab, click. The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
- Click the Upload button to add an OPSWAT update. The Upload Package screen appears.
- Click Browse and select an OPSWAT package ZIP file to upload.
- Select an install option from the list.
  - Select Do Not Install to upload the package to the local device, but without installing the OPSWAT package on the system.
  - Select Install on this device to upload the package to the local device, and then install the OPSWAT package on this device.
  - Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
- Click OK.
The OPSWAT package file is added to the list on the Antivirus Check Updates screen. You can install or delete OPSWAT packages from this page.
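The package you upload here is pushed, by the next task, to every device in the group, so it is worth confirming before the upload that the ZIP you downloaded is the one F5 published and that it is a well-formed archive. The following is an added example, not F5 code, of such a pre-upload check: it compares the file's digest with the value copied from the download page (whichever digest algorithm that page shows is passed as `algorithm`), verifies the ZIP's CRCs, and refuses archives whose member paths would escape an extraction directory. The sample package built in the block is a constructed stand-in with invented member names, not the real layout of an OPSWAT package.

```python
"""Integrity and sanity check for a downloaded OPSWAT hotfix ZIP, run before
the package is uploaded on the Antivirus Check Updates screen.

Added example, not F5 code. It assumes you copied the digest published
beside the download on the F5 Downloads site; the digest algorithm varies,
so it is a parameter. The sample package below is constructed for the
example and its member names are placeholders."""
import hashlib
import hmac
import io
import posixpath
import zipfile


def digest_of(data: bytes, algorithm: str = "sha256") -> str:
    """Lower-case hex digest of the package bytes."""
    return hashlib.new(algorithm, data).hexdigest()


def unsafe_member(name: str) -> bool:
    """True for names that would escape the extraction directory (zip slip):
    absolute paths, backslash paths, or any '..' component."""
    return posixpath.isabs(name) or "\\" in name or ".." in name.split("/")


def verify_package(data: bytes, expected_digest: str, algorithm: str = "sha256") -> list:
    """Return the member names of a package that passes every check; raise
    ValueError describing the first failure otherwise."""
    actual = digest_of(data, algorithm)
    if not hmac.compare_digest(actual, expected_digest.strip().lower()):
        raise ValueError(f"digest mismatch: expected {expected_digest}, got {actual}")
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not a ZIP archive")
    with zipfile.ZipFile(buf) as zf:
        bad = zf.testzip()  # CRC check of every member
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        names = zf.namelist()
    for name in names:
        if unsafe_member(name):
            raise ValueError(f"unsafe member path: {name}")
    return names


def is_package_ok(data: bytes, expected_digest: str, algorithm: str = "sha256") -> bool:
    """Boolean wrapper around verify_package for scripting."""
    try:
        verify_package(data, expected_digest, algorithm)
        return True
    except ValueError:
        return False


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP with fixed timestamps so its digest is stable.
    Used only to construct sample packages for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, payload)
    return buf.getvalue()


# Constructed sample package; these member names are placeholders.
SAMPLE_PACKAGE = build_zip({"manifest.txt": b"constructed", "lib/readme.txt": b"sample"})

if __name__ == "__main__":
    # digest_of() stands in for the value copied from the download page
    expected = digest_of(SAMPLE_PACKAGE)
    print("members:", verify_package(SAMPLE_PACKAGE, expected))
    print("tampered copy accepted:", is_package_ok(SAMPLE_PACKAGE + b"x", expected))
```

For a real download, read the file with `open(path, "rb").read()` and pass the digest string from the download page as `expected_digest`; a `ValueError` from `verify_package` names the first check that failed.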
Installing an OPSWAT update on one or more Access Policy Manager devices
After you have uploaded an OPSWAT antivirus and firewall library update to the BIG-IP system, you can install the update to one or more BIG-IP systems in a device group.
- On the Main tab, click. The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
- Double-click an OPSWAT package to view details about the update and included firewall or antivirus libraries.
- Select an OPSWAT package and click Install. The Install Package screen opens.
- Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
- Click OK.
The OPSWAT update is installed on the selected systems. You can view the installed and available OPSWAT versions on the screen.
Viewing supported products in the installed OPSWAT EPSEC version
You can always view details about any installed OPSWAT version, including supported antivirus, firewall, anti-spyware, hard disk encryption, peer-to-peer software, patch management software, and Windows Health Agent features for supported platforms.
- To view the details for the current device group:
  - Click the F5 logo to go to the start (Welcome) page.
  - In the Support area, click the OPSWAT application integration support charts link. The OPSWAT Integration web page opens in a new browser tab or window. By default, this page shows Antivirus Integration for Windows.
  - From the lists at the top of the screen, select the page to view. You can select the supported EPSEC feature, and you can select to view supported products for Windows, Mac, or Linux.
  - Click the Show button to view the list of supported products for the type and platform you selected.
- To view the details for another device group or another OESIS version:
  - On the Main tab, click. The Package Status screen displays a list of OPSWAT packages available on the device.
  - Click the Device EPSEC Status button. The Device EPSEC Status screen appears and shows the installed OPSWAT version.
  - To select a different device group on which to view the installed OPSWAT version, select the device group from the Local Device/Device Group list.
  - Under Installed OESIS version, click the version number for which you want to view the OPSWAT features chart. The OPSWAT Integration web page opens in a new browser tab or window. By default, this page shows Antivirus Integration for Windows.
  - From the lists at the top of the screen, select the page to view. You can select the supported EPSEC feature, and you can select to view supported products for Windows, Mac, or Linux.
  - Click the Show button to view the list of supported products for the type and platform you selected.
Implementation result
To summarize, you now have uploaded an OPSWAT update to one BIG-IP® system, and installed it to one system, or to multiple systems in a device group.
You can view the installed and available OPSWAT versions on the screen.