Manual Chapter : Security Deployment Best Practices
Applies To:Show Versions
BIG-IQ Centralized Management
Security Deployment Best Practices
Understanding roles required for deploying
When you want to deploy a Web Application Security configuration, or a Network Security configuration, you need to use one of the following built-in roles.
- To deploy Network Security or Web Application Security configurations, use an account with the Security Manager role.
- To deploy only Network Security configurations, use an account with the Security Manager, Network Security Manager, or Network Security Deployer roles.
- To deploy only Web Application Security configurations, use an account with the Security Manager, Web App Security Manager, or Web App Security Deployer roles.
For more information on roles, refer to the role descriptions on the Roles screen () or refer to
F5 BIG-IQ® Centralized Management: Authentication, Roles, and User Managementon
Verifying firewall rules have compiled on all BIG-IP devices
Once a firewall deployment has completed successfully,
Check Rule Compilationis enabled on the View Deployment screen.
Check Rule Compilationto verify that your firewall rules are active on the BIG-IP devices to which you deployed those rules.
- On the Deployments screen, click the name of the deployment that contains the firewall rules you want to verify.The View Deployment screen for that deployment displays.
- On the View Deployment screen, clickCheck Rule Compilationto determine if rules have been compiled on all the BIG-IP devices in the firewall deployment.The rule compilation status and last activation time for each BIG-IP device included in the deployment are listed in a popup.
- Verify that the last activation time for each BIG-IP device is after the end time of the BIG-IQ deployment task to ensure that firewall rules have been compiled on each BIG-IP devices. You can repeat this step multiple times.Review the following considerations when usingCheck Rule Compilation:
- Be aware of any time differences, due to time zones and so on, between the BIG-IQ system and the BIG-IP device.
- BIG-IP device versions earlier than 11.5.1 HF4 do not support the compilation statistics used by this feature and will display the message,Compilation stats not provided for this version of BIG-IP.
- If the Check Rule Compilation feature is used with an older deployment, where the state of the BIG-IP device has changed since the deployment, the status returned will include all active firewall rule changes on the BIG-IP device since the deployment.
- If the Check Rule Compilation feature returns the messageLocal Last Activation Timeor the messageNo stats found on device, then the state of the BIG-IP device has changed since the deployment, and compilation statistics have been reset. This can be caused by a reboot of the BIG-IP device.
Reviewing deployment process states to diagnose problems
When a firewall security policy or a web application security policy is deployed, that policy goes through several deployment states. Reviewing these states may be useful in understanding what occurred during deployment in order to diagnose a problem. Note that not all states may appear in the log, since what states are displayed depends on how the deployment was processed.
restjavad.n.logfile to view deployment states for either a firewall security policy or a web application security policy.
Device deployment states
This table displays states that can occur during the deployment process, and a brief description of each state.
Licenses for BIG-IQ systems are checked to be valid.
Verifies that no tasks are running that could cause errors during deployment. Tasks that could cause errors include:
Finds all devices managed by the BIG-IQ Security system.
Determines whether the devices to be deployed are available.
Determines if any devices included in the deployment are part of a cluster, and if so, verifies that both devices in the cluster are configured with the same sync mode and sync failover group on the BIG-IP device.
Using the SOAP API, refreshes the current configuration for all devices included in the deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
Using the REST API, refreshes the current configuration for all devices included in deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
Creates a snapshot of the working configuration.
Generates the differences between the snapshot taken and the current configuration.
Verifies that devices to be deployed do not have configuration problems that could lead to deployment errors.
Finds all devices managed by Shared Security objects. These devices are considered to be child deployments of a parent firewall security or web application security deployment.
Starts the deployment of devices managed by Shared Security objects.
Waits for deployment of devices managed by Shared Security objects to complete.
Cleans up processing artifacts from the previous evaluation.
Distributes changes to devices identified as being in a cluster by the
LOOKUP_CLUSTERSprocess and that are configured to use the BIG-IP Device Service Clustering (DSC) to keep the BIG-IP devices synchronized.
Distributes configuration changes to the specified devices.
Using the SOAP API, distributes configuration changes to the specified devices.
Using the REST API, distributes configuration changes to the specified devices.
Inserts any newly-added objects directly into the current configuration to that the BIG-IQ system will already know about those objects on the next refresh of the current configuration.
Indicates the deployment process has completed.