Manual Chapter : Managing a BIG-IQ System

Applies To:

BIG-IQ Centralized Management

  • 6.1.0

BIG-IQ navigation overview

F5 BIG-IQ® Centralized Management includes navigation, search tools, and a customizable user interface to help you complete your tasks efficiently and find objects easily.
  • Customized interactions with System and Network Security views
    There are a few customizable viewing options for the System and Network Security views. You can specify the amount of time that passes before BIG-IQ logs you out when the system is idle and what screen displays when you log back in. If you're using the Network Security service, you can specify what types of firewalls are displayed in the menu, have rule lists in policies auto expand, treat terms you search for as a filter, and specify default values for columns.
  • Global search, related content, and preview pane
    BIG-IQ has a robust and interactive global search feature that allows you to easily find specific content and related content. From any screen, you can click the magnifying glass icon in the upper-right corner of the screen and type a search string. Search results are grouped by content type. From the results, you can click an object to go directly to that object's properties screen in BIG-IQ.
  • Flexible access to objects and configuration options
    For some objects, you can view and edit settings that are located in other places in the user interface, without having to stop what you're doing and navigate to another part of BIG-IQ. For example, you could be editing a firewall policy and find an address list in the toolbox that you want to look at. Right there, you can click the address to access the details, and then view or edit it as you want.
    You can also configure some types of objects from different places in BIG-IQ, depending on what your user role is or what work flow you're in. For example, you can create an access group from the Configuration area of BIG-IQ, as well as from the Devices area. This makes it convenient for you to access during other tasks you're doing in different areas of BIG-IQ.
  • Filters
    For each screen that contains a list, you can use a context-sensitive filter to search on a term, and then narrow your search further to view only those items that are relevant to you at the moment. For example, say you wanted to see local traffic and network audit logs. You can use the search on local traffic, and further refine what is displayed by filtering again on network audit logs.
  • Customization and sorting columns
    You can customize the columns that display in each screen that has a list, hiding any information that isn't important to you, as well as rearrange the order the columns display, and sort objects in the list. This helps you to focus on only those attributes that are relevant to you.

BIG-IQ Centralized Management documentation set

The BIG-IQ Centralized Management documentation set is located on AskF5 at https://support.f5.com. Click the Product Manuals link under Resources, select BIG-IQ Centralized Management from the product list, and select the appropriate version.
Title: F5 BIG-IQ Centralized Management Virtual Editions Setup guides
Use to: Set up BIG-IQ Virtual Edition (VE) as a guest in a virtual environment using supported hypervisors.

Title: Planning and Implementing an F5 BIG-IQ Centralized Management Deployment
Use to: Plan deployment, license, and set up the BIG-IQ system in your network.

Title: F5 BIG-IQ Centralized Management: Core Concepts
Use to: Find out more about the concepts behind the core functionality included with BIG-IQ Centralized Management.

Title: F5 BIG-IQ Centralized Management DCD Sizing Guide
Use to: Determine the resources that are required to handle the data generated by the BIG-IP devices you manage. Requirements vary according to the type and amount of data you generate.

Title: F5 BIG-IQ Centralized Management: Authentication, Roles, and User Management
Use to:
  • Configure authentication through a 3rd-party provider (LDAP, RADIUS, or TACACS+).
  • Use built-in and custom roles to manage user access.

Title: F5 BIG-IQ Centralized Management: Monitoring and Reports
Use to:
  • Set up health monitoring and alerts and statistics collections.
  • Manage audit logs, run reports, and analyze statistics.
  • Troubleshoot Access reports.

Title: F5 BIG-IQ Centralized Management: Device
Use to:
  • Discover BIG-IP devices and import F5 services.
  • Deploy software images, licenses, SSL certificates, backup files, and configurations.

Title: F5 BIG-IQ Local Traffic & Network Implementations
Use to: Manage:
  • Local Traffic profiles
  • Virtual servers
  • Network objects
  • iRules
  • Applications and application templates
As well as configuring an IPsec tunnel and event viewing.

Title: F5 BIG-IQ Centralized Management: Security
Use to: Manage:
  • Object pinning
  • Firewall contexts
  • Address and port lists
  • Rules, rule lists, policies, and rule reports
  • Service, timer, and port misuse policies
  • NAT policies and translations
  • FQDN resolvers
  • Change verifications
  • External logging devices
  • Shared security for virtual servers, DoS profiles, device DoS configurations, network whitelists, logging profiles, and SSH profiles
  • Bot signatures and bot signature categories
  • IP intelligence settings
  • External redirection settings
  • Application Security policies
  • Signature files, custom attack signatures and sets
  • Web Application Security event logs

Title: F5 BIG-IQ Centralized Management: Access
Use to:
  • Configure an Access group, HA pair, and cluster.
  • Manage access groups.
  • View and edit access configurations.
  • Configure authentication for Active Directory, SecurID, HTTP, Oracle Access Manager, OCSP responder, CRLDP, and Kerberos.
  • Manage audit logs.

Title: F5 BIG-IQ Centralized Management: Fraud Protection Service
Use to: Set up, manage, and monitor alerts for fraud protection. Configure DataSafe profiles (data encryption protection), where a single profile can be used on multiple BIG-IP systems.

Title: F5 Platform Guide: BIG-IQ 7000 Series
Use to: Set up and manage the BIG-IQ 7000 hardware platform.

Title: F5 BIG-IQ Centralized Management Use Case: Provide Role-Based User Access to an Application
Use to: Give role-based user access to a SharePoint application.

Title: F5 BIG-IQ Centralized Management: Auto-Scale in an Azure Cloud
Use to:
  • Set up BIG-IQ to auto-scale BIG-IP VE devices in an Azure cloud to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.

Title: F5 BIG-IQ Centralized Management: Auto-Scale in a VMware Environment
Use to:
  • Set up BIG-IQ to auto-scale BIG-IP VE devices in a VMware environment to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.

Title: F5 BIG-IQ Centralized Management: Auto-Scale in a AWS Cloud
Use to:
  • Set up BIG-IQ to auto-scale BIG-IP VE devices in an AWS cloud to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.

Title: BIG-IQ Centralized Management: Monitoring and Managing Application Services
Use to: Monitor the health and statistics for your application services.

Title: F5 BIG-IQ Centralized Management upgrade guides
Use to: Upgrade BIG-IQ Centralized Management and BIG-IQ Logging Node to the most recent software version.

Title: Release notes
Use to: Find information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.

Title: AskF5 Articles and Tech Notes
Use to: Read responses and resolutions to known issues. Tech Notes provide additional configuration instructions and how-to information.

Use global search to access associated objects from any screen

BIG-IQ Centralized Management makes it easy for you to perform a search for specific details of your configuration across all your managed devices. From the content that is returned, you can access everything associated with that content, regardless of where it is on BIG-IQ. For example, if you search on a specific self-IP address, the results give you access to other content related to that self-IP address. We call this global search.
Global search is a powerful feature that gives you quick access to all objects that contain a certain string. This can give you insight about how objects are related, even when they're running different services, devices, and so forth.
BIG-IQ global search returns only the content specific to your user role privileges. For example, if your user role doesn't have privileges for content associated with security, content specific only to security does not display.
  1. On any screen, click the magnifying glass icon in the upper right corner.
    The global search popup screen opens.
  2. In the search field, type all or part of a string you want to search for.
  3. If you want to specify search options, click the arrow next to the search field, select the options you want, and press the Enter key.
    The screen refreshes to display content associated with your search term, organized by type.
  4. Click the object link to view the details for an object.
    You can navigate back to the results after you click an object by clicking the magnifying glass on the upper right side of the screen again.
  5. If you want to clear the search results, click the X next to the BIG-IQ Search field of the popup window.

Filter an object list

For each screen that contains an object list, you can narrow the list to display only specific items, phrases, or numbers. This helps you easily navigate long lists and find what you need quickly.
  1. Navigate to a screen that contains a list of objects.
    For example, Devices > BIG-IP DEVICES.
  2. In the Filter field located towards the top of the screen, type a term, phrase, or number, and press the Enter key.
    By default, BIG-IQ uses this filter on anything that matches any field on the screen, so this can be a partial term, phrase or number. For example, if you wanted to see only objects that contained the number 191, you'd type 191.
    To limit the filter to a specific object type, click the down arrow next to the search field and select the type of object you're looking for. To require the term match exactly, click Exact.
    The screen refreshes to display only those items that include or exactly match the term you used for a filter. The filter you used displays at the top of the list.
  3. To further limit the results displayed, type another term in the Filter field, selecting options from the filter menu as you did before.
  4. To view the properties of an object, click the object's name.
    Click the back button to return to the filter results.
  5. To remove a filter, at the top of the list, click the X next to a filter.

Set preferences for BIG-IQ user interface

You can specify a few preferences for the user interface only after you license and finish the initial setup for BIG-IQ Centralized Management.
Setting user preferences customizes your view into BIG-IQ.
The navigation objects and screens you see depend on your user role.
  1. At the top of the screen, click System.
  2. On the left, click USER PREFERENCES towards the bottom of the screen.
  3. You can edit the user preferences for the overall BIG-IQ system by clicking the Edit button.
  4. Click Network Security and the Edit button to edit preferences for the Security service.
Click the icon at the top right of the screen for more information about these options.

How do I manage BIG-IQ systems in a high availability configuration?

Setting up BIG-IQ® in a high availability configuration ensures that you always have access to the BIG-IP® devices you are managing. In a BIG-IQ high availability configuration, the BIG-IQ system replicates configuration changes since the last synchronization from the primary device to the secondary device every 30 seconds. If it ever becomes necessary, you can have the secondary peer take over management of the BIG-IP devices.

Add BIG-IQ primary and secondary SSL certificates to the primary BIG-IQ

Before you create a BIG-IQ high availability pair, you should add the SSL certificates for both BIG-IQ systems to what will be the primary BIG-IQ so you can validate the end-user host. This is required for both BIG-IQ systems to communicate with your managed devices, regardless of which BIG-IQ system is active.
  1. Save the BIG-IQ SSL certificate keys on your local system.
  2. At the top of the screen, click System.
  3. On the left, click SSL CERTIFICATION VERIFICATION.
    On this screen, you can enable the verification of the identity of the entities the BIG-IQ establishes an encrypted SSL session with, such as between BIG-IQ and BIG-IP devices that you manage, and between BIG-IQ systems in a high availability configuration. BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates), or internal or public certificate authority certificates.
  4. Click the Import button.
  5. From the Import Type list, select Certificate.
  6. In the Name box, type a name for this BIG-IQ certificate.
    BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named mycertificate.crt, but when you import it you name it f5.crt, BIG-IQ renames the certificate as you specified, to f5.crt.
  7. Click the Upload File button and navigate to the certificate.
  8. Repeat steps 4 - 8 to add the secondary BIG-IQ system's certificate to this primary BIG-IQ system.
You can now add the secondary BIG-IQ system to create a high availability configuration.

Add a standby BIG-IQ for a high availability configuration for auto failover

Before you can set up F5 BIG-IQ Centralized Management in a high availability (HA) pair, you must have two licensed BIG-IQ systems and you must have added both SSL certificates to the active BIG-IQ.
For the high-availability pair to synchronize properly, each system must be running the same BIG-IQ version, and the clocks on each system must be synchronized to within 60 seconds. To make sure the clocks are in sync, take a look at the NTP settings on each system before you add a peer.
Configuring BIG-IQ in a high availability (HA) pair means that you can still manage your BIG-IP devices even if one BIG-IQ fails.
For fail over to work properly, the standby BIG-IQ system must not be on the same underlying hardware as the primary BIG-IQ system, to avoid having both BIG-IQ systems fail.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the Add Standby button.
  4. Type the properties for the BIG-IQ system that you are adding.
  5. Click the Add button at the bottom of the screen.
The BIG-IQ systems synchronize. Once they are finished, both appear as ready (green).
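
The version and clock prerequisites above can be checked before you click Add Standby. This added example (not F5 code) estimates each peer's clock offset from a timestamped query, the way NTP does, and compares it with the 60-second limit. How the readings are collected is up to you; the `ClockSample` fields, the `recheck` verdict, and the sample values are assumptions of this example.

```python
from dataclasses import dataclass

MAX_SKEW_SECONDS = 60  # limit this chapter gives for clocks on HA peers


@dataclass
class ClockSample:
    """One clock reading from a BIG-IQ peer, all values in epoch seconds."""
    sent: float      # local clock when the query left
    remote: float    # peer's clock value carried in the reply
    received: float  # local clock when the reply arrived

    @property
    def offset(self):
        # Assume the peer read its clock halfway through the round trip.
        return self.remote - (self.sent + self.received) / 2

    @property
    def uncertainty(self):
        # The true offset lies within half the round-trip time of the estimate.
        return (self.received - self.sent) / 2


def ha_precheck(primary_version, primary_clock, standby_version, standby_clock):
    """Return (verdict, findings); verdict is 'ok', 'fail' or 'recheck'."""
    findings = []
    verdict = "ok"
    if primary_version != standby_version:
        findings.append(f"version mismatch: {primary_version} vs {standby_version}")
        verdict = "fail"

    skew = abs(primary_clock.offset - standby_clock.offset)
    margin = primary_clock.uncertainty + standby_clock.uncertainty
    if skew - margin > MAX_SKEW_SECONDS:
        # Even the most favourable reading of the measurement is over the limit.
        findings.append(f"clock skew {skew:.1f}s exceeds {MAX_SKEW_SECONDS}s")
        verdict = "fail"
    elif skew + margin > MAX_SKEW_SECONDS:
        # The measurement is too coarse to decide; repeat it over a faster path.
        findings.append(f"clock skew {skew:.1f}s +/- {margin:.1f}s is too close to call")
        if verdict == "ok":
            verdict = "recheck"
    return verdict, findings


# Constructed readings: the standby runs about 45 seconds ahead of the primary.
SAMPLE_PRIMARY = ClockSample(sent=1000.0, remote=1000.3, received=1000.2)
SAMPLE_STANDBY = ClockSample(sent=1001.0, remote=1046.1, received=1001.2)

if __name__ == "__main__":
    print(ha_precheck("6.1.0", SAMPLE_PRIMARY, "6.1.0", SAMPLE_STANDBY))
```

A `fail` on skew points at the NTP settings on one of the systems; a `recheck` means only that the round trip was too slow to measure the difference reliably.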

Change a peer BIG-IQ system in a high availability pair to a standalone system

If one of your BIG-IQ systems in an HA pair is having any type of system issue, you might want to make its peer system a standalone system until you can fix the problem.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the BIG-IQ HA Settings button and then click the Reset to Standalone button.
This BIG-IQ system becomes a standalone system from which you can start managing your devices.

Remove the secondary BIG-IQ system from the HA pair

If the F5 BIG-IQ Centralized Management system is configured in an HA pair, you must remove the secondary BIG-IQ system before you upgrade the primary BIG-IQ.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click Remove Secondary.
    A dialog box opens, prompting you to confirm that you want to remove the HA secondary device from this group.
  4. Click Remove to confirm that you want to take the HA secondary device out of the group.
    The system logs you out of the BIG-IQ while it removes the secondary device.
  5. Log back in to the primary BIG-IQ.
    For a while, both the primary and the secondary BIG-IQ devices continue to display. After a few minutes, the screen updates to display a single standalone device.

Optional VLAN for device management

During the licensing and initial configuration procedures, you specify the management port for BIG-IQ®. This is all the networking configuration required to start managing devices. However, if you would prefer to manage devices from a VLAN address, you have the option to configure that.

Configure a VLAN to manage BIG-IP devices

You must have licensed the BIG-IQ system before you can configure a VLAN.
If you decide you want to manage BIG-IP devices from a VLAN rather than the BIG-IQ system's management port, you can configure it using this procedure.
  1. At the top of the screen, click System.
  2. On the left, click NETWORK SETTINGS > VLANs.
  3. Click the Create button.
  4. In the Name and Description fields, type a unique name and description to identify this new VLAN.
  5. In the Tag field, type an optional tag number.
    A VLAN tag is a unique ID number between 1 and 4094. All messages sent from a host in this VLAN include the tag as a header in the message to identify the specific VLAN where the source or destination host is located. If you do not assign a tag, BIG-IQ assigns one automatically.
  6. From the Interface list, select the port that you want this VLAN to use.
    The interface is a physical or virtual port that you use to connect the BIG-IQ system to managed devices in your network.
  7. In the MTU field, type an optional frame size value for Path Maximum Transmission Unit (MTU).
    By default, BIG-IP devices use the standard Ethernet frame size of 1518 bytes (1522 bytes if VLAN tagging is used) with the corresponding MTU of 1500 bytes. For BIG-IP devices that support Jumbo Frames, you can specify another MTU value.
  8. Click the Save & Close button.

Specify a self-IP address for a VLAN

You need to configure BIG-IQ with at least one VLAN before you can associate a self IP address with it.
If you've configured a VLAN to manage BIG-IP devices, you can then associate a self IP address with that VLAN.
  1. At the top of the screen, click System.
  2. On the left, click NETWORK SETTINGS > Self IPs.
  3. At the top of the screen, click the Create button.
  4. In the Name field, type a unique name to identify this new self IP address.
  5. In the Address field, type the self IP address and netmask.
    The format is <self IP address/netmask>.
  6. In the Description field, type a description for this self IP address.
  7. From the VLAN list, select the VLAN to associate with this self IP address.
  8. Click the Save & Close button.
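
A planned set of VLANs and self IP addresses can be checked against the rules in the two procedures above (tag range and uniqueness, the address/netmask format) before it is typed into the screens. This is an added example, not F5 code; the dictionary layout and every name and address in it are constructed. The check that one subnet is not placed on two VLANs is a general routing precaution added here, not a requirement stated in this chapter.

```python
import ipaddress


def check_plan(vlans, self_ips):
    """Return a list of problems found in a planned VLAN / self IP layout.

    vlans:    {name: {"tag": int or None}}            (hypothetical shape)
    self_ips: {name: {"address": "ip/netmask", "vlan": vlan_name}}
    """
    problems, tags, placed = [], {}, []
    for name, vlan in vlans.items():
        tag = vlan.get("tag")
        if tag is None:
            continue  # no tag given: BIG-IQ assigns one automatically
        if not 1 <= tag <= 4094:
            problems.append(f"{name}: tag {tag} is outside 1-4094")
        elif tag in tags:
            problems.append(f"{name}: tag {tag} already used by {tags[tag]}")
        else:
            tags[tag] = name

    for name, sip in self_ips.items():
        if sip["vlan"] not in vlans:
            problems.append(f"{name}: unknown VLAN {sip['vlan']}")
        if "/" not in sip["address"]:
            # ip_interface() would silently read a bare address as a /32.
            problems.append(f"{name}: netmask missing from {sip['address']}")
            continue
        try:
            # Accepts both 10.20.30.5/24 and 10.20.30.5/255.255.255.0.
            iface = ipaddress.ip_interface(sip["address"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        net = iface.network
        edges = (net.network_address, net.broadcast_address)
        if net.version == 4 and net.num_addresses > 2 and iface.ip in edges:
            problems.append(f"{name}: {iface.ip} is not a host address in {net}")
        for other, other_net, other_vlan in placed:
            if (other_vlan != sip["vlan"] and net.version == other_net.version
                    and net.overlaps(other_net)):
                problems.append(f"{name}: {net} overlaps {other} on {other_vlan}")
        placed.append((name, net, sip["vlan"]))
    return problems


# Constructed sample plan; names, tags and addresses are illustrative only.
SAMPLE_VLANS = {
    "mgmt-a": {"tag": 110},
    "mgmt-b": {"tag": 110},
    "mgmt-c": {"tag": 4095},
}
SAMPLE_SELF_IPS = {
    "self-a": {"address": "10.20.30.5/255.255.255.0", "vlan": "mgmt-a"},
    "self-b": {"address": "10.20.30.255/24", "vlan": "mgmt-b"},
    "self-c": {"address": "192.0.2.7", "vlan": "mgmt-c"},
}

if __name__ == "__main__":
    for line in check_plan(SAMPLE_VLANS, SAMPLE_SELF_IPS):
        print(line)
```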

Specify a web proxy for secure communication

Before you can specify a web proxy, you must license and perform the initial configuration for BIG-IQ Centralized Management.
For security purposes, you can specify a web proxy for BIG-IQ to use for communication with the F5 iHealth server and the F5 license server.
  1. At the top of the screen, click System.
  2. On the left, click PROXIES.
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this web proxy.
    You must use the exact same proxy name on all BIG-IQ systems in a cluster.
  5. In the Address and Port fields, type the IP address and port for the web proxy server.
    The proxy address and port don't have to be the same for all BIG-IQ systems in a cluster.
  6. If the web proxy server requires authentication, provide the credentials in the User Name and Password fields.
  7. For the Functions setting, select the check box next to each function you want to use this web proxy for communication between BIG-IQ and the internet.
  8. Click the Save & Close button.
BIG-IQ will now use this web proxy for communication when accessing the internet for the functionality you specified.