Manual Chapter : Deploying Object Changes to Managed Devices

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

Deploying Object Changes to Managed Devices

How do shared objects impact my deployments?

The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These supporting objects are called
shared objects
. When the BIG-IQ evaluates a deployment to a managed device, it starts by deploying the device-specific objects. Then it examines the managed device to compile a list of the objects that are needed by other objects on that device. Then (based on the recent analysis) the BIG-IQ deletes any shared objects that exist on the managed device but are not used. So, if there are objects on a managed device that are not being used, the next time you deploy changes to that device, BIG-IQ deletes the unused objects.

How do I evaluate changes made to managed objects?

To change the object settings on a managed device, there are four tasks to perform.
This figure illustrates the workflow for managing the objects on BIG-IP devices. Evaluating the changes you have made is the third step in this process.
Overview of evaluating changes made to managed objects
Evaluate object changes
If you need to make an urgent change, you can skip the evaluation step. However, we highly recommend evaluation in all but emergency situations. See
Making an urgent deployment
for details.

Evaluate APM configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. At the left, under
    EVALUATE & DEPLOY
    , click
    Access
    .
    The screen opens a list of Access evaluations and deployments that have been created on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. For the
    Unused Objects
    setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.
    If you do not want the system to delete unused objects:
    select
    Keep Unused Objects
    .
    If you want the system to delete objects not referenced (directly or indirectly) by an object:
    leave
    Remove Unused Objects
    (the default) selected.
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. To deploy an Access configuration with associated LTM objects, for
    Supporting Objects
    , select
    Include associated LTM Objects
    .
  9. In the
    Target
    settings, from the
    Group
    list, select the Access group that you want to evaluate.
    Devices in the group display in the field.
  10. Move the devices that you want to evaluate to the Selected list.
    • If you are evaluating a device that is a member of a cluster that is set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster that is set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. If you want to apply access policies on each BIG-IP device after deployment, select
    Automatically apply policies after deployment
    .
  12. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
  13. If the evaluation shows that you must evaluate and deploy Local Traffic configurations, do that before you deploy this evaluation.
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate DNS configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    DNS
    .
    The screen opens a list of DNS evaluations and deployments that have been created on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
    Keep Unused Objects
    .
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. In the Target area, specify how you want to deploy these changes.
    • To deploy the changes to specific devices, click
      Deploy to Devices
      . Then move the devices you want from the
      Available
      list to the
      Selected
      list.
    • To deploy the changes to all devices in one or more sync groups, click
      Deploy to Sync Groups
      . Then move the sync groups you want from the
      Available
      list to the
      Selected
      list.
  9. If you decide you want to remove one of the objects selected for deployment, you can select it and then click
    Remove
    .
  10. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  11. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate FPS configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. On the left, under
    EVALUATE & DEPLOY
    , select
    Fraud Protection
    .
    The screen displays a list of Fraud Protection evaluations and deployments defined on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. For the
    Unused Objects
    setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.
    If you do not want the system to delete unused objects:
    select
    Keep Unused Objects
    .
    If you want the system to delete objects not referenced (directly or indirectly) by an object:
    leave
    Remove Unused Objects
    (the default) selected.
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. For Target Devices, select the devices that you want to deploy changes to, and move the ones you want from the
    Available
    list to the
    Selected
    list.
  9. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  10. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate LTM configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Local Traffic & Network
    .
    The screen opens a list of LTM evaluations and deployments that have been created on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to evaluate changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to evaluate changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to evaluate changes.
    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple of extra options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList-a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  10. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate Network Security configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Network Security
    .
    The screen opens a list of Network Security evaluations and deployments that have been created on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to evaluate changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to evaluate changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment.
      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to deploy changes.
    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple of extra options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList-a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  10. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate Shared Security configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Shared Security
    .
    The screen opens a list of Shared Security evaluations and deployments that have been created on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to evaluate changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to evaluate changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to deploy changes.
    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    6. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple of extra options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList-a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  10. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

Evaluate ASM configuration changes

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Web Application Security
    .
    The screen displays a list of Web Application Security evaluations and deployments defined on this device.
  3. Under Evaluations, click
    Create
    .
    The New Evaluation screen opens.
  4. Type a
    Name
    for the evaluation task you are creating.
  5. Type a brief
    Description
    for the evaluation task you are creating.
  6. For the
    Source
    , select what you want to evaluate.
    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select
      Current Changes
      .
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to evaluate changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to evaluate changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. For
      Method
      , click
      Create evaluation
      .
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. Under Available, select the object type for which you want to deploy changes.
    4. From the list of objects, select the ones that you want to evaluate, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    5. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    6. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    7. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    8. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , for the Source Scope, then before you select the devices to which you are deploying changes, you need to specify whether you want unused objects to be deleted from those BIG-IP devices.
    1. From the
      Available
      list under Target Devices, select the devices to which you want to deploy changes, and move them to the
      Selected
      list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
    2. If you add an device to the evaluation and then change your mind, you can move it back to the Available list.
  9. Click the
    Create
    button at the bottom of the screen.
    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.
  10. Review the evaluation to determine whether you are going to deploy it.
    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.
      After resolving any critical errors, you can come back and repeat the evaluation.
    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.
      After resolving any verification warnings, you can come back and repeat the evaluation.
    3. If there are no critical errors or verification warnings, review the changes by clicking the
      view
      link.
      Each change is listed. You can review each one by clicking the name.
      When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.
      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a
        Pin Object
        button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      For additional detail on pinning related objects, refer to
      Managing Object Pinning
      in
      F5 BIG-IQ Centralized Management: Security
      on
      support.f5.com
      .
    4. When you finish reviewing the differences, click
      Cancel
      .
Before you can apply these just-evaluated object changes to the managed device, they must be deployed. Refer to
Deploy configuration changes
for instructions.

How do I deploy changes made to managed objects?

Deploying changes
applies the revisions that you have made on the BIG-IQ Centralized Management system to the managed BIG-IP devices.
This figure illustrates the workflow for managing the objects on BIG-IP devices. Deploying the settings is the last step in this process.
Change managed object workflow
Deploy object changes

Deploy configuration changes

To apply the changes you made on the BIG-IQ Centralized Management system to your managed device, you must deploy those changes to the managed device.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select the component for which you want to make changes.
    The screen displays a list of evaluations and deployments defined on this device.
  3. Click the name of the evaluation that you want to deploy.
    The View Evaluation screen opens.
  4. Scroll down to Deployment, and then use the Schedule controls to specify whether you want to deploy the changes immediately or schedule deployment for later.
    • To deploy this change immediately:
      1. Select
        Deploy Now
        .
      2. Click
        Deploy
        to confirm.
    • To deploy this change later:
      1. Select the
        Schedule for later
        check box.
      2. Select the date and time.
      3. Click
        Schedule Deployment
        .
    The process of deploying changes can take some time, especially if there are a large number of changes. During this time, you can click
    Cancel
    to stop the deployment process.
    If you cancel a deployment, some of the changes might have already deployed.
    Cancel
    does not roll back these changes.
The evaluation you chose is added to the list of deployments on the bottom half of the screen.
  • If you chose to deploy immediately, the changes begin to deploy and the Status column updates as it proceeds.
  • If you choose to delay deployment, the Status column displays the scheduled date and time.

Make an urgent APM deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task, and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Access
    .
    The screen opens a list of APM evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. For the
    Unused Objects
    setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.
    If you do not want the system to delete unused objects:
    select
    Keep Unused Objects
    .
    If you want the system to delete objects not referenced (directly or indirectly) by an object:
    leave
    Remove Unused Objects
    (the default) selected.
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. For
    Method
    , consider one more time how you want to deploy these changes.
    • If you want to review the changes, click
      Create evaluation
      .
    • To make the changes right now, click
      Deploy immediately
      .
  9. To deploy an Access configuration with associated LTM objects, for
    Supporting Objects
    , select
    Include associated LTM Objects
    .
  10. In the
    Target
    settings, from the
    Group
    list, select the Access group that you want to evaluate.
    Devices in the group display in the field.
  11. Move the devices that you want to evaluate to the Selected list.
    • If you are evaluating a device that is a member of a cluster that is set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster that is set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  12. If you want to apply access policies on each BIG-IP device after deployment, select
    Automatically apply policies after deployment
    .
  13. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  14. Click
    Deploy
    again to deploy the changes to your device.

Make an urgent DNS deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    DNS
    .
    The screen opens a list of DNS evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. For the
    Unused Objects
    setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.
    If you do not want the system to delete unused objects:
    select
    Keep Unused Objects
    .
    If you want the system to delete objects not referenced (directly or indirectly) by an object:
    leave
    Remove Unused Objects
    (the default) selected.
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. For
    Method
    , consider one more time how you want to deploy these changes.
    • If you want to review the changes, click
      Create evaluation
      .
    • To make the changes right now, click
      Deploy immediately
      .
  9. In the Target area, decide how you want to deploy these changes.
    • To deploy the changes to specific devices, click
      Deploy to Devices
      . Then move the devices you want from the Available list to the Selected list.
    • To deploy the changes to all devices in one or more sync groups, click
      Deploy to Sync Groups
      . Then move the sync groups you want from the Available list to the Selected list.
  10. If you decide you want to remove one of the objects selected for deployment, you can select it and then click
    Remove
    .
  11. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.

Make an urgent FPS deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects validated; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Fraud Protection
    .
    The screen opens a list of FPS evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. For the
    Unused Objects
    setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.
    If you do not want the system to delete unused objects:
    select
    Keep Unused Objects
    .
    If you want the system to delete objects not referenced (directly or indirectly) by an object:
    leave
    Remove Unused Objects
    (the default) selected.
    To understand what an unused object is, consider the following example:
    There are two address lists on the BIG-IP device to which you are about to deploy changes (
    AddressList-a
    and
    AddressList-b
    ).
    • AddressList-a
      is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b
      is not referenced (directly or indirectly) by any objects.
    If you leave
    Remove Unused Objects
    (the default) selected, then when you deploy changes to the BIG-IP device,
    AddressList-b
    is deleted. If you don’t want it deleted, select
    Keep Unused Objects
    .
  8. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
  9. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  10. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  11. Click
    Deploy
    again to deploy the changes to your device.

Make an urgent LTM deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Local Traffic & Network
    .
    The screen opens a list of LTM evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to deploy all of the changes from the selected source, or specify which changes to deploy (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to deploy changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to deploy changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. Under Available, select the object type for which you want to deploy changes.
    4. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    5. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    6. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    7. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    8. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  10. Click
    Deploy
    again to deploy the changes to your device.

Make an urgent Network Security deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Network Security
    .
    The screen opens a list of Network Security evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to deploy all of the changes from the selected source, or specify which changes to deploy (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to deploy changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to deploy changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. Under Available, select the object type for which you want to deploy changes.
    4. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    5. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    6. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    7. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    8. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  10. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  11. Click
    Deploy
    again to deploy the changes to your device.

Make an urgent Shared Security deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Shared Security
    .
    The screen opens a list of Shared Security evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to deploy all of the changes from the selected source, or specify which changes to deploy (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to deploy changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to deploy changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. Under Available, select the object type for which you want to deploy changes.
    4. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    5. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    6. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    7. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    8. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  10. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  11. Click
    Deploy
    again to deploy the changes to your device.

Make an urgent ASM deployment

If you need to make an urgent change, you can skip the
Evaluate configuration changes
task and immediately deploy changes to the BIG-IP device. The system still validates changes to configuration objects; if there are critical errors, the deployment does not proceed. But you can avoid the task of creating an evaluation and viewing the changes and get right to deploying your changes.
F5 does not generally recommend making a deployment without evaluating the changes first. However, in situations where you need to deploy changes as quickly as possible, you can deploy the changes right away. The urgent deployment work flow skips the task of creating an evaluation, which speeds up the process of deploying your changes.
  1. At the top of the screen, click
    Deployment
    .
  2. Under
    EVALUATE & DEPLOY
    , select
    Web Application Security
    .
    The screen opens a list of ASM evaluations and deployments that have been created on this device.
  3. Under Deployments, click
    Create
    .
    The New Deployment screen opens.
  4. Type a name
    Name
    for the deployment task you are creating.
  5. Type a brief
    Description
    for the deployment task you are creating.
  6. For the
    Source
    setting, select what you want to deploy.
    • To deploy your changes to the managed device, select
      Current Changes
      .
    • To deploy the object settings from a stored snapshot, select
      Existing Snapshot
      , then choose the snapshot you want to use.
  7. Determine the
    Source Scope
    ; that is, choose whether you want to deploy all of the changes from the selected source, or specify which changes to deploy (either
    All Changes
    or
    Partial Changes
    ).
    If you choose to do a partial deployment, the screen displays additional controls.
    If you select
    All Changes
    , skip the rest of this step.
    1. If you want to deploy changes only to the selected objects, for
      Supporting Objects
      , clear the
      Include
      check box. It is almost always best to deploy changes to the associated objects, as well.
      The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.
      Network Services supporting objects tree
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. Under Available, select the object type for which you want to deploy changes.
    4. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.
      If you include objects in an deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.
    5. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.
    6. If you add an object to the deployment and then change your mind, you can move it back to the Available list.
    7. Under Target Device(s), click
      Find Relevant Devices
      .
      The objects you select for deployment determine which devices display in the
      Available
      list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (
      BIG-IP1
      ) with a virtual server (
      Virt1
      ). If you add a profile named
      Pro1
      to
      Virt1
      , then
      BIG-IP1
      will appear in the list of devices that you can deploy changes to.
      BIG-IQ lists all devices to which you can deploy the selected objects.
    8. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.
  8. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList-a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. You can filter the list of available devices, so that only BIG-IP devices that own objects that have been changed and are provisioned with ASM are displayed. To filter the available devices list, click
      Select Modified ASM Devices
      .
    4. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  9. If you selected
    All Changes
    , there are a couple more options to specify.
    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select
      Keep Unused Objects
      .
      To understand what an unused object is, consider the following example:
      There are two address lists on the BIG-IP device to which you are about to deploy changes (
      AddressList-a
      and
      AddressList-b
      ).
      • AddressList -a
        is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b
        is not referenced (directly or indirectly) by any objects.
      If you leave
      Remove Unused Objects
      (the default) selected, then when you deploy changes to the BIG-IP device,
      AddressList-b
      is deleted. If you don’t want it deleted, select
      Keep Unused Objects
      .
    2. For
      Method
      , consider one more time how you want to deploy these changes.
      • If you want to review the changes, click
        Create evaluation
        .
      • To make the changes right now, click
        Deploy immediately
        .
    3. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.
      If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.
  10. Click
    Deploy
    to start deployment.
    A confirmation screen notifies you that you are about to trigger a deployment.
  11. Click
    Deploy
    again to deploy the changes to your device.

Deploy to one device when a cluster member is down

Deploying changes to a device in a cluster that has a device offline will generally fail. Normally, all device members must be available before you deploy changes to a cluster member. However, if you need to deploy changes before all cluster members are available, you can do so.
  1. At the top of the screen, click
    Devices
    .
  2. Under Device Name, click the cluster member to which you want to deploy changes.
    The properties screen for this member opens.
  3. Under Cluster Properties, click
    Edit
    .
    The Cluster Properties popup screen for this cluster opens.
  4. For Deployment Settings, select
    Ignore BIG-IP DSC sync when deploying configuration changes
    .
  5. Click
    OK
    , and then click
    Close
    .
With the
Ignore BIG-IP DSC sync when deploying configuration changes
option selected, you can now deploy changes to unavailable members, and BIG-IQ does not attempt to sync those changes.
Use the
Deploy configuration changes
task to deploy changes to the available member. When you select the target device for deployment, do not select the unavailable device.
After you restore the offline device and it is back online, you will probably need to perform a manual sync; or, you can use the
Deploy configuration changes
task to re-deploy the changes to the group.