Manual Chapter : Deploying a BIG-IQ System

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

Deploying a BIG-IQ System

How do I deploy a BIG-IQ system?

To manage your BIG-IP® devices usingBIG-IQ Centralized Management, you deploy a BIG-IQ system and then configure it to meet your business needs.
To deploy a BIG-IQ system, you should:
  • Prepare your network environment and architecture (refer to
    Planning a BIG-IQ Centralized Management Deployment
    in
    Planning a BIG-IQ Centralized Management Deployment
    on
    support.f5.com
    for details).
  • Install and configure the platform you plan to use to run the BIG-IQ system. The platform can either be a physical device or a virtual device. To use a physical device, you need a BIG-IQ 7000 series device. To use a virtual device, the solution you choose depends on the environment you choose. Supported platforms for this release are listed below. Use the guide appropriate for the platform you use to complete the installation. All of these guides are posted on
    support.f5.com
    .
    If you choose this platform:
    Refer to this guide for installation details:
    BIG-IQ 7000 Series
    Platform Guide: BIG-IQ 7000 Series
    Amazon Web Services
    F5 BIG-IQ Centralized Management 6.0.0 and Amazon Web Services: Setup
    Citrix XenServer:
    F5 BIG-IQ Centralized Management 6.0.0 and Citrix XenServer: Setup
    KVM
    F5 BIG-IQ Centralized Management 6.0.0 and Linux KVM: Setup
    Microsoft Azure
    F5 BIG-IQ Centralized Management 6.0.0 and Microsoft Azure: Setup
    Microsoft Hyper-V
    F5 BIG-IQ Centralized Management 6.0.0 and Microsoft Hyper-V: Setup
    VMware NSX-V
    F5 BIG-IQ Centralized Management 6.0.0 and VMware ESXi: Setup
    Xen Project
    F5 BIG-IQ Centralized Management 6.0.0 and Linux Xen Project: Setup
  • Deploy and configure the number of BIG-IQ systems dictated by whether your architecture requires HA or multiple data centers.
  • License and configure the BIG-IQ system.

How do I license and do the basic setup to start using BIG-IQ?

After you download the software image from the F5 Downloads site and start BIG-IQ in your virtual environment, you can license the system using the base registration key provided by F5. The
base registration key
is a character string the F5 license server uses to provide BIG-IQ a license to access the subscription licensing feature.
You license BIG-IQ in one of the following ways:
  • If the system has access to the Internet, you can have the BIG-IQ system contact the F5 license server and automatically activate the base registration key to get a license.
  • If the system is not connected to the Internet, you can manually license the BIG-IQ using the F5 license server web portal.
  • If the system is in a closed-circuit network (CCN) that does not allow you to export any encrypted information, you must open a case with F5 support at: support.f5.com/csp/my-support/home.
When licensing BIG-IQ, you:
  1. Activate the license.
  2. Specify the Master Key passphrase.
  3. Change the default admin and root passwords.
  4. Specify the system personality as BIG-IQ Centralized Management.
  5. Specify the hostname, management port IP address, and the discovery address you want to use.
  6. Define the DNS server and network time protocol (NTP) servers.

Automatic license and initial setup for BIG-IQ

You must have a base registration key before you can license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (
f5.com
). After you set up your BIG-IQ VE or set up your BIG-IQ 7000 Series, you can install the BIG-IQ software license.
If the BIG-IQ system is connected to the public internet, you can follow these steps to automatically perform the license activation and perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing
    https://
    <management_IP_address>
    , where
    <management_IP_address>
    is the address you specified for device management.
  2. In
    Base Registration Key
    , type or paste the BIG-IQ registration key.
    If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In
    Add-On Keys
    , paste any additional license key you have.
  4. For
    Activation Method
    , select
    Automatic
    , click the
    Activate
    button, and then click the
    Next
    button.
    If you are setting up this device for the first time, the Accept User Legal Agreement screen opens.
  5. To accept the license agreement, click the
    Agree
    button, and then click the
    Next
    button.
  6. Type a
    Passphrase
    that satisfies the requirements specified on screen, and then type the same phrase for
    Confirm Passphrase
    .
    The DCD uses the pass phrase to generate a Master Key. This pass phrase must be the same on all of the devices in the DCD cluster. Make sure you keep track of the pass phrase, because it cannot be recovered if you lose it.
    • Make sure you keep track of the pass phrase, because it cannot be recovered if you lose it. To protect the security of this device, you must have the passphrase used to generate the master key before you can change the master key.
    • If this BIG-IQ is not part of an HA or DCD configuration, you can change the Master Key any time from the
      System
      THIS DEVICE
      General Properties
      screen.
    • To add a BIG-IQ to an HA or DCD configuration, its master key must match the key for the other devices in the HA or DCD configuration. So if the passphrase is different and you do not know what it is, the only way to add that BIG-IQ to a cluster is to reset it to its factory defaults; However, that reset destroys any data on that BIG-IQ.
    • Finally, when you backup and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key, so without that key you will be unable to have this BIG-IQ and it's data in an HA or DCD configuration.
    If you are setting up a Microsoft Azure VE, and you type an entry in any of the fields, you will not be able to continue successfully. The only way to proceed is to leave all of the fields empty and click the
    Next
    button at the bottom of the screen. This allows the system to use the first-time access credentials you specified previously.
  7. In the
    Old Password
    fields, type the default admin and root passwords, and then type a new password in the
    Password
    field and click the
    Next
    button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  8. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a Data Collection Device.
    The Management Address screen opens.
  9. In
    Hostname
    , type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  10. Type the
    Management Port IP Address
    and
    Management Port Route
    .
    The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:
    10.10.10.10/24
    .
  11. Specify what you want the BIG-IQ to use for the
    Discovery Address
    .
    BIG-IQ advertises this address to other devices that want to communicate with it. For example BIG-IQ HA peers and DCD nodes communicate using their respective discovery addresses.
    When choosing whether to use the management port or a self IP address, consider the long term ramifications. The BIG-IQ uses the address you choose for all traffic to and from the devices it manages and the DCDs that support it. Changing the discovery address involves a lengthy process that includes rediscovering all of the devices and DCDs associated with this BIG-IQ.
    • To use the management port, select
      Use Management Address
      .
    • To use the internal self IP address, select
      Self IP Address
      , and type the IP address.
      If you are configuring a BIG-IQ to manage applications in a service scaling group, use the internal self IP address.
      If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.
      The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:
      10.10.10.10/24
      .
  12. Click the
    Next
    button at the bottom of the screen.
  13. In the
    DNS Lookup Servers
    field, type the IP address of your DNS server.
    You can click the
    Test Connection
    button to verify that BIG-IQ can reach that IP address.
  14. In the
    DNS Search Domains
    field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  15. In the
    Time Servers
    field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the
    Test Connection
    button to verify that BIG-IQ can reach the IP address.
  16. From the
    Time Zone
    list, select your local time zone.
  17. If the details are as you intended, click
    Launch
    to continue; if you want to make corrections, use the
    Previous
    button to navigate back to the screen you want to change.

Manual license and initial configuration for BIG-IQ

You must have a base registration key before you can license the BIG-IQ system. If you do not have a base registration key, contact the F5 Networks sales group (
f5.com
). After you set up your BIG-IQ VE or set up your BIG-IQ 7000 Series, you can install the BIG-IQ software license.
If the BIG-IQ system is not connected to the public internet, you can follow these steps to contact the F5 license web portal then perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing
    https://
    <management_IP_address>
    , where
    <management_IP_address>
    is the address you specified for device management.
  2. In
    Base Registration Key
    , type or paste the BIG-IQ registration key.
    If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In
    Add-On Keys
    , paste any additional license key you have.
  4. For
    Activation Method
    , select
    Manual
    and click the
    Get Dossier
    button.
    The BIG-IQ system refreshes and displays the dossier in the
    Device Dossier
    field.
  5. Select and copy the text displayed in
    Device Dossier
    .
  6. Click the
    Access F5 manual activation web portal
    link.
    The Activate F5 Product site opens.
  7. Into the
    Enter your dossier
    field, paste the dossier.
    Alternatively, if you saved the file, click the
    Choose File
    button and navigate to it.
  8. Click
    Next
    .
    • If you are setting up this device for the first time, the Accept User Legal Agreement screen opens. To accept the license agreement, select
      I have read and agree to the terms of this license
      , and click
      Next
      . The licensing server creates the license key text.
    • If you have set up this device before, the licensing server goes right to generating the license text.
  9. Copy the license key.
  10. In the
    License Text
    field on BIG-IQ, paste the license text.
  11. Click the
    Activate
    button.
  12. Click the
    Next
    button at the bottom of the screen.
  13. Type a
    Passphrase
    that satisfies the requirements specified on screen, and then type the same phrase for
    Confirm Passphrase
    .
    BIG-IQ uses the pass phrase to generate a Master Key. For High Availability and data collection device cluster configurations, this pass phrase must be the same on all related BIG-IQ systems or these systems will not be able to communicate with each other.
    • Make sure you keep track of the pass phrase, because it cannot be recovered if you lose it. To protect the security of this device, you must have the passphrase used to generate the master key before you can change the master key.
    • If this BIG-IQ is not part of an HA or DCD configuration, you can change the Master Key any time from the
      System
      THIS DEVICE
      General Properties
      screen.
    • To add a BIG-IQ to an HA or DCD configuration, its master key must match the key for the other devices in the HA or DCD configuration. So if the passphrase is different and you do not know what it is, the only way to add that BIG-IQ to a cluster is to reset it to it's factory defaults; However, that reset destroys any data on that BIG-IQ.
    • Finally, when you backup and restore a BIG-IQ, the master key is backed up with the rest of the data, and you cannot restore that data onto a BIG-IQ that has a different master key, so without that key you will be unable to have this BIG-IQ and it's data in an HA or DCD configuration.
  14. In the
    Old Password
    fields, type the default admin and root passwords, and then type a new password in the
    Password
    field and click the
    Next
    button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  15. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a Data Collection Device.
    The Management Address screen opens.
  16. Select the System Personality option you're licensed for, and then click the
    Next
    button.
  17. In
    Hostname
    , type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  18. Type the
    Management Port IP Address
    and
    Management Port Route
    .
    The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:
    10.10.10.10/24
    .
  19. Specify what you want the BIG-IQ to use for the
    Discovery Address
    .
    BIG-IQ advertises this address to other devices that want to communicate with it. For example BIG-IQ HA peers and DCD nodes communicate using their respective discovery addresses.
    When choosing whether to use the management port or a self IP address, consider the long term ramifications. The BIG-IQ uses the address you choose for all traffic to and from the devices it manages and the DCDs that support it. Changing the discovery address involves a lengthy process that includes rediscovering all of the devices and DCDs associated with this BIG-IQ.
    • To use the management port, select
      Use Management Address
      .
    • To use the internal self IP address, select
      Self IP Address
      , and type the IP address.
      If you are configuring a BIG-IQ to manage applications in a service scaling group, use the internal self IP address.
      If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.
      The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example:
      10.10.10.10/24
      .
  20. Click the
    Next
    button at the bottom of the screen.
  21. In the
    DNS Lookup Servers
    field, type the IP address of your DNS server.
    You can click the
    Test Connection
    button to verify that BIG-IQ can reach that IP address.
  22. In the
    DNS Search Domains
    field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  23. In the
    Time Servers
    field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the
    Test Connection
    button to verify that BIG-IQ can reach the IP address.
  24. From the
    Time Zone
    list, select your local time zone.
  25. Click the
    Next
    button at the bottom of the screen.
  26. If the details are as you intended, click
    Launch
    to continue; if you want to make corrections, use the
    Previous
    button to navigate back to the screen you want to change.

Monitoring BIG-IP statistics in BIG-IQ

Visibility of statistics in BIG-IQ depends on the version of your managed BIG-IP devices. Devices running versions 13.1.X, or earlier, have limited statistics visibility support within BIG-IQ. Below outlines the compatibility and what to expect when accessing Analytics (AVR) data within BIG-IQ. For more information, see the supporting documentation found in the
BIG-IQ Centralized Management: Monitoring and Reports
guide.

Statistics visibility of managed BIG-IP devices

The format in which statistics are presented in the BIG-IQ environment, depends on the managed version of BIG-IP and the service presented. Refer to the table to access statistics visibility, based on the managed device version. Ensure that the managed device configuration meets the requirements outlined below.

Minimum configuration requirements:

BIG-IP Version 13.1.x or earlier
  • Ports 22 and 443 on each BIG-IP device must be open for the BIG-IQ DCD to retrieve data.
  • There must be a Data Collection Device (DCD) configured to your BIG-IQ.
BIG-IP Version 13.1.0.5 or later
  • You must have AVR provisioned for each BIG-IP device.
  • BIG-IQ needs to provide access on Port 443 to receive BIG-IP AVR data.
  • There must be a Data Collection Device (DCD) configured to your BIG-IQ.
    To view statistics, ensure that the licenses for your managed BIG-IP devices include root access. A BIG-IP license running in Appliance Mode, will not allow for statistics visibility in the BIG-IQ environment.

Where to view statistics

Location of service statistics per managed BIG-IP version
BIG-IP v12.1
BIG-IP v13.0
BIG-IP v13.1
BIG-IP v13.1.0.5
BIG-IP v14.0
BIG-IP v14.1
BIG-IP v15.0 or later
Device Traffic
Monitoring
DASHBOARDS
Device
Local Traffic (General)
Monitoring
DASHBOARDS
Local Traffic
Local Traffic (HTTP)
Not available to this version
Monitoring
DASHBOARDS
Local Traffic
HTTP
DNS (General)*
Monitoring
DASHBOARDS
DNS
Network Firewall (General)
Monitoring
REPORTS
Security
Network Firewall
Reporting
Network Firewall information is provided by ACL, IP Reputation, and IPS.
Network Firewall (ACL)
Not applicable to this version
Monitoring
DASHBOARDS
AFM
Network Security (IP Reputation)
Not applicable to this version
Monitoring
DASHBOARDS
AFM
Network Firewall (IPS)
Not applicable to this version
Monitoring
DASHBOARDS
IPS
Web Application Security (General)
Monitoring
REPORTS
Security
Web Application Security
Reporting
Monitoring
DASHBOARDS
Web Application Security
Web Application Security (Bot)
Not available to this version
Monitoring
DASHBOARDS
Bot Traffic
DDoS (Shared Security)
Not available to this version
Monitoring
DASHBOARDS
DDoS
Application Summary
Applications
APPLICATIONS
(limited statistics visibility)
Applications
APPLICATIONS
Secure Web Gateway
Not available to this version
Monitoring
DASHBOARDS
SWG
SSLO**
Not available to this version
Monitoring
DASHBOARDS
SSLO
Access
Monitoring
DASHBOARDS
Access
Not available to this version
*Top Charts are only available to BIG-IP version 13.1.0.5 or later.
**SSLO support is available to versions 5.4 to 5.9.