Manual Chapter : Managing a BIG-IQ System

Applies To:

BIG-IQ Centralized Management

  • 7.0.0

BIG-IQ navigation and customization

F5 BIG-IQ Centralized Management includes navigation, search tools, and a customizable user interface to help you complete your tasks efficiently and find objects easily.
  • Product documentation, F5 modules for Ansible, and online help
    To access BIG-IP, API, Ansible documentation, and F5 modules for Ansible, click the book icon in the upper-right corner of the screen. To view the context-sensitive online help, click the question mark in the upper-right corner.
  • Customized login screen
    To customize the login screen for users (for example, if you want to provide special guidance or make sure all users see a certain message), navigate to System > THIS DEVICE > General Properties, click the Edit button, and type your message (up to 8,192 characters) in the Custom Login Message field.
  • Finder Menu
    To quickly locate a particular menu item, click the grid icon in the left corner of the screen and type a term in the field. This search is a simple text search. BIG-IQ displays links to all screens and online help that contain that term anywhere in the string.
  • Customized system user preferences
    You can specify the amount of time that passes before BIG-IQ logs you out when the system is idle, choose the default screen that displays when you log back in, or change your password by clicking the arrow at the upper-right corner of the screen and selecting User Preferences.
  • Global search, related content, and preview pane
    BIG-IQ has a robust and interactive global search feature that allows you to easily find specific content and related content. From any screen, you can click the magnifying glass icon in the upper-right corner of the screen and type a search string. Search results are grouped by content type. From the results, you can click an object to go directly to that object's properties screen in BIG-IQ.
  • Flexible access to objects and configuration options
    For some objects, you can view and edit settings that are located in other places in the user interface, without having to stop what you're doing and navigate to another part of BIG-IQ. For example, you could be editing a firewall policy and find an address list in the toolbox that you want to look at. Right there, you can click the address to access the details, and then view or edit it as you want.
    You can also configure some types of objects from different places in BIG-IQ, depending on what your user role is or what workflow you're in. For example, you can create an access group from the Configuration area of BIG-IQ, as well as from the Devices area. This makes it convenient for you to access during other tasks you're doing in different areas of BIG-IQ.
  • Filters
    For each screen that contains a list, you can use a context-sensitive filter to search on a term, and then narrow your search further to view only those items that are relevant to you at the moment. For example, say you wanted to see local traffic and network audit logs. You can search on local traffic, and further refine what is displayed by filtering again on network audit logs.
  • Customizing and sorting columns
    You can customize the columns that display in each screen that has a list by clicking the gear icon at the top right side of the screen, next to the filter, hiding any information that isn't important to you. You can also rearrange columns by dragging and dropping them to a different location or sort objects by clicking the arrow at the top of a column. This helps you to focus on only those attributes that are relevant to you.

How do I manage BIG-IQ systems in a high availability configuration?

Setting up BIG-IQ in a high availability configuration ensures that you always have access to the BIG-IP devices you are managing. In a BIG-IQ high availability configuration, the BIG-IQ system replicates configuration changes since the last synchronization from the primary device to the secondary device every 30 seconds. If it ever becomes necessary, you can have the secondary peer take over management of the BIG-IP devices.
You can also set up BIG-IQ in an auto failover configuration. For more information, refer to Creating a BIG-IQ High Availability Auto Failover Configuration on support.f5.com.

Add BIG-IQ SSL certificates to the active and standby BIG-IQ in an HA pair

If you've configured SSL certificate verification for BIG-IQ by enabling the Verify Hosts setting from the System > SSL CERTIFICATE VERIFICATION screen, you must use this procedure for successful communication between the components in the high availability configuration.
SSL certificate verification is disabled by default. If you haven’t enabled SSL verification, you do not need to complete this task for your auto failover high availability configuration.
Before you create an auto-failover BIG-IQ high availability configuration for a BIG-IQ on which you've enabled SSL certificate verification, you need to add the SSL certificates for both BIG-IQ systems and the DCD quorum to what will be the active BIG-IQ so you can validate the end-user host. This is required so that all BIG-IQ systems and the DCD quorum with SSL certificate verification enabled can communicate with your managed devices, regardless of which BIG-IQ system is active. BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates), or against internal or public certificate authority certificates.
  1. Save the BIG-IQ SSL public key certificates on your local system.
  2. At the top of the screen, click System.
  3. On the left, click SSL CERTIFICATION VERIFICATION.
  4. Click Import.
  5. From the Import Type list, select Certificate.
  6. Type a Name for this BIG-IQ certificate.
    BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named mycertificate.crt, but when you import it you name it f5.crt, BIG-IQ renames the certificate as you specified, to f5.crt.
  7. Click Upload File and navigate to the certificate.
  8. Repeat steps 4 - 8 to add the standby BIG-IQ system's certificate device to this active BIG-IQ system.
You can now add the standby BIG-IQ system and DCD quorum to create a high availability configuration.

Add a standby BIG-IQ for a high availability configuration

Before you can set up F5 BIG-IQ Centralized Management in a high availability (HA) pair, you must have two licensed BIG-IQ systems and you must have added the primary and secondary SSL certificates to the primary BIG-IQ system.
For the high-availability pair to synchronize properly, each system must be running the same BIG-IQ version, and the clocks on each system must be synchronized to within 60 seconds. To make sure the clocks are in sync, take a look at the NTP settings on each system before you add a peer.
Configuring BIG-IQ in a high availability (HA) pair means that you can still manage your BIG-IP devices even if one BIG-IQ system fails.
Do not install the standby BIG-IQ on the same hardware as the active BIG-IQ. That way, if a hardware issue takes the active BIG-IQ offline, it can failover to the standby BIG-IQ installed on another hardware platform so you can continue to manage your BIG-IP devices.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the Add Secondary button.
  4. Type the properties for the BIG-IQ system that you are adding.
    For the IP address, be sure to specify the Discovery Address of the BIG-IQ you are adding.
    BIG-IQ does not support IPv6 short format for high availability configuration.
  5. Click the Add button at the bottom of the screen.
The BIG-IQ systems synchronize. Once they are finished, both appear as ready (green).
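The prerequisites above (same BIG-IQ version, clocks within 60 seconds, no IPv6 short format for the Discovery Address) can be checked before you click Add Secondary. The following is an added example, not F5 code: the dictionary field names and sample values are hypothetical, and "short format" is assumed to mean compressed IPv6 notation such as `::`.

```python
import ipaddress
from datetime import datetime, timezone

MAX_CLOCK_SKEW_SECONDS = 60  # limit stated in this chapter


def full_form_address(address: str) -> str:
    """Return the address with IPv6 written out in full (IPv4 is unchanged)."""
    return ipaddress.ip_address(address.strip()).exploded


def ha_preflight(primary: dict, secondary: dict) -> list:
    """Return the problems that would keep the pair from synchronizing."""
    problems = []
    if primary["version"] != secondary["version"]:
        problems.append(
            f"version mismatch: {primary['version']} vs {secondary['version']}")
    # Assumes both clock readings were taken at the same moment.
    skew = abs((primary["clock"] - secondary["clock"]).total_seconds())
    if skew > MAX_CLOCK_SKEW_SECONDS:
        problems.append(
            f"clock skew {skew:.0f}s exceeds {MAX_CLOCK_SKEW_SECONDS}s; check NTP")
    entered = secondary["discovery_address"].strip()
    try:
        expanded = full_form_address(entered)
    except ValueError:
        problems.append(f"not an IP address: {entered!r}")
    else:
        # Case-insensitive compare: .exploded is always lowercase.
        if expanded != entered.lower():
            problems.append(f"IPv6 short format; enter {expanded}")
    return problems


# Constructed sample values (hypothetical field names); gather the real ones
# from each system before adding the secondary.
PRIMARY = {"version": "7.0.0", "discovery_address": "10.10.10.11",
           "clock": datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)}
SECONDARY = {"version": "7.0.0", "discovery_address": "2001:db8::12",
             "clock": datetime(2024, 1, 1, 12, 1, 30, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for problem in ha_preflight(PRIMARY, SECONDARY):
        print("FIX:", problem)
```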

Change a peer BIG-IQ system in a high availability pair to a standalone system

If one of your BIG-IQ systems in an HA pair is having any type of system issue, you might want to make its peer system a standalone system until you can fix the problem.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click the BIG-IQ HA Settings button and then click the Reset to Standalone button.
This BIG-IQ system becomes a standalone system from which you can start managing your devices.

Remove the standby BIG-IQ system from the HA pair

If the F5 BIG-IQ Centralized Management system is configured in an HA pair, you must remove the standby BIG-IQ system before you upgrade the active BIG-IQ.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. Click Remove Standby.
    A dialog box opens, prompting you to confirm that you want to remove the standby BIG-IQ from this group.
  4. Click Remove to confirm that you want to take the standby BIG-IQ from the group.
    The system logs you out of the BIG-IQ while it removes the standby BIG-IQ.
  5. Log back in to the active BIG-IQ.
    For a while, both the active and the standby BIG-IQ continue to display. After a few minutes, the screen updates to display a single standalone BIG-IQ.

Optional VLAN for device management

During the licensing and initial configuration procedures, you specify the management port for BIG-IQ. This is all the networking configuration required to start managing devices. However, if you would prefer to manage devices from a VLAN address, you have the option to configure that.

Configure a VLAN to manage BIG-IP devices

You must have licensed the BIG-IQ system before you can configure a VLAN.
If you decide you want to manage BIG-IP devices from a VLAN rather than the BIG-IQ system's management port, you can configure it using this procedure.
  1. At the top of the screen, click System.
  2. On the left, click NETWORK SETTINGS > VLANs.
  3. Click the Create button.
  4. In the Name and Description fields, type a unique name and description to identify this new VLAN.
  5. In the Tag field, type an optional tag number.
    A VLAN tag is a unique ID number between 1 and 4094. All messages sent from a host in this VLAN include the tag as a header in the message to identify the specific VLAN where the source or destination host is located. If you do not assign a tag, BIG-IQ assigns one automatically.
  6. From the Interface list, select the port that you want this VLAN to use.
    The interface is a physical or virtual port that you use to connect the BIG-IQ system to managed devices in your network.
  7. In the MTU field, type an optional frame size value for Path Maximum Transmission Unit (MTU).
    By default, BIG-IP devices use the standard Ethernet frame size of 1518 bytes (1522 bytes if VLAN tagging is used) with the corresponding MTU of 1500 bytes. For BIG-IP devices that support Jumbo Frames, you can specify another MTU value.
  8. Click the Save & Close button.

Specify a self-IP address for a VLAN

You need to configure BIG-IQ with at least one VLAN before you can associate a self IP address with it.
If you've configured a VLAN to manage BIG-IP devices, you can then associate a self IP address with that VLAN.
  1. At the top of the screen, click System.
  2. On the left, click NETWORK SETTINGS > Self IPs.
  3. At the top of the screen, click the Create button.
  4. In the Name field, type a unique name to identify this new self IP address.
  5. In the Address field, type the self IP address and netmask.
    The format is <self IP address/netmask>.
  6. In the Description field, type a description for this self IP address.
  7. From the VLAN list, select the VLAN to associate with this self IP address.
  8. Click the Save & Close button.

Specify a web proxy for secure communication

Before you can specify a web proxy, you must license and perform the initial configuration for BIG-IQ Centralized Management.
For security purposes, you can specify a web proxy for BIG-IQ to use for communication with the F5 iHealth server and the F5 license server.
  1. At the top of the screen, click System.
  2. On the left, click PROXIES.
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this web proxy.
    You must use the exact same proxy name on all BIG-IQ systems in a cluster.
  5. In the Address and Port fields, type the IP address and port for the web proxy server.
    The proxy address and port don't have to be the same for all BIG-IQ systems in a cluster.
  6. If the web proxy server requires authentication, provide the credentials in the User Name and Password fields.
  7. For the Functions setting, select the check box next to each function you want to use this web proxy for communication between BIG-IQ and the internet.
  8. Click the Save & Close button.
BIG-IQ will now use this web proxy for communication when accessing the internet for the functionality you specified.

How do I change the Master Key?

If you configure two BIG-IQ systems separately and then want to add a peer BIG-IQ system for a high availability configuration, you'll need to change the Master Key on one of the BIG-IQ systems so they match.
  1. At the top of the screen, click System.
  2. On the left, click General Properties.
  3. Click the Edit button on the right.
  4. Click the Change Master Key button.
  5. Type the current and new Master Key passphrases and confirm the new passphrase.
  6. Click the Save button.