Manual Chapter : Common elements discovering devices

Applies To:

BIG-IQ Centralized Management

  • 7.0.0

Before you can add BIG-IP devices to BIG-IQ Centralized Management:
  • The BIG-IP device must be located in your network and running a compatible software version. Refer to K14592 for more information.
  • The management address of the BIG-IP device, or any alternative IP address used to add the BIG-IP device to the BIG-IQ inventory, must be open (typically on ports 22 and 443). Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • If you are adding a BIG-IP device provisioned with the ASM service, and that device is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For details on configuring these groups, refer to Creating a Sync-Only device group and Synchronizing an ASM-enabled device group in the Automatically Synchronizing Application Security Configurations article on support.f5.com.
If you are running BIG-IP versions earlier than version 11.6.0, you might need root user credentials to discover and add the device to the BIG-IP devices inventory. You don't need root user credentials for BIG-IP devices running versions 11.6.0 and later.
A BIG-IP device running versions 10.2.0 - 11.5.0 is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 11.5.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
For devices with ASM services, you can only add five devices at a time.
You cannot add multiple BIG-IP devices with SSLO services. These BIG-IP devices must be added individually.
If you're adding a BIG-IP VE device located in a third party cloud environment, refer to the documentation for managing a BIG-IP VE in a third party cloud environment.
  1. On the left, click BIG-IP DEVICES.
  2. At the top of the screen, click Devices.
  3. On the left, click BIG-IP VE CREATION.
  4. Click the Add Device(s) button.
  5. Click the Add Device(s) button.
  6. For the Device setting, select Add a single BIG-IP device.
  7. For the Device setting, select Add multiple BIG-IP devices.
  8. Click the Upload CSV button.
  9. Click Create.
  10. For Task Name, type a name for this onboarding task.
  11. For BIG-IP VE Name, type a name to identify this BIG-IP VE you are creating.
  12. From the Cloud Environment list, select the cloud environment this BIG-IP VE is in.
  13. Click the Create button at the bottom of the screen.
  14. In the Hostname field, type a host name.
    Use the FQDN for the host name. The BIG-IP system displays its host name in the left corner of its Configuration utility and in the command prompt of the Advanced Shell.
  15. In the Target Username and Target Passphrase fields, type the admin credentials for this BIG-IP VE.
    Do not use the colon character in the username.
  16. Enter the Target SSH Key.
    BIG-IQ uses the private key for SSH operations when initially creating BIG-IP VE devices in the cloud environment. The corresponding public key must be in the target username's ~/.ssh/authorized_keys file on the targetHost.
  17. For
  18. In the Port field, type the management port for this BIG-IP VE device.
    This is the port BIG-IQ uses to send the API call to the BIG-IP VE and to manage the BIG-IP VE once it's onboarded. If you use port 0, BIG-IQ tries common ports to reach this BIG-IP VE device.
  19. In the Onboard Classes area, select each class you want to configure for this BIG-IP VE device and specify the configuration settings for this BIG-IP VE device.
    The BIG-IQ Settings class is required. If you don't select and specify its settings, BIG-IQ adds it to the API with default settings.
  20. When you provision the services, there are four settings to select from:
    • None - The service is not provisioned and will not run.
    • Dedicated - The system allocates all CPU, memory, and disk resources to the service. If you select this option for a service, BIG-IQ sets all other services to None.
    • Nominal - When you select this option, the associated service gets the least amount of resources required. If other services are disabled in the future, this service gets a portion of the remaining resources.
    • Minimum - When selected for a service, the service gets the least amount of resources required. Additional resources are never allocated to this service even if other services are disabled.
  21. Click the Onboard button at the bottom of the screen.
  22. Click the Edit button.
  23. For Device Type, select Import Devices.
  24. Type the User Name and Password for the device.
  25. For IP Address, type the IPv4 or IPv6 address of the device.
  26. In the Port box, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  27. Select the check box next to each service running on the device(s) you are adding.
  28. If you are collecting statistics for the device(s), for Status select the Enabled check box and a zone from the Zone list.
    If you do not define a zone, the data collection device (DCD) systems use the default zone.
    Zones are names created to associate BIG-IP devices with one or more DCD systems to help segregate statistic traffic by network topology, load, availability, and so forth, for optimal statistics traffic routing.
  29. For Conflict Resolution Policies, select an option for each.
    These options appear only if you deselected the Conflict Resolution setting.
    Do not select this option if you are discovering devices that are licensed for the Access Policy (APM) service.
    These conflict resolution policies define how BIG-IQ handles any differences for shared objects between the configuration on the BIG-IP device(s) you are discovering, and the configuration on the BIG-IQ system.
    Keep in mind that if you select the Use BIG-IQ or Use BIG-IP conflict resolution policy, when you deploy devices, BIG-IQ overwrites the conflicting objects. Then, all managed BIG-IP devices will match the option you selected.
    • Use BIG-IQ: BIG-IQ replaces conflicting shared objects with the object that exists in this BIG-IQ system's working configuration.
    • Use BIG-IP: BIG-IQ replaces any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
    • Create Version: For LTM profiles and monitors only, BIG-IQ creates an instance of the object that is specific to the software version running on the BIG-IP device you are importing.
  30. Select an option to handle any conflicts.
    • Use BIG-IQ: Keep the object in the BIG-IQ system's working configuration. The next time BIG-IQ deploys a configuration to that BIG-IP device, it updates the object to match the one on BIG-IQ.
    • Use BIG-IP: Use the object from the BIG-IP device's configuration to replace the object in the BIG-IQ system's working configuration that is different. If you select this option, BIG-IQ replaces that object for all of your managed BIG-IP devices the next time it deploys a configuration.
    • Create Version: BIG-IQ creates and stores a copy of the BIG-IP device's LTM monitor or profile object(s), specific to the software version running on that BIG-IP device. If you select this option, BIG-IQ replaces that object for all the managed BIG-IP devices running that version, the next time it deploys a configuration. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
  31. If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
    • For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
    • To create a new DSC group, select Create New from the list, and type a name in the field.
    For BIG-IQ to properly associate the devices in the same DSC group, the Cluster Display Name must be the same for all members in a group.
    There can be up to eight members in a DSC group.
  32. If this device is part of a DSC group, for the Cluster Display Name setting, you must choose an existing DSC group from the list.
  33. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
    • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
      This option is not recommended, because it can lead to unpredictable results.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  34. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  35. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  36. To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
    You can select other service configurations after you add the BIG-IP device to the inventory.
  37. Click the Add button at the bottom of the screen.
  38. To create a snapshot of the BIG-IQ configuration before discovering and importing services, select the Snapshot check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  39. To ignore conflicts for objects shared between BIG-IQ and the BIG-IP device(s) you're adding, leave the Conflict Resolution check box selected.
    This allows you to continue to import services that have no conflicts, and fix the conflicts individually later, from the BIG-IP DEVICES SERVICES screen, to complete the import process for those services.
  40. To change the password for a device, or group of devices, click the check box next to it, and click the Set Password button.
    After you add or upload device(s) and before you discover and import services, you can change the device's password. If you added or imported devices in bulk, the password for all devices in a group must be the same.
  41. When you are ready to discover and import services for these devices, click the Discover and Import button at the bottom of the screen.
  42. Click the Add button at the bottom of the screen.
    When complete, a popup screen displays a status and options to discover device service configurations immediately.
  43. To discover configurations for services on the device, select them and click Discover; otherwise, click Cancel.
    You can discover service configurations now or do it later.
  44. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    You must add both members of an HA pair to the same Access group.
  45. Select the check box next to each service you want to collect data for, and then click Continue.
  46. THIS STEP LEFT EMPTY ON PURPOSE to allow for storing multiple prerequisites in this common elements file. DO NOT ADD IT TO A TASK.
    You must discover a service configuration before you can import it.
    You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  47. Select the check box next to the BIG-IP devices you want to discover and import services for, and click the Discover and Import button at the bottom of the screen.
  48. Click the Discover and Import button at the bottom of the screen.
  49. For each service this BIG-IP device is licensed for, click the Discover button.
  50. After BIG-IQ discovers the service, click the Import button next to the service to import it.
  51. Click the Onboard button at the bottom of the screen.
When BIG-IQ successfully completes a BIG-IP VE creation task, the task displays on the BIG-IP VE creation screen. The BIG-IP VE creation process can take up to 10 minutes, depending on the cloud environment and the BIG-IP VE configuration.
BIG-IQ displays a discovering message in the Services column of the inventory list.
If you want to manage the configuration for the services you specified, you must import the device's configuration.
To view status and address any conflicts between BIG-IQ and BIG-IP device objects, on the left, click BIG-IP DEVICES.
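The limits stated in this chapter (devices with ASM services added five at a time, devices with SSLO services added individually, no colon in the username, a management port between 4 and 65535, up to eight members in a DSC group) can be checked before a bulk add. The Python below is an added example, not F5 or BIG-IQ code; the record fields (address, username, port, services, cluster) and the sample devices are constructed for illustration and are not BIG-IQ's CSV format.

```python
from collections import defaultdict

ASM_BATCH_MAX = 5  # page: devices with ASM services are added five at a time
DSC_GROUP_MAX = 8  # page: up to eight members in a DSC group
# Constructed sample records; field names are hypothetical, not BIG-IQ's CSV format.
SAMPLE = [
    {"address": "192.0.2.10", "username": "admin", "port": 443, "services": ["LTM"]},
    {"address": "192.0.2.11", "username": "ops:admin", "port": 443, "services": ["LTM"]},
    {"address": "192.0.2.12", "username": "admin", "port": 2, "services": ["ASM"]},
    {"address": "192.0.2.13", "username": "admin", "port": 8443, "services": ["SSLO", "LTM"]},
] + [
    {"address": f"192.0.2.{n}", "username": "admin", "port": 443,
     "services": ["ASM"], "cluster": "asm-dc1"}
    for n in range(20, 26)
]

def validate(device):
    """Return the problems that would block adding this device."""
    problems = []
    if ":" in device["username"]:  # page: no colon character in the username
        problems.append("username contains a colon")
    port = device.get("port", 443)  # page: 443 is the usual default
    if not 4 <= port <= 65535:
        problems.append(f"port {port} outside 4-65535")
    return problems

def plan(devices):
    """Return (add batches, rejected devices, DSC groups over the member limit)."""
    rejected, sslo, asm, other = {}, [], [], []
    clusters = defaultdict(list)
    for d in devices:
        problems = validate(d)
        if problems:
            rejected[d["address"]] = problems
            continue
        if d.get("cluster"):
            clusters[d["cluster"]].append(d["address"])
        services = d.get("services", ())
        bucket = sslo if "SSLO" in services else asm if "ASM" in services else other
        bucket.append(d["address"])
    batches = [[a] for a in sslo]  # SSLO devices go in one at a time
    batches += [asm[i:i + ASM_BATCH_MAX] for i in range(0, len(asm), ASM_BATCH_MAX)]
    if other:
        batches.append(other)
    oversized = sorted(n for n, m in clusters.items() if len(m) > DSC_GROUP_MAX)
    return batches, rejected, oversized

if __name__ == "__main__":
    print(plan(SAMPLE))
```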