Manual Chapter : Restoring the BIG-IQ and Data Collection Device Cluster to Pre-upgrade State

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

Restoring the BIG-IQ and Data Collection Device Cluster to Pre-upgrade State

Add the Standby BIG-IQ to the Active BIG-IQ

After you upgrade your F5 BIG-IQ Centralized Management systems in an HA configuration, you can re-associate the standby BIG-IQ with the active BIG-IQ.
Add the standby BIG-IQ to the primary BIG-IQ to re-establish the high availability configuration.
  1. Log in to active BIG-IQ system with your administrator user name and password.
  2. At the top of the screen, click
    System
    .
  3. On the left, click
    BIG-IQ HA
    .
  4. Click the
    Add Standby
    button.
  5. In the
    IP Address
    field, type the discovery address you want to set up as the standby BIG-IQ.
    This is the same IP address the peers in a high availability configuration use to communicate.
  6. Type the administrative
    Username
    and
    Password
    for the system.
  7. Type the
    Root Password
    for the system.
  8. Click the
    Add
    button to add this device to this high availability configuration.
Even though you can log in to the standby BIG-IQ after the you re-establish the HA configuration, the system continues some database re-indexing processes in the background. For larger configurations, that can take up to an hour. If you perform any searches on objects before it's done re-indexing, BIG-IQ might not return the expected results.
After the HA configuration is re-established, you'll be automatically logged out of the active BIG-IQ for a few minutes while the standby BIG-IQ restarts.
After the standby BIG-IQ restarts, you can log back into the primary BIG-IQ.

Run the post upgrade process

After you upgrade the devices in your DCD cluster and the BIG-IQ primary and secondary system, you need to complete the post-upgrade processing.
Perform this task on the primary BIG-IQ system.
  1. At the top of the screen, click
    System
    , then, on the left, click
    BIG-IQ DATA COLLECTION
    and then select
    BIG-IQ Data Collection Devices
    .
    The first time you access this screen after performing an upgrade, it triggers a dialog box that prompts you to start the post upgrade processing tasks.
  2. Click
    Continue
    .
    The BIG-IQ system is returning the devices in your DCD cluster to their pre-upgrade state. This includes restoring the data snapshot. If you have a substantial amount of data, data snapshot restoration takes an extended amount of time.
  3. Once the post upgrade processing is complete, click
    System
    BIG-IQ DATA COLLECTION
    BIG-IQ Data Collection Devices
    and confirm that each service you had enabled before the upgrade is still enabled. If there are any services that are not enabled, re-enable them now.
    1. To activate the services you want to monitor on each DCD, on the BIG-IQ Data Collection Devices screen, in the Services column, click
      Add Services
      .
      The Services screen for the data collection device opens.
    2. For the service you want to add, confirm that the
      Listener Address
      specifies the correct self IP address on the data collection device, and then click
      Activate
      .
      For Web Application Security, you can resolve insecure connection issues between devices and the Centralized Policy Builder. To establish a secure connection, click
      Enable
      under the Secure Policy Builder field.
      When the service is successfully added, the
      Service Status
      changes to
      Active
      .
Once your cluster is back online, rediscover your devices and re-discover their services to complete the upgrade.

Upgrade the statistics agent

If you collected statistics in the prior version, then when you finish upgrading the primary BIG-IQ, you need to upgrade the statistics agent on each BIG-IP device that had statistics enabled before the upgrade.
Perform this task on the primary BIG-IQ that manages the DCD cluster.
  1. At the top of the screen, click
    Devices
    .
  2. Select all of the BIG-IP devices managed by this DCD cluster by selecting the check box next to
    Status
    .
  3. Click
    More
    , and then select
    Upgrade Stats Agent
    .
    The Statistics Collection Agent Upgrade screen opens.
  4. For
    Modules/Services
    , select the check box next to the services that you collected statistics for in the previous version.
  5. For
    Frequency
    select how often you want the DCD to collect statistics for these services.
  6. Click the
    Continue
    button.
  7. Wait while the stats collection agent for each BIG-IP device is upgraded.
    Depending on the number of devices in your cluster, this could take several minutes to complete.
    When the agent is upgraded on each BIG-IP device, the status icon turns to green.

What are my options for re-discovering and re-importing devices?

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. You can do this in bulk, or you do it for each device and service individually.
Regardless of which option you choose, you specify how to handle any conflict between objects in the BIG-IQ system's working configuration.
  • When you re-discover and re-import in bulk, all conflicts are resolved the in the same way.
  • When you re-discover devices and re-import services manually, you specify how to resolve conflicts on an individual basis.

Re-discover and re-import services in bulk

After you upgrade F5 BIG-IQ Centralized Management, you must rediscover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. Use this procedure to re-discover and re-import services in bulk. You'll have the option to decide how to manage any conflict between objects in the BIG-IQ system's working configuration and objects in the same way for each type of object.
If you upgraded a BIG-IQ system that's managing BIG-IP devices running Network Security or Web App Security services, you'll see evaluation differences for the default logging profile objects imported from BIG-IP devices (global-network, log all requests, log illegal requests, and local-dos). This is expected because the new version of BIG-IQ imports information about default logging profiles that were not present in the previous version. After you complete the upgrade to the latest version and re-import your Network Security or Web Application Security service, these differences should no longer occur.
  1. At the top of the screen, click
    Devices
    .
  2. Select the check box next to the devices for which you want to rediscover and reimport services.
  3. Click the
    More
    button and select
    Re-discover and Re-import
    .
  4. In the
    Name
    field, type a name for this task.
  5. For all of the Conflict Resolution Policies, we recommend you select
    Use BIG-IP
    , to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
    When you select
    Use BIG-IP
    to resolve conflicts, the BIG-IP device used to resolve those conflicts should appear last in the re-import list. If two or more BIG-IP devices contain the same object with different values, only the value in the last imported BIG-IP is used to resolve the conflict for all the BIG-IP devices.
  6. To create a snapshot of the BIG-IQ configuration before discovering and importing services, select the
    Snapshot
    check box if:.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  7. Click the
    Create
    button at the bottom of the screen.
After the services re-import, devices displays in the BIG-IP Devices inventory list with their services. You can now manage these BIG-IP devices from BIG-IQ.

Re-import and re-discover services individually

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. Use this procedure to re-discover and re-import services for each device, and handle any conflict any conflict between objects in the BIG-IQ system's working configuration on an individual bases from the Services screen.
  1. At the top of the screen, click
    Devices
    .
  2. Click the name of the BIG-IP device you want to re-discover and re-import services for.
  3. On the left, click
    Service
    .
  4. Select the
    Create a snapshot of the current configuration before importing
    check box for each service you want a snapshot of.
  5. Click the
    Re-discover
    button for each service this BIG-IP device is licensed for.
    BIG-IQ re-discovers the service.
  6. Click the
    Re-import
    button for each service this BIG-IP device is licensed for.
  7. For all of the Conflict Resolution Policies, we recommend you select
    Use BIG-IP
    , to replace any conflicting shared objects in its working configuration with the objects it's importing from the BIG-IP device.
After the services re-import, this device displays in the BIG-IP Devices inventory list with its services. You can now manage this BIG-IP device from BIG-IQ.

What are my options for re-discovering and re-importing APM devices?

After you upgrade F5 BIG-IQ Centralized Management, you must re-discover and re-import services for your managed devices so you can start managing those devices with the new features introduced in this release. If your APM configuration does not include Secure Web Gateway (SWG) data, you can do this in bulk, or you do it for each device and service individually.
Choose the method that best suits your circumstance.
  • If you do not use SWG data and want to use the bulk process, refer to
    Use a script to remove and recreate access groups in bulk for devices running APM services
    on
    support.f5.com
    .
  • If you do not use SWG data and want to use the manual process, refer to
    Re-import access groups (without SWG data) from the user interface for devices running APM services
    on
    support.f5.com
    .
  • If you use SWG data, refer to
    Remove and recreate access groups (with SWG data) from the user interface for devices running APM services
    on
    support.f5.com
    .
Regardless of which option you choose, you specify how to handle any conflict between objects in the BIG-IQ system's working configuration.
  • When you re-discover and re-import in bulk, all conflicts are resolved the in the same way.
  • When you re-discover devices and re-import services manually, you specify how to resolve conflicts on an individual basis.

Use a script to remove and recreate access groups in bulk for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management, you must remove and recreate the access groups for devices running the APM service.
Before you run this script, make sure that you don't have any pending configuration changes staged for your managed BIG-IP devices. This script prompts BIG-IQ to import the configurations for all your BIG-IP devices. So, if you don't deploy staged configuration changes before you run this script, you will lose them after you run the script. If you need assistance, contact F5 Support.
You can use this script to remove and recreate the access groups for devices running the APM service so you can start managing those devices with the new version of BIG-IQ.
If you'd rather do this from the user interface, refer to,
Remove and recreate access groups (with SWG data) from the user interface for devices running APM services
or
Reimport access groups (without SWG data) from the user interface for devices running APM services
.
  1. Log in to the BIG-IQ system as
    admin
    .
  2. At the top of the screen, select
    Traffic & Network
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  3. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      You'll deploy the configuration from this source device to all of the devices in the access group.
  4. Select the check box next to each access group and click the
    Remove
    button.
  5. Log in to the
    downloads.f5.com
    site, click the
    Find a Download
    button, and click BIG-IQ
    Centralized Management
    .
  6. Click the
    v6.1.0
    link.
  7. Review the End User Software License agreement and click the
    I Accept
    button to accept the terms.
    The Select a Download screen opens.
  8. Click the
    bulkDiscovery.zip
    file name, and unzip it on your local system.
  9. Log in to the BIG-IQ system as the root user and upload the script.
  10. Enable executable permissions, by typing:
    chmod +x ./bulkDiscovery.pl
    To access help for this script, type
    ./bulkDiscovery.pl -h
  11. Export the IP addresses for the BIG-IP devices in your network to a CSV file using the
    bulkDiscovery
    script.
    To run this script, type:
    ./bulkDiscovery.pl -c masterDeviceList.csv -m -o
  12. For each access group:
    1. Create a device list, by typing
      cp masterDeviceList.csv <access_group_name>_devices.csv
    2. Edit the file as follows:
      • Remove any devices that don't belong to the access groups by comparing it to the list you made in step 3.
      • Place the source BIG-IP device you identified in step 3, at the top of the
        <access_group_name>_devices.csv
        file.
      • Verify the credentials for each device (the script uses ADMIN/APWD by default).
    3. Save your changes to the file.
    4. Import devices in the access group by, typing:
      ./bulkDiscovery.pl -c <access_group_name>_devices.csv -g <access_group_name> -l -p -o -v
  13. Log in to the BIG-IQ system as admin.
  14. At the top of the screen, select
    Traffic & Network
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  15. Review the access groups to verify that all the groups properly imported.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.

Remove and recreate access groups (with SWG data) from the user interface for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management to the latest version, you must recreate the access groups running the APM service.
You can use this procedure to remove and recreate access groups for devices running APM services with F5 Secure Web Gateway configuration data so that you can start using the new features introduced in this release.
If you'd rather use a script to do this, refer to
Use a script to remove and recreate access groups in bulk for devices running APM services
. If your APM configuration doesn't include SWG data, refer to
Reimport access groups (without SWG data) from the user interface for devices running APM services
.
  1. At the top of the screen, select
    Traffic & Network
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      You'll deploy the configuration from this source device to all of the devices in the access group.
  3. Select the check box next to each access group and click the
    Remove
    button.
  4. Click the
    Create
    button.
  5. Type a name for this access group in the
    Name
    field.
  6. From the
    Device
    list, select the device from which to reimport the shared access policy configuration, and click the
    Reimport
    button.
    This device will share the access policy configuration with all other devices in this access group.
  7. Click the
    Create
    button at the bottom of the screen.
  8. If the differences window displays for the LTM service, select
    USE_BIGIP
    and click the
    Resolve
    button.
  9. Click the name of the access group you added.
  10. Click the
    Add Device
    button.
  11. From the
    Device
    list, select a device to add to this access group.
  12. Click the
    Add
    button at the bottom of the screen.
  13. If the differences window displays for the LTM service, select
    USE_BIGIP
    and click the
    Resolve
    button.
  14. If the differences window displays for the APM service, click the
    Accept
    button.
  15. Repeat steps 10-14 for each device in each access group before creating the next access group.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.

Re-import access groups (without SWG data) from the user interface for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management, you must re-import the access groups running the APM service without SWG data.
You can use this procedure to reimport groups for devices running APM services without F5 Secure Web Gateway configuration data so you can start using the new features introduced in this release.
If you'd rather use a script to do this, refer to
Use a script to remove and recreate access groups in bulk for devices running APM services
. If your APM configuration includes SWG data, refer to
Remove and recreate access groups (with SWG data) from the user interface for devices running APM services
.
  1. At the top of the screen, select
    Traffic & Network
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the access group.
  3. From the Device list, select the device from which to reimport the shared access policy configuration, and click the
    Reimport
    button.
    This device will share the access policy configuration with all other devices in this access group.
  4. Select
    Shared Access Group and Device Specific configuration
    and click the
    Reimport
    button at the bottom of the screen.
  5. If the differences window displays for the LTM service, select
    USE_BIGIP
    and click the
    Resolve
    button.
  6. If the differences window displays for the APM service, click the
    Accept
    button.
  7. For the remainder of the devices in this access group:
    1. Select the check box next to the device, and click the
      Reimport
      button.
    2. Select
      Device specific configuration
      and click the
      Reimport
      button at the bottom of the screen.
    3. If the differences window displays for the LTM service, select
      USE_BIGIP
      and click the
      Resolve
      button.
    4. If the differences window displays for the APM service, click the
      Accept
      button.
  8. Repeat steps 2-7 for the rest of the access groups.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.

Install the vCenter host root certificate on BIG-IQ after upgrading

If you have a VMware service scaling group (SSG) associated with a vCenter certificate that is self-signed or untrusted, after you upgrade BIG-IQ Centralized Management, you'll need to re-add the vCenter host root certificate. For this procedure, you must have root access to the BIG-IQ system's command line.
Providing BIG-IQ the vCenter host root certificate ensures secure communication between BIG-IQ and the vCenter.
  1. From the BIG-IQ system's command line, copy the root certificate from the vCenter host cert
    /etc/vmware-sso/key/ssoserverRoot.crt
    file to the BIG-IQ system's
    /config/ssl/ssl.crt
    file.
  2. Type this command to create a symbolic link to this certificate using the certificate's hash:
    ln -s ssoserverRoot.crt `openssl x509 -hash -noout -in ssoserverRoot.crt`.0
    .
  3. Type this command to restart
    gunicorn
    :
    bigstart restart gunicorn

Reconfigure data retention and aggregation settings

If, prior to the upgrade, DCD statistics data collection retention or aggregation, these custom settings were not automatically retained over the upgrade process. Manually configure these data retention and aggregation settings, once your upgrade is complete.
  1. Go to
    System
    BIG-IQ DATA COLLECTION
    BIG-IQ Data Collection Cluster
    CONFIGURATION
    Statistics Data Collection
    .
  2. To configure previous retention settings, click
    Configure Retention
    .
    Once you complete this step, make sure to click
    Save & Close
    .
  3. To configure previous aggregation settings, click
    Configure Aggregation
    .
    Once you complete this step, make sure to click
    Save & Close
    .