BIG-IQ Centralized Management
Understanding Core Features of BIG-IQ Centralized Management
Why should I use BIG-IQ?
- Manage and monitor multiple BIG-IP devices and service configurations from BIG-IQ, rather than having to log in to each BIG-IP device (physical, virtual, or vCMP) individually.
- Centrally manage and monitor security policies across your BIG-IP devices, such as firewall policies and web application policies, depending on what service configurations you have installed.
- Maintain and edit shared configuration objects, such as policies, in one place, and then deploy those objects to multiple BIG-IP devices.
- Apply role-based authorization to specific BIG-IP services, restricting roles and permissions for some users who use only a portion of the BIG-IQ system, and define broader permissions for administrative users. For example, you can permit application owners to see only their configuration objects across multiple devices, while an administrator can see all objects.
- Find information about objects across all BIG-IP configurations using global search, restricting the scope of the search using various search options. Once an object is found, you can review additional information about that object.
What elements make up a BIG-IQ solution?
- BIG-IP devices
- BIG-IQ data collection devices (optional)
- Remote storage
BIG-IQ data collection device
Remote storage device
Quorum DCD device
If you want BIG-IQ to automatically fail over to a peer BIG-IQ in a high availability (HA) configuration, you must identify a DCD to serve as a
How do I start managing configurations for BIG-IP devices from
- Establish trust between BIG-IQ and BIG-IP and add the BIG-IP device to the list of managed devices. If you do not want to manage service configurations on your BIG-IP devices, you do not have to perform the rest of the tasks.
- Discover the BIG-IP device's service configurations, such as ASM, AFM, DNS, and so on. You must at least discover the LTM service. You usually only need to discover the service configurations when you are first beginning to manage a BIG-IP device.
- Import the discovered configurations from the BIG-IP device to the BIG-IQ system and resolve any conflicts between the configurations on BIG-IP and BIG-IQ. You usually only need to perform this task when you are first beginning to manage the BIG-IP device, or after an upgrade of BIG-IQ.
- Edit the configurations as needed from BIG-IQ.
- Evaluate the configurations to ensure that there will be no deployment issues.
- Deploy the updated configurations back to the BIG-IP devices.
Essentially, you perform the first three tasks to initially set up centralized management of your BIG-IP devices and services. The last three tasks (edit, evaluate, and deploy) are performed regularly as you manage your BIG-IP devices and services.
Establish trust and add BIG-IP devices for management by
- The BIG-IQ administrator adds the IP address, user name and password for an administrative user on the BIG-IP device.
- If the BIG-IP device is clustered, the administrator selects how to handle deployment to the clustered devices.
- The BIG-IP device and the BIG-IQ system exchange certificates to create a trust relationship.
- For earlier versions of BIG-IP devices, the administrator might need to update the REST framework on the BIG-IP device to be able to manage it.
There are several ways you can add BIG-IP devices to BIG-IQ so you can manage them:
- Add and configure BIG-IP VE devices in an AWS, Azure, or VMware cloud.
- Add BIG-IP devices to BIG-IQ and import their services in two separate steps.
- Add multiple BIG-IP devices and add their services in one step.
- Import multiple BIG-IP devices and add their services using a CSV file.
Discovering the service configurations on BIG-IP devices
About conflict management when importing BIG-IP
- Working configuration is the BIG-IP service configuration located on BIG-IQ. This is the configuration you manage, edit, and deploy to your managed BIG-IP devices.
- Current configuration is the BIG-IP service configuration running on a BIG-IP device, which can be different than the working configuration on BIG-IQ if changes were made directly on that BIG-IP device.
- Shared - Objects shared across BIG-IP devices, such as LTM profiles and monitors.
- Shared version-specific - Objects shared across BIG-IP devices that are specific to a BIG-IP software version.
- Device-specific - Objects that are specific to a particular BIG-IP device and are not shared among BIG-IP devices.
- Stop importing the services with the conflicts. Resolve each conflict individually on the BIG-IP device's Services screen. Continue importing services after you address the conflicts.
- For the LTM service configuration only: If you encounter LTM configuration conflicts, you can place the device in a silo, continue to discover other BIG-IP devices and later, go back to address the LTM service's conflict(s) for that BIG-IP device. After you address the conflicts, you can re-add the BIG-IP device and discover and import the LTM service (as well as any other licensed services).
The option to place a BIG-IP device with a conflict in a silo to address the conflict later is available only for the LTM service. For all other services, you cannot use a silo to address conflicts. For information about managing conflicts from a silo, refer to the BIG-IQ: Using Silos to Resolve LTM Object Conflicts implementation on support.askf5.com.
- Use a BIG-IQ conflict resolution policy to automatically treat all configuration object conflicts the same way if a difference is found.
- Use BIG-IQ: Keep the object settings specified in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
- Use BIG-IP: Use the object settings specified in the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object on the target device.
- Create Version: For LTM monitors or profiles, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object if that BIG-IP device is running that specific version. This option allows you to store multiple versions of LTM monitors or profiles knowing that BIG-IQ will deploy the appropriate stored version to your managed devices. The next time you import services that contain LTM monitors or profiles, BIG-IQ automatically resolves conflicts against the appropriate version.
Considerations when managing BIG-IP device configurations
- It's important that you don't make configuration changes directly on a BIG-IP device you're managing from BIG-IQ.
If you do make changes directly on the BIG-IP device, you must re-import the BIG-IP device's configuration to resolve those changes with the BIG-IQ working configuration. If you do not re-import the configuration, a subsequent deployment of the configuration from the BIG-IQ will overwrite your local changes on the BIG-IP device.
- Be aware of the BIG-IP device versions and features supported by your version of BIG-IQ. For example, in BIG-IQ, a feature that is supported for only BIG-IP devices running version 15.0 or later might not appear as an option to be managed for an earlier version of a BIG-IP device.
You can find compatibility information in the BIG-IQ Centralized Management compatibility matrix on the F5 support web site, support.f5.com. In addition, review the BIG-IQ service documentation, since some features might be supported only with certain versions of BIG-IP devices.
Evaluating and reviewing configuration differences
- When you begin the evaluation process, the BIG-IQ captures the current service configuration on the BIG-IP device, creates a snapshot of the BIG-IQ working configuration, and then compares the two configurations for that device.
- You now can review the configuration differences using a graphical summary of the differences. You can also view the JSON code differences for each object that has been modified, added, or removed.
- After reviewing the differences, you take one of these actions:
- If you are satisfied with the evaluation results, proceed with deploying the BIG-IQ working configuration to the BIG-IP device.
- If you are not satisfied with the evaluation results, make whatever changes are needed on the BIG-IQ working configuration, and evaluate the configurations again. If you want to keep changes that were made directly on the BIG-IP device, re-import the BIG-IP device configuration, and evaluate the configuration again.
- If there are changes to the Local Traffic service configuration, you should evaluate that working configuration first, since any changes you need to make there could affect other configurations.
- You can use the evaluation process to review not only working configuration changes, but also changes in a configuration you captured in a snapshot.
- You can also evaluate and deploy a selected set of objects rather than an entire configuration. This is sometimes referred to as a partial deployment.
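A simplified model of the evaluation step and of the Use BIG-IQ and Use BIG-IP re-import policies, added here as an illustration and not F5 code. The object names, fields, and the `evaluate`, `object_diff` and `reimport` functions are assumptions, and both configurations are constructed sample data.

```python
import difflib
import json

# Constructed sample data: object names and fields are illustrative, not BIG-IQ's schema.
WORKING = {  # BIG-IQ working configuration
    "/Common/http_monitor": {"kind": "monitor", "interval": 5, "timeout": 16},
    "/Common/app_pool": {"kind": "pool", "members": ["10.0.0.10:80", "10.0.0.11:80"]},
    "/Common/fw_policy": {"kind": "firewall-policy", "default_action": "reject"},
}
CURRENT = {  # configuration captured from the BIG-IP device, with two local changes
    "/Common/http_monitor": {"kind": "monitor", "interval": 5, "timeout": 16},
    "/Common/app_pool": {"kind": "pool", "members": ["10.0.0.10:80"]},
    "/Common/debug_vs": {"kind": "virtual", "destination": "10.0.0.50:8080"},
}

def evaluate(working, current):
    """Classify what deploying `working` would do to the device running `current`."""
    diff = {"added": [], "modified": [], "removed": []}
    for name in sorted(working.keys() | current.keys()):
        if name not in current:
            diff["added"].append(name)
        elif name not in working:
            diff["removed"].append(name)      # exists only on the device
        elif working[name] != current[name]:
            diff["modified"].append(name)     # device copy would be overwritten
    return diff

def object_diff(name, working, current):
    """Unified diff of one object's JSON: device side first, BIG-IQ side second."""
    old = json.dumps(current.get(name, {}), indent=2, sort_keys=True).splitlines()
    new = json.dumps(working.get(name, {}), indent=2, sort_keys=True).splitlines()
    return list(difflib.unified_diff(old, new, "big-ip", "big-iq", lineterm=""))

def reimport(working, current, policy):
    """Re-import the device configuration, resolving every conflict the same way."""
    if policy not in ("use-big-iq", "use-big-ip"):
        raise ValueError(f"unknown policy: {policy}")
    merged = dict(working)
    for name, obj in current.items():
        # Device-only objects are imported; conflicting ones follow the policy.
        if name not in working or policy == "use-big-ip":
            merged[name] = obj
    return merged

if __name__ == "__main__":
    print(evaluate(WORKING, CURRENT))  # deploy without re-import: local changes are lost
    print("\n".join(object_diff("/Common/app_pool", WORKING, CURRENT)))
    print(evaluate(reimport(WORKING, CURRENT, "use-big-ip"), CURRENT))
```

Objects reported as modified or removed before a re-import are the changes made directly on the device that a deployment would overwrite, so they are worth reviewing against the audit log before you deploy.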
Deploying the configurations
Other common BIG-IQ tasks and concepts
- Re-discovering and re-importing configurations when you encounter configuration problems.
- Capturing and restoring snapshots of configurations so you can roll back to a previous set of changes.
- Reviewing audit logs to see what changes have been made on the BIG-IQ system, and by whom.
- Recognizing the difference between device-specific and shared objects, particularly when doing deployments.
- Using device configuration templates to simplify device configuration.
- Monitoring statistics through the dashboard.
- Creating and managing applications.
Re-discovering and re-importing configurations when needed
- If you added, changed, or deleted management IP addresses or virtual servers directly on the BIG-IP device.
- If you made changes to other parts of the configuration locally on the BIG-IP device, rather than from BIG-IQ.
- If you upgraded the BIG-IP device's software, and that upgrade needs to be recognized by the BIG-IQ.
Capturing and restoring configurations using snapshots
- To evaluate and deploy a snapshot to a BIG-IP device, you use the screens at.
- To create and compare snapshots, you use the screens at.
- To restore the BIG-IQ working configuration to a snapshot configuration, you use the screens at.
Reviewing BIG-IQ system changes using audit logs
How do shared objects impact my deployments?
About configuration templates
What is an application and how do I create one?
- An application is a collection of application services that all work to support a common business process. By combining these into one container, you can manage all of the services required to operate that process from one place in the BIG-IQ user interface.
- A multi-cloud, or multi-site application distributes multiple versions of a common application service across different physical locations or cloud platforms. With versions hosted on different platforms or locations, your availability improves, and the overall application health is more robust. If one data center or cloud platform goes down, application traffic just flows to the other one. Or, you might just want the performance benefits that can come from processing traffic locally.
- Create or modify an AS3 or service catalog template that defines the objects you need in your application service.
- Create a new application. This creates the 'container' along with a single application service.
- Add additional application services needed to perform the business process you need to support.
- Create or modify an AS3 or service template that defines the objects you need in your application services.
- Create the application that will house your application services.
- Use the template to deploy an application service to one cloud provider or data center.
- Use the template to deploy the same application service to a second cloud provider or data center.
- Use a template to create a DNS application service that load balances the traffic between the two application services.