Manual Chapter :
Overview: BIG-IQ Centralized Management
Security
Applies To:
Show VersionsBIG-IQ Centralized Management
- 7.1.0
Overview: BIG-IQ Centralized Management
Security
Understanding Network Security and firewall
management
Network Security is a platform designed for the central management of security firewalls for
multiple BIG-IP systems, where firewall administrators have installed and
provisioned the BIG-IP Advanced Firewall Manager™ (AFM™)
module.
Network Security system provides:
- Device discovery with import of firewalls referenced by discovered devices
- Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
- L3/L4 firewall policy support, including staged and enforced policies
- Firewall audit log used to record every firewall policy change and event
- Role-based access control
- Deployment of configurations from snapshots, and the ability to preview differences between snapshots
- Multi-user editing through a locking mechanism
- Monitoring of rules
- Reports on security
Managing a firewall configuration includes discovering, importing, editing,
and deploying changes to the firewall configuration, as well as consolidation of shared firewall
objects (policies, rule lists, rules, address lists, port lists, and schedules). Network Security
provides a centralized management platform so you can perform all these tasks from a single
location. Rather than log in to each device to manage the security policy locally, it is more
efficient to use one interface to manage many devices. Not only does this simplify logistics, but
you can maintain a common set of firewall configuration objects and deploy a common set of
policies, rule lists, and other shared objects to multiple, similar devices from a central
interface.
Bringing a device under central management means that its configuration is stored in the
Network Security database, which is the authoritative source for all firewall configuration
entities. This database is also known as the working configuration or working-configuration
set.
Once a device is under central management, do not make changes locally (on the BIG-IP device)
unless there is an exceptional need. If changes are made locally for any reason, reimport the
device to reconcile those changes with the Network Security working configuration set. Unless
local changes are reconciled, the deployment process overwrites any local changes.
In addition, Network Security is aware of functionality that exists in one BIG-IP system
version but not in another. This means, for example, that it prohibits using policies on BIG-IP
devices that do not have the software version required to support them.
Understanding Shared Security
BIG-IQ Centralized Management Security contains several groups of
capabilities. The Shared Security group contains objects that can be used with Network Security
objects and with Web Application Security objects.
Understanding Web Application Security and
application management
Web Application Security enables enterprise-wide management and
configuration of multiple BIG-IP devices from a central
management platform. You can centrally manage BIG-IP devices and security policies, and import
policies from files on those devices.
From this central management platform, you can perform the following
actions:
- Import Application Security Manager™ (ASM) policies from files.
- Import ASM™ policies from discovered devices.
- Distribute policies to BIG-IP devices.
- Export policies, including an option to export policy files in XML format.
- Manage configuration snapshots.
- Edit policy settings. Refer to the table inAbout security policies in Web Application Securityfor the supported settings.
- Manage and distribute custom signature sets.
- Manage and distribute custom signatures.
- Distribute signature files to BIG-IP devices.
About BIG-IQ Centralized Management
configuration sets
The BIG-IQ Centralized Management system uses the following
terminology to refer to configuration sets for a centrally-managed BIG-IP device:
- Current configuration set
- The configuration of the BIG-IP device as discovered by BIG-IQ Centralized Management. Thecurrent configurationis updated during a re-discover and re-import, and before calculating differences during the deployment process.
- Working configuration set
- The configuration as maintained by BIG-IQ Centralized Management. Theworking configurationis the configuration that is edited on BIG-IQ Centralized Management and deployed back to BIG-IP devices.The working configuration is created when the administrator first manages the BIG-IP device from the BIG-IQ Centralized Management system. The working configuration is updated when a device is re-imported or re-discovered.If conflicts are observed during a re-discover and re-import, the object in conflict is only updated in the working configuration when theUse BIG-IPresolution conflict option is used.
About managing BIG-IP devices with BIG-IQ
Centralized Management
After you have placed a BIG-IP device under management by the BIG-IQ Centralized
Management system by discovering and importing that device configuration, you should avoid
directly changing the BIG-IP device configuration. All changes to the BIG-IP device
configuration should be made using the BIG-IQ Centralized Management system to avoid
errors.
A BIG-IP software release may include features that the BIG-IQ Centralized Management system
does not yet manage. If changes are made to the configuration of that feature directly on the
BIG-IP device, the BIG-IQ Centralized Management system might remove those changes when a
subsequent deployment is made to the BIG-IP device.
During the deployment process, the BIG-IQ Centralized Management system
imports the current configuration of the targeted BIG-IP devices. Subsequent changes made
directly on the BIG-IP device, which add new objects to the configuration, will be labeled as
being
not_imported
, but these objects
will not be removed during the next deployment. These objects will continue to be labeled as
not imported, until you reimport the configuration using the Device Management BIG-IP Devices
screen.To avoid this situation, when you directly modify a BIG-IP device, you
must re-discover and re-import the BIG-IP device from the BIG-IQ Centralized Management system
to reconcile the configuration differences.
Filtering content in firewall
policies
There are several filter fields you can use to select the data displayed for firewall
objects. The filter text you enter is used to perform a search of the underlying object's
representation in storage (in JSON), which includes not only the name and other displayed
data, but also metadata for the object, such as timestamps. Make the text you enter in the
filter field specific enough to uniquely identify the one or more objects you want to
display.
- Go to.
- Edit one of the firewall policy objects, such as the firewall policy.
- In the appropriate filter text field, type the text you want to filter on, and press Enter.Filter field at top right of screenUse the filter field at the right top of the screen to search only the displayed objects for a match to the filter. You select filter options by clicking the arrow to the left of the filter field, and then selecting an option from each option group. The bottom option group in the list controls whether the filter text must be a partial match or an exact match.
- Containsindicates that the filter text matches any object that contains it. This is the default. When searching for times or dates, such as those in a schedule, a partial time, such as September, may be specified.
- Exactindicates that the filter text matches any object that exactly matches it. This match is not case-sensitive. When searching for times or dates, such as those in a schedule, the complete time and date must be specified.
The top options group in the list control which objects are filtered. Not all options are displayed on all screens; if none of these options are displayed (IP Address,NameorPort), the default isAll.- Allindicates that all objects should be filtered using the filter text.
- IP Addressindicates that only IP address objects should be filtered using the filter text. A complete IPV4 or IPV6 address must be entered as the filter text.
- When used with theContainsoption, the filter text is matched by an IPV4 or IPV6 address that is the same as the filter text, or an IPV4 address range or subnet that includes the filter text. IPV6 addresses can not be found within a range or subnet.
- When used with theExactoption, the filter text is matched by an IPV4 or IPV6 address that is the same as the filter text only.
- Nameindicates that only object names should be filtered using the filter text.
- Portindicates that only port objects should be filtered using the filter text. A complete port number must be entered as the filter text.
- When used with theContainsoption, the filter text is matched by a port number that is the same as the filter text, or a port number range that includes the filter text.
- When used with theExactoption, the filter text is matched by a port number that is the same as the filter text only.
If the navigation list is displayed, a count of the matching objects appears to the right of each object type in the navigation list.To remove the filter, click theXto the right of the filter expression area near the filter field.Filter field in Toolbox at bottomUse the filter field in the upper right of the toolbox (displayed at the bottom of the page when active) to search the shared objects list in the toolbox and display only those that have a full or partial match to the filter. To remove the filter, click theXto the right of the filter expression area near the filter field.When specifying a date in a filter, only these date and time formats are supported:- Sep 1, 2015 2:05:04 PM
- Sep 1, 2015 2:05:04 AM
- Sep 1, 2015 14:05:04
- Sep 1, 2015 2:05
- Sep 1, 2015
- Sep 1 2015
- Sep 1
- September 1
- 2015-09-01T14:05:04
- 2015-09-01T14:05
- 2015-09-01 2015-09
- 2015
You clear filter fields by clicking theXto the right of the filter field.
Objects are filtered on the text entered and a count for each appears to the right of
each object type.
Filter matches are only displayed for an object and its containing
object. For example, when a filter matches a rule name in a rule list within a policy, only
the rule and rule list will be shown as matching, but the policy will not.