Manual Chapter : Security Deployment Best Practices


Understanding roles required for deploying security policies

When you want to deploy a Web Application Security configuration, or a Network Security configuration, you need to use one of the following built-in roles.
  • To deploy Network Security or Web Application Security configurations, use an account with the Security Manager role.
  • To deploy only Network Security configurations, use an account with the Security Manager, Network Security Manager, or Network Security Deployer roles.
  • To deploy only Web Application Security configurations, use an account with the Security Manager, Web App Security Manager, or Web App Security Deployer roles.
For more information on roles, refer to the role descriptions on the Roles screen (System > ROLE MANAGEMENT > Roles) or refer to F5 BIG-IQ Centralized Management: Authentication, Roles, and User Management on support.f5.com.

Verifying firewall rules have compiled on all BIG-IP devices

Once a firewall deployment has completed successfully, Check Rule Compilation is enabled on the View Deployment screen. Use Check Rule Compilation to verify that your firewall rules are active on the BIG-IP devices to which you deployed those rules.
  1. On the Deployments screen, click the name of the deployment that contains the firewall rules you want to verify.
    The View Deployment screen for that deployment displays.
  2. On the View Deployment screen, click
    Check Rule Compilation
    to determine if rules have been compiled on all the BIG-IP devices in the firewall deployment.
    The rule compilation status and last activation time for each BIG-IP device included in the deployment are listed in a popup.
  3. Verify that the last activation time for each BIG-IP device is after the end time of the BIG-IQ deployment task. If it is, the firewall rules have been compiled on that device. You can repeat this step as many times as needed, for example while compilation is still in progress on some devices.
    Review the following considerations when using Check Rule Compilation:
    • Be aware of any time differences between the BIG-IQ system and the BIG-IP device (different time zones, unsynchronized clocks, and so on) before comparing the two timestamps.
    • BIG-IP device versions earlier than 11.5.1 HF4 do not support the compilation statistics used by this feature and display the message Compilation stats not provided for this version of BIG-IP.
    • If Check Rule Compilation is used with an older deployment, and the state of the BIG-IP device has changed since that deployment, the status returned includes all active firewall rule changes on the BIG-IP device since the deployment, so the activation time reflects the latest of those changes rather than the selected deployment alone.
    • If Check Rule Compilation returns the message Local Last Activation Time or the message No stats found on device, the state of the BIG-IP device has changed since the deployment and the compilation statistics have been reset. A reboot of the BIG-IP device is one cause of this.
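The comparison in step 3, together with the time-zone and message considerations, is easy to get wrong when done by eye across a popup of several devices. The following is an added example, not code from the BIG-IQ product or documentation: it takes the deployment end time and the per-device values a Check Rule Compilation popup would show, normalizes everything to UTC, and classifies each device. The device names, the UTC-4 device clock offset and the timestamps are constructed sample data; the two status messages are the ones quoted above.

```python
from datetime import datetime, timezone, timedelta

# Strings Check Rule Compilation can return in place of a timestamp
# (quoted from the considerations above).
UNSUPPORTED_MSG = "Compilation stats not provided for this version of BIG-IP"
RESET_MSGS = {"Local Last Activation Time", "No stats found on device"}

# Constructed sample data, not a real BIG-IQ response. The BIG-IQ task end
# time carries a UTC offset; the BIG-IP devices report local time with no
# offset, and their clocks are assumed to be set to UTC-4 for this example.
DEPLOYMENT_END = "2023-05-10T14:05:00+00:00"
DEVICE_TZ = timezone(timedelta(hours=-4))
DEVICE_STATUS = {
    "bigip-a.example.net": "2023-05-10 10:06:30",       # 14:06:30 UTC, after the task ended
    "bigip-b.example.net": "2023-05-10 10:04:00",       # 14:04:00 UTC, before the task ended
    "bigip-c.example.net": UNSUPPORTED_MSG,             # device earlier than 11.5.1 HF4
    "bigip-d.example.net": "No stats found on device",  # e.g. rebooted since deployment
}


def to_utc(value, assumed_tz):
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    A value with no offset is interpreted in assumed_tz. Comparing in one
    zone is the whole point: comparing the strings "10:06:30" and "14:05:00"
    would wrongly conclude that bigip-a has not compiled the rules.
    """
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=assumed_tz)
    return ts.astimezone(timezone.utc)


def classify_devices(deployment_end, device_status, device_tz):
    """Map each device to one of: compiled, not-yet-compiled,
    unsupported-version, stats-reset."""
    end_utc = to_utc(deployment_end, timezone.utc)
    verdicts = {}
    for device, reported in device_status.items():
        if reported == UNSUPPORTED_MSG:
            verdicts[device] = "unsupported-version"
        elif reported in RESET_MSGS:
            verdicts[device] = "stats-reset"
        else:
            activated = to_utc(reported, device_tz)
            verdicts[device] = "compiled" if activated > end_utc else "not-yet-compiled"
    return verdicts


def devices_to_recheck(verdicts):
    """Devices whose rules are not yet confirmed active. Repeat the check for
    'not-yet-compiled' devices (compilation may still be in progress) and
    investigate 'unsupported-version' and 'stats-reset' devices by hand."""
    return sorted(d for d, v in verdicts.items() if v != "compiled")


if __name__ == "__main__":
    result = classify_devices(DEPLOYMENT_END, DEVICE_STATUS, DEVICE_TZ)
    for device, verdict in result.items():
        print(f"{device}: {verdict}")
    print("re-check:", devices_to_recheck(result))
```

Only bigip-a comes out as compiled; bigip-b has an activation time one minute before the task ended, so the rules there are not confirmed and the check should be repeated, while bigip-c and bigip-d need a manual look because the feature returned a message rather than a time.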

Reviewing deployment process states to diagnose problems

When a firewall security policy or a web application security policy is deployed, that policy goes through several deployment states. Reviewing these states can help you understand what occurred during deployment in order to diagnose a problem. Not every state appears in every log, because which states are logged depends on how the deployment was processed.
Review the restjavad.n.log file to view deployment states for either a firewall security policy or a web application security policy.

Device deployment states

This table lists the states that can occur during the deployment process, with a brief description of each state.

Deployment States

CHECK_LICENSE
    Verifies that the BIG-IQ system licenses are valid.
CHECK_OTHER_RUNNING_TASKS
    Verifies that no tasks are running that could cause errors during deployment. Tasks that could cause errors include:
      • Other BIG-IQ Security deployment tasks running at the same time as this deployment, even if they are from different modules.
      • Tasks to declare management authority over a BIG-IP device.
      • Tasks that rescind management authority over a BIG-IP device.
GET_DEVICES
    Finds all devices managed by the BIG-IQ Security system.
CHECK_DEVICE_AVAILABILITY
    Determines whether the devices to be deployed to are available.
LOOKUP_CLUSTERS
    Determines whether any devices included in the deployment are part of a cluster and, if so, verifies that both devices in the cluster are configured with the same sync mode and sync failover group on the BIG-IP device.
REFRESH_CURRENT_CONFIG_SOAP
    Using the SOAP API, refreshes the current configuration for all devices included in the deployment. This adds any new configuration items from the BIG-IP device to the current configuration.
REFRESH_CURRENT_CONFIG_REST
    Using the REST API, refreshes the current configuration for all devices included in the deployment. This adds any new configuration items from the BIG-IP device to the current configuration.
CREATE_SNAPSHOT
    Creates a snapshot of the working configuration.
CREATE_DIFFERENCE
    Generates the differences between the snapshot taken and the current configuration.
VERIFY_CONFIG
    Verifies that the devices to be deployed to do not have configuration problems that could lead to deployment errors.
GET_CHILD_DEPLOY_DEVICES
    Finds all devices managed by Shared Security objects. These devices are treated as child deployments of the parent firewall security or web application security deployment.
START_CHILD_DEPLOY
    Starts the deployment to devices managed by Shared Security objects.
WAIT_FOR_CHILD_DEPLOY
    Waits for the deployment to devices managed by Shared Security objects to complete.
CLEANUP_PREVIOUS_EVALUATE
    Cleans up processing artifacts from the previous evaluation.
DISTRIBUTE_DSC_CLUSTERS
    Distributes changes to devices that LOOKUP_CLUSTERS identified as being in a cluster and that are configured to use BIG-IP Device Service Clustering (DSC) to keep the BIG-IP devices synchronized.
DISTRIBUTE_CONFIG
    Distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_SOAP
    Using the SOAP API, distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_REST
    Using the REST API, distributes configuration changes to the specified devices.
FOLDBACK_DEPLOYED_ADDITIONS
    Inserts any newly added objects directly into the current configuration so that the BIG-IQ system already knows about those objects on the next refresh of the current configuration.
DONE
    Indicates that the deployment process has completed.
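When several deployments run close together, the state lines for different tasks are interleaved in restjavad.n.log, and the question a responder actually wants answered is "which task stopped, and at which state". The following is an added example, not code from the BIG-IQ product or documentation: it scans log lines for the state names in the table above, groups them by task, and reports the last state each task reached and whether it logged DONE. The log excerpt is constructed for the example, and the way a task identifier appears (a task=... token) is an assumption; adjust TASK_RE to the real line format on your system.

```python
import re
from collections import OrderedDict

# Deployment states listed in the table above.
DEPLOYMENT_STATES = [
    "CHECK_LICENSE", "CHECK_OTHER_RUNNING_TASKS", "GET_DEVICES",
    "CHECK_DEVICE_AVAILABILITY", "LOOKUP_CLUSTERS", "REFRESH_CURRENT_CONFIG_SOAP",
    "REFRESH_CURRENT_CONFIG_REST", "CREATE_SNAPSHOT", "CREATE_DIFFERENCE",
    "VERIFY_CONFIG", "GET_CHILD_DEPLOY_DEVICES", "START_CHILD_DEPLOY",
    "WAIT_FOR_CHILD_DEPLOY", "CLEANUP_PREVIOUS_EVALUATE", "DISTRIBUTE_DSC_CLUSTERS",
    "DISTRIBUTE_CONFIG", "DISTRIBUTE_CONFIG_SOAP", "DISTRIBUTE_CONFIG_REST",
    "FOLDBACK_DEPLOYED_ADDITIONS", "DONE",
]
# Longest names first so DISTRIBUTE_CONFIG_SOAP is never cut down to DISTRIBUTE_CONFIG.
STATE_RE = re.compile(
    r"\b(" + "|".join(sorted(DEPLOYMENT_STATES, key=len, reverse=True)) + r")\b"
)
# Assumed task identifier token used in the constructed sample below; the real
# restjavad.n.log format may differ.
TASK_RE = re.compile(r"task=(\S+)")

# Constructed sample log excerpt (not real restjavad.n.log output): firewall
# deployment fw-1 stops after CHECK_DEVICE_AVAILABILITY because a device is
# unreachable, while the concurrent web application security deployment
# waf-7 runs through to DONE.
SAMPLE_LOG = """\
[I][10 May 2023 14:00:01 UTC][DeploymentWorker] task=fw-1 state=CHECK_LICENSE
[I][10 May 2023 14:00:02 UTC][DeploymentWorker] task=fw-1 state=CHECK_OTHER_RUNNING_TASKS
[I][10 May 2023 14:00:03 UTC][DeploymentWorker] task=fw-1 state=GET_DEVICES
[I][10 May 2023 14:00:04 UTC][DeploymentWorker] task=fw-1 state=CHECK_DEVICE_AVAILABILITY
[E][10 May 2023 14:00:09 UTC][DeploymentWorker] task=fw-1 device bigip-b.example.net unreachable
[I][10 May 2023 14:01:00 UTC][DeploymentWorker] task=waf-7 state=CHECK_LICENSE
[I][10 May 2023 14:01:01 UTC][DeploymentWorker] task=waf-7 state=CHECK_OTHER_RUNNING_TASKS
[I][10 May 2023 14:01:02 UTC][DeploymentWorker] task=waf-7 state=GET_DEVICES
[I][10 May 2023 14:01:03 UTC][DeploymentWorker] task=waf-7 state=CHECK_DEVICE_AVAILABILITY
[I][10 May 2023 14:01:10 UTC][DeploymentWorker] task=waf-7 state=CREATE_SNAPSHOT
[I][10 May 2023 14:01:11 UTC][DeploymentWorker] task=waf-7 state=CREATE_DIFFERENCE
[I][10 May 2023 14:01:12 UTC][DeploymentWorker] task=waf-7 state=VERIFY_CONFIG
[I][10 May 2023 14:01:30 UTC][DeploymentWorker] task=waf-7 state=DISTRIBUTE_CONFIG_REST
[I][10 May 2023 14:01:40 UTC][DeploymentWorker] task=waf-7 state=FOLDBACK_DEPLOYED_ADDITIONS
[I][10 May 2023 14:01:41 UTC][DeploymentWorker] task=waf-7 state=DONE
[I][10 May 2023 14:02:00 UTC][RestWorker] unrelated message with no task id
"""


def states_by_task(lines):
    """Return {task_id: [states in order of appearance]} built from every line
    that names both a task and one of the known deployment states."""
    tasks = OrderedDict()
    for line in lines:
        task = TASK_RE.search(line)
        state = STATE_RE.search(line)
        if task and state:
            tasks.setdefault(task.group(1), []).append(state.group(1))
    return tasks


def diagnose(lines):
    """Per task: the states observed, the last one reached and whether DONE
    was logged. A task without DONE stopped at or just after last_state, which
    is where to read the surrounding log lines. Not every state appears in
    every deployment, so gaps in the sequence are not themselves an error."""
    report = {}
    for task, states in states_by_task(lines).items():
        report[task] = {
            "states": states,
            "last_state": states[-1],
            "completed": states[-1] == "DONE",
        }
    return report


if __name__ == "__main__":
    for task, info in diagnose(SAMPLE_LOG.splitlines()).items():
        status = "completed" if info["completed"] else f"stopped at {info['last_state']}"
        print(f"{task}: {status} ({len(info['states'])} states logged)")
```

Run against the sample, fw-1 is reported as stopped at CHECK_DEVICE_AVAILABILITY, pointing straight at the unreachable-device line that follows it, while waf-7 is reported as completed.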