Manual Chapter : CE for pre-req and considerations when discovering devices

Applies To:

BIG-IQ Centralized Management

  • 7.1.0

Before you can add BIG-IP devices to BIG-IQ Centralized Management:
  • The BIG-IP device must be located in your network and running a compatible software version. Refer to K14592 for more information.
  • The BIG-IP management address, or any alternative IP address you use, must be open (typically on ports 22 and 443). Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • If you are adding a BIG-IP device provisioned with the ASM service that is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For details on configuring these groups, refer to Creating a Sync-Only device group and Synchronizing an ASM-enabled device group in the Automatically Synchronizing Application Security Configurations article on support.f5.com.
If you are running BIG-IP versions earlier than version 11.6.0, you might need root user credentials to discover and add the device to the BIG-IP devices inventory. You don't need root user credentials for BIG-IP devices running versions 11.6.0 and later.
A BIG-IP device running versions 10.2.0 - 11.5.0 is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 11.5.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
For BIG-IP devices with ASM services, you can only add five devices at a time.
You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
If you're adding a BIG-IP VE device located in a third party cloud environment, refer to the documentation for managing a BIG-IP VE in a third party cloud environment.
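The constraints above can be checked against a planned device list before anything is typed into BIG-IQ. The following is an added example, not F5 code: the dictionary layout, function names and sample devices are assumptions made for illustration, and it also applies the management port range and DSC group size stated later in this chapter.

```python
import ipaddress
from collections import Counter

# Thresholds as stated on this page.
LEGACY_MIN, LEGACY_MAX = (10, 2, 0), (11, 5, 0)  # 10.2.0 - 11.5.0: legacy
ROOT_FREE_FROM = (11, 6, 0)                       # root not needed from 11.6.0
ASM_BATCH_MAX = 5                                 # ASM devices per add operation
DSC_GROUP_MAX = 8                                 # members per DSC group

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def check_device(dev):
    """Return the findings for one planned device entry (hypothetical layout)."""
    findings = []
    version = parse_version(dev["version"])
    if LEGACY_MIN <= version <= LEGACY_MAX:
        findings.append("legacy version, cannot be added until upgraded")
    elif version < ROOT_FREE_FROM:
        findings.append("root credentials may be needed for discovery")
    try:
        ipaddress.ip_address(dev["address"])
    except ValueError:
        findings.append("address is not valid IPv4 or IPv6")
    if not 4 <= dev["port"] <= 65535:
        findings.append("management port outside 4-65535")
    elif dev["port"] == 65535:
        findings.append("port 65535: device UI not reachable from Chrome or Safari")
    return findings

def check_batch(devices):
    """Return (per-device findings, batch-level findings)."""
    per_device = {d["address"]: check_device(d) for d in devices}
    batch = []
    if sum("ASM" in d["services"] for d in devices) > ASM_BATCH_MAX:
        batch.append("more than five ASM devices in one add operation")
    # Interpretation used here: an SSLO device goes in a batch of its own.
    if len(devices) > 1 and any("SSLO" in d["services"] for d in devices):
        batch.append("SSLO devices must be added individually")
    groups = Counter(d["dsc_group"] for d in devices if d.get("dsc_group"))
    batch += [f"DSC group {g} has more than eight members"
              for g, n in groups.items() if n > DSC_GROUP_MAX]
    return per_device, batch

# Constructed sample plan (documentation addresses, not real devices).
SAMPLE = [
    {"address": "192.0.2.10", "version": "11.5.0", "port": 443, "services": ["LTM"]},
    {"address": "192.0.2.11", "version": "11.5.4", "port": 65535, "services": ["LTM", "ASM"]},
    {"address": "2001:db8::12", "version": "14.1.2", "port": 3, "services": ["LTM", "SSLO"]},
]

if __name__ == "__main__":
    per_device, batch = check_batch(SAMPLE)
    for address, findings in per_device.items():
        print(address, findings or "ok")
    print("batch:", batch or "ok")
```
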
  1. On the left, click BIG-IP DEVICES.
  2. At the top of the screen, click Devices.
  3. On the left, click BIG-IP VE CREATION.
  4. Click the Add Device(s) button.
  5. Click the Add Device(s) button.
  6. For the Discovery Type setting, select Add a single BIG-IP device and discover and import services in a separate step.
  7. For the Discovery Type setting, select Add BIG-IP device(s) and discover and import services in one step.
  8. Click the Upload CSV button.
  9. Click Create.
  10. For Task Name, type a name for this onboarding task.
  11. For BIG-IP VE Name, type a name to identify the BIG-IP VE you are creating.
  12. From the Cloud Environment list, select the cloud environment this BIG-IP VE is in.
  13. Click the Create button at the bottom of the screen.
  14. Type the user name and password for these devices.
  15. In the Hostname field, type a host name.
    Use the FQDN for the host name. The BIG-IP system displays its host name in the left corner of its Configuration utility and in the command prompt of the Advanced Shell.
  16. In the Target Username and Target Passphrase fields, type the admin credentials for this BIG-IP VE.
    Do not use the colon character in the username.
  17. Enter the Target SSH Key.
    BIG-IQ uses the private key for SSH operations when initially creating BIG-IP VE devices in the cloud environment. The corresponding public key must be in the target username's ~/.ssh/authorized_keys file on the targetHost.
  18. In the Port field, type the management port for this BIG-IP VE device.
    This is the port BIG-IQ uses to send the API call to the BIG-IP VE and to manage the BIG-IP VE once it's onboarded. If you use port 0, BIG-IQ tries common ports to reach this BIG-IP VE device.
  19. In the Onboard Classes area, select each class you want to configure for this BIG-IP VE device and specify the configuration settings for this BIG-IP VE device.
    The BIG-IQ Settings class is required. If you don't select and specify its settings, BIG-IQ adds it to the API with default settings.
  20. When you provision the services, there are four settings to select from:
    • None - The service is not provisioned and will not run.
    • Dedicated - The system allocates all CPU, memory, and disk resources to the service. If you select this option for a service, BIG-IQ sets all other services to None.
    • Nominal - When you select this option, the associated service gets the least amount of resources required. If other services are disabled in the future, this service gets a portion of the remaining resources.
    • Minimum - When selected for a service, the service gets the least amount of resources required. Additional resources are never allocated to this service even if other services are disabled.
  21. Click the Onboard button at the bottom of the screen.
  22. Click the Edit button.
  23. For Device Type, select Import Devices.
  24. Type the User Name and Password for the device.
  25. For IP Address, type the IPv4 or IPv6 address of the device.
  26. In the Port box, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  27. In the Port box, type the management port for these BIG-IP devices.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  28. Select the check box next to each licensed service running on the device(s) you are adding.
  29. If you are collecting statistics, for Status select the Enabled check box and a zone from the Zone list.
    If you do not define a zone, this device sends its statistics to DCDs assigned to the default zone.
    Zones are names created to associate BIG-IP devices with one or more DCD systems to help segregate statistic traffic by network topology, load, availability, and so forth, for optimal statistics traffic routing.
  30. If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
    • For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
    • To create a new DSC group, select Create New from the list, and type a name in the field.
    For BIG-IQ to properly associate the devices in the same DSC group, the Cluster Display Name must be the same for all members in a group.
    There can be up to eight members in a DSC group.
  31. If this device is part of a DSC group, for the Cluster Display Name setting, you must choose an existing DSC group from the list.
  32. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
    • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
      This option is not recommended, because it can lead to unpredictable results.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  33. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  34. Click the Save & Close button at the bottom of the screen.
  35. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  36. To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
    You can select other service configurations after you add the BIG-IP device to the inventory.
  37. Click the Add button at the bottom of the screen.
  38. To ignore conflicts for objects shared between BIG-IQ and the BIG-IP device(s) you're adding, leave the Conflict Resolution check box selected.
    This allows you to continue to import services that have no conflicts, and fix the conflicts individually later, from the BIG-IP DEVICES SERVICES screen, to complete the import process for those services.
  39. To change the password for a device, or group of devices, click the check box next to it, and click the Set Password button.
    After you add or upload device(s) and before you discover and import services, you can change the device's password. If you added or imported devices in bulk, the password for all devices in a group must be the same.
  40. When you are ready to discover and import services for these devices, click the Discover and Import button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP devices, and checks the BIG-IP device framework.
    The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  41. Click the Add button at the bottom of the screen.
    When complete, a popup screen displays a status and options to discover device service configurations immediately.
  42. To discover configurations for services on the device, select them and click Discover; otherwise, click Cancel.
    You can discover service configurations now or do it later.
  43. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    You must add both members of an HA pair to the same Access group.
  44. Select the check box next to each service you want to collect data for, and then click Continue.
  45. THIS STEP LEFT EMPTY ON PURPOSE to allow for storing multiple prerequisites in this common elements file. DO NOT ADD IT TO A TASK.
    You must discover a service configuration before you can import it.
    You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  46. Select the check box next to the BIG-IP devices you want to discover and import services for, and click the Discover and Import button at the bottom of the screen.
  47. Click the Discover and Import button at the bottom of the screen.
  48. For each service this BIG-IP device is licensed for, perform the following steps:
    You must discover and import the LTM service before any others, so make sure you do that first.
    1. Click the Discover button.
    2. To create a snapshot of the BIG-IQ configuration before importing services, select the Create a snapshot of the current configuration before importing check box.
    3. Click the Import button next to the service to import it.
    4. If BIG-IQ detects a conflict between the working configuration on BIG-IQ and the objects you are importing, a popup displays so you can specify how you want to resolve conflicts. You can either choose to handle all conflicts the same way, or you can specify a specific resolution for each conflict, or you can choose to resolve conflicts later by importing this device to a silo.
      • If you want to handle all conflicts the same way, you can choose Set all BIG-IQ to keep all of the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites all object settings to match the settings on BIG-IQ.
      • If you want to handle all conflicts the same way, you can choose Set all BIG-IP to use all of the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. The next time you deploy a configuration, BIG-IQ overwrites the object settings for any shared objects to match the settings on this BIG-IP device.
      • If you want to handle each conflict individually, you can choose BIG-IQ to keep the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to a BIG-IP device, BIG-IQ overwrites the object settings to match the settings on BIG-IQ.
      • If you want to handle each conflict individually, you can choose BIG-IP to use the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. If this is a shared object, the next time you deploy a configuration, BIG-IQ overwrites the object settings on the target BIG-IP device to match the settings from this BIG-IP device's configuration.
      • If you want to handle each conflict individually, for conflicts in LTM monitor or profile settings you can choose Create Version. This option creates and stores a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for any target BIG-IP device running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
    5. Click the Continue button to apply the options you selected, or click the Resolve Conflicts Later button to import this device to a silo.
    6. Click Resolve to confirm the conflict resolution options you specified.
    BIG-IQ imports the device and its configuration objects based on the options you specified.
  49. To create a snapshot of the BIG-IQ configuration before importing services, select the Snapshot check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  50. Click the Import button next to the service to import it.
  51. For the Target Silo setting, select Use an Existing Silo and select it, or select Create a New Silo and name it.
    When you select a silo other than Default, BIG-IQ displays only the LTM service. You cannot import services other than LTM to a silo.
  52. If BIG-IQ detects a conflict for services between the working configuration on BIG-IQ and the current configuration on BIG-IP, select a conflict resolution policy option for each object type.
    • Use BIG-IQ: Keep the object settings in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
    • Use BIG-IP: Use the object settings from this BIG-IP device's configuration to replace the object in the BIG-IQ working configuration. The next time you deploy a configuration to your BIG-IP devices, BIG-IQ replaces the object settings for all of your managed BIG-IP devices to match the object settings on this BIG-IP device.
    • Create Version: For LTM monitors or profiles only, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for all the managed BIG-IP devices running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
  53. To place this BIG-IP device in an existing or newly-created silo so you can view and resolve conflicts later, click the Resolve Conflicts Later button.
    This option is available only for the LTM service.
  54. Click the Cancel Import button to stop the importation process for this BIG-IP device.
  55. If you do not want to import any services that you know have conflicts between the BIG-IQ working configuration and the BIG-IP current configuration, select the Do not import a service if it contains a shared object conflict between this BIG-IP device and BIG-IQ check box to skip any services that have conflicts.
    If you do not select this check box, BIG-IQ will not add the BIG-IP device with a conflict.
  56. If you think this device might have some conflicts for the LTM service between the working configuration on BIG-IQ and the current configuration on the BIG-IP device when you import that service, and you want to address the conflicts later using a silo, clear the Do not import a service if it contains a shared object conflict between this BIG-IP device and BIG-IQ check box.
    Using a silo as an option to review conflicts is available only for the LTM service.
  57. If you suspect there are LTM service conflicts between the working configuration on BIG-IQ and the current configuration on a BIG-IP you are adding, for the Silo Properties, select or create a silo for the device(s) so you can address those conflicts later.
    The Silo Properties display only if you cleared the Do not import a service if it contains a shared object conflict between this BIG-IP device and BIG-IQ check box on the previous screen. Using a silo as an option to review conflicts is available only for the LTM service. BIG-IQ
When BIG-IQ successfully completes a BIG-IP VE creation task, the task displays on the BIG-IP VE creation screen. The BIG-IP VE creation process can take up to 10 minutes, depending on the cloud environment and the BIG-IP VE configuration.
BIG-IQ displays a discovering message in the Services column of the inventory list.
If you want to manage the configuration for the services you specified, you must import the device's configuration.
To view status and address any conflicts between BIG-IQ and BIG-IP device objects, on the left, click BIG-IP DEVICES.
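The Target SSH Key step requires the matching public key to be in the target user's ~/.ssh/authorized_keys file. The following added example (not F5 code; function names and sample keys are constructed for illustration) checks a copy of that file for the public key by comparing key blobs, so entry options and comments do not hide or fake a match.

```python
import base64
import hashlib
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_key_entry(line):
    """Return (options, key_type, blob) for one OpenSSH key line, or None."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(KEY_PREFIXES):
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        if len(blob) < 4:
            continue
        # The blob begins with a length-prefixed copy of the key type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == tok.encode():
            return " ".join(tokens[:i]), tok, blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_key(pub_line, authorized_keys_text):
    """List the active entries in authorized_keys that carry pub_line's key."""
    wanted = parse_key_entry(pub_line)
    if wanted is None:
        raise ValueError("not an OpenSSH public key line")
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented-out entries are not active
        entry = parse_key_entry(line)
        if entry and entry[2] == wanted[2]:
            hits.append({"line": lineno, "options": entry[0],
                         "fingerprint": fingerprint(entry[2])})
    return hits

def _constructed_key(seed):
    # Constructed ed25519-shaped blob for the sample; not a usable key.
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

TARGET_PUB = _constructed_key(1) + " bigiq-onboarding"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the BIG-IP admin account (constructed sample)",
    _constructed_key(2) + " backup@example",
    "# " + _constructed_key(1) + " old entry, disabled",
    'from="192.0.2.5" ' + _constructed_key(1) + " bigiq-onboarding",
])

if __name__ == "__main__":
    print(find_key(TARGET_PUB, SAMPLE_AUTHORIZED_KEYS))
```

The public key line for an existing private key can be produced with `ssh-keygen -y -f <keyfile>`. An entry that matches only with restricting options, such as the `from=` in the sample, deserves a look before onboarding.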