Manual Chapter :
Device Discovery and Basic Device Management
Applies To:
Show VersionsBIG-IQ Centralized Management
- 7.1.0
Device Discovery and Basic Device Management
Establish trust and add BIG-IP devices for management by
BIG-IQ
The first task in managing a BIG-IP device from BIG-IQ is to add it to BIG-IQ.
Largely, this is making sure that the BIG-IQ system can access the device at the
specified IP address and ports. This is sometimes referred to as
establishing trust
with the BIG-IP device.After this task is complete, all of the BIG-IQ Device functionality
(inventory reporting, backup and restore, script management, licensing, password
management, software upgrade, and so on) is available for the discovered device. If at
least one Data Collection Device (DCD) is deployed in the environment, statistics data
for device, LTM, and DNS objects can also be
collected and reported.
In environments that only require centralized device management, this
task might be the only one you need to perform. The remaining tasks are for those
environments that want to manage service configurations, such as Network Security, as
well as the devices.
Adding the BIG-IP device and establishing trust with it involves
several tasks:
- The BIG-IQ administrator adds the IP address, user name and password for an administrative user on the BIG-IP device.
- If the BIG-IP device is clustered, the administrator selects how to handle deployment to the clustered devices.
- The BIG-IP device and the BIG-IQ system exchange certificates to create a trust relationship.
- For earlier versions of BIG-IP devices, the administrator might need to update the REST framework on the BIG-IP device to be able to manage it.There are several ways you can add BIG-IP devices to BIG-IQ so you can manage them:
- Add and configure BIG-IP VE devices in an AWS, Azure, or VMware cloud.
- Add BIG-IP devices to BIG-IQ and import their services in two separate steps.
- Add multiple BIG-IP devices and add their services in one step.
- Import multiple BIG-IP devices and add their services using a CSV file.
How do I start managing BIG-IP devices
To start managing a BIG-IP device, you must add it to BIG-IQ and import and discover its licensed services.
If you only want to do basic management tasks (like software upgrades, license management, and UCS backups) for a BIG-IP device, you do not have to discover and import its service configurations.
There are a few ways you can import BIG-IP VE devices located in your network to BIG-IQ.
- Add one or more BIG-IP device(s) located in your network, and discover and import its services in a separate procedure.
- Import BIG-IP devices located in your network in bulk, using a CSV file.For information about how to add BIG-IP VE devices in your network or a third-party cloudYou cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
Before you add a BIG-IP to BIG-IQ for management
Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
- The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
- The BIG-IP management address must be open (typically this is on port 22 and 443), or any alternative IP address. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
- The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
- A BIG-IP device running versions 10.2.0 - 12.0.x is considered alegacy device, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled,Upgrading a Legacy Device.
For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapter
Automatically
Synchronizing Application Security Configurations
on support.f5.com
.You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
About conflict management when importing services
When BIG-IQ manages a BIG-IP device, it stores a copy of that device's service configuration objects. BIG-IQ uses the following terms to describe object configuration settings on your BIG-IQ and BIG-IP devices:
- Working configurationis the BIG-IP service configuration located on BIG-IQ. This is the configuration you manage, edit, and deploy to your managed BIG-IP devices.
- Current configurationis the BIG-IP service configuration running on a BIG-IP device, which can be different than the working configuration on BIG-IQ if changes were made directly on that BIG-IP device.
When importing a BIG-IP device's services, BIG-IQ compares the objects in its working configuration to the objects in the BIG-IP device's current configuration. If BIG-IQ finds the same type of object with the same name but different parameters, it notifies you of the conflict. For example, a conflict would occur if the policy object
Pol021
in the current configuration (imported from the BIG-IP device) contains more properties than the policy object in the working configuration on BIG-IQ.There are three types of objects that can cause conflicts when importing a BIG-IP device's services.
- Shared - All objects shared across BIG-IP devices, such as LTM profiles and monitors, Security policies for ASM, AFM, and APM.
- Shared version-specific - Only LTM profile and monitor objects that are specific to a BIG-IP software version.
- Device-specific - Objects that are specific to a particular BIG-IP device and are not shared among BIG-IP devices. These are objects that have been modified directly on the BIG-IP (not recommended) rather than deployed from BIG-IQ.
When importing a BIG-IP device's services, you must resolve any conflicts found between the BIG-IP device's working configuration and the objects in the BIG-IQ working configuration using one of the following methods:
- Stop importing the services with the conflicts. Resolve each conflict individually on the BIG-IP device'sServicesscreen. Continue importing services after you address the conflicts.
- For the LTM service configuration only: If you encounter LTM configuration conflicts, you can place the device in a silo, continue to discover other BIG-IP devices and later, go back to address the LTM service's conflict(s) for that BIG-IP device. After you address the conflicts, you can re-add the BIG-IP device and discover and import the LTM service (as well as any other licensed services).The option to place a BIG-IP device with a conflict in a silo to address the conflict later is available only for the LTM service. For all other services, you cannot use a silo to address conflicts. For information about managing conflicts from a silo, refer to theBIG-IQ: Using Silos to Resolve LTM Object Conflicts implementationonsupport.askf5.com.
- Use a BIG-IQ conflict resolution policy to automatically treat all configuration object conflicts the same way if a difference is found.
The BIG-IQ conflict resolution policy options are:
- Use BIG-IQ
- Keep the object settings specified in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
- Use BIG-IP
- Use the object settings specified in the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object on the target device.
- Create Version
- For LTM monitors or profiles, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object if that BIG-IP device is running that specific version. This option allows you to store multiple versions of LTM monitors or profiles knowing that BIG-IQ will deploy the appropriate stored version to your managed devices. The next time you import services that contain LTM monitors or profiles, BIG-IQ automatically resolves conflicts against the appropriate version.
Add BIG-IP devices to BIG-IQ and import their services in one
step
To add multiple BIG-IP devices simultaneously,
the devices must:
- Be running the same BIG-IP software version and licensed for the same services.
- Have the same user name and password.
- Be using the same port.Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
- The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
- The BIG-IP management address must be open (typically this is on port 22 and 443), or any alternative IP address. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
- The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
A BIG-IP device running versions 10.2.0 - 12.0.x is considered alegacy device, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled,Upgrading a Legacy Device.For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapterAutomatically Synchronizing Application Security Configurationsonsupport.f5.com.You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
Use this procedure to add one or more BIG-IP
devices in your network and import services in one step.
- At the top of the screen, clickDevices.
- Click theAdd Device(s)button.
- For the Discovery Type setting, selectAdd BIG-IP device(s) and discover and import services in one step.
- To create a snapshot of the BIG-IQ configuration before importing services, select theSnapshotcheck box.Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
- If you do not want to import any services that you know have conflicts between the BIG-IQ working configuration and the BIG-IP current configuration, select theDo not import a service if it contains a shared object conflict between this BIG-IP device and BIG-IQcheck box to skip any services that have conflicts.If you do not select this check box, BIG-IQ will not add the BIG-IP device with a conflict.
- Click theAdd Device(s)button.
- ForIP Address, type the IPv4 or IPv6 address of the device.
- Click the+button to add another IP address.
- Type the user name and password for these devices.
- In thePortbox, type the management port for this BIG-IP device.The port number must be between 4 and 65535. In many cases, it's the default port 443.Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
- For the Target Silo setting, selectUse an Existing Siloand select it, or selectCreate a New Siloand name it.When you select a silo other thanDefault, BIG-IQ displays only the LTM service. You cannot import services other than LTM to a silo.
- Select the check box next to each licensed service running on the device(s) you are adding.
- If BIG-IQ detects a conflict for services between the working configuration on BIG-IQ and the current configuration on BIG-IP, select a conflict resolution policy option for each object type.
- Use BIG-IQ
- Keep the object settings in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
- Use BIG-IP
- Use the object settings from this BIG-IP device's configuration to replace the object in the BIG-IQ working configuration. The next time you deploy a configuration to your BIG-IP devices, BIG-IQ replaces that object settings for all of your managed BIG-IP devices to match the object settings on this BIG-IP device.
- Create Version
- For LTM monitors or profiles only, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for all the managed BIG-IP devices running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
- If you are collecting statistics, forStatusselect theEnabledcheck box and a zone from theZonelist.If you do not define a zone, this device sends its statistics to DCDs assigned to the default zone.Zonesare names created to associate BIG-IP devices with one or more DCD systems to help segregate statistic traffic by network topology, load, availability, and so forth, for optimal statistics traffic routing.
- If this device is configured in a DSC group or you are creating a new DSC group, for theCluster Properties, specify how to handle it:
- Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
- Allow deployment when DSC configured devices have changes pending ( Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.This option is not recommended, because it can lead to unpredictable results.
- Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configurations changes between members in the DSC group.
- Click theDiscover & importbutton
You can now manage all
devices you successfully added and discovered and imported services for.
Add a single BIG-IP device
Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
- The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
- The BIG-IP management address must be open (typically this is on port 22 and 443), or any alternative IP address. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
- The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
A BIG-IP device running versions 10.2.0 - 12.0.x is considered a
legacy device
, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled, Upgrading a Legacy Device
.You add a BIG-IP device to BIG-IQ so you can
discover and import its services, such as LTM, AFM, and so forth. After you discover and
import a device's services, you can start managing it. This procedure allows you to add a
single BIG-IP device.
If you would prefer to add
several BIG-IP devices at once and handle all object conflicts the same way, select the
Add multiple BIG-IP devices
option. - At the top of the screen, clickDevices.
- On the left, clickBIG-IP DEVICES.
- Click theAdd Device(s)button.
- For the Discovery Type setting, selectAdd a single BIG-IP device and discover and import services in a separate step.
- ForIP Address, type the IPv4 or IPv6 address of the device.
- In thePortbox, type the management port for this BIG-IP device.The port number must be between 4 and 65535. In many cases, it's the default port 443.Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
- If this device is part of a DSC group, for theCluster Display Namesetting, specify how to handle it:
- For an existing DSC group, selectUse Existingfrom the list, and then select the name of the DSC group from the next list.
- To create a new DSC group, selectCreate Newfrom the list, and type a name in the field.
For BIG-IQ to properly associate the devices in the same DSC group, theCluster Display Namemust be the same for all members in a group.There can be up to eight members in a DSC group.For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapterAutomatically Synchronizing Application Security Configurationsonsupport.f5.com. - If this device is configured in a DSC group or you are creating a new DSC group, for theCluster Properties, specify how to handle it:
- Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
- Allow deployment when DSC configured devices have changes pending ( Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.This option is not recommended, because it can lead to unpredictable results.
- Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configurations changes between members in the DSC group.
- Click theAddbutton at the bottom of the screen.The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
- Click theDiscover & Importbutton at the bottom of the screen.
- To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.You can select other service configurations after you add the BIG-IP device to the inventory.
You can now discover
the services for this device, and manage any differences for shared objects (on an
object-by-object basis) between the BIG-IQ system and the BIG-IP device(s) during import.
Discover and import services for a BIG-IP device you added
Discover and import services for a BIG-IP device you have added to BIG-IQ so you can start managing it. Use this procedure if you added a BIG-IP device, but have not yet discovered and imported its services. When importing services, keep the following information in mind.
To discover IPS services for AFM, you must enable its discovery on BIG-IQ. See
Discover and import IPS services
. When BIG-IQ manages a BIG-IP device, it stores a copy of that device's service configuration objects. BIG-IQ uses the following terms to describe object configuration settings on your BIG-IQ and BIG-IP devices:
- Working configurationis the BIG-IP service configuration located on BIG-IQ. This is the configuration you manage, edit, and deploy to your managed BIG-IP devices.
- Current configurationis the BIG-IP service configuration running on a BIG-IP device, which can be different than the working configuration on BIG-IQ if changes were made directly on that BIG-IP device.
There are three types of objects that can cause conflicts when importing a BIG-IP device's services.
- Shared - All objects shared across BIG-IP devices, such as LTM profiles and monitors, Security policies for ASM, AFM, and APM.
- Shared version-specific - Only LTM profile and monitor objects that are specific to a BIG-IP software version.
- Device-specific - Objects that are specific to a particular BIG-IP device and are not shared among BIG-IP devices. These are objects that have been modified directly on the BIG-IP (not recommended) rather than deployed from BIG-IQ.
- At the top of the screen, clickDevices.
- On the left, clickBIG-IP DEVICES.
- Click the name of the BIG-IP device you're discovering and importing services for.
- On the left, clickSERVICES.
- For each service this BIG-IP device is licensed for, perform the following steps:You must discover and import the LTM service before any others, so make sure you do that first.
- click theDiscoverbutton.
- To create a snapshot of the BIG-IQ configuration before importing services, select theCreate a snapshot of the current configuration before importingcheck box.
- Click theImportbutton next to the service to import it.
- If BIG-IQ detects a conflict between the working configuration on BIG-IQ and the objects you are importing, a popup displays so you can specify how you want to resolve conflicts. You can either choose to handle all conflicts the same way, or you can specify a specific resolution for each conflict, or you can choose to resolve conflicts later by importing this device to a silo.
- If you want to handle all conflicts the same way, you can chooseSet all BIG-IQto keep all of the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites all object settings to match the settings on BIG-IQ.
- If you want to handle all conflicts the same way, you can chooseSet all BIG-IPto use all of the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. The next time you deploy a configuration, BIG-IQ overwrites the object settings for any shared objects to match the settings on this BIG-IP device.
- If you want to handle each conflict individually, you can chooseBIG-IQto keep the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to a BIG-IP device, BIG-IQ overwrites the object settings to match the settings on BIG-IQ.
- If you want to handle each conflict individually, you can chooseBIG-IPto use the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. If this is a shared object, the next time you deploy a configuration, BIG-IQ overwrites the object settings on the target BIG-IP device to match the settings from this BIG-IP device's configuration.
- If you want to handle each conflict individually, for conflicts in LTM monitor or profile settings you can chooseCreate Version. This option creates and stores a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for any target BIG-IP device running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
- Click theContinuebutton to apply the options you selected, or click theResolve Conflicts Laterbutton to import this device to a silo.
- ClickResolveto confirm the conflict resolution options you specified.
BIG-IQ imports the device and it's configuration objects based on the options you specified. - When you finish importing the services for a device, clickCancelto return to the BIG-IP Devices screen.
After the service(s) are imported, you can manage this device.
Discover and import IPS services
You must ensure that you have the proper licenses for
AFM and IPS on the managed BIG-IP device. You must have access to the BIG-IQ Advanced
Shell. If you do not have access, contact F5 support at support.f5.com.
To manage
IPS (Intrusion Prevention System)
within BIG-IQ CM (console node), you must first
change the default settings that block initial discovery for the host BIG-IP device.
This requires setting
protocolInspectionDisabled
to false
in the file /var/config/rest/config/restjavad.properties.json
. Once you have enabled IPS discovery, you need to re-discover and re-import
AFM services to the appropriate BIG-IP devices.If you have a standby console nodes, complete steps 2-3 of the following process for the standby node.
- Log into the BIG-IQ Advanced Shell (console node) using ssh.
- In therestjavad.properties.jsonfile, locate the"afm"property.
- In the"afm"property, locate the"ips"property.If the"ips"property does not exist, you can add this property using the example provided in step 4. Ensure that the "protocolInspectionDisabled" property is included within"ips".
- Ensure the value for "protocolInspectionDisabled" isfalse.The following example shows a possible configuration of the... "afm" : { ... "ips" : { "protocolInspectionDisabled": false } ... }, ...
- Restart the restjavad process using the following command:bigstart restart restjavad
- In the BIG-IQ UI, re-discover and re-import AFM services, for each licensed device by going to.To perform a bulk re-discovery and re-import for all services, on multiple devices, seeRe-discover and re-import services in bulk.
- Select the device name.
- On the left, clickSERVICES.
- In the Network Security (AFM) area, click theRe-discoverorDiscoverbutton.
- In the Network Security (AFM) area click theRe-importorDiscoverbutton.
After the services re-import/import, the BIG-IP Devices inventory list includes the AFM service (see
). You can now manage this BIG-IP device's IPS services from
BIG-IQ.Re-discover BIG-IP devices and re-import services
If you upgrade or make a change directly on a managed BIG-IP device (which is not recommended), you must re-discover and re-import services for that device so BIG-IQ Centralized Management has the most current configuration for that device.
You cannot re-import SSLO configurations from discovered BIG-IP devices.
- At the top of the screen, clickDevices.
- ClickBIG-IP DEVICES.
- Select the check box next to the device you want to rediscover and reimport services for.
- Click theMorebutton and selectRe-discover and Re-importWhen importing a BIG-IP device's services, you must resolve any conflicts found between the BIG-IP device's working configuration and the objects in the BIG-IQ working configuration using one of the following methods:
- Stop importing the services with the conflicts. Resolve each conflict individually on the BIG-IP device'sServicesscreen. Continue importing services after you address the conflicts.
- For the LTM service configuration only: If you encounter LTM configuration conflicts, you can place the device in a silo, continue to discover other BIG-IP devices and later, go back to address the LTM service's conflict(s) for that BIG-IP device. After you address the conflicts, you can re-add the BIG-IP device and discover and import the LTM service (as well as any other licensed services).The option to place a BIG-IP device with a conflict in a silo to address the conflict later is available only for the LTM service. For all other services, you cannot use a silo to address conflicts. For information about managing conflicts from a silo, refer to theBIG-IQ: Using Silos to Resolve LTM Object Conflicts implementationonsupport.askf5.com.
- Use a BIG-IQ conflict resolution policy to automatically treat all configuration object conflicts the same way if a difference is found.
- Select a conflict resolution policy option for each type of object.
- If you want to save a snapshot of the BIG-IP device's configuration before importing their services, select theCreate a snapshot of the current configuration before importingcheck box.
- Click theCreatebutton.
Once the services are rediscovered and reimported, you can manage these BIG-IP devices.
Details required for adding BIG-IP devices with a CSV file
Before you use a CSV file to add BIG-IP devices to BIG-IQ, you'll need the following information for each BIG-IP.
Refer to the
About importing BIG-IP services with conflicts
section to conflict policy guidelines.Device Details | Description and Action |
---|---|
Management IP address | Specify the management IP address(es) for the BIG-IP device(s) you are adding. |
HTTPS Port | Type the management port for this BIG-IP device(s). This number must be between 4 and 65535 In many cases, it's the default port 443 . Chrome and Safari browsers don't allow access to web applications running on port 65535 . So if you use port 65535 as the management port, you won't be able access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port65535 . |
admin user name | admin |
Password | Specify the admin user's password for the device(s). |
Cluster Name | Specify if these devices are part of a cluster. |
DSC Sync Mode | If these devices are part of a DSC, initiate DSC sync when deploying configuration changes by specifying FALSE. |
Pending Changes | If these devices are part of a DSC, allow deployment of any pending changes by specifying TRUE. |
Services List | List of services running on these devices, separated by a space. For example: LTM APM ASM AFM SSM DNS FPS |
Enable Statistics Collection | If these device are collecting statistics, allow data collection by specifying TRUE. |
Zone | If you are adding data collection devices that need to be in a specific zone, specify the name of the zone to which you want assigned. |
APM Group | If these devices support the APM service, specify the APM group. |
APM Shared Import | If these devices are part of an APM group, set this to TRUE only for the first device in the APM group, leave the rest at FALSE. |
Shared Object Conflict Policy | Specify how you want any shared object conflicts between BIG-IQ and the BIG-IP devices using one of the following values: USE_BIGIQ, USE_BIGIP. |
Version Object Conflict Policy | Conflict Resolution Policy for Version Specific Objects for LTM
monitors and profiles only, specify one of the following values:
USE_BIGIQ, USE_BIGIP, KEEP_VERSION. The default is USE_BIGIQ. |
Device Specific Conflict Policy | Conflict Resolution Policy for Device Specific Objects. Specify one of the following values: USE_BIGIQ, USE_BIGIP. The default is USE_BIGIP. |
Silo Properties | For LTM services only, specify an existing or new silo to put the
BIG-IP device(s) into if a conflict is found. The default is Do Not Use
a Silo. |
Exporting device inventory details to a comma separated values (CSV) file
To export the BIG-IP Device inventory to a CSV file, your browser must be configured to allow popup screens.
Using BIG-IQ, you can quickly access and view the properties for all the devices you manage in your network. These properties include details about the device's IP addresses, platform type, license details, software version, and so forth. You (or another department in your company) can create custom reports containing this information to help manage these assets. To do this, you can export device properties to a CSV file and edit the data as required.
- At the top of the screen, clickDevices.
- On the left, clickBIG-IP DEVICES.
- Click theExport Inventorybutton.
BIG-IQ creates a CSV file and downloads it locally.
Use a CSV file to add BIG-IP devices, and discover and import their services
Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
- At the top of the screen, clickDevices.
- On the left, clickBIG-IP DEVICES.
- Click theAdd Device(s)button.
- For the Discovery Type setting, selectAdd BIG-IP device(s) and discover and import services in one step.
- To create a snapshot of the BIG-IQ configuration before importing services, select theSnapshotcheck box.Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
- To create a snapshot of the BIG-IQ configuration before importing services, select theSnapshotcheck box.Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
- To ignore conflicts for objects shared between BIG-IQ and the BIG-IP device(s) you're adding, leave theConflict Resolutioncheck box selected.This allows you to continue to import services that have no conflicts, and fix the conflicts individually later, from thescreen, to complete the import process for those services.
- Click theUpload CSVbutton.
- Navigate to the location where you saved your CSV file and clickOpen.
- Select the check box next to the BIG-IP devices you want to discover and import services for, and click theDiscover and Importbutton at the bottom of the screen.
To view status and address any conflicts between BIG-IQ and BIG-IP device objects, on the left, click
BIG-IP DEVICES
.What is a BIG-IP Device Service Clustering (DSC) group and how do I start managing it from BIG-IQ?
Device Service Clustering
, or DSC, is a BIG-IP TMOS feature that lets you organize BIG-IP devices in groups to share configurations. These groups are called device service clusters
(also DSC). With BIG-IQ, you can manage devices configured in a DSC, and their shared objects, from one centralized location. Before you can manage BIG-IP systems configured in a DSC, you must:
- Add the DSC device members to the BIG-IP Devices inventory.
- Add the DSC group to the BIG-IP Clusters inventory.
- Ensure that each DSC group includes at least one sync-failover configuration.
When a DSC group is in the BIG-IP Cluster inventory, you can view its properties and the devices within those groups, and synchronize their configurations, all without having to log in to each device individually. This allows for automatic synchronization among devices for any changes on objects defined in the cluster.
For specific information about BIG-IP DSC groups, refer to the
BIG-IP Device Service Clustering: Administration
guide.It is important to note, that although objects are shared among devices in a DSC group, they appear based on the state of each managed BIG-IP device. This can indicate that objects, such as a shared pool, is offline for a specific device that is experiencing network issues. However, the pool will appear as online for other devices in the DSC group.
Discover BIG-IP Device Service Cluster groups
You must add the BIG-IP devices configured in a DSC to the BIG-IQ system's BIG-IP Device inventory before you can discover DSC groups.
All BIG-IP devices in a cluster must be running the same software version and the same settings for:
- Pools
- Traffic-groups
- VLANs
- Tunnels
- Route domains
The BIG-IQ DSC Groups inventory screen shows you a centralized view specific to DSC clusters.
The
Cluster Display Name
displays on this screen only for managed BIG-IP devices in a DSC. BIG-IQ supports up to 8 BIG-IP systems in a DSC.
- At the top of the screen, clickDevices.
- On the left, click.
- Click theDiscoverbutton.
- Select the devices in theAvailablelist, and then click the right arrow to add them to theSelectedlist.This list is populated from the BIG-IP Device inventory list. If you can't see all of the available devices listed, left-click the right bottom corner of the list and use your cursor to expand the dialog box.
- Click theDiscoverbutton.
The DSC Groups list refreshes to display the discovered DSC group.
Synchronizing configurations between BIG-IP devices in a DSC cluster
You must add a BIG-IP device configured in a DSC to the BIG-IP Devices inventory list and discover the DSC from the DSC Groups inventory list before you can synchronize BIG-IP devices configured in a DSC.
Synchronizing configuration between BIG-IP devices in a DSC cluster saves you time because you don't have to log on to each BIG-IP device in the cluster individually.
Unmanaged BIG-IP devices in a DSC do not display the
Sync
button.- At the top of the screen, clickDevices.
- On the left, click.The screen displays the list of DSC groups defined on this device.
- Click the name of the cluster that you want to synchronize.
- Click theRefresh Statusbutton to get the most current sync status for the devices in the DSC group.
- For theSync Optionsetting, select one of the options:
- Device to Group- Select this option to prompt the BIG-IP device to synchronize its configuration with other device(s) in the DSC group.
- Group to Device- Select this option to prompt the DSC group to load its configuration onto the BIG-IP device.
- Click theSyncbutton.
- To close the screen, click theClosebutton.
About basic device management
After you add BIG-IP devices to BIG-IQ Centralized Management and discover
and import their services, you can start managing those devices.
Using the device list (go to
) you can view, filter and sort your discovered BIG-IP devices. You can
also view details about the managed device, such as: - Status - whether your device is active and running or is experiencing connectivity issues.
- Health - This is based on performance thresholds for CPU, memory, and disk space usage
- Device name (hostname)
- Type - the physical or logical BIG-IP device setup. This can include configurations such as hardware, BIG-IP virtual edition, vCMP etc.
- IP Address
- Cluster Display Name (if applicable)
- Silo (if applicable)
- Statistics collection status - displays whether this setting was enabled or not for the device
- Data Collection Device
- Stats Services- the service modules that have statistics collection enabled
- The last statistics collection period
- Create an instant backup of the device's configuration.
- Change the boot location of the device.
- Edit cluster properties.
- Log directly into the device from BIG-IQ.
- Reboot the device from BIG-IQ.
- Access details about the health of the device.
- Access statistics for the device (if applicable).
- Access services licensed for the device.
Managing a device from the device properties screen
You can use a device's Properties screen to manage that device. You can log directly in to the device, remotely reboot it, and create an instant backup of its configuration.
- At the top of the screen, clickDevices.
- Click the link the Device Name column of the device you want to view.The device Properties screen opens.
You can now view details of the selected devices properties, health, statistics collection configuration, and service (module) discovery and import options.
How can I organize the way devices display in BIG-IQ so they're easier to find and
manage?
To more easily manage a large number of BIG-IP devices, you can organize
them into groups. The types of groups you can use are:
- Static groups
- Dynamic groups
A
static group
contains specific devices that you add to it, and those devices
stay in that group until you remove them. For example you might want to create a static group
named, Seattle
, and add all of the devices located in Seattle to it. In contrast, a
dynamic group
is basically a saved query on a group. For example,
if you created a static group that contained all of your managed devices located in Seattle and
you wanted to view only those devices running a specific application, you could create a dynamic
group with that filter. If one of the devices stops running the specified application, the device
no longer appears in that dynamic group.If you delete a managed BIG-IP device from the parent group, you see that change when you view
the dynamic group.
Creating a static group of managed devices
You must license and discover BIG-IP devices before you can place them into a group.
To more easily manage a large number of devices, you can organize them into groups. For example, you could add devices to groups according to the running applications, geographical location, or department.
- At the top of the screen, clickDevices.
- On the left, clickDEVICE GROUPS.
- Near the top of the screen, click theCreatebutton.
- In theNamefield, type the name you want to use to identify this group.You can change this name at any time, after you save this group.
- In theDescriptionfield, type a description for this group.For example,BIG-IP devices located in Seattle.You can change this description at any time, after you save this group.
- For theGroup Typesetting, selectStatic.
- From theParent Grouplist, select the source for the group you are creating.
- For theAvailable in Servicessetting, select the services licensed for this device.If this BIG-IP device is licensed for services you are not managing, you can reduce the number of devices displayed in the BIG-IP inventory by selecting the check box next to only the services you manage. If you are managing all aspects of BIG-IQ, select the check box next to each service running on this BIG-IP device.
- From theAvailablelist, select the BIG-IP device(s) you want to add to this group.You can filter on specific groups by selecting a group from the list.
- Click theSave & Closebutton.
If you want to further filter specific devices from within this group, you can create a dynamic group.
Creating a dynamic group of managed devices
You must create a static group before you can create a dynamic group.
To filter a static group on certain parameters, you can create a dynamic group. For example, if you have a static group for all devices located in a particular city, and you want to view only those running a specific version of software, you could create a dynamic group to filter on that version number.
- At the top of the screen, clickDevices.
- On the left, clickDEVICE GROUPS.
- Click theAdd Groupbutton.
- In theNamefield, type the name you want to use to identify this group.You can change this name at any time, after you save this group.
- In theDescriptionfield, type a description for this group.For example,BIG-IP Devices located in SeattleYou can change this description any time, after you save this group.
- For theGroup Typesetting, selectDynamic Group.
- From theParent Grouplist, select the source for the group you are creating.
- In theSearch Filterfield, type a term on which you want to filter the group.
- For theAvailable in Servicessetting, select the services licensed for this device.If this BIG-IP device is licensed for services you are not managing, you can reduce the number of devices displayed in the BIG-IP inventory by selecting the check box next to only the services you manage. If you are managing all aspects of BIG-IQ, select the check box next to each service running on this BIG-IP device.
- Click theSave & Closebutton.
This dynamic group reflects any changes made to the static group. For example, if a device is removed from its parent group, it no longer appears in the associated static group. Also, if a device no longer contains the object you filtered on, the device no longer displays in the dynamic group.
Filtering for specific BIG-IP devices
From each BIG-IQ screen that contains a list of items, you can easily find specific items. For example, after you discover several devices, you might want to find a specific device by its name or IP address. To do this, you start by filtering on certain properties. Filtering on a specific criteria saves you time by allowing you to view only those items that contain the criteria you specify.
- At the top of the screen, clickDevices.
- On the left, clickBIG-IP DEVICES.
- To search for a specific object, in theFilterfield at the top right of the screen, type all or part of an object's name and click the filter icon.BIG-IQ refreshes the screen to show only those devices that contain the property you filtered on.
- To remove the filter, click theXicon next to it.
Change several BIG-IP passwords simultaneously
When you manage BIG-IP device from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time.
You can change the passwords for several BIG-IP devices
simultaneously only if they have the same password.
- At the top of the screen, clickDevices.
- On the left, click.
- Click theCreatebutton.
- In theNameandDescriptionsfields, type a name and optional description to help you identify this task.
- From theAvailablelist, select devices and move them to theSelectedlist.The passwords for the BIG-IP devices you select must all be identical.
- Select an option for theChange Passwordsetting.
- Provide the old and new passwords, as required.
- Click theRunbutton at the bottom of the screen.BIG-IQ will apply the new password to all of the selected BIG-IP devices. You can view the status of this task from the Change Device Passwords screen.
How do Data Collection Device zones work?
There are two ways to use Data Collection Device (DCD) zones to control how data is stored for your managed BIG-IP devices.
- You can use zones to optimize statistics traffic routing. By assigning DCDs to a zone and then assigning managed BIG-IP devices to that zone, you control which DCDs collect statistic traffic for each device.
- DCD zone awareness factors into how the DCD cluster performs during Disaster Recovery scenarios. The role zones play in these scenarios is discussed in the Disaster Recovery Best Practices article onsupport.f5.com.
To specify which DCDs collect statistics traffic for a BIG-IP device, you perform two tasks:
- Log in to each DCD that should collect data for this BIG-IP device and assign them to the correct zone.
- Log in to the BIG-IQ CM and assign the BIG-IP to the zone to which those DCDs are assigned.
Change the zone for a Data Collection Device
Normally, you assign a Data Collection Device (DCD) to a zone as part of the initial setup for that device. But you can change the zone to which a DCD is assigned as needed.
- From BIG-IQ, at the top of the screen, clickSystem, then, on the left, click .The BIG-IQ Data Collection Devices screen opens listing the DCDs in the cluster. The Services column lists the BIG-IP services monitored by each DCD. If no services are enabled for a DCD, this column displaysAdd Servicesinstead.
- Under Device Name, select the DCD that you want to revise.
- On the DCD properties page, clickEditto display the Edit Zone popup.
- To use an existingZone, select the zone you want to assign to this DCD and clickContinue.
- To use a newZone, selectCreate New, then type the name of the zone to want to create and assign to this DCD and clickContinue.
- ClickSave & Closeto close the DCD properties screen.
- Use SSH to log in to DCD asroot.
- Typebigstart restart elasticsearchand press Enter.
- Repeat the last three steps for each DCD that you want to move to this zone.As you run this command on each DCD, it momentarily stops processing DCD data, so the data routes to another node in the cluster and no data is lost.
You can now assign managed BIG-IP devices to this zone for data collection.
Change a zone for a BIG-IP device
Before you can change a BIG-IP device's zone, you must have created the zone on the Data Collection Device (DCD).
Changing the zone assignment for a BIG-IP determines which DCDs collect statistics data for that device. Normally, you assign a BIG-IP to a zone as part of the initial setup for that device, but you can change the zone to which a BIG-IP device is assigned as needed.
- At the top of the screen, clickDevices.
- Click on the name of the device for which you want to change the zone.The properties screen displays for that device.
- On the left, clickSTATISTICS COLLECTION.
- ForCollect Statistics Data, selectEnabled, to collect statistics from this device.
- ForZone, select the zone to which you want to assign this BIG-IP device.
- ClickSave & Closeto close the device properties screen.
DCDs assigned to the zone you selected start collecting the statistics data for this device.