Manual Chapter : Device Discovery and Basic Device Management

Applies To:

BIG-IQ Centralized Management

  • 7.1.0

Establish trust and add BIG-IP devices for management by BIG-IQ

The first task in managing a BIG-IP device from BIG-IQ is to add it to BIG-IQ. Largely, this is making sure that the BIG-IQ system can access the device at the specified IP address and ports. This is sometimes referred to as establishing trust with the BIG-IP device.
After this task is complete, all of the BIG-IQ Device functionality (inventory reporting, backup and restore, script management, licensing, password management, software upgrade, and so on) is available for the discovered device. If at least one Data Collection Device (DCD) is deployed in the environment, statistics data for device, LTM, and DNS objects can also be collected and reported.
In environments that only require centralized device management, this task might be the only one you need to perform. The remaining tasks are for those environments that want to manage service configurations, such as Network Security, as well as the devices.
Adding the BIG-IP device and establishing trust with it involves several tasks:
  1. The BIG-IQ administrator adds the IP address, user name and password for an administrative user on the BIG-IP device.
  2. If the BIG-IP device is clustered, the administrator selects how to handle deployment to the clustered devices.
  3. The BIG-IP device and the BIG-IQ system exchange certificates to create a trust relationship.
  4. For earlier versions of BIG-IP devices, the administrator might need to update the REST framework on the BIG-IP device to be able to manage it.
There are several ways you can add BIG-IP devices to BIG-IQ so you can manage them:
  • Add and configure BIG-IP VE devices in an AWS, Azure, or VMware cloud.
  • Add BIG-IP devices to BIG-IQ and import their services in two separate steps.
  • Add multiple BIG-IP devices and add their services in one step.
  • Import multiple BIG-IP devices and add their services using a CSV file.

How do I start managing BIG-IP devices

To start managing a BIG-IP device, you must add it to BIG-IQ and import and discover its licensed services.
If you only want to do basic management tasks (like software upgrades, license management, and UCS backups) for a BIG-IP device, you do not have to discover and import its service configurations.
There are a few ways you can import BIG-IP VE devices located in your network to BIG-IQ.
  • Add one or more BIG-IP device(s) located in your network, and discover and import its services in a separate procedure.
  • Import BIG-IP devices located in your network in bulk, using a CSV file.
    You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
    For information about how to add BIG-IP VE devices in your network or a third-party cloud

Before you add a BIG-IP to BIG-IQ for management

Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
  • The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
  • The BIG-IP management address, or any alternative IP address you use, must be open (typically on ports 22 and 443). Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
  • A BIG-IP device running versions 10.2.0 - 12.0.x is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapter Automatically Synchronizing Application Security Configurations on support.f5.com.
You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.

About conflict management when importing services

When BIG-IQ manages a BIG-IP device, it stores a copy of that device's service configuration objects. BIG-IQ uses the following terms to describe object configuration settings on your BIG-IQ and BIG-IP devices:
  • Working configuration is the BIG-IP service configuration located on BIG-IQ. This is the configuration you manage, edit, and deploy to your managed BIG-IP devices.
  • Current configuration is the BIG-IP service configuration running on a BIG-IP device, which can be different than the working configuration on BIG-IQ if changes were made directly on that BIG-IP device.
When importing a BIG-IP device's services, BIG-IQ compares the objects in its working configuration to the objects in the BIG-IP device's current configuration. If BIG-IQ finds the same type of object with the same name but different parameters, it notifies you of the conflict. For example, a conflict would occur if the policy object Pol021 in the current configuration (imported from the BIG-IP device) contains more properties than the policy object in the working configuration on BIG-IQ.
There are three types of objects that can cause conflicts when importing a BIG-IP device's services.
  • Shared - All objects shared across BIG-IP devices, such as LTM profiles and monitors, Security policies for ASM, AFM, and APM.
  • Shared version-specific - Only LTM profile and monitor objects that are specific to a BIG-IP software version.
  • Device-specific - Objects that are specific to a particular BIG-IP device and are not shared among BIG-IP devices. These are objects that have been modified directly on the BIG-IP (not recommended) rather than deployed from BIG-IQ.
When importing a BIG-IP device's services, you must resolve any conflicts found between the BIG-IP device's working configuration and the objects in the BIG-IQ working configuration using one of the following methods:
  • Stop importing the services with the conflicts. Resolve each conflict individually on the BIG-IP device's Services screen. Continue importing services after you address the conflicts.
  • For the LTM service configuration only: If you encounter LTM configuration conflicts, you can place the device in a silo, continue to discover other BIG-IP devices and later, go back to address the LTM service's conflict(s) for that BIG-IP device. After you address the conflicts, you can re-add the BIG-IP device and discover and import the LTM service (as well as any other licensed services).
    The option to place a BIG-IP device with a conflict in a silo to address the conflict later is available only for the LTM service. For all other services, you cannot use a silo to address conflicts. For information about managing conflicts from a silo, refer to the BIG-IQ: Using Silos to Resolve LTM Object Conflicts implementation on support.askf5.com.
  • Use a BIG-IQ conflict resolution policy to automatically treat all configuration object conflicts the same way if a difference is found.
The BIG-IQ conflict resolution policy options are:
  • Use BIG-IQ - Keep the object settings specified in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
  • Use BIG-IP - Use the object settings specified in the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object on the target device.
  • Create Version - For LTM monitors or profiles, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. For shared objects, the next time you deploy a configuration to a managed device, BIG-IQ replaces the settings for that object if that BIG-IP device is running that specific version. This option allows you to store multiple versions of LTM monitors or profiles knowing that BIG-IQ will deploy the appropriate stored version to your managed devices. The next time you import services that contain LTM monitors or profiles, BIG-IQ automatically resolves conflicts against the appropriate version.

Add BIG-IP devices to BIG-IQ and import their services in one step

To add multiple BIG-IP devices simultaneously, the devices must:
  • Be running the same BIG-IP software version and licensed for the same services.
  • Have the same user name and password.
  • Be using the same port.
Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
  • The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
  • The BIG-IP management address, or any alternative IP address you use, must be open (typically on ports 22 and 443). Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
A BIG-IP device running versions 10.2.0 - 12.0.x is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapter Automatically Synchronizing Application Security Configurations on support.f5.com.
You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
Use this procedure to add one or more BIG-IP devices in your network and import services in one step.
  1. At the top of the screen, click Devices.
  2. Click the Add Device(s) button.
  3. For the Discovery Type setting, select Add BIG-IP device(s) and discover and import services in one step.
  4. To create a snapshot of the BIG-IQ configuration before importing services, select the Snapshot check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  5. If you do not want to import any services that you know have conflicts between the BIG-IQ working configuration and the BIG-IP current configuration, select the Do not import a service if it contains a shared object conflict between this BIG-IP device and BIG-IQ check box to skip any services that have conflicts.
    If you do not select this check box, BIG-IQ will not add the BIG-IP device with a conflict.
  6. Click the Add Device(s) button.
  7. For IP Address, type the IPv4 or IPv6 address of the device.
  8. Click the + button to add another IP address.
  9. Type the user name and password for these devices.
  10. In the Port box, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  11. For the Target Silo setting, select Use an Existing Silo and select it, or select Create a New Silo and name it.
    When you select a silo other than Default, BIG-IQ displays only the LTM service. You cannot import services other than LTM to a silo.
  12. Select the check box next to each licensed service running on the device(s) you are adding.
  13. If BIG-IQ detects a conflict for services between the working configuration on BIG-IQ and the current configuration on BIG-IP, select a conflict resolution policy option for each object type.
    • Use BIG-IQ - Keep the object settings in the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites the object settings to match the settings defined on BIG-IQ.
    • Use BIG-IP - Use the object settings from this BIG-IP device's configuration to replace the object in the BIG-IQ working configuration. The next time you deploy a configuration to your BIG-IP devices, BIG-IQ replaces that object's settings for all of your managed BIG-IP devices to match the object settings on this BIG-IP device.
    • Create Version - For LTM monitors or profiles only, you can create and store a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for all the managed BIG-IP devices running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
  14. If you are collecting statistics, for Status select the Enabled check box and a zone from the Zone list.
    If you do not define a zone, this device sends its statistics to DCDs assigned to the default zone.
    Zones are names created to associate BIG-IP devices with one or more DCD systems to help segregate statistic traffic by network topology, load, availability, and so forth, for optimal statistics traffic routing.
  15. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
    • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
      This option is not recommended, because it can lead to unpredictable results.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  16. Click the Discover & import button.
You can now manage all devices you successfully added and discovered and imported services for.

Add a single BIG-IP device

Before you can add BIG-IP devices to BIG-IQ, keep these things in mind:
  • The BIG-IP devices must be located in your network and running a compatible software version. Refer to K14592 for more information.
  • The BIG-IP management address, or any alternative IP address you use, must be open (typically on ports 22 and 443). Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • The BIG-IQ you are discovering BIG-IP devices from must be using local authentication. You cannot discover BIG-IP devices from remotely-authenticated BIG-IQ because that requires a token.
A BIG-IP device running versions 10.2.0 - 12.0.x is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. Although version 12.1.x is supported, its features are limited, and it is recommended to upgrade to version 13.0 or later. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 12.1.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
You add a BIG-IP device to BIG-IQ so you can discover and import its services, such as LTM, AFM, and so forth. After you discover and import a device's services, you can start managing it. This procedure allows you to add a single BIG-IP device.
If you would prefer to add several BIG-IP devices at once and handle all object conflicts the same way, select the Add multiple BIG-IP devices option.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Add Device(s) button.
  4. For the Discovery Type setting, select Add a single BIG-IP device and discover and import services in a separate step.
  5. For IP Address, type the IPv4 or IPv6 address of the device.
  6. In the Port box, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  7. If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
    • For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
    • To create a new DSC group, select Create New from the list, and type a name in the field.
    For BIG-IQ to properly associate the devices in the same DSC group, the Cluster Display Name must be the same for all members in a group.
    There can be up to eight members in a DSC group.
    For BIG-IP devices with ASM services, you can only add five devices at a time. If the BIG-IP device(s) provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information see K12200102, or the ASM Implementations chapter Automatically Synchronizing Application Security Configurations on support.f5.com.
  8. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
    • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
      This option is not recommended, because it can lead to unpredictable results.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  9. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  10. Click the Discover & Import button at the bottom of the screen.
  11. To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
    You can select other service configurations after you add the BIG-IP device to the inventory.
You can now discover the services for this device, and manage any differences for shared objects (on an object-by-object basis) between the BIG-IQ system and the BIG-IP device(s) during import.

Discover and import services for a BIG-IP device you added

Discover and import services for a BIG-IP device you have added to BIG-IQ so you can start managing it. Use this procedure if you added a BIG-IP device, but have not yet discovered and imported its services.
To discover IPS services for AFM, you must enable its discovery on BIG-IQ. See Discover and import IPS services.
When importing services, keep the following information in mind.
When BIG-IQ manages a BIG-IP device, it stores a copy of that device's service configuration objects. BIG-IQ uses the following terms to describe object configuration settings on your BIG-IQ and BIG-IP devices:
  • Working configuration is the BIG-IP service configuration located on BIG-IQ. This is the configuration you manage, edit, and deploy to your managed BIG-IP devices.
  • Current configuration is the BIG-IP service configuration running on a BIG-IP device, which can be different than the working configuration on BIG-IQ if changes were made directly on that BIG-IP device.
There are three types of objects that can cause conflicts when importing a BIG-IP device's services.
  • Shared - All objects shared across BIG-IP devices, such as LTM profiles and monitors, Security policies for ASM, AFM, and APM.
  • Shared version-specific - Only LTM profile and monitor objects that are specific to a BIG-IP software version.
  • Device-specific - Objects that are specific to a particular BIG-IP device and are not shared among BIG-IP devices. These are objects that have been modified directly on the BIG-IP (not recommended) rather than deployed from BIG-IQ.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the name of the BIG-IP device you're discovering and importing services for.
  4. On the left, click SERVICES.
  5. For each service this BIG-IP device is licensed for, perform the following steps:
    You must discover and import the LTM service before any others, so make sure you do that first.
    1. Click the Discover button.
    2. To create a snapshot of the BIG-IQ configuration before importing services, select the Create a snapshot of the current configuration before importing check box.
    3. Click the Import button next to the service to import it.
    4. If BIG-IQ detects a conflict between the working configuration on BIG-IQ and the objects you are importing, a popup displays so you can specify how you want to resolve conflicts. You can either choose to handle all conflicts the same way, or you can specify a specific resolution for each conflict, or you can choose to resolve conflicts later by importing this device to a silo.
      • If you want to handle all conflicts the same way, you can choose Set all BIG-IQ to keep all of the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to that BIG-IP device, BIG-IQ overwrites all object settings to match the settings on BIG-IQ.
      • If you want to handle all conflicts the same way, you can choose Set all BIG-IP to use all of the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. The next time you deploy a configuration, BIG-IQ overwrites the object settings for any shared objects to match the settings on this BIG-IP device.
      • If you want to handle each conflict individually, you can choose BIG-IQ to keep the object settings from the BIG-IQ working configuration. The next time you deploy a configuration to a BIG-IP device, BIG-IQ overwrites the object settings to match the settings on BIG-IQ.
      • If you want to handle each conflict individually, you can choose BIG-IP to use the object settings from the BIG-IP device's configuration to replace the object settings in the BIG-IQ working configuration. If this is a shared object, the next time you deploy a configuration, BIG-IQ overwrites the object settings on the target BIG-IP device to match the settings from this BIG-IP device's configuration.
      • If you want to handle each conflict individually, for conflicts in LTM monitor or profile settings you can choose Create Version. This option creates and stores a copy of the BIG-IP device's object(s), specific to the software version on that BIG-IP device. The next time you deploy a configuration, BIG-IQ replaces that object for any target BIG-IP device running that specific version with the object on this BIG-IP. You can store multiple versions of LTM monitors or profiles. BIG-IQ deploys the appropriate stored version to your managed devices. BIG-IQ automatically resolves conflicts against the appropriate version the next time it imports services that contain LTM monitors or profiles.
    5. Click the Continue button to apply the options you selected, or click the Resolve Conflicts Later button to import this device to a silo.
    6. Click Resolve to confirm the conflict resolution options you specified.
    BIG-IQ imports the device and its configuration objects based on the options you specified.
  6. When you finish importing the services for a device, click Cancel to return to the BIG-IP Devices screen.
After the service(s) are imported, you can manage this device.

Discover and import IPS services

You must ensure that you have the proper licenses for AFM and IPS on the managed BIG-IP device. You must have access to the BIG-IQ Advanced Shell. If you do not have access, contact F5 support at support.f5.com.
To manage IPS (Intrusion Prevention System) within BIG-IQ CM (console node), you must first change the default settings that block initial discovery for the host BIG-IP device. This requires setting protocolInspectionDisabled to false in the file /var/config/rest/config/restjavad.properties.json. Once you have enabled IPS discovery, you need to re-discover and re-import AFM services to the appropriate BIG-IP devices.
If you have a standby console node, complete steps 2-3 of the following process for the standby node.
  1. Log into the BIG-IQ Advanced Shell (console node) using ssh.
  2. In the restjavad.properties.json file, locate the "afm" property.
  3. In the "afm" property, locate the "ips" property.
    If the "ips" property does not exist, you can add this property using the example provided in step 4. Ensure that the "protocolInspectionDisabled" property is included within "ips".
  4. Ensure the value for "protocolInspectionDisabled" is false.
    The following example shows a possible configuration of the
    ...
    "afm" : {
        ...
        "ips" : {
            "protocolInspectionDisabled": false
        }
        ...
    },
    ...
  5. Restart the restjavad process using the following command:
    bigstart restart restjavad
  6. In the BIG-IQ UI, re-discover and re-import AFM services, for each licensed device by going to Devices > BIG-IP DEVICES.
    To perform a bulk re-discovery and re-import for all services, on multiple devices, see Re-discover and re-import services in bulk.
  7. Select the device name.
  8. On the left, click SERVICES.
  9. In the Network Security (AFM) area, click the Re-discover or Discover button.
  10. In the Network Security (AFM) area click the Re-import or Discover button.
After the services re-import/import, the BIG-IP Devices inventory list includes the AFM service (see Devices > BIG-IP DEVICES). You can now manage this BIG-IP device's IPS services from BIG-IQ.
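One way to script steps 2 through 4, as an added example rather than F5 tooling: it finds the "afm" object, adds "ips" if it is missing, sets protocolInspectionDisabled to false, and keeps a backup of the file. It assumes Python 3 is available and that the file is plain JSON; the function names are made up for this example, and the restart in step 5 is still run by hand.

```python
import json
import os
import shutil
import tempfile

# Path given in this chapter; pass another path to work on a copy first.
RESTJAVAD_PROPERTIES = "/var/config/rest/config/restjavad.properties.json"


def find_object(node, key):
    """Depth-first search for the first JSON object stored under `key`.

    The chapter's fragment does not show where "afm" sits in the file,
    so the search does not assume it is a top-level property.
    """
    if isinstance(node, dict):
        value = node.get(key)
        if isinstance(value, dict):
            return value
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_object(child, key)
        if found is not None:
            return found
    return None


def enable_ips_discovery(path=RESTJAVAD_PROPERTIES):
    """Ensure afm.ips.protocolInspectionDisabled is the boolean false.

    Returns True when the file was rewritten, False when it was already set.
    """
    with open(path, "r", encoding="utf-8") as fh:
        config = json.load(fh)  # malformed JSON raises here, before any write

    afm = find_object(config, "afm")
    if afm is None:
        raise KeyError('no "afm" property found in ' + path)

    ips = afm.get("ips")
    if ips is None:
        ips = afm["ips"] = {}  # step 3: add "ips" when it does not exist
    elif not isinstance(ips, dict):
        raise TypeError('"ips" is present but is not a JSON object')

    if ips.get("protocolInspectionDisabled") is False:
        return False  # nothing to change, so leave the file untouched
    ips["protocolInspectionDisabled"] = False

    shutil.copy2(path, path + ".bak")  # keep the original for rollback

    # Write a temporary file in the same directory and rename it into place,
    # so a reader never sees a half-written file. Mode bits are copied; the
    # owner becomes the user running the script.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True
```

Run it against a copy of the file first and compare the result with the .bak file before restarting restjavad.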

Re-discover BIG-IP devices and re-import services

If you upgrade or make a change directly on a managed BIG-IP device (which is not recommended), you must re-discover and re-import services for that device so BIG-IQ Centralized Management has the most current configuration for that device.
You cannot re-import SSLO configurations from discovered BIG-IP devices.
  1. At the top of the screen, click Devices.
  2. Click BIG-IP DEVICES.
  3. Select the check box next to the device you want to rediscover and reimport services for.
  4. Click the More button and select Re-discover and Re-import.
    When importing a BIG-IP device's services, you must resolve any conflicts found between the BIG-IP device's working configuration and the objects in the BIG-IQ working configuration using one of the following methods:
    • Stop importing the services with the conflicts. Resolve each conflict individually on the BIG-IP device's Services screen. Continue importing services after you address the conflicts.
    • For the LTM service configuration only: If you encounter LTM configuration conflicts, you can place the device in a silo, continue to discover other BIG-IP devices and later, go back to address the LTM service's conflict(s) for that BIG-IP device. After you address the conflicts, you can re-add the BIG-IP device and discover and import the LTM service (as well as any other licensed services).
      The option to place a BIG-IP device with a conflict in a silo to address the conflict later is available only for the LTM service. For all other services, you cannot use a silo to address conflicts. For information about managing conflicts from a silo, refer to the BIG-IQ: Using Silos to Resolve LTM Object Conflicts implementation on support.askf5.com.
    • Use a BIG-IQ conflict resolution policy to automatically treat all configuration object conflicts the same way if a difference is found.
  5. Select a conflict resolution policy option for each type of object.
  6. If you want to save a snapshot of the BIG-IP device's configuration before importing their services, select the Create a snapshot of the current configuration before importing check box.
  7. Click the Create button.
Once the services are rediscovered and reimported, you can manage these BIG-IP devices.

Details required for adding BIG-IP devices with a CSV file

Before you use a CSV file to add BIG-IP devices to BIG-IQ, you'll need the following information for each BIG-IP.
Refer to the About importing BIG-IP services with conflicts section for conflict policy guidelines.
| Device Details | Description and Action |
| --- | --- |
| Management IP address | Specify the management IP address(es) for the BIG-IP device(s) you are adding. |
| HTTPS Port | Type the management port for the BIG-IP device(s). This number must be between 4 and 65535. In many cases, it's the default port 443. Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535. |
| admin user name | admin |
| Password | Specify the admin user's password for the device(s). |
| Cluster Name | Specify if these devices are part of a cluster. |
| DSC Sync Mode | If these devices are part of a DSC, initiate DSC sync when deploying configuration changes by specifying FALSE. |
| Pending Changes | If these devices are part of a DSC, allow deployment of any pending changes by specifying TRUE. |
| Services List | List of services running on these devices, separated by a space. For example: LTM APM ASM AFM SSM DNS FPS |
| Enable Statistics Collection | If these devices are collecting statistics, allow data collection by specifying TRUE. |
| Zone | If you are adding data collection devices that need to be in a specific zone, specify the name of the zone to which you want them assigned. |
| APM Group | If these devices support the APM service, specify the APM group. |
| APM Shared Import | If these devices are part of an APM group, set this to TRUE only for the first device in the APM group, and leave the rest at FALSE. |
| Shared Object Conflict Policy | Specify how you want to resolve any shared object conflicts between BIG-IQ and the BIG-IP devices, using one of the following values: USE_BIGIQ, USE_BIGIP. |
| Version Object Conflict Policy | Conflict Resolution Policy for Version Specific Objects, for LTM monitors and profiles only. Specify one of the following values: USE_BIGIQ, USE_BIGIP, KEEP_VERSION. The default is USE_BIGIQ. |
| Device Specific Conflict Policy | Conflict Resolution Policy for Device Specific Objects. Specify one of the following values: USE_BIGIQ, USE_BIGIP. The default is USE_BIGIP. |
| Silo Properties | For LTM services only, specify an existing or new silo to put the BIG-IP device(s) into if a conflict is found. The default is Do Not Use a Silo. |
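
A pre-upload check for a device CSV that applies the constraints in the field list above, added here as an example (it is not F5 code). The header names, the function name and the SAMPLE_CSV rows are assumptions: the page lists the fields but not the header names or column order that BIG-IQ expects.

```python
import csv
import io
import ipaddress

# Header names are assumptions for this example: the page lists the fields,
# not the header names or column order that BIG-IQ expects.
BOOL_FIELDS = ("dsc_sync_mode", "pending_changes", "enable_stats", "apm_shared_import")
POLICIES = {
    "shared_conflict_policy": {"USE_BIGIQ", "USE_BIGIP"},
    "version_conflict_policy": {"USE_BIGIQ", "USE_BIGIP", "KEEP_VERSION"},
    "device_conflict_policy": {"USE_BIGIQ", "USE_BIGIP"},
}

# Constructed sample rows (documentation addresses, placeholder passwords).
SAMPLE_CSV = """\
mgmt_ip,https_port,username,password,cluster_name,dsc_sync_mode,pending_changes,services,enable_stats,zone,apm_group,apm_shared_import,shared_conflict_policy,version_conflict_policy,device_conflict_policy,silo
192.0.2.10,443,admin,example-password,,FALSE,TRUE,LTM APM,TRUE,default,branch-apm,TRUE,USE_BIGIQ,KEEP_VERSION,USE_BIGIP,
192.0.2.11,65535,admin,example-password,,FALSE,TRUE,LTM APM,TRUE,default,branch-apm,TRUE,USE_BIGIQ,,USE_BIGIP,
192.0.2.300,2,admin,example-password,,FALSE,yes,LTM SSLO,TRUE,default,,FALSE,KEEP_VERSION,USE_BIGIQ,USE_BIGIP,
"""


def validate_devices(csv_text):
    """Return (row_number, level, message) findings for a device CSV."""
    findings = []
    apm_groups_seen = set()
    reader = csv.DictReader(io.StringIO(csv_text), restval="")
    for row_no, row in enumerate(reader, start=1):
        def cell(name):
            return (row.get(name) or "").strip()

        def report(level, message):
            findings.append((row_no, level, message))

        try:
            ipaddress.ip_address(cell("mgmt_ip"))
        except ValueError:
            report("error", "management IP address is not valid")

        port = cell("https_port")
        if not (port.isascii() and port.isdigit() and 4 <= int(port) <= 65535):
            report("error", "HTTPS port must be between 4 and 65535")
        elif int(port) == 65535:
            report("warning", "port 65535 is blocked by Chrome and Safari")

        if not cell("password"):
            report("error", "admin password is empty")
        for field in BOOL_FIELDS:
            if cell(field) not in ("", "TRUE", "FALSE"):
                report("error", f"{field} must be TRUE or FALSE")
        for field, allowed in POLICIES.items():
            # An empty cell is accepted; the page documents defaults for two policies.
            if cell(field) and cell(field) not in allowed:
                report("error", f"{field} must be one of {sorted(allowed)}")

        # Devices with SSLO services have to be added individually.
        if "SSLO" in cell("services").upper().split():
            report("error", "SSLO devices cannot be added from a CSV file")

        # Only the first device listed for an APM group sets shared import TRUE.
        group = cell("apm_group")
        if group:
            shared = cell("apm_shared_import") == "TRUE"
            if group not in apm_groups_seen and not shared:
                report("error", f"first device in APM group {group} needs shared import TRUE")
            elif group in apm_groups_seen and shared:
                report("error", f"shared import already TRUE for APM group {group}")
            apm_groups_seen.add(group)
    return findings


if __name__ == "__main__":
    for finding in validate_devices(SAMPLE_CSV):
        print(finding)
```
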

Exporting device inventory details to a comma separated values (CSV) file

To export the BIG-IP Device inventory to a CSV file, your browser must be configured to allow popup screens.
Using BIG-IQ, you can quickly access and view the properties for all the devices you manage in your network. These properties include details about the device's IP addresses, platform type, license details, software version, and so forth. You (or another department in your company) can create custom reports containing this information to help manage these assets. To do this, you can export device properties to a CSV file and edit the data as required.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Export Inventory button.
BIG-IQ creates a CSV file and downloads it locally.

Use a CSV file to add BIG-IP devices, and discover and import their services

Before you add BIG-IP devices to BIG-IQ, keep these things in mind:
  • You must save your devices' details in a comma separated value (CSV) file.
  • You cannot add multiple BIG-IP devices with SSLO services. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
You add BIG-IP devices to BIG-IQ Centralized Management and discover and import their services so you can start managing them. This procedure allows you to add multiple BIG-IP devices to BIG-IQ using a comma separated value (CSV) file, and discover and import their services.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Add Device(s) button.
  4. For the Discovery Type setting, select Add BIG-IP device(s) and discover and import services in one step.
  5. To create a snapshot of the BIG-IQ configuration before importing services, select the Snapshot check box.
    Clear this check box if you are adding devices that are in an access group you just created. If you don't, BIG-IQ won't be able to add the device(s).
  6. To ignore conflicts for objects shared between BIG-IQ and the BIG-IP device(s) you're adding, leave the Conflict Resolution check box selected.
    This allows you to continue to import services that have no conflicts, and fix the conflicts individually later, from the BIG-IP DEVICES > SERVICES screen, to complete the import process for those services.
  7. Click the Upload CSV button.
  8. Navigate to the location where you saved your CSV file and click Open.
  9. Select the check box next to the BIG-IP devices you want to discover and import services for, and click the Discover and Import button at the bottom of the screen.
To view status and address any conflicts between BIG-IQ and BIG-IP device objects, on the left, click BIG-IP DEVICES.

What is a BIG-IP Device Service Clustering (DSC) group and how do I start managing it from BIG-IQ?

Device Service Clustering, or DSC, is a BIG-IP TMOS feature that lets you organize BIG-IP devices in groups to share configurations. These groups are called device service clusters (also DSC). With BIG-IQ, you can manage devices configured in a DSC, and their shared objects, from one centralized location.
Before you can manage BIG-IP systems configured in a DSC, you must:
  • Add the DSC device members to the BIG-IP Devices inventory.
  • Add the DSC group to the BIG-IP Clusters inventory.
  • Ensure that each DSC group includes at least one sync-failover configuration.
When a DSC group is in the BIG-IP Cluster inventory, you can view its properties and the devices within those groups, and synchronize their configurations, all without having to log in to each device individually. This allows for automatic synchronization among devices for any changes on objects defined in the cluster.
For specific information about BIG-IP DSC groups, refer to the BIG-IP Device Service Clustering: Administration guide.
Note that although objects are shared among devices in a DSC group, they appear based on the state of each managed BIG-IP device. This can indicate that an object, such as a shared pool, is offline for a specific device that is experiencing network issues. However, the pool will appear as online for other devices in the DSC group.

Discover BIG-IP Device Service Cluster groups

You must add the BIG-IP devices configured in a DSC to the BIG-IQ system's BIG-IP Device inventory before you can discover DSC groups.
All BIG-IP devices in a cluster must be running the same software version and have the same settings for:
  • Pools
  • Traffic-groups
  • VLANs
  • Tunnels
  • Route domains
The BIG-IQ DSC Groups inventory screen shows you a centralized view specific to DSC clusters.
The Cluster Display Name displays on this screen only for managed BIG-IP devices in a DSC.
BIG-IQ supports up to 8 BIG-IP systems in a DSC.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP CLUSTERS > DSC groups.
  3. Click the Discover button.
  4. Select the devices in the Available list, and then click the right arrow to add them to the Selected list.
    This list is populated from the BIG-IP Device inventory list. If you can't see all of the available devices listed, left-click the right bottom corner of the list and use your cursor to expand the dialog box.
  5. Click the Discover button.
The DSC Groups list refreshes to display the discovered DSC group.

Synchronizing configurations between BIG-IP devices in a DSC cluster

You must add a BIG-IP device configured in a DSC to the BIG-IP Devices inventory list and discover the DSC from the DSC Groups inventory list before you can synchronize BIG-IP devices configured in a DSC.
Synchronizing configuration between BIG-IP devices in a DSC cluster saves you time because you don't have to log on to each BIG-IP device in the cluster individually.
Unmanaged BIG-IP devices in a DSC do not display the Sync button.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP CLUSTERS > DSC Groups.
    The screen displays the list of DSC groups defined on this device.
  3. Click the name of the cluster that you want to synchronize.
  4. Click the Refresh Status button to get the most current sync status for the devices in the DSC group.
  5. For the Sync Option setting, select one of the options:
    • Device to Group - Select this option to prompt the BIG-IP device to synchronize its configuration with other device(s) in the DSC group.
    • Group to Device - Select this option to prompt the DSC group to load its configuration onto the BIG-IP device.
  6. Click the Sync button.
  7. To close the screen, click the Close button.

About basic device management

After you add BIG-IP devices to BIG-IQ Centralized Management and discover and import their services, you can start managing those devices.
Using the device list (go to Devices > BIG-IP DEVICES) you can view, filter and sort your discovered BIG-IP devices. You can also view details about the managed device, such as:
  • Status - whether your device is active and running or is experiencing connectivity issues.
  • Health - based on performance thresholds for CPU, memory, and disk space usage.
  • Device name (hostname)
  • Type - the physical or logical BIG-IP device setup. This can include configurations such as hardware, BIG-IP virtual edition, vCMP etc.
  • IP Address
  • Cluster Display Name (if applicable)
  • Silo (if applicable)
  • Statistics collection status - displays whether this setting was enabled or not for the device
  • Data Collection Device
  • Stats Services - the service modules that have statistics collection enabled
  • The last statistics collection period
From this screen you can also perform the following tasks:
  • Create an instant backup of the device's configuration.
  • Change the boot location of the device.
  • Edit cluster properties.
  • Log directly into the device from BIG-IQ.
  • Reboot the device from BIG-IQ.
  • Access details about the health of the device.
  • Access statistics for the device (if applicable).
  • Access services licensed for the device.

Managing a device from the device properties screen

You can use a device's Properties screen to manage that device. You can log directly in to the device, remotely reboot it, and create an instant backup of its configuration.
  1. At the top of the screen, click Devices.
  2. Click the link in the Device Name column of the device you want to view.
    The device Properties screen opens.
You can now view details of the selected device's properties, health, statistics collection configuration, and service (module) discovery and import options.

How can I organize the way devices display in BIG-IQ so they're easier to find and manage?

To more easily manage a large number of BIG-IP devices, you can organize them into groups. The types of groups you can use are:
  • Static groups
  • Dynamic groups
A static group contains specific devices that you add to it, and those devices stay in that group until you remove them. For example, you might want to create a static group named Seattle, and add all of the devices located in Seattle to it.
In contrast, a dynamic group is basically a saved query on a group. For example, if you created a static group that contained all of your managed devices located in Seattle and you wanted to view only those devices running a specific application, you could create a dynamic group with that filter. If one of the devices stops running the specified application, the device no longer appears in that dynamic group.
If you delete a managed BIG-IP device from the parent group, you see that change when you view the dynamic group.

Creating a static group of managed devices

You must license and discover BIG-IP devices before you can place them into a group.
To more easily manage a large number of devices, you can organize them into groups. For example, you could add devices to groups according to the running applications, geographical location, or department.
  1. At the top of the screen, click Devices.
  2. On the left, click DEVICE GROUPS.
  3. Near the top of the screen, click the Create button.
  4. In the Name field, type the name you want to use to identify this group.
    You can change this name at any time after you save this group.
  5. In the Description field, type a description for this group.
    For example, BIG-IP devices located in Seattle.
    You can change this description at any time after you save this group.
  6. For the Group Type setting, select Static.
  7. From the Parent Group list, select the source for the group you are creating.
  8. For the Available in Services setting, select the services licensed for this device.
    If this BIG-IP device is licensed for services you are not managing, you can reduce the number of devices displayed in the BIG-IP inventory by selecting the check box next to only the services you manage. If you are managing all aspects of BIG-IQ, select the check box next to each service running on this BIG-IP device.
  9. From the Available list, select the BIG-IP device(s) you want to add to this group.
    You can filter on specific groups by selecting a group from the list.
  10. Click the Save & Close button.
If you want to further filter specific devices from within this group, you can create a dynamic group.

Creating a dynamic group of managed devices

You must create a static group before you can create a dynamic group.
To filter a static group on certain parameters, you can create a dynamic group. For example, if you have a static group for all devices located in a particular city, and you want to view only those running a specific version of software, you could create a dynamic group to filter on that version number.
  1. At the top of the screen, click Devices.
  2. On the left, click DEVICE GROUPS.
  3. Click the Add Group button.
  4. In the Name field, type the name you want to use to identify this group.
    You can change this name at any time after you save this group.
  5. In the Description field, type a description for this group.
    For example, BIG-IP Devices located in Seattle.
    You can change this description at any time after you save this group.
  6. For the Group Type setting, select Dynamic Group.
  7. From the Parent Group list, select the source for the group you are creating.
  8. In the Search Filter field, type a term on which you want to filter the group.
  9. For the Available in Services setting, select the services licensed for this device.
    If this BIG-IP device is licensed for services you are not managing, you can reduce the number of devices displayed in the BIG-IP inventory by selecting the check box next to only the services you manage. If you are managing all aspects of BIG-IQ, select the check box next to each service running on this BIG-IP device.
  10. Click the Save & Close button.
This dynamic group reflects any changes made to the static group. For example, if a device is removed from its parent group, it no longer appears in the associated static group. Also, if a device no longer contains the object you filtered on, the device no longer displays in the dynamic group.

Filtering for specific BIG-IP devices

From each BIG-IQ screen that contains a list of items, you can easily find specific items. For example, after you discover several devices, you might want to find a specific device by its name or IP address. To do this, you start by filtering on certain properties. Filtering on specific criteria saves you time by allowing you to view only those items that match the criteria you specify.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. To search for a specific object, in the Filter field at the top right of the screen, type all or part of an object's name and click the filter icon.
    BIG-IQ refreshes the screen to show only those devices that contain the property you filtered on.
  4. To remove the filter, click the X icon next to it.

Change several BIG-IP passwords simultaneously

When you manage BIG-IP devices from BIG-IQ Centralized Management, it is good practice to change the default admin and root passwords on a regular basis. From BIG-IQ, you can change the passwords for several BIG-IP devices at one time.
You can change the passwords for several BIG-IP devices simultaneously only if they have the same password.
  1. At the top of the screen, click Devices.
  2. On the left, click PASSWORD MANAGEMENT > Change Device Passwords.
  3. Click the Create button.
  4. In the Name and Descriptions fields, type a name and optional description to help you identify this task.
  5. From the Available list, select devices and move them to the Selected list.
    The passwords for the BIG-IP devices you select must all be identical.
  6. Select an option for the Change Password setting.
  7. Provide the old and new passwords, as required.
  8. Click the Run button at the bottom of the screen.
    BIG-IQ will apply the new password to all of the selected BIG-IP devices. You can view the status of this task from the Change Device Passwords screen.

How do Data Collection Device zones work?

There are two ways to use Data Collection Device (DCD) zones to control how data is stored for your managed BIG-IP devices.
  • You can use zones to optimize statistics traffic routing. By assigning DCDs to a zone and then assigning managed BIG-IP devices to that zone, you control which DCDs collect statistic traffic for each device.
  • DCD zone awareness factors into how the DCD cluster performs during Disaster Recovery scenarios. The role zones play in these scenarios is discussed in the Disaster Recovery Best Practices article on support.f5.com.
To specify which DCDs collect statistics traffic for a BIG-IP device, you perform two tasks:
  • Log in to each DCD that should collect data for this BIG-IP device and assign them to the correct zone.
  • Log in to the BIG-IQ CM and assign the BIG-IP to the zone to which those DCDs are assigned.

Change the zone for a Data Collection Device

Normally, you assign a Data Collection Device (DCD) to a zone as part of the initial setup for that device. But you can change the zone to which a DCD is assigned as needed.
  1. From BIG-IQ, at the top of the screen, click System, then, on the left, click BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.
    The BIG-IQ Data Collection Devices screen opens listing the DCDs in the cluster. The Services column lists the BIG-IP services monitored by each DCD. If no services are enabled for a DCD, this column displays Add Services instead.
  2. Under Device Name, select the DCD that you want to revise.
  3. On the DCD properties page, click Edit to display the Edit Zone popup.
    • To use an existing Zone, select the zone you want to assign to this DCD and click Continue.
    • To use a new Zone, select Create New, then type the name of the zone you want to create and assign to this DCD and click Continue.
  4. Click Save & Close to close the DCD properties screen.
  5. Use SSH to log in to the DCD as root.
  6. Type bigstart restart elasticsearch and press Enter.
  7. Repeat the last three steps for each DCD that you want to move to this zone.
    As you run this command on each DCD, it momentarily stops processing DCD data, so the data routes to another node in the cluster and no data is lost.
You can now assign managed BIG-IP devices to this zone for data collection.

Change a zone for a BIG-IP device

Before you can change a BIG-IP device's zone, you must have created the zone on the Data Collection Device (DCD).
Changing the zone assignment for a BIG-IP determines which DCDs collect statistics data for that device. Normally, you assign a BIG-IP to a zone as part of the initial setup for that device, but you can change the zone to which a BIG-IP device is assigned as needed.
  1. At the top of the screen, click Devices.
  2. Click on the name of the device for which you want to change the zone.
    The properties screen displays for that device.
  3. On the left, click STATISTICS COLLECTION.
  4. For Collect Statistics Data, select Enabled to collect statistics from this device.
  5. For Zone, select the zone to which you want to assign this BIG-IP device.
  6. Click Save & Close to close the device properties screen.
DCDs assigned to the zone you selected start collecting the statistics data for this device.