Manual Chapter: Managing Address Lists

Applies To:

BIG-IQ Centralized Management

  • 8.4.0
  • 8.3.0
  • 8.2.0
  • 8.1.0
  • 8.0.0
  • 7.1.0

Managing Address Lists

Address lists, also called network address lists, are collections of IPv4 or IPv6 addresses, address ranges, nested address lists, geolocations, and subnets. These can be used by other parts of the BIG-IQ Centralized Management system, such as firewall rules or firewall policies.

You can manage address lists from the following locations:

  • Configuration > NETWORK > Address Lists
  • Configuration > SECURITY > Network Security > Address Lists

Be aware of the following considerations about address lists.

  • Address lists are containers and must contain at least one entry. You cannot create an empty address list; you cannot remove an entry in an address list if it is the only one.
  • To pin an address list to a deployment, you must do so from the Local Traffic pinning policy user interface: Configuration > LOCAL TRAFFIC > Pinning Policies.
  • You can add geolocation awareness to address lists, which enables you to specify source or destination IP addresses by geographic location rather than by their IP addresses. The geolocation is validated when the address list is saved. If you use a geolocation specification that is valid on BIG-IQ, but not supported on a particular BIG-IP device because the device has a different geolocation database, it causes a deployment failure for that device. Importing a BIG-IP device with an invalid geolocation specification causes a discovery failure for that device.

You create address lists so that you can use them with other parts of the BIG-IQ Centralized Management system, such as firewall rules. Address lists are a collection of addresses. You can access address lists from either the network or the network security configuration menu.

  • To use the network configuration, click Configuration > NETWORK > Address Lists.
  • To use the security configuration, click Configuration > SECURITY > Network Security > Address Lists.
  1. Open the Address Lists screen.

    You can access the address list from either the network or network security configuration menu and it will behave in the same way.

  2. Click Create.

    The New Address List screen opens.

  3. On the left, click Properties.

  4. Supply the properties for the address list.

    • In the Name setting, type a unique name for the address list.
    • In the Description setting, type an optional description for the address list.
    • In the Partition setting, type a partition if needed. The Common partition is the default.
  5. On the left, click Addresses.

  6. Supply the addresses for the address list.

    The screen displays a template address for you to complete. An address list must contain at least one address.

  7. In the Type column, select the address type, and then provide the address information in the Addresses column. You can also add a description for each address in the Description column.

    • To add a single address, select Address and type an IPv4 or IPv6 address.
    • To add an address list, select Address List and select the name of the address list.
    • To add a range of addresses, select Address Range and type the beginning and ending IPv4 or IPv6 addresses.
    • To add a location to the address list, select Country/Region and select the country and, optionally, the region of the country. You can also select Unknown as the country or region option. Address locations can be used when defining rules based on where a system is located (the geolocation of the system), rather than on the IP address of the system.
    • To add a domain name, select Domain Name and type the domain name.
  8. In the Add/Remove column, click + to add the address to the list.

    You can click X to delete an address from the list.

  9. Continue to add or delete addresses to the address list until the address list is complete.

  10. Save your work.
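A pre-check for address list entries drafted offline, before they are typed or imported. This is an added example, not F5 code and not a BIG-IQ API. The (type, value) tuple layout, the "start-end" range notation, the function names, and the cycle check on nested lists are assumptions made for illustration; only the entry types and the at-least-one-entry rule come from this chapter.

```python
import ipaddress

def check_entry(kind, value, lists):
    """Return problems for one (type, value) entry; types follow the Type column."""
    if kind == "Address":  # assumption: subnets are entered under Address
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            return [f"invalid address or subnet: {value}"]
    elif kind == "Address Range":
        try:  # assumption: a range is written as "start-end"
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        except ValueError:
            return [f"invalid range: {value}"]
        if lo.version != hi.version or lo > hi:
            return [f"range is mixed-family or reversed: {value}"]
    elif kind == "Address List" and value not in lists:
        return [f"unknown address list: {value}"]
    elif kind not in ("Address List", "Country/Region", "Domain Name"):
        return [f"unknown entry type: {kind}"]
    return []

def reaches(lists, start, target, seen):
    """True if nested Address List entries under start lead back to target."""
    for kind, value in lists.get(start, []):
        if kind != "Address List" or value in seen:
            continue
        if value == target:
            return True
        seen.add(value)
        if reaches(lists, value, target, seen):
            return True
    return False

def check_lists(lists):
    """Map each list name to its problems; clean lists are omitted."""
    problems = {}
    for name, entries in lists.items():
        found = ["address list must contain at least one entry"] if not entries else []
        for kind, value in entries:
            found += check_entry(kind, value, lists)
        if reaches(lists, name, name, set()):
            found.append("nested address lists form a cycle")
        if found:
            problems[name] = found
    return problems

SAMPLE = {  # constructed sample data (documentation address ranges), not from a real system
    "web": [("Address", "192.0.2.10"), ("Address Range", "198.51.100.1-198.51.100.20")],
    "partners": [("Address Range", "203.0.113.50-203.0.113.5"), ("Address List", "staging")],
    "loop-a": [("Address List", "loop-b")], "loop-b": [("Address List", "loop-a")], "empty": [],
}
```

Calling check_lists(SAMPLE) returns problems for every list except "web". Country/Region and Domain Name entries are passed through unchecked because they can only be validated against the geolocation database and DNS.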

You edit address lists to change the properties of the address list or to add, modify, or remove addresses from the address list, or both. You can access address lists from either the network or the network security configuration menu.

  • To use the network configuration, click Configuration > NETWORK > Address Lists.
  • To use the security configuration, click Configuration > SECURITY > Network Security > Address Lists.
  1. Open the Address Lists screen.

    You can access an address list from either area and it will behave in the same way.

  2. Click the name of the address list to edit it.

  3. To modify the address list Description, click Properties and in the Description setting, type or revise an optional description for the address list.

  4. On the left, click Addresses.

  5. Add, modify, or delete addresses for the address list.

    • To modify an address, click the pencil icon to the left of the address.
    • To delete an address, click X in the Add/Remove column.
    • To add an address, click + in the Add/Remove column. An address list must contain at least one address.
  6. If you are adding or modifying an address, supply or modify the settings.

    In the Type column, select the address type, and then provide the address information in the Addresses column. You can also add a description for each address in the Description column.

    • To add a single address, select Address and type an IPv4 or IPv6 address.
    • To add an address list, select Address List and select the name of the address list.
    • To add a range of addresses, select Address Range and type the beginning and ending IPv4 or IPv6 addresses.
    • To add a location to the address list, select Country/Region and select the country and, optionally, the region of the country. You can also select Unknown as the country or region option. Address locations can be used when defining rules based on where a system is located (the geolocation of the system), rather than on the IP address of the system.
    • To add a domain name, select Domain Name and type the domain name.
  7. In the Add/Remove column, click + to add the address to the list.

    You can click X to delete an address from the list.

  8. Continue to add, modify, or delete addresses in the address list until the address list is complete.

  9. Save your work.

You can clone an address list to create a copy of it, which you can then edit to address any special considerations. You can access address lists from either the network or the network security configuration menu.

  • To use the network configuration, click Configuration > NETWORK > Address Lists.
  • To use the security configuration, click Configuration > SECURITY > Network Security > Address Lists.
  1. Open the Address Lists screen.

    You can access an address list from either area and it will behave in the same way.

  2. Select the check box next to the address list to clone.

  3. Click Clone.

    The system makes a copy of that address list with the same name, but with -CLONE appended to the name and a blank Description field.

  4. Change the address list properties and contained addresses as needed, such as providing a meaningful name or changing an address within the list.

  5. Save your work.

The new address list is now defined and you can assign it to an object.

You rename an address list when you want to make that name more accurate or distinct. Renaming an address list causes a new address list to be created and the old address list to be deleted in a single transaction. All references to the old address list are updated to refer to the renamed address list.

  1. Click Configuration > SECURITY > Network Security > Address Lists.

    You cannot rename an address list from the Configuration > NETWORK > Address Lists area.

  2. Select the check box next to the address list to rename.

  3. Click Rename.

    A dialog box displays.

  4. Enter the new name in the dialog box and click Save.

    The BIG-IQ system shows the status of the renaming operation in the dialog box.

  5. Click Close to exit the dialog box.

The address list has been renamed.

If you want to do a quicker deployment by only deploying the address list portion of a configuration, you can do a partial deployment of the address list, instead of deploying the entire configuration. You can access address lists from either the network or the network security configuration menu.

  • To use the network configuration, click Configuration > NETWORK > Address Lists.
  • To use the security configuration, click Configuration > SECURITY > Network Security > Address Lists.
  1. Open the Address Lists screen.

    You can access an address list from either area and it will behave in the same way.

  2. Select the check box next to the address list to deploy.

  3. Click Deploy.

The system displays the selected address list, with options for partial deployment selected. You can now continue the partial deployment process.

You delete address lists you no longer use to avoid confusion in the user interface. You can access address lists from either the network or the network security configuration menu.

  • To use the network configuration, click Configuration > NETWORK > Address Lists.
  • To use the security configuration, click Configuration > SECURITY > Network Security > Address Lists.
  1. Open the Address Lists screen.

    You can access an address list from either area and it will behave in the same way.

  2. Click the check box next to the address list to delete.

  3. Click Delete.

  4. In the confirmation dialog box that opens, click Delete to confirm the removal.

    If the address list is pinned to a BIG-IP device pinning policy, the deletion will fail.

Before you can import address lists, you need to have the permissions of the Network Security Editor user role, if you do not already have them.

You can create address list entries in a text editor on your local machine and import them into BIG-IQ as a CSV file, which saves the time that manual entry would take.

  1. At the top of the screen, click Configuration, then, on the left, click SECURITY > Network Security > Network Firewall > Address Lists.

  2. Select Import and confirm your selection in the popup screen.

    The import process might take about a minute, depending on the number of address lists you are importing. There is no maximum number of address lists you may import. You can close the import popup once you are finished by selecting Close.

    BIG-IQ populates the Address Lists page with your data.

Once the address lists are imported into BIG-IQ, you can view, clone, delete, deploy, and rename the lists from BIG-IQ, as well as view and edit individual IP addresses within each list.

Before you can import address lists, you need to have the permissions of the Network Security Editor user role, if you do not already have them.

You can export address lists from a production BIG-IQ to replicate the system in your lab so you can troubleshoot network firewall issues efficiently.

  1. At the top of the screen, click Configuration, then, on the left, click SECURITY > Network Security > Network Firewall > Address Lists.

  2. Select Export and confirm your selection in the popup screen.

    The export process might take about a minute, depending on the size of the address lists. There is no maximum number of address lists you may export. You can cancel the export process at any time during the file conversion by selecting Cancel in the popup screen.

    BIG-IQ generates a CSV file containing the address lists that will be downloaded onto your local machine.

Once the address lists are compiled into a CSV file, you can open this file in an editor of your choice in your environment for troubleshooting.