My Support
  1. AskF5 Home
  2. Knowledge Center
  3. Planning and Implementing a BIG-IQ Deployment
  4. Managing a BIG-IQ System
Manual Chapter : Managing a BIG-IQ System

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.1.0
Manual Chapter

Managing a BIG-IQ System

BIG-IQ navigation and customization

BIG-IQ includes navigation, search tools, and a customizable user interface to help you complete your tasks efficiently and find objects easily. The icons listed here are displayed from left to right on most BIG-IQ screens.
  • Menu Finder
    To quickly locate a particular menu item, click the grid icon in the left corner of the screen and type a term in the field. This search is a simple text search. BIG-IQ displays links to all screens and on line help that contains that term anywhere in the string.
  • Customized system user preferences
    You can specify the amount of time that passes before BIG-IQ logs you out when the system is idle, what default screen displays when you log back in, or change your password by clicking the arrow at the upper-right corner of the screen and select
    User Preferences
    .
  • Global search, related content, and preview pane
    BIG-IQ has a robust and interactive global search feature that allows you to easily find a specific content and related content. From any screen, you can click the magnifying glass icon in the upper-right corner of the screen and type a search string. Search results are grouped by content type. From the results, you can click an object to go directly to that object's properties screen in BIG-IQ.
  • Product documentation, F5 modules for Ansible, and online help
    To access BIG-IP, API, Ansible documentation, and F5 modules for Ansible, click the book icon in the upper-right corner of any screen.
  • Online help
    To view the context-sensitive online help, click the question mark in the upper-right corner on any screen.
  • Filters
    For each screen that contains a list, you can use a context-sensitive filter to search on a term, and then narrow your search further to view only those items that are relevant to you at the moment. For example, say you wanted to see local traffic and network audit logs. You can use the search on local traffic, and further refine what is displayed by filtering again on network audit logs.
  • Customized log in screen
    To customize your log in screen for users (for example, if you want to provide special guidance or make sure all users see a certain message), you can navigate to
    System
    THIS DEVICE
    General Properties
    , click the
    Edit
     button and type your message (up to 8,192 characters) in the
    Custom Login Message
    field.
  • Flexible access to objects and configuration options
    For some objects, you can view and edit settings that are located in other places in the user interface, without having to stop what you're doing and navigate to another part of BIG-IQ. For example, you could be editing a firewall policy and find an address list in the toolbox that you want to look at. Right there, you can click the address to access the details, and then view or edit it as you want.
    You can also configure some types of objects from different places in BIG-IQ, depending on what your user role is or what work flow you're in. For example, you can create an access group from the Configuration area of BIG-IQ, as well as from the Devices area. This makes it convenient for you to access during other tasks you're doing in different areas of BIG-IQ.
  • Customizing and sorting columns
    You can customize the columns that display in each screen that has a list by clicking the gear icon at the top right side of the screen, next to the filter, hiding any information that isn't important to you. You can also rearrange columns by dragging and dropping them to a different location or sort objects by clicking the arrow at the top of a column. This helps you to focus on only those attributes that are relevant to you.

How do I configure BIG-IQ systems in a high availability configuration?

Setting up BIG-IQ in a high availability configuration ensures that you always have access to the BIG-IP devices you are managing. In a BIG-IQ high availability configuration, the BIG-IQ system replicates configuration changes since the last synchronization from the primary device to the secondary device every 30 seconds. If it ever becomes necessary, you can have the secondary peer take over management of the BIG-IP devices.
You can set up BIG-IQ in an auto failover configuration or a manual failover configuration.

Add BIG-IQ SSL certificates to the active and standby BIG-IQ in an HA pair

If you've configured SSL certificate verification for BIG-IQ by enabling the
Verify Hosts
 setting from the
System
SSL CERTIFICATE VERIFICATION
 screen, you must use this procedure for successful communication between the components in the high availability configuration.
SSL certificate verification is disabled by default. If you haven’t enabled SSL verification, you do not need to complete this task for your auto failover high availability configuration.
Before you create an auto-failover BIG-IQ high availability configuration for a BIG-IQ you've enabled SSL certificate verification for, you need to add the SSL certificates for both BIG-IQ systems and the DCD quorum to what will be the active BIG-IQ so you can validate the end-user host. This is required for all BIG-IQ systems and the DCD quorum with SSL certificate verification enabled to communicate with your managed devices, regardless of which BIG-IQ system is active. BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates), or internal or public certificate authority certificates.
  1. Save the BIG-IQ SSL public key certificates on your local system.
  2. At the top of the screen, click
    System
    .
  3. On the left, click
    SSL CERTIFICATION VERIFICATION
    .
  4. Click
    Import
    .
  5. From the
    Import Type
     list, select
    Certificate
    .
  6. Type a
    Name
     for this BIG-IQ certificate.
    BIG-IQ stores and identifies this certificate by the name you specify here. Therefore, if the certificate you are importing is currently named
    mycertificate.crt
    , but you when you import it you name it
    f5.crt
    , BIG-IQ renames the certificate as you specified, to
    f5.crt
    .
  7. Click
    Upload File
     and navigate to the certificate.
  8. Repeat steps 4 - 8 to add the standby BIG-IQ system's certificate device to this active BIG-IQ system.

Add a standby BIG-IQ for a high availability configuration

Before you can set up BIG-IQ in a high availability (HA) configuration, you must have two licensed BIG-IQ systems and you must have added the primary and secondary SSL certificate to the primary BIG-IQ system. It's a good idea to have the BIG-IQ systems in a high availability configuration to be on different platforms for additional insurance that both BIG-IQ systems won't fail.
For the high-availability pair to synchronize properly, each system must be running the same BIG-IQ software version, and the clocks on each system must be synchronized to within 60 seconds. To make sure the clocks are in sync, take a look at the NTP settings on each system before you add a peer.
Configuring BIG-IQ in a high availability (HA) pair means that you can still manage your BIG-IP devices even if one BIG-IQ systems fails.
fail over to work properly, the second BIG-IQ system is not on the same underlying hardware as the primary BIG-IQ system to avoid having both BIG-IQ systems fail.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click the
    Add Secondary
     button.
  4. Type the properties for the BIG-IQ system that you are adding.
  5. Click the
    Add
     button at the bottom of the screen.
The BIG-IQ system synchronize. Once they are finished, both appear as ready (green).

Change a BIG-IQ system in a high availability pair to a standalone system

If the one of your BIG-IQ systems in an HA pair is having any type of system issue, you might want to make it a standalone system until you can fix the problem or until you are finished setting up BIG-IQ again.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click the
    BIG-IQ HA Settings
     button and then click the
    Reset to Standalone
     button.
This BIG-IQ system becomes a standalone system from which you can start managing your devices.

Remove the standby BIG-IQ system from the HA pair

If the F5 BIG-IQ Centralized Management system is configured in an HA pair, you must remove the standby BIG-IQ system before you upgrade the active BIG-IQ.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    BIG-IQ HA
    .
  3. Click
    Remove Standby
    .
    A dialog box opens, prompting you to confirm that you want to remove the standby BIG-IQ from this group.
  4. Click
    Remove
     to confirm that you want to take the standby BIG-IQ from the group.
    The system logs you out of the BIG-IQ while it removes the standby BIG-IQ.
  5. Log back in to the active BIG-IQ.
    For a while, both the active and the standby BIG-IQ continue to display. After a few minutes, the screen updates to display a single standalone BIG-IQ.

Add a BIG-IQ data collection device

You can add a new BIG-IQ data collection device (DCD) to the list of devices from which a BIG-IQ can retrieve data. A DCD is necessary if you want to view statistics, event, or alert log data generated by your managed devices.
  1. At the top of the screen, click
    System
    , then, on the left, click
    BIG-IQ DATA COLLECTION
    BIG-IQ Data Collection Devices
    .
    The BIG-IQ Data Collection Devices screen opens listing the data collection devices in the cluster. The Services column lists the BIG-IP services monitored by each DCD. If no services are enabled for a DCD, this column displays
    Add Services
     instead.
  2. For the
    Discovery/Listener Address
    , type one of the self IP addresses for this DCD.
    The BIG-IQ system uses this address to discover the DCD. The DCD uses this address to listen for alerts from your managed devices.
  3. In the
    Username
     field, type the admin account user name.
  4. In the
    Password
     field, type the admin password.
  5. In the
    Data Collection IP Address
     field, type one of the self IP addresses for this DCD.
    The DCD uses this address to exchange data and replicas with other DCDs in the cluster.
    The DCD and BIG-IQ should both use the same VLAN.
  6. Note the
    Data Collection Port
     value (
    9300
    ). This field displays the number of the port that DCDs in your cluster use for internal polling and communication with each other.
    You cannot change the port, but knowing the port number might be useful when resolving DCD communications issues.
  7. For the
    Zone
     setting, either select the disaster recovery zone in which you want this DCD to reside, or use the default setting.
    • If your organization does not use zones, use
      default
      .
    • To use an existing zone, select it.
    • To create a zone:
      • Select
        Create New
        . A new text box opens.
      • Type the name for the new zone.
      DCD zones serve two purposes:
      • You can use zones to optimize statistics traffic routing. By assigning DCDs to a zone and then assigning managed BIG-IP devices to that zone, you control which DCDs collect statistic traffic for each device.
      • DCD zone awareness factors into how the DCD cluster performs during Disaster Recovery scenarios. The role zones play in these scenarios is discussed in the
        Managing Disaster Recovery Scenarios with Two Data Centers
         article on
        support.f5.com
        .
  8. Click
    Save & Close
    .

Configuring additional VLAN and and self IP address for device management after BIG-IQ deployment

During the licensing and initial configuration procedures, you specify the management port for BIG-IQ, as well as any VLAN an self-IP address from which you want to manage devices.

Configure additional VLAN to manage BIG-IP devices

You must have licensed the BIG-IQ system before you can configure a VLAN.
If you decide you want to manage BIG-IP devices from a VLAN rather than the BIG-IQ system's management port, or if you want to add an additional VLAN, you can configure it using this procedure.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    Network Settings
    VLANs
    .
  3. Click the
    Create
     button.
  4. In the
    Name
     and
    Description
     fields, type a unique name and description to identify this new VLAN.
  5. In the
    Tag
     field, type an optional tag number.
    A VLAN
    tag
     is a unique ID number between 1 and 4094. All messages sent from a host in this VLAN includes the tag as a header in the message to identify the specific VLAN where the source or destination host is located. If you do not assign a tag, BIG-IQ assigns one automatically.
  6. From the
    Interface
     list, select the port that you want this VLAN to use.
    The
    interface
     is a physical or virtual port that you use to connect the BIG-IQ system to managed devices in your network.
  7. In the
    MTU
     field, type an optional frame size value for Path Maximum Transmission Unit (MTU).
    By default, BIG-IP devices use the standard Ethernet frame size of 1518 bytes (1522 bytes if VLAN tagging is used) with the corresponding MTU of 1500 bytes. For BIG-IP devices that support Jumbo Frames, you can specify another MTU value.
  8. Click the
    Save & Close
     button.

Specify a self-IP address for a VLAN

You need to configure BIG-IQ with at least a VLAN before you can associate a self IP address with it.
If you've configured a VLAN to manage BIG-IP devices, you can then associate a self IP address with that VLAN.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    NETWORK SETTINGS
    Self IPs
    .
  3. At the top of the screen, click the
    Create
     button.
  4. In the
    Name
     field, type a unique name to identify this new self IP address.
  5. In the
    Address
     field, type the self IP address and netmask.
    The format is
    <self IP address/netmask>
    .
  6. In the
    Description
     field, type a description for this self IP address.
  7. From the
    VLAN
     list, select the VLAN to associate with this self IP address.
  8. Click the
    Save & Close
     button.

Specify a web proxy for secure communication to F5 iHealth and license servers

Before you can specify a web proxy, you must license and perform the initial configuration for BIG-IQ.
For security purposes, you can specify a web proxy for BIG-IQ to use for communication with the F5 iHealth server and the F5 license server.
  1. At the top of the screen, click
    Applications
    .
  2. On the left, click
    PROXIES
    .
  3. Near the top of the screen, click the
    Add
     button.
  4. In the
    Name
     field, type a name to identify this web proxy.
    You must use the exact same proxy name on all BIG-IQ systems in a cluster.
  5. In the
    Address
     and
    Port
     fields, type the IP address and port for the web proxy server.
    The proxy address and port don't have to be the same for all BIG-IQ systems in a cluster.
  6. If the web proxy server requires authentication, provide the credentials in the
    User Name
     and
    Password
     fields.
  7. For the
    Functions
     setting, select the check box next to each function you want to use this web proxy for communication between BIG-IQ and the internet.
  8. Click the
    Create
     button at the bottom of the screen.
BIG-IQ will now use this web proxy for communication when accessing the internet for the functionality you specified.

How do I change the Master Key?

If you configure two BIG-IQ system separately and then want to add a peer BIG-IQ system for a high availability configuration, or you added BIG-IQ systems in a data collection device cluster, you'll need to change the Master Key on one or more of the BIG-IQ system so they match.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    General Properties.
  3. Click the
    Edit
     button on the right.
  4. Click the
    Change Master Key
     button.
  5. Type the current and new Master Key passphrases and confirm the new passphrase.
  6. Click the
    Save button.

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks

©2020 F5, Inc. All rights reserved.

Policies Privacy Trademarks