Manual Chapter: Initial Connections for BIG-IQ Centralized Management

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Initial Connections for BIG-IQ Centralized Management

BIG-IQ navigation and customization

BIG-IQ includes navigation, search tools, and a customizable user interface to help you complete your tasks efficiently and find objects easily. The icons listed here are displayed from left to right on most BIG-IQ screens.
  • Menu Finder
    To quickly locate a particular menu item, click the grid icon in the left corner of the screen and type a term in the field. This search is a simple text search. BIG-IQ displays links to all screens and online help that contain that term anywhere in the string.
  • Customized system user preferences
    You can specify the amount of time that passes before BIG-IQ logs you out when the system is idle, the default screen that displays when you log back in, or change your password by clicking the arrow at the upper-right corner of the screen and selecting User Preferences.
  • Global search, related content, and preview pane
    BIG-IQ has a robust and interactive global search feature that allows you to easily find specific content and related content. From any screen, you can click the magnifying glass icon in the upper-right corner of the screen and type a search string. Search results are grouped by content type. From the results, you can click an object to go directly to that object's properties screen in BIG-IQ.
  • Product documentation, F5 modules for Ansible, and online help
    To access BIG-IP, API, Ansible documentation, and F5 modules for Ansible, click the book icon in the upper-right corner of any screen.
  • Online help
    To view the context-sensitive online help, click the question mark in the upper-right corner on any screen.
  • Filters
    For each screen that contains a list, you can use a context-sensitive filter to search on a term, and then narrow your search further to view only those items that are relevant to you at the moment. For example, say you wanted to see local traffic and network audit logs. You can use the search on local traffic, and further refine what is displayed by filtering again on network audit logs.
  • Customized login screen
    To customize the login screen for your users (for example, if you want to provide special guidance or make sure all users see a certain message), navigate to System > THIS DEVICE > General Properties, click the Edit button, and type your message (up to 8,192 characters) in the Custom Login Message field.
  • Flexible access to objects and configuration options
    For some objects, you can view and edit settings that are located in other places in the user interface, without having to stop what you're doing and navigate to another part of BIG-IQ. For example, you could be editing a firewall policy and find an address list in the toolbox that you want to look at. Right there, you can click the address to access the details, and then view or edit it as you want.
    You can also configure some types of objects from different places in BIG-IQ, depending on what your user role is or what workflow you're in. For example, you can create an access group from the Configuration area of BIG-IQ, as well as from the Devices area. This makes it convenient for you to access during other tasks you're doing in different areas of BIG-IQ.
  • Customizing and sorting columns
    You can customize the columns that display in each screen that has a list by clicking the gear icon at the top right side of the screen, next to the filter, hiding any information that isn't important to you. You can also rearrange columns by dragging and dropping them to a different location or sort objects by clicking the arrow at the top of a column. This helps you to focus on only those attributes that are relevant to you.

Configure static routes

For details about which routes your solution needs and why, refer to Routing considerations for a BIG-IQ solution in the Planning a Centralized Management & Visibility Deployment article on support.f5.com. You must have this information before you can proceed.
You need to create the static routes that enable communication between the components in your BIG-IQ solution. For details on how to create these routes, refer to this article: K13833.

Confirm connectivity between BIG-IQ solution components

After your routes are set up and all of your components are online, you should confirm that all connections are performing correctly. Checking your connections and discovering a bad route now can spare a lot of headaches down the road.
You need to verify that there is bidirectional communication between each component in your solution. Your network administrator likely has all the tools necessary to confirm this. But F5 also has a script (accessible on a public Git repository) that you can use to determine whether each component in the solution is connected correctly. You run this script on both the primary and secondary BIG-IQ VEs, following the prompts to identify the IP addresses for each component. The script then uses Ncat (a Unix utility) to probe and report the route it finds to each device, including the port status and (optionally) the latency encountered.
Access the F5 public Git repository using this link: f5-bigiq-connectivityChecks. Instructions for installing and using the script are in a README file, which is available at the same location.
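As an added example (not F5's f5-bigiq-connectivityChecks script), the following Python code performs the same kind of check the script does: it probes each component's TCP port, reports it as open, closed, or filtered, and records the connect latency. The component names, 192.0.2.x addresses, and port 443 are constructed assumptions; the loopback self-check lets it run without a lab. Run it from each BIG-IQ and DCD in turn to cover both directions.

```python
import socket
import time

# Constructed component map (name, host, port); replace with your own addresses.
# Port 443 is an assumption: BIG-IQ, DCDs and BIG-IP devices talk over HTTPS.
COMPONENTS = [
    ("bigiq-secondary (constructed)", "192.0.2.11", 443),
    ("dcd-1 (constructed)", "192.0.2.21", 443),
    ("bigip-1 (constructed)", "192.0.2.31", 443),
]

def check_tcp(host, port, timeout=3.0):
    """Probe one TCP port. Returns (status, latency_ms): 'open' with the connect
    latency in ms, 'closed' when the host answers with a reset, or 'filtered'
    when nothing answers before the timeout (typical of a missing route or a
    firewall that drops the traffic)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", round((time.monotonic() - start) * 1000, 2)
    except socket.timeout:          # must precede OSError: it is a subclass
        return "filtered", None
    except OSError:
        return "closed", None

def connectivity_report(components, timeout=3.0):
    """Probe every (name, host, port) entry and return one record per component."""
    report = []
    for name, host, port in components:
        status, latency = check_tcp(host, port, timeout)
        report.append({"component": name, "host": host, "port": port,
                       "status": status, "latency_ms": latency})
    return report

def self_check():
    """Run the report against a constructed two-node cluster on loopback: an
    ephemeral listening socket stands in for a reachable DCD, and a bound but
    non-listening socket stands in for a device whose listener is missing."""
    listening, silent = socket.socket(), socket.socket()
    listening.bind(("127.0.0.1", 0)); listening.listen(1)
    silent.bind(("127.0.0.1", 0))      # never listen(): connects are refused
    try:
        return connectivity_report([
            ("dcd-1 (constructed)", "127.0.0.1", listening.getsockname()[1]),
            ("bigip-1 (constructed)", "127.0.0.1", silent.getsockname()[1]),
        ], timeout=2.0)
    finally:
        listening.close(); silent.close()

if __name__ == "__main__":
    for rec in self_check() + connectivity_report(COMPONENTS):
        print(f"{rec['component']:32} {rec['host']}:{rec['port']:<5} {rec['status']:8} {rec['latency_ms']}")
```

A "filtered" result on a component you expect to reach usually means a static route is missing or a firewall is silently dropping the traffic; "closed" means the host is reachable but nothing is listening on that port.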

Add a proxy for secure communication

Before you can perform this task, you must be logged in as Admin, and you must have configured a proxy server that your data collection device (DCD) cluster can access.
As a security precaution, you might want to configure a proxy to route DCD cluster communications that need to pass through your firewall. When you configure a proxy for the BIG-IQ, you designate the operations that you want to use it for communicating outside your firewall. Here are some common situations in which that communication is needed:
  • Communicate with the F5 licensing server when you use BIG-IQ to license BIG-IP devices.
  • Send iHealth data to F5 for troubleshooting help.
  • Route forwarded alerts.
  • Download alert rules from the security operations center.
  • Download ASM signature files.
To use a proxy for Fraud Protection Service, you must configure a proxy on each device (every DCD and both the primary and the secondary BIG-IQ devices) in the DCD cluster. The proxy names you specify for each node in the cluster must match exactly, but the IP address and port number for the proxy can be different from device to device.
  1. At the top of the screen, click System.
  2. On the left, click PROXIES.
  3. On the Proxies screen, click Add.
  4. If the BIG-IQ is in a high availability configuration, you can assign the proxy to either the active or standby device. For Proxied Device, select the hostname of the device for which you are creating this proxy.
  5. For Name, type a name for this proxy.
     The proxy name must match across all devices in the cluster. The proxy addresses and port can vary.
  6. For Address, type the IP address of the proxy server.
  7. For Port, type the port that you want the proxy server to use.
  8. If the proxy server requires authentication, type the User Name and Password for the proxy.
  9. Select the check box next to the Functions (Licensing or iHealth) that you want BIG-IQ to use this proxy for.
     When you create a proxy, the BIG-IQ uses that proxy when it accesses FPS alerts or ASM signature files. BIG-IQ uses this proxy any time you use a function that requires communication outside the firewall.
  10. Click the plus sign in the upper right-hand corner, and then repeat the preceding 4 steps to add a proxy for each data collection device in the cluster.
     Remember, the proxy name must match across all devices in the cluster. The proxy addresses and port can vary.
  11. Click Save & Close.
  • To use this proxy for a BIG-IQ used only as a license server, follow the task sequence laid out in Deploy BIG-IQ to use as a license manager for BIG-IP VE devices on support.f5.com.
  • To use this proxy to configure BIG-IQ authentication credentials for iHealth & Reports, refer to How do I get access to send QKView files for my managed devices to the F5 iHealth diagnostics server on support.f5.com.
If the proxy resides on a network subnet not directly connected to the DCD cluster, you must set up a static route for it. For details about configuring static routes, refer to the Routing requirements for four subnets article in the Planning a Centralized Management & Visibility Deployment guide on support.f5.com.

Replace the default SSL certificate on a BIG-IQ system

To perform the procedures discussed in this task, you must have Advanced Shell (bash) access to the BIG-IQ system with administrator credentials.
The BIG-IQ, data collection devices (DCDs), and BIG-IP devices all use SSL encryption to secure incoming communication. By default, F5 devices use a default, self-signed certificate to authenticate themselves. When you use these default certificates and a component attempts to connect to the BIG-IQ, your browser may refuse to connect or trigger a warning against a potentially insecure connection.
Instead, you might want to replace the default SSL certificate with either a new self-signed private key/certificate pair, or use a certificate issued by a trusted CA (Certificate Authority). Both of these options are detailed in the following article: K52425065 on support.f5.com.

Configure trusted certificates for outgoing SSL connections

If you plan to use the default certificates that reside on each F5 device for SSL verification, you need copies of those certificates on the local device you use to access the BIG-IQ before you begin.
By default, BIG-IQ does not validate the certificates of the hosts it connects to. If you have not explicitly enabled SSL certificate verification, you do not need to perform this task.
When you enable SSL certificate verification, the BIG-IQ attempts to validate the certificate for every host it initiates connections to (that is, the BIG-IQ HA peer, each data collection device (DCD), and each BIG-IP device). BIG-IQ validates the SSL certificate presented by the communicating host either against a list of certificates you provide (for example, self-signed certificates, or certificates issued by a corporate certificate authority), or against a list of publicly known CA certificates (typically the default certificates in the Java TrustStore).
For example, when SSL certificate verification is enabled, before you can add DCDs to the cluster, each DCD must present the certificate type you specify or the connection attempt fails. All the components in a BIG-IQ solution are equipped with a list of well-known certificate authorities, so if you choose that option, BIG-IQ recognizes them automatically. However, if you choose to provide your own certificates, then those SSL certificates must be available on each device that the BIG-IQ needs to communicate with (BIG-IQ HA peer, each DCD and each BIG-IP device).
  1. At the top of the screen, click System.
  2. On the left, click SSL CERTIFICATION VERIFICATION.
  3. For Verify Hosts, confirm that the Enabled check box is selected.
  4. Use Verify Using to specify the type of certificate to use for end-user host verification.
     • Well-known certificate authorities: BIG-IQ accepts certificates issued by any CA in its default trust store. If you choose this option, your task is complete.
     • Certificates I provide: BIG-IQ accepts only the certificates that you identify and import. If you import the certificate of a trusted CA, BIG-IQ will trust all certificates issued by that CA.
  5. Click Import.
  6. For Import Method, select Create New.
  7. Type a Name for the first certificate you are adding.
     It's good practice to use a name that distinguishes this certificate from others you import. BIG-IQ stores and identifies this certificate by the name you specify here. That is, if the certificate you are importing is currently named mycertificate.crt, but when you import it you name it f5.crt, BIG-IQ stores the certificate under the name you specified, f5.crt.
  8. From the Certificate Source list, select Upload File.
  9. Click the Choose File button, navigate to the certificate for the first component in your solution, and then click Open.
  10. Click Save.
     BIG-IQ adds the certificate to the list of trusted certificates it uses to validate the certificates of the hosts it connects to.
     You might have to refresh your screen to display the new certificate.
  11. Repeat steps 7 through 9 to add certificates for the remaining components in your system (each DCD, each BIG-IP, and the standby BIG-IQ). As you add each certificate, use a name that helps you identify which component it belongs to.
  12. Click Save & Close.
     The SSL Certificate Verification screen lists the certificates for all of the components in your BIG-IQ solution.

Restrict BIG-IQ access to clients using high-encryption SSL ciphers and protocols

You can control which SSL protocols and cipher suites the BIG-IQ supports on incoming connection requests. This control applies to both browser-based connection requests to the user interface and to REST API calls.
By default, the BIG-IQ allows incoming requests to use a large range of SSL protocols and ciphers for clients to connect to the user interface or for REST API calls. If you require a more restricted list of SSL protocols and ciphers, offering stronger security, you can modify the default lists BIG-IQ uses. Details about how and why you might want to restrict BIG-IQ user interface access to clients using SSL ciphers and protocols offering stronger encryption are provided in this article: K17007 on support.f5.com.