Manual Chapter: How do I evaluate changes made to managed objects?

Applies To:

BIG-IQ Centralized Management

  • 8.4.0

How do I evaluate changes made to managed objects?

To change the object settings on a managed device, there are four tasks to perform.

This figure illustrates the workflow for managing the objects on BIG-IP devices. Evaluating the changes you have made is the third step in this process.

Overview of evaluating changes made to managed objects

Note: If you need to make an urgent change, you can skip the evaluation step. However, we highly recommend evaluation in all but emergency situations. See Making an urgent deployment for details.

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. At the left, under EVALUATE & DEPLOY, click Access.

    The screen opens a list of Access evaluations and deployments that have been created on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. Type a Name and an optional Description for the evaluation task you are creating.

  5. Type a brief Description for the evaluation task you are creating.

  6. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. For the Unused Objects setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.

    • If you do not want the system to delete unused objects, select Keep Unused Objects.
    • If you want the system to delete objects not referenced (directly or indirectly) by an object, leave Remove Unused Objects (the default) selected.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
  8. To deploy an Access configuration with associated LTM objects, for Supporting Objects, select Include associated LTM Objects.

  9. In the Target settings, from the Group list, select the Access group that you want to evaluate.

    Devices in the group display in the field.

  10. Move the devices that you want to evaluate to the Selected list.

    • If you are evaluating a device that is a member of a cluster that is set to initiate BIG-IP DSC sync at deployment, you can select either member of the HA pair.
    • If you are evaluating a device that is a member of a cluster that is set to ignore BIG-IP DSC sync, you should select both devices in the cluster.
  11. If you want to apply access policies on each BIG-IP device after deployment, select Automatically apply policies after deployment.

  12. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.

      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error. For additional detail on pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

  13. If the evaluation shows that you must evaluate and deploy Local Traffic configurations, do that before you deploy this evaluation.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. Under EVALUATE & DEPLOY, select DNS.

    The screen opens a list of DNS evaluations and deployments that have been created on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. Type a Name and an optional Description for the evaluation task you are creating.

  5. Type a brief Description for the evaluation task you are creating.

  6. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
  8. In the Target area, specify how you want to deploy these changes.

    • To deploy the changes to specific devices, click Deploy to Devices. Then move the devices you want from the Available list to the Selected list.
    • To deploy the changes to all devices in one or more sync groups, click Deploy to Sync Groups. Then move the sync groups you want from the Available list to the Selected list.
  9. If you decide you want to remove one of the objects selected for deployment, you can select it and then click Remove.

  10. Click the Create button at the bottom of the screen.

    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.

  11. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.

      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error. For additional detail on pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. On the left, under EVALUATE & DEPLOY, select Fraud Protection.

    The screen displays a list of Fraud Protection evaluations and deployments defined on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. Type a Name and an optional Description for the evaluation task you are creating.

  5. Type a brief Description for the evaluation task you are creating.

  6. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. For the Unused Objects setting, specify whether you want the system to delete unused objects from the BIG-IP devices that you are deploying changes to.

    • If you do not want the system to delete unused objects, select Keep Unused Objects.
    • If you want the system to delete objects not referenced (directly or indirectly) by an object, leave Remove Unused Objects (the default) selected.

    To understand what an unused object is, consider the following example:

    There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

    • AddressList-a is referenced by a policy that in turn is referenced by a firewall context.
    • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
  8. For Target Devices, select the devices that you want to deploy changes to, and move the ones you want from the Available list to the Selected list.

  9. Click the Create button at the bottom of the screen.

    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.

  10. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. Click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. Click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

    4. When you finish reviewing the differences, click Cancel.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. Under EVALUATE & DEPLOY, select Local Traffic & Network.

    The screen opens a list of LTM evaluations and deployments that have been created on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. If the device to which you are deploying these changes is in a silo as part of a conflict resolution workflow, select that Silo here; otherwise, leave the default setting.

  5. Type a Name and an optional Description for the evaluation task you are creating.

  6. Type a brief Description for the evaluation task you are creating.

  7. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  8. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either All Changes or Partial Changes).

    If you choose to do a partial deployment, the screen displays additional controls.

    Important: If you select All Changes, skip the rest of this step.

    1. If you want to evaluate changes only to the selected objects, for Supporting Objects, clear the Include check box. It is almost always best to evaluate changes to the associated objects, as well.

      Important: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic objects, the trees are equally complex and just as vital to include.

      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to evaluate changes.

    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.

      Note: If you include objects in a deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.

    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.

    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.

    6. Under Target Device(s), click Find Relevant Devices.

      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, then BIG-IP1 will appear in the list of devices that you can deploy changes to.

      BIG-IQ lists all devices to which you can deploy the selected objects.

    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.

  9. If you selected All Changes, there are a couple of extra options to specify.

    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

      To understand what an unused object is, consider the following example:

      There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

      • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.

      Important: If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.

  10. Click the Create button at the bottom of the screen.

    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.

  11. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.

      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error. For additional detail on pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.
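
The unused-object rule and the supporting-objects note in the procedure above both come down to walking object references. The following is an added example, not BIG-IQ code or output: it previews which objects a Remove Unused Objects deployment would treat as unused, and which supporting objects a partial deployment pulls in. The inventory is constructed, every name other than AddressList-a and AddressList-b is hypothetical, and treating firewall contexts as the in-use anchors is an assumption; the evaluation that BIG-IQ produces remains the authority.

```python
from collections import deque

# Constructed inventory (not BIG-IQ output): each object maps to the objects
# it references. AddressList-a and AddressList-b are the page's example names;
# every other name is invented for this illustration.
REFERENCES = {
    "FirewallContext-1": ["Policy-1"],
    "Policy-1": ["RuleList-1", "AddressList-a"],
    "RuleList-1": ["PortList-1"],
    "PortList-1": [],
    "AddressList-a": [],
    "AddressList-b": [],
    # Two lists that reference only each other: each has a referrer, yet
    # neither is attached to anything that is in use.
    "AddressList-c": ["AddressList-d"],
    "AddressList-d": ["AddressList-c"],
}

# Assumption: firewall contexts are in use by definition and anchor the walk.
ANCHORS = ["FirewallContext-1"]


def reachable(references, starts):
    """Return every object reachable from `starts` by following references.

    The `seen` set makes the walk terminate on reference cycles.
    """
    seen = set()
    queue = deque(starts)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(references.get(name, ()))
    return seen


def unused_objects(references, anchors):
    """Objects not referenced, directly or indirectly, from any anchor."""
    return sorted(set(references) - reachable(references, anchors))


def removal_preview(references, anchors):
    """Map each unused object to the (also unused) objects that reference it.

    An empty list means nothing references the object at all; a non-empty
    list means its only referrers are themselves unused.
    """
    preview = {}
    for name in unused_objects(references, anchors):
        preview[name] = sorted(
            owner
            for owner, targets in references.items()
            if name in targets and owner != name
        )
    return preview


def supporting_objects(references, selected):
    """Objects the selected object depends on, at any depth."""
    return sorted(reachable(references, [selected]) - {selected})


if __name__ == "__main__":
    print("Would be treated as unused:")
    for name, referrers in removal_preview(REFERENCES, ANCHORS).items():
        reason = ("no referrers" if not referrers
                  else "only referenced by unused: " + ", ".join(referrers))
        print(f"  {name} ({reason})")
    print("Supporting objects of Policy-1:",
          ", ".join(supporting_objects(REFERENCES, "Policy-1")))
```

Comparing a preview like this with the change list in the evaluation is a quick way to decide whether Keep Unused Objects is needed for staged objects that are not yet attached to a policy.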

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. Under EVALUATE & DEPLOY, select Network Security.

    The screen opens a list of Network Security evaluations and deployments that have been created on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. Type a Name and an optional Description for the evaluation task you are creating.

  5. Type a brief Description for the evaluation task you are creating.

  6. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either All Changes or Partial Changes).

    If you choose to do a partial deployment, the screen displays additional controls.

    Important: If you select All Changes, skip the rest of this step.

    1. If you want to evaluate changes only to the selected objects, for Supporting Objects, clear the Include check box. It is almost always best to evaluate changes to the associated objects, as well.

      Important: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment.

      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to deploy changes.

    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.

      Note: If you include objects in a deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.

    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.

    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.

    6. Under Target Device(s), click Find Relevant Devices.

      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, then BIG-IP1 will appear in the list of devices that you can deploy changes to.

      BIG-IQ lists all devices to which you can deploy the selected objects.

    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.

  8. If you selected All Changes, there are a couple of extra options to specify.

    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

      To understand what an unused object is, consider the following example:

      There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

      • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.

      Important: If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.

  9. Click the Create button at the bottom of the screen.

    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.

  10. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.

      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error. For additional detail on pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.

Evaluating your changes gives you a chance to spot critical errors and review your revisions one more time before deploying them.

  1. At the top of the screen, click Deployment.

  2. Under EVALUATE & DEPLOY, select Shared Security.

    The screen opens a list of Shared Security evaluations and deployments that have been created on this device.

  3. Under Evaluations, click Create.

    The New Evaluation screen opens.

  4. Type a Name and an optional Description for the evaluation task you are creating.

  5. Type a brief Description for the evaluation task you are creating.

  6. For the Source, select what you want to evaluate.

    • When you want to compare the object settings currently on the managed device with the object settings in the pending version, select Current Changes.
    • When you want to compare the object settings currently on the managed device with the object settings in a stored snapshot, select Existing Snapshot, then choose the snapshot you want to use.
  7. Determine the Source Scope; that is, choose whether you want to evaluate all of the changes from the selected source, or specify which changes to evaluate (either All Changes or Partial Changes).

    If you choose to do a partial deployment, the screen displays additional controls.

    Important: If you select All Changes, skip the rest of this step.

    1. If you want to evaluate changes only to the selected objects, for Supporting Objects, clear the Include check box. It is almost always best to evaluate changes to the associated objects, as well.

      Important: The objects that you manage using BIG-IQ depend on associations with other, supporting objects. These object associations form relationship trees that are sometimes quite complex. Generally, when you deploy a change to a managed object, it is a very good idea to include these supporting objects in the deployment. This diagram illustrates a typical relationship tree for a Network Services managed object. For Local Traffic or Web Application Security objects, the trees are equally complex and just as vital to include.

      Network Services supporting objects tree
    2. Under Available, select the object type for which you want to deploy changes.

    3. From the list of objects, select the ones that you want to deploy, and move them to the Selected list.

      Note: If you include objects in a deployment that have not been changed, the unchanged objects are not deployed to your BIG-IP device. Only objects that have been changed are deployed.

    4. If you want to include additional object types in this deployment, repeat the last two sub-steps (steps 3 and 4) for each object type.

    5. If you add an object to the deployment and then change your mind, you can move it back to the Available list.

    6. Under Target Device(s), click Find Relevant Devices.

      Note: The objects you select for deployment determine which devices display in the Available list. You cannot deploy a device-specific object (like a pool) to a device on which it does not already exist. You can deploy a shared object (like a profile) to a device on which it does not exist, as long as the shared object is referenced by an object on that device. For example, consider a device (BIG-IP1) with a virtual server (Virt1). If you add a profile named Pro1 to Virt1, then BIG-IP1 will appear in the list of devices that you can deploy changes to.

      BIG-IQ lists all devices to which you can deploy the selected objects.

    7. From the list of relevant devices, select the devices that you want to deploy these changes to, and move them to the Selected list.

  8. If you selected All Changes, there are a couple of extra options to specify.

    1. Specify whether you want unused objects to be deleted from the BIG-IP devices to which you are deploying changes. If you do not want unused objects to be deleted, select Keep Unused Objects.

      To understand what an unused object is, consider the following example:

      There are two address lists on the BIG-IP device to which you are about to deploy changes (AddressList-a and AddressList-b).

      • AddressList-a is referenced by a policy that is in turn referenced by a firewall context.
      • AddressList-b is not referenced (directly or indirectly) by any objects. If you leave Remove Unused Objects (the default) selected, then when you deploy changes to the BIG-IP device, AddressList-b is deleted. If you don’t want it deleted, select Keep Unused Objects.
    2. From the Available list under Target Devices, select the devices to which you want to deploy changes, and move them to the Selected list.

      Important: If you deploy changes to a device in a DSC cluster, you must make changes to all devices in the cluster before you can create the evaluation.

  9. Click the Create button at the bottom of the screen.

    The system adds the new evaluation to the list, and analyzes the changes for errors. When the configuration evaluation finishes, you see how many changes or errors the evaluation found.

  10. Review the evaluation to determine whether you are going to deploy it.

    1. If there are critical errors, you cannot deploy these changes. In the Critical Errors column, click each error to see what it is, and then go back to where you made the change to fix it.

      After resolving any critical errors, you can come back and repeat the evaluation.

    2. If there are verification warnings, you can still deploy your changes, but you will probably want to resolve the warnings first. In the Verification Warnings column, click each warning to see what it is, and then go back to where you made the change to fix it.

      After resolving any verification warnings, you can come back and repeat the evaluation.

    3. If there are no critical errors or verification warnings, review the changes by clicking the view link.

      Each change is listed. You can review each one by clicking the name.

      Note: When you create an evaluation to deploy an ASM or AFM object that is referenced by a Local Traffic & Network object, it can trigger a verification error. This occurs for a few related object types that require manual intervention before you can deploy objects that reference them. To deploy these objects, you must deploy the related object and the object that references it using the Local Traffic & Network user interface. In some cases, before you deploy, you need to pin the related object to a pinning policy that establishes the relationship between a device and that object.

      • If you get a verification error that requires a Local Traffic & Network deployment, use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error.
      • If you get a verification error with a Pin Object button that requires a Local Traffic & Network deployment, click the button to associate the two objects, and then use the partial deployment option to deploy the Local Traffic & Network object. After you complete the partial deployment, you can complete the deployment that triggered the error. For additional detail on pinning related objects, refer to Managing Object Pinning in F5 BIG-IQ Centralized Management: Security on support.f5.com.
    4. When you finish reviewing the differences, click Cancel.

Before BIG-IQ applies these just-evaluated object changes to the managed device, you must deploy them. Refer to Deploy configuration changes for instructions.
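
The unused-object example in step 8 and the supporting-objects tree in step 7 both come down to following references between objects. The following Python sketch is an added example, not BIG-IQ code or its algorithm: it models the AddressList-a/AddressList-b case on a constructed reference graph, and the object names other than the two address lists, the graph shape, and the treatment of firewall contexts as always-in-use roots are assumptions.

```python
from collections import deque

# Constructed reference graph: each object maps to the objects it references.
# AddressList-a and AddressList-b follow the manual's example; every other
# name, and the choice of firewall contexts as roots, is an assumption.
REFERENCES = {
    "firewall-context:global": ["policy:Policy-1"],
    "policy:Policy-1": ["rule-list:Rules-1", "address-list:AddressList-a"],
    "rule-list:Rules-1": ["port-list:Ports-1"],
    "address-list:AddressList-a": [],
    "address-list:AddressList-b": [],
    "port-list:Ports-1": [],
}
ROOT_PREFIXES = ("firewall-context:",)


def reachable(graph, starts):
    """Return every object reachable from starts by following references."""
    seen, queue = set(), deque(starts)
    while queue:
        obj = queue.popleft()
        if obj in seen:
            continue  # already visited; also guards against reference cycles
        seen.add(obj)
        queue.extend(graph.get(obj, []))
    return seen


def unused_objects(graph, root_prefixes=ROOT_PREFIXES):
    """Objects no root references directly or indirectly (removal candidates)."""
    roots = [obj for obj in graph if obj.startswith(root_prefixes)]
    return sorted(set(graph) - reachable(graph, roots))


def supporting_objects(graph, selected):
    """Objects the selected ones depend on, excluding the selection itself."""
    return sorted(reachable(graph, selected) - set(selected))


if __name__ == "__main__":
    print("Removal candidates:", unused_objects(REFERENCES))
    print("Supporting objects for Policy-1:",
          supporting_objects(REFERENCES, ["policy:Policy-1"]))
```

Objects that reference only each other, with no path from a root, are also reported as unused, which is what "directly or indirectly" implies in this model.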