Applies To: BIG-IP APM 12.0.0
Maintaining OPSWAT Libraries with a Sync-Failover Device Group
Overview: Updating antivirus and firewall libraries with a Sync-Failover device group
This implementation describes how to upload antivirus and firewall libraries from OPSWAT to one BIG-IP® Access Policy Manager® device, and to install an antivirus and firewall library to that device, or to multiple devices in a device group.
To download OPSWAT OESIS library updates, you must download the OPSWAT hotfix from the F5 Downloads site.
To synchronize installation between multiple devices, you configure a Sync-Failover device group, which includes the devices between which you want to synchronize installation of updates. Device group setup requires establishing trust relationships between devices, creating a device group, and synchronizing settings.
About device groups and synchronization
When you have more than one BIG-IP® device in a local trust domain, you can synchronize BIG-IP configuration data among those devices by creating a device group. A device group is a collection of BIG-IP devices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certain devices from ConfigSync, you can simply exclude them from membership in that particular device group.
You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizing other data in a more granular way, on an individual application level to a subset of devices.
Before you configure device trust
Before you configure device trust, you should consider the following:
- Only version 11.x or later systems can join the local trust domain.
- You can manage device trust when logged in to a certificate signing authority only. You cannot manage device trust when logged in to a subordinate non-authority device.
- If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group.
- As a best practice, you should configure the ConfigSync and mirroring addresses on a device before you add that device to the trust domain.
Task summary
The configuration process for a BIG-IP® system entails adding the OPSWAT library update to one system, then installing it to that same system, or to a device group. You must pre-configure a device group to install the update to multiple systems.
Task list
Establishing device trust
Before you begin this task, verify that:
- Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.
- The local device is designated as a certificate signing authority.
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
- On the Main tab, click Peer List or Subordinate List. , and then either
- Click Add.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
  - If the BIG-IP device is an appliance, type the management IP address for the device.
  - If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
  - If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
  - If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Click Retrieve Device Information.
- Verify that the certificate of the remote device is correct.
- Verify that the management IP address and name of the remote device are correct.
- Click Finished.
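One way to carry out the certificate verification step above, shown as an added example that is not part of the original F5 documentation. It assumes you recorded the remote device certificate's SHA-256 fingerprint out of band and have the certificate presented during retrieval as PEM text; the function names and sample data are hypothetical.

```python
import hashlib
import hmac
import re
import ssl


def cert_fingerprint(pem: str) -> str:
    """Return the SHA-256 hex digest of the first certificate block in `pem`."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:...', space-separated or plain hex; return lowercase hex."""
    hex_only = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return hex_only


def certificate_matches(presented_pem: str, recorded_fingerprint: str) -> bool:
    """True only if the presented certificate hashes to the recorded value."""
    expected = normalize_fingerprint(recorded_fingerprint)
    actual = cert_fingerprint(presented_pem)
    return hmac.compare_digest(actual, expected)


# Constructed sample data: placeholder bytes stand in for a device
# certificate. They are not a real DER certificate or a real fingerprint.
SAMPLE_DER = b"constructed bytes standing in for the Bigip_2 device certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
RECORDED = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())

if __name__ == "__main__":
    ok = certificate_matches(SAMPLE_PEM, RECORDED)
    print("certificate matches recorded fingerprint:", ok)
```

A mismatch means the certificate retrieved is not the one recorded for that device, so trust should not be completed until the difference is explained.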
Adding a device to the local trust domain
- On the Main tab, click Peer List or Subordinate List. , and then either
- In the Peer Authority Devices or the Subordinate Non-Authority Devices area of the screen, click Add.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
  - If the BIG-IP device is an appliance, type the management IP address for the device.
  - If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
  - If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
  - If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Click Retrieve Device Information.
- Verify that the displayed information is correct.
- Click Finished.
Creating a Sync-Failover device group
This task establishes failover capability between two or more BIG-IP® devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.
Repeat this task for each Sync-Failover device group that you want to create for your network configuration.
Manually synchronizing the BIG-IP configuration
Uploading an OPSWAT update to Access Policy Manager
Installing an OPSWAT update on one or more Access Policy Manager devices
Viewing supported products in the installed OPSWAT EPSEC version
- To view the details for the current device group:
- To view the details for another device group or another OESIS version:
Implementation result
To summarize, you now have uploaded an OPSWAT update to one BIG-IP® system, and installed it to one system, or to multiple systems in a device group.
You can view the installed and available OPSWAT versions on the
screen.