Manual Chapter : Maintaining OPSWAT Libraries with a Sync-Failover Device Group

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter
 

Overview: Updating antivirus and firewall libraries with a Sync-Failover device group

This implementation describes how to upload antivirus and firewall libraries from OPSWAT to one BIG-IP® Access Policy Manager® device, and to install an antivirus and firewall library to that device, or to multiple devices in a device group.

To download OPSWAT OESIS library updates, you must download the OPSWAT hotfix from the F5 Downloads site.

To synchronize installation between multiple devices, you configure a Sync-Failover device group, which includes the devices between which you want to synchronize installation of updates. Device group setup requires establishing trust relationships between devices, creating a device group, and synchronization of settings.

About device groups and synchronization

When you have more than one BIG-IP® device in a local trust domain, you can synchronize BIG-IP configuration data among those devices by creating a device group. A device group is a collection of BIG-IP devices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certain devices from ConfigSync, you can simply exclude them from membership in that particular device group.

You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizing other data in a more granular way, on an individual application level to a subset of devices.

Important: To configure redundancy on a device, you do not need to explicitly specify that you want the BIG-IP device to be part of a redundant configuration. Instead, this occurs automatically when you add the device to an existing device group.

Before you configure device trust

Before you configure device trust, you should consider the following:

  • Only version 11.x or later systems can join the local trust domain.
  • You can manage device trust when logged in to a certificate signing authority only. You cannot manage device trust when logged in to a subordinate non-authority device.
  • If you reset trust authority on a certificate signing authority by retaining the authority of the device, you must subsequently recreate the local trust domain and the device group.
  • As a best practice, you should configure the ConfigSync and mirroring addresses on a device before you add that device to the trust domain.

Task summary

The configuration process for a BIG-IP® system entails adding the OPSWAT library update to one system, then installing it to that same system, or to a device group. You must pre-configure a device group to install the update to multiple systems.

Task list

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.

  1. On the Main tab, click Device Management > Device Trust > Device Trust Members .
  2. Click Add.
  3. From the Device Type list, select Peer or Subordinate.
  4. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is an appliance, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  5. Click Retrieve Device Information.
  6. Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
  7. In the Name field, verify that the name of the remote device is correct.
  8. Click Add Device.
After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.

Adding a device to the local trust domain

Verify that each BIG-IP® device that is to be part of a local trust domain has a device certificate installed on it.
Follow these steps to log in to any BIG-IP® device on the network and add one or more devices to the local system's local trust domain.
Note: Any BIG-IP devices that you intend to add to a device group at a later point must be members of the same local trust domain.
  1. On the Main tab, click Device Management > Device Trust > Device Trust Members .
  2. Click Add.
  3. From the Device Type list, select Peer or Subordinate.
  4. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is an appliance, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  5. Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
  6. In the Name field, verify that the name of the remote device is correct.
  7. Click Add Device.
After you perform this task, the local device and the device that you specified in this procedure have a trust relationship and, therefore, are qualified to join a device group.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP® devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

  1. On the Main tab, click Device Management > Device Groups .
  2. On the Device Groups list screen, click Create.
    The New Device Group screen opens.
  3. In the Name field, type a name for the device group.
  4. From the Group Type list, select Sync-Failover.
  5. In the Description field, type a description of the device group.
    This setting is optional.
  6. From the Configuration list, select Advanced.
  7. For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list.
    The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. Also, for vCMP-provisioned systems on platforms that contain a hardware security module (HSM) supporting FIPS multi-tenancy, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
  8. From the Sync Type list:
    • Select Automatic with Incremental Sync when you want the BIG-IP system to automatically sync the most recent BIG-IP configuration changes from a device to the other members of the device group. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Select Manual with Incremental Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the latest BIG-IP configuration changes from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
    • Select Manual with Full Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the full set of BIG-IP configuration data from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  9. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.
    This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  10. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity. This is the default value and is required for active-active configurations.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  11. In the Link Down Time on Failover field, use the default value of 0.0, or specify a new value.
    This setting specifies the amount of time, in seconds, that interfaces for any external VLANs are down when a traffic group fails over and goes to the standby state. Specifying a value other than 0.0 for this setting causes other vendor switches to use the specified time to learn the MAC address of the newly-active device.
    Important: This setting is a system-wide setting, and does not apply to this device group only. Specifying a value in this field causes the BIG-IP system to assign this value to the global bigdb variable failover.standby.linkdowntime.
  12. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Manually synchronizing the BIG-IP configuration

Before you perform this task, verify that device trust has been established and that all devices that you want to synchronize are members of a device group.
You perform this task when the automatic sync feature is disabled and you want to manually synchronize BIG-IP® configuration data among the devices in the device group. This synchronization ensures that any device in the device group can process application traffic successfully. You can determine the need to perform this task by viewing sync status in the upper left corner of any BIG-IP Configuration utility screen. A status of Changes Pending indicates that you need to perform a config sync within the device group.
Important: You can log into any device in the device group to perform this task.
  1. On the Main tab, click Device Management > Overview .
  2. In the Device Groups area of the screen, click the arrow next to the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, choose a device.
  4. In the Sync Options area of the screen, choose an option:
    Option Description
    Push the selected device configuration to the group Select this option when you want to synchronize the configuration of the selected device to the other device group members.
    Pull the most recent configuration to the selected device Select this option when you want to synchronize the most recent configurations of one or more device group members to the selected device.
  5. Click Sync.
After you initiate a manual config sync, the BIG-IP system compares the configuration data on the local device with the data on each device in the device group, and synchronizes the most recently-changed configuration data from one or more source devices to one or more target devices. Note that the system does not synchronize non-floating self IP addresses.

Uploading an OPSWAT update to Access Policy Manager

When new updates to OPSWAT antivirus and firewall libraries are made available, you can add these updates to the BIG-IP® system. To upload an update to the BIG-IP system, you must first download the OPSWAT hotfix from the F5 Downloads site.
  1. On the Main tab, click System > Software Management > Antivirus Check Updates .
    The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
  2. Click the Upload button to add an OPSWAT update.
    The Upload Package screen appears.
  3. Click Browse and select an OPSWAT package ZIP file to upload.
  4. Select an install option from the list.
    • Select Do Not Install to upload the package to the local device, but without installing the OPSWAT package on the system.
    • Select Install on this device to upload the package to the local device, and then install the OPSWAT package to this device.
    • Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
  5. Click OK.
The OPSWAT package file is added to the list on the Antivirus Check Updates screen. You can install or delete OPSWAT packages from this page.

Installing an OPSWAT update on one or more Access Policy Manager devices

After you have uploaded an OPSWAT antivirus and firewall library update to the BIG-IP® system, you can install the update to one or more BIG-IP systems in a device group.
  1. On the Main tab, click System > Software Management > Antivirus Check Updates .
    The Antivirus Check Updates screen displays a list of OPSWAT packages available on the device.
  2. Double-click an OPSWAT package to view details about the update and included firewall or antivirus libraries.
  3. Select an OPSWAT package and click Install.
    The Install Package screen opens.
  4. Select Install on device group to upload the package to the local device, and then install the OPSWAT package on the device group. A list of available device groups appears, and you can select the device group on which to install.
  5. Click Ok.
The OPSWAT update is installed on the selected systems. You can view the installed and available OPSWAT versions on the Software Management > Antivirus Check Updates screen.

Viewing supported products in the installed OPSWAT EPSEC version

You can always view details about any installed OPSWAT version, including supported antivirus, firewall, anti-spyware, hard disk encryption, peer-to-peer software, patch management software, and Windows Health Agent features for supported platforms.
  1. To view the details for the current device group:
    1. Click the F5® logo to go to the start (Welcome) page.
    2. In the Support area, click the OSWAT application integration support charts link.
      The OPSWAT Integration web page opens in a new browser tab or window. By default, this page shows Antivirus Integration for Windows.
    3. From the lists at the top of the screen, select the page to view. You can select the supported EPSEC feature, and you can select to view supported products for Windows, Mac, or Linux.
    4. Click the Show button to view the list of supported products for the type and platform you selected.
  2. To view the details for another device group or another OESIS version:
    1. On the Main tab, click System > Software Management > Antivirus Check Updates .
      The Package Status screen displays a list of OPSWAT packages available on the device.
    2. Click the Device EPSEC Status button.
      The Device EPSEC Status screen appears and shows the installed OPSWAT version.
    3. To select a different device group on which to view the installed OPSWAT version, select the device group from the Local Device/Device Group list.
    4. Under Installed OESIS version, click the version number for which you want to view the OPSWAT features chart.
      The OPSWAT Integration web page opens in a new browser tab or window. By default, this page shows Antivirus Integration for Windows.
    5. From the lists at the top of the screen, select the page to view. You can select the supported EPSEC feature, and you can select to view supported products for Windows, Mac, or Linux.
    6. Click the Show button to view the list of supported products for the type and platform you selected.

Implementation result

To summarize, you now have uploaded an OPSWAT update to one BIG-IP® system, and installed it to one system, or to multiple systems in a device group.

You can view the installed and available OPSWAT versions on the Software Management > Antivirus Check Updates screen.