Manual Chapter : View and Edit the Access Configuration

Applies To:


BIG-IQ Centralized Management

  • 6.0.0

Work with device-specific resources

Find, edit, and share device-specific resources with the Access module of BIG-IQ® Centralized Management.

Find a device-specific resource

BIG-IQ Centralized Management allows you to find a device-specific resource by searching for it in the search field, or under the specific device to which it belongs.
  1. To search for a resource among the shared resources, click the question mark at the top right of the screen.
  2. In the Search field, type all or part of the name of the object, and press Enter.
    The Search screen displays each shared object type, with the number of matching resources it has found, marked in parentheses. For example, ACCESS PROFILES (1), PORTAL ACCESS (0), and so on.
  3. To search among device-specific resources, expand the Access group name, click the name of a device, then use the Filter field to sort the resources.
  4. If you do not know the name of the resource, browse through the shared resource types and the device-specific resource types for each device until you find it.

Edit a device-specific resource

BIG-IQ Centralized Management allows you to update the properties of a device-specific resource in the working configuration.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. In the Access Groups screen, click the name of an Access group.
    The screen displays a list of resource types.
  3. Expand the resource types and select the particular type of resource that you want to change.
    A screen displays a list of resources.
  4. Click the name of the resource that you want to edit.
    The properties screen for that resource opens.
  5. Edit the resource properties.
    Note: Click the question mark (?) icon for help on each property.
  6. Click Save.
The change is distributed to the BIG-IP device when you deploy the configuration.

Share a device-specific resource

BIG-IQ Centralized Management allows you to make a device-specific resource act like a shared resource.
Note: When you make a device-specific resource shared, the resource takes the properties defined for it on the source device.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Select an existing Access group.
  3. Select the type of resource that you want to change.
    The screen displays a list of resources of that type on the right.
  4. From the list, select the check box for the resource that you want to make shared.
  5. Click Mark Shared.
    The resource no longer displays on the list of device-specific resources.
You can now find the resource on the Shared resources list.

Return a shared resource to device-specific resources

If you made a device-specific resource into a shared resource, you can return it to device-specific resources and configure its properties for each device in the Access group.
Note: Device-specific resources are a system-defined subset of shared resources. Not all shared resources can be made device-specific.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Select an existing Access group.
  3. Select the type of resource that you want to change.
    The screen displays a list of resources of that type on the right.
  4. From the list, select the resource that you want to return to its device-specific state.
  5. Click Make Device Specific.
    The resource no longer displays on the list of shared resources.
The resource is now located with the device in Device-specific resources.
You can now change the resource properties to meet the device-specific requirements that you have.

What local traffic objects does Access support?

In BIG-IQ® Centralized Management, you can associate various local traffic objects with the Access configuration without manually configuring those objects on individual BIG-IP® devices before deploying the Access configuration to them. You must create these objects in either the BIG-IQ local traffic component or in BIG-IP local traffic:

  • Virtual Server
    • You can configure the BIG-IQ-specific sections of a virtual server in the BIG-IQ system. This includes configuring Access profiles, connectivity profiles, per-request policies, VDI profiles, enabling App Tunnels, enabling OAM support, and the PingAccess profile.
    • You can configure the SAML artifact resolution service with the virtual server for each BIG-IP device in BIG-IQ Access.
  • SSL Certificate and SSL Key
    • On the BIG-IP device, you can export the certificate and key files for each CERT and KEY object, and manually import them to the same object in BIG-IQ system.
    • On the BIG-IP device, you can configure SAML, the SAML IdP Connector, and the OCSP Responder with an SSL Cert and SSL Key.
    • You can configure OamAccessGate for each device with SSL Key and Cert in BIG-IQ system.
  • Net Tunnels Fec
    • You can create the connectivity profile on a BIG-IP device with a Fec profile.
    • A Net Tunnels Fec profile must be associated with a connectivity profile in BIG-IQ, and deployed to the other devices in the Access group.
  • Route Domains
    • You can create route domains for each BIG-IP device in BIG-IQ system.
    • You can configure the Route Domain Selection Agent for each BIG-IP device in BIG-IQ system by editing the Access policy.
  • iRules
    • You can create iRules® in BIG-IP Access, and configure them in the virtual server.
    • If you are using iRules in an OAuth server, create the iRule first, then associate the OAuth server in the BIG-IP device.
  • DNS Resolver
    • You can create DNS resolvers in either the BIG-IP device or BIG-IQ system.
    • The best practice is to create the DNS resolver in the BIG-IP device, then associate the DNS resolver with the OAuth server.
  • SSL Client Profile and HTTP Profile
    • You can create either profile in BIG-IQ system, and configure it in the local traffic virtual server.
  • Server SSL Profile
    • You can create this in either the BIG-IP device or in BIG-IQ system.
    • The best practice is to create the server SSL profile in the BIG-IP device, and associate it with the SAML IdP connector.
    • You can configure LDAP and Endpoint Management systems with a server SSL profile in either the BIG-IP device or in BIG-IQ system.
  • Rewrite Profile and Classification Profile
    • You must create these in the BIG-IP device.
    • You can associate both these profiles with the local traffic virtual server in the BIG-IQ system.
    • You can associate the rewrite profile in portal mode with the Access group virtual server in the BIG-IQ system.
  • Import SSL Keys and Certs
    • These are used in SAML configurations, SAML IdP connectors, OAM access gates, and OCSP responders.
  • CA Profile
    • This is used in MachineCertAuthAgent.
    • Configure the CA Profile in BIG-IP, import it, and deploy it to the other devices in the Access group.
    • Associate the CA Profile with the Machine Cert Auth agent in either BIG-IP or BIG-IQ.
  • SMTP Server
    • This is used in email agents.
    • Configure the SMTP Server and associate it with the Email Agent in a policy in BIG-IP, then import and deploy it to the other devices in the Access group.
    • If you add the email agent to the access policy in BIG-IQ, create the SMTP Server in BIG-IQ if one does not exist, and then choose it in the email agent.

For more information about configuring BIG-IQ local traffic objects, refer to the online help, and to the guide, F5 BIG-IQ Centralized Management: Local Traffic & Network.

Edit a virtual server

You must create a virtual server in BIG-IP LTM. The created virtual servers are listed in the Access group for the corresponding Access group devices. You must manually configure a virtual server for each device in the Access group. During deployment, you must deploy the Access-specific virtual server properties.
A virtual server is an LTM resource that you can configure in BIG-IQ Access.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. In the Access Groups screen, click the name of an Access group.
    The screen displays a list of resource types.
  3. Expand the resource types and select the particular type of resource that you want to change.
    A screen displays a list of resources.
  4. Click Virtual Server.
    The Virtual Server (Device-specific) screen displays on the right.
  5. Select an existing virtual server to edit.
    A new screen displays.
  6. Type a description.
  7. From the Access Profile list, select a profile for managing secure access.
  8. From the Connectivity Profile list, select a profile for managing specific connection options for a secure access connection.
  9. From the Per Request Policy list, select an already configured per-request policy.
  10. From the VDI Profile list, select a VDI profile for use when you want to provide connections to virtual desktop resources.
  11. For Application Tunnels (Java & Per App VPN), select the check box to support connections from Java applications or to support a SOCKS tunnel from an iOS mobile device that initiates per-app VPN.
  12. For OAM Support, select the check box to provide native integration with the OAM server for authentication and authorization.
  13. For ADFS Proxy, select this check box to use this virtual server in an APM ADFS proxy configuration.
    For more information, see the "BIG-IP Access Policy Manager: Third-Party Integration" guide on the AskF5 website.
  14. From the PingAccess Profile list, select an already configured Ping Access Profile for authentication with a Ping Access policy server.
  15. From the Rewrite Profile list, select a rewrite profile to rewrite web application data or to perform URI translation with the reverse proxy.
You have configured a virtual server.

Where are local traffic objects supported in Access?

This table describes the relationship between local traffic objects and APM objects. Specifically, this explains which local traffic objects are used in which Access objects.

Table 1. Which Access objects use which Local Traffic objects?

LTM Object         | Access Object
-------------------|------------------------------------------------------------
Virtual server     | Artifact Resolution Service; OAM Access gate
SSL Key            | SAML; SAML IdP connector; OAM Access gate; OCSP Responder
SSL Cert           | SAML; SAML IdP connector; OAM Access gate; OCSP Responder
SNAT Pool          | Network Access; Route Domain Selection Agent
Server SSL Profile | Endpoint management system; LDAP; SAML IdP connector
Net Tunnels Fec    | Connectivity Profile
Route Domain       | Route Domain Selection Agent
iRules             | iRule Event Agent; OAuth Server
DNS Resolver       | OAuth Server
Rewrite Profile    | Portal access
LogPublisher       | Access log settings; Classification profile
Preset             | Classification profile

About access policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. An access policy can be either a per-session policy or a per-request policy. You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile, using the Visual Policy Editor.

About per-session and per-request policies

Access in BIG-IQ® Centralized Management provides two types of policies.

Per-session policy
The per-session policy runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
Per-request policy
After a session starts, a per-request policy runs each time the client makes an HTTP or HTTPS request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.

One per-session policy and one per-request policy are specified in a virtual server.

View an access policy

After you've imported a device, you can view the access policies that are configured on it. An access policy is either a per-session policy or a per-request policy. In either case, an access policy is made up of policy items, such as Start, Logon, Deny, and macros. A macro is a sub-policy with a beginning, one or more policy items, and one or more endings.
Note: These policies are deployed to all the devices in the Access group. You can view the properties of the actions and the flow of actions in the policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles / Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Use the vertical and horizontal scrollbars to move to another section of the policy.
  7. To save your changes, click the Save button.
  8. To close the screen, click the Close button.

Create an access profile and per-session policy

You must create an access profile and its accompanying per-session policy before you can configure it in the visual policy editor.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles / Policies and click Per-Session Policies.
    The Per-Session Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  5. Click Create.
    The New Access Policy screen opens.
  6. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and per-request policy names.
  7. From the Profile Type list, select one of these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile.
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  8. From the Scope list, retain the default value or select another.
    • Profile: Gives a user access only to resources that are behind the same per-session profile. This is the default value.
    • Virtual Server: Gives a user access only to resources that are behind the same virtual server.
    • Global: Gives a user access to resources behind any per-session profile that has global scope.
  9. In the Language Settings area, add and remove accepted languages, and set the default language. This setting does not display if the profile type is RDG-RAP.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  10. To save and display the policy diagram, click the Save & Close button.
The policy name appears on the Per-Session Policies (Shared) screen.

Create a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles / Policies and click Per-Request Policies.
    The Per-Request Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  5. Click Create.
    The Create per-req policy screen opens.
  6. In the Name field, type a name for the policy and click Save.
    A per-request policy name must be unique among all per-request policy and access profile names.
The policy name appears on the Per-Request Policies (Shared) screen.

Edit an access policy

You can edit an existing access policy using the Access Visual Policy Editor (VPE) if the policy items are action, ending, or macro calls. Although Start and In are policy items, you cannot edit them. You can undo any edited actions, and if you cancel an editing session before saving, the Policy Editor makes no changes to the policy. However, some actions or objects cannot be undone or discarded. These include the following:
  • Creating a per-session policy macro.
  • Creating a per-request policy macro, subroutine, or subroutine macro.
  • Creating new endings or terminals
  • Deleting endings or terminals.
  • Changing macros or subroutine properties.
  • Modifying any policy ending or macro terminal.

These actions cannot be undone, and they cannot be performed while there are pending diagram changes.

  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Modify the policy by clicking the diagram to insert new items, modify existing items, delete items, or change endings.

    Undo returns you to the access policy before your most recent change.

    Redo allows you to redo an action you have undone.

    Revert returns the access diagram to the state before you made any changes to the diagram.

  7. Click Save.
    Saving the policy saves all changes in the policy diagram, including all workflows and modified macros. You can also discard pending changes and macros by clicking Discard.

Add a policy item

You can add a policy item using the Access Visual Policy Editor (VPE).
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Move your mouse over a policy branch, depicted by the blue line.
    An add icon (+) displays.
  7. Click the (+) icon.
    The Item Insertion Selection popup screen opens.
  8. From the selection list on the left, select the type of policy item.
    Example: Logon, or Authentication.
    The screen displays a list of policy items on the right.
  9. From either the Caption or Description list, select a policy item.
    Another popup screen with properties and branch rules opens.
  10. On the Properties tab, modify or fill in the fields.
  11. To add a new branch rule or select an existing rule from the list, on the Branch Rules tab, click Add.
  12. Click either Simple or Advanced, and modify the branch rule.
  13. Click the Save button.
The policy item displays in the VPE at the location on the policy branch where you clicked the add icon (+).

Add an action item or macro-call to a policy

You can modify an existing policy or sub-policy by adding action items and macro-calls. When you modify a sub-policy, such as a macro, all diagram operations (insertions, deletions, modifications, and branch swaps) work the same way as they do for a policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens. The macros that you can insert are in the Insertion dialog that displays when you click the + button.
  6. Hover your cursor over a branch line between two items.
    An add icon (+) displays.
  7. Click the (+) icon.
    The Item Insertion Selection popup screen opens.
  8. From the Item Insertion Selection screen, select a macro or an action item.
    A new screen opens if you select an action item.
  9. Fill in the relevant parameters and fields.
  10. Click Branch Rules.
  11. Click Add.
    The Branch Rules popup section displays more settings.
  12. On the left, select either Simple or Advanced to create a branch rule configuration.
  13. Fill in the relevant parameters and fields.
  14. Click OK.
    The new branch rule displays in the Branch Rules screen.
  15. Click the Save button.
    The Save button is only enabled if the form is valid.
The Access policy now includes the new action item.

Swap policy branches

When examining the policy workflow, you can swap one branch with another. Swapping branches is an easy way to change the policy workflow without deleting the existing branches and creating new ones. Swapping branches does not change the order of the branch rules, only the destinations of the two branches involved in the swap. When you move a branch, a highlighted bold blue line indicates that the swap is allowed. You cannot swap an agent's upstream branch with one of its downstream branches.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Click on a branch and hold your mouse button.
  7. Drag the branch up or down.
    A red dotted line previews where the branch ends up.
  8. Release your mouse button.
    The VPE displays an access policy with swapped branches.
  9. Click the Save button when you are done editing the policy.

About timeouts and crashes

During an editing session, if you remain inactive for a prolonged period of time, the session times out. Other times, the browser might freeze. In either case, you might have to prematurely terminate an editing session without a chance to save your changes. However, regardless of why you had to terminate a session, BIG-IQ® Centralized Management saves a draft of the policy and saves any unsaved macro when you make a modification. The next time you log in, locate the policy, and open the editing screen. The system notifies you that an unsaved draft exists, and prompts you to select whether you want to continue editing the draft or start over.

The system saves the change history in the draft, so actions such as Undo and Redo work for all changes you make before the session was interrupted. Lastly, if someone else was the previous editor, you can see the user and the time of the last edit. This allows you to choose whether or not to resume that person's editing session.

Per-Session and per-request policy comparison

The table summarizes per-session policy and per-request policy similarities and differences.

Feature | Per-Session policy | Per-request policy
--------|--------------------|-------------------
Supports macros | Yes | Yes
Requires that users click an Apply Access Policy link to go into effect | Yes | No
When run | At session start. | After the session is created, on every request.
Policy ending types | Allow, Deny, Redirect; endings apply to the session. | Allow, Redirect, Reject; endings apply to URL requests processed in the per-request policy. A Reject ending triggers the Deny ending in the access policy.
Supports variables | Creates session variables that are available throughout a session. | Reads available session variables. Creates per-flow variables that are available only while the per-request policy runs.

About access policy endings

An ending provides a result for an access policy branch. An ending for an access policy branch is one of three types.

Allow
Starts the SSL VPN session and loads assigned resources and a webtop, if assigned, for the user. Typically, you assign this when the user passes specific checks.
Deny
Disallows the SSL VPN session and shows the user an access denied web page. Typically, you assign this when the user does not have access to resources, or fails authentication. Alternatively, after a session starts, it shows a URL filter denied web page after a per-session policy rejects a request for a URL.
Redirect
Redirects the client to the URL specified in the ending configuration. You can define a redirect URL for each redirect ending. Typically, you can assign a redirect when the user requires remediation, or a separate resource. For example, a user who fails the antivirus check because virus definitions are out of date can be redirected to the software manufacturer's site to get an antivirus update.

What is a terminal?

A terminal is a sub-policy ending in an access policy. Differing from a policy ending, terminals do not have types and you can re-order them. The order of a terminal in a sub-policy determines the order of the branches in the macro-calls. Similar to policy endings, you can't create, change, or delete a terminal if there are pending changes in the policy.

Create a policy ending

Every branch in a workflow has one of three policy endings: Deny, Redirect, or Allow. Macro endings are called terminals. As with action items, you can create, modify, or delete endings. You must include at least one ending for a policy or a macro, with one ending as the default. The default ending cannot be deleted. If you delete an ending that is in-use, the ending changes to the default ending. Alternatively, you can assign an ending as the default ending.
Note: Creating a policy ending can only be done if there are no pending changes to the policy flows.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an Access policy.
    The VPE screen opens.
  6. At the top of the screen, click Edit Endings.
    The Manage Policy Endings popup screen opens.
  7. Click New.
    The popup screen displays New Ending settings.
  8. In the Name field, type a name for this policy ending.
  9. In the Color field, select a color that the Policy Editor displays to represent this policy ending.
  10. For the Type setting, select one of the options:
    • Success if the policy branch ends in success.
    • Fail if the policy branch ends in failure.
    • Redirect if the policy branch redirects to a new URL, and then type a valid URL in the URL field.
  11. Click Save.
  12. Click Close.
You have created a new policy ending.

Edit a policy ending

You can edit a policy ending by changing the color, caption, type, and redirect URL (if the sub-policy is a Deny ending).
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. On the left, click Access Groups.
    The Access Groups screen opens.
  4. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  5. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  6. Select an access policy.
    The VPE screen opens.
  7. At the top of the screen, click Edit Endings.
    The Manage Policy Endings popup screen opens.
  8. From the list under Policy Endings, select an existing ending.
    The popup screen displays configurable fields.
  9. In the Name field, type a name for this policy ending.
  10. In the Color field, select a color that the Policy Editor displays to represent this policy ending.
  11. For the Type option, select one of the options:
    • Success if the policy branch ends in success.
    • Fail if the policy branch ends in failure.
    • Redirect if the policy branch redirects to a new URL, and then type a valid URL in the URL field.
  12. If you are editing the Deny ending, modify the fields under Customization.
  13. Click Save.
  14. Click Close.
You have edited a policy ending.

Delete a policy ending

You can delete any policy ending except for the Deny ending.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, then click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. At the top of the screen, click Edit Endings.
    The Manage Policy Endings screen opens.
  7. From the list under Policy Endings, click the ending you want to delete.
    You cannot delete the Deny ending.
    An X button displays next to the ending.
  8. Click the X button.
    The Delete Diagram Component Confirmation popup screen opens.
  9. Click OK.
  10. Click Close.
You have deleted a policy ending.

About editing conflicts

If you and other users can edit a policy, then multiple users can attempt to modify the same policy at the same time, and changes made by another user can override yours. Access guards against this: if you open a policy while another user's editing session is still active, the system notifies you that you cannot make changes. The policy appears to you as read-only, and the warning message names the user who is currently editing it. You can then choose one of the following actions:
  • Contact the other editor.
  • Try again another time.
  • Take over the original user's session. You can then choose to save or discard the original user's changes or continue editing.
Note: When you choose a policy that has pending changes, the system displays a warning message telling you who the last editor was and when the last edit was made. You can then choose either to resume the editing session or to view the policy in read-only mode.
Note: If you choose to continue editing, the screen displays an orange line indicating that the policy has unsaved changes. The Details screen shows a summary of where the changes are.
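The session rules above (one editor at a time, read-only for everyone else, takeover with keep-or-discard, and a last-editor warning on a policy left with unsaved changes) are modeled in the following added example. It is illustration written for this page, not BIG-IQ code; the class and method names are assumptions.

```python
"""Model of the editing-session rules described above.

Added illustration, not BIG-IQ code. One user at a time holds a policy's
edit session; anyone else sees it read-only together with the current
editor's name; a second user may take the session over and keep or
discard the first user's unsaved changes; a policy left with unsaved
changes reports who last edited it and when. Class and method names are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class PolicyLocked(Exception):
    """Another user is editing; the policy is read-only for the caller."""


@dataclass
class PolicyEditor:
    saved: dict = field(default_factory=dict)     # committed policy
    pending: dict = field(default_factory=dict)   # unsaved edits
    active_editor: Optional[str] = None           # who holds the session
    last_editor: Optional[str] = None
    last_edit: Optional[datetime] = None

    def open(self, user: str) -> Optional[str]:
        """Start (or resume) an editing session for `user`.

        Raises PolicyLocked while someone else holds the session. Returns
        a warning naming the last editor and edit time when the policy
        carries unsaved changes from an earlier session, else None.
        To look without editing, call view() instead.
        """
        if self.active_editor not in (None, user):
            raise PolicyLocked(f"{self.active_editor} is editing this policy")
        warning = None
        if self.pending and self.active_editor is None:
            warning = (f"unsaved changes by {self.last_editor} "
                       f"at {self.last_edit.isoformat()}")
        self.active_editor = user
        return warning

    def edit(self, user: str, key: str, value) -> None:
        """Record an unsaved change; the policy now has pending edits."""
        self.open(user)
        self.pending[key] = value
        self.last_editor = user
        self.last_edit = datetime.now(timezone.utc)

    def view(self) -> dict:
        """Read-only view: committed policy with unsaved edits applied on top."""
        return {**self.saved, **self.pending}

    def save(self, user: str) -> dict:
        """Commit pending edits and release the session."""
        self.open(user)
        self.saved.update(self.pending)
        self.pending.clear()
        self.active_editor = None
        return dict(self.saved)

    def discard(self, user: str) -> dict:
        """Throw pending edits away and release the session."""
        self.open(user)
        self.pending.clear()
        self.active_editor = None
        return dict(self.saved)

    def take_over(self, user: str, keep_changes: bool) -> dict:
        """Seize the session from whoever holds it.

        With keep_changes the previous editor's unsaved work stays pending
        so `user` can save it or keep editing; otherwise it is dropped.
        Returns the pending edits after the takeover.
        """
        if not keep_changes:
            self.pending.clear()
        self.active_editor = user
        return dict(self.pending)


if __name__ == "__main__":
    policy = PolicyEditor(saved={"Allow": "Success"})
    policy.edit("alice", "Portal", "Redirect")
    try:
        policy.open("bob")
    except PolicyLocked as err:
        print("bob sees read-only:", err)
    policy.take_over("bob", keep_changes=True)
    print("bob saved:", policy.save("bob"))
```

The point to take from the model is that a takeover is the only way another user's work gets lost: `save` and `discard` require holding the session, so a second user who merely opens the policy can read it but cannot silently overwrite the first user's pending edits.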

What is a macro sub-policy?

A macro is a sub-policy with a beginning, one or more policy items, and one or more endings. You can create or edit a macro as you would a policy. In a policy, a macro-call in the workflow represents the macro. When you insert a macro-call in a policy or another macro, it displays as a node in the workflow diagram. Typically, you use a macro in multiple branches of the workflow.

Macros are specific to an access policy. You cannot create a macro while the access policy has pending changes. You can also create two special macro types, subroutines and subroutine macros, which have the same workflow as the base macro type. However, you can use subroutines only in per-request policies, and subroutine macros only in subroutines.

Create a macro sub-policy

You can create a macro sub-policy by using the Access visual policy editor.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group's properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies (Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. At the lower left, ensure that Macros shows on the drop-down menu.
    Macros should be the default option. Macros always appear in the lower area of the VPE screen. This is where you edit them. You can change the properties of a macro in Edit Properties and manage macro terminals (endings) in Edit Terminals. You cannot modify properties or terminals that have pending changes.
  7. Click New.
    The Create New popup screen opens.
  8. From the Template drop-down list, select an existing template or an empty macro.
  9. In the Caption field, type a name for the macro.
  10. Click OK.
    The macro template displays in the VPE screen.
After creating a macro, you can edit the macro sub-policy by inserting actions or macros in the branches, or by selecting either the default ending or different endings.

Managing Configuration Snapshots

What is snapshot management?

You can manage configuration snapshots for the configurations you have created on the BIG-IQ® Centralized Management system. A snapshot is a backup copy of a configuration. Configuration snapshots are created manually. This type of snapshot does not include events or alerts.
Note: If the Access group is upgraded to a later BIG-IQ version and you then restore a snapshot that was taken under the previous version, the restore can change the working configuration in ways that cause a deployment failure. Check the version a snapshot was taken under before restoring it.

Comparing snapshots

You can compare two snapshots, or compare a snapshot to the configuration on the BIG-IQ Centralized Management system to view their differences.

  1. Log in to F5 BIG-IQ Centralized Management with your user name and password.
  2. At the top left of the screen, select Change Management from the BIG-IQ menu.
  3. Under SNAPSHOT & RESTORE, select Access.
    The screen displays a list of Access snapshots that have been created on this device.
  4. Select the check box to the left of the snapshot that you want to use as the source snapshot.
  5. Click the Compare button.
    The Differences screen opens.
  6. Analyze the configuration differences between the snapshot and the comparison target. When you are finished, click Cancel to close the Differences screen, then click Close.
    The screen closes and you return to the Snapshot screen.
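To show what a snapshot comparison reports, and how the version warning in the note above can be turned into a check before a restore, here is an added example. It is illustration written for this page, not BIG-IQ code or its export format: the two snapshots are constructed, and the snapshot layout, field names and version strings are assumptions.

```python
"""Snapshot comparison and a version-aware restore check.

Added illustration, not BIG-IQ code. Two constructed Access snapshots
are compared path by path, roughly as the Differences screen lists
them, and a restore is refused when the snapshot predates the Access
group's current BIG-IQ version (the note above warns that restoring
such a snapshot can leave the working configuration undeployable).
Snapshot layout, field names and version strings are assumptions.
"""
from typing import Any, Dict, List, Tuple

Diff = List[Tuple[str, str, Any, Any]]   # (kind, path, old, new)

# Constructed sample snapshots (not real BIG-IQ export data).
SNAPSHOT_A = {
    "name": "access-before-change",
    "version": "6.0.0",
    "config": {
        "access_profiles": {
            "ap_corp": {
                "endings": {"Allow": "Success", "Deny": "Fail"},
                "macros": ["mfa_check"],
            },
        },
        "per_request_policies": {},
    },
}

SNAPSHOT_B = {
    "name": "access-after-change",
    "version": "6.0.0",
    "config": {
        "access_profiles": {
            "ap_corp": {
                "endings": {"Allow": "Success", "Deny": "Fail",
                            "Portal": "Redirect"},
                "macros": ["mfa_check", "geo_check"],
            },
        },
        "per_request_policies": {
            "prp_api": {"endings": {"Allow": "Success", "Deny": "Fail"}},
        },
    },
}


def diff_config(old: Any, new: Any, path: str = "") -> Diff:
    """Recursively compare two config trees.

    Dict keys are walked in sorted order so the report is stable; any
    other value (lists included) is compared as a whole.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        out: Diff = []
        for key in sorted(set(old) | set(new)):
            sub = f"{path}/{key}"
            if key not in old:
                out.append(("added", sub, None, new[key]))
            elif key not in new:
                out.append(("removed", sub, old[key], None))
            else:
                out.extend(diff_config(old[key], new[key], sub))
        return out
    return [] if old == new else [("changed", path, old, new)]


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.0.0' -> (6, 0, 0), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


class RestoreRefused(Exception):
    """The snapshot was taken under an older version than the working config."""


def plan_restore(snapshot: Dict, working: Dict) -> Diff:
    """Return the changes a restore would make, or refuse it outright.

    Refusing is the conservative reading of the note above: a snapshot
    from an earlier version may not restore cleanly after an upgrade.
    """
    if parse_version(snapshot["version"]) < parse_version(working["version"]):
        raise RestoreRefused(
            f"snapshot {snapshot['name']} was taken under "
            f"{snapshot['version']}; Access group is now at {working['version']}")
    return diff_config(working["config"], snapshot["config"])


if __name__ == "__main__":
    for kind, path, old, new in diff_config(SNAPSHOT_A["config"],
                                            SNAPSHOT_B["config"]):
        print(f"{kind:8} {path}: {old!r} -> {new!r}")
```

Reviewing the restore as a diff against the working configuration, rather than simply applying it, is what the Compare step buys you: every "removed" line is a resource the restore would take away, which is where a stale snapshot does its damage.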