Applies To:
Show VersionsBIG-IQ Centralized Management
- 6.0.0
Understanding Core Features of BIG-IQ Centralized Management
Why should I use centralized management?
You can save time by using BIG-IQ® Centralized Management to manage and monitor multiple BIG-IP® devices and service configurations (such as Network Security and Access) from a single, central location.
With centralized management, you can:
- Manage and monitor multiple BIG-IP devices and service configurations from one BIG-IQ Centralized Management system, rather than having to log in and manage and monitor each BIG-IP device (physical, virtual, or vCMP) individually.
- Centrally manage and monitor security policies across your BIG-IP devices, such as firewall policies and web application policies, depending on what service configurations you have installed.
- Maintain and edit shared configuration objects, such as policies, in one place, and then deploy those objects to multiple BIG-IP devices.
- Apply role based authorization within the BIG-IQ system. You can restrict roles and permissions for some users who use only a portion of the BIG-IQ system, and define broader permissions for administrative users. For example, you can permit application owners to see only their configuration objects across multiple devices, while an overall administrator can see all objects.
- Find information about objects across all configurations known to the BIG-IQ system using global search (available from the search icon on the upper right of most BIG-IQ system screens). You can restrict the scope of the search using various search options. Once an object is found, you can review additional information about that object.
What elements make up a centralized management solution?
An F5®BIG-IQ® Centralized Management solution can involve a number of different elements. The topology for these elements depends on your needs, and on whether you include data collection devices (DCDs) in your solution. A typical solution can include the following elements:
- BIG-IQ system(s)
- BIG-IP devices
- Data collection devices (optional)
- Remote storage devices (optional)
BIG-IQ Centralized Management system
Using BIG-IQ Centralized Management, you can centrally manage your BIG-IP(R) devices, performing operations such as backups, licensing, monitoring, and configuration management. And because access to each area of BIG-IQ is role-based, you can limit access to users, thus maximizing work flows while minimizing errors and potential security issues.
BIG-IP device
A BIG-IP device runs a number of licensed components designed around application availability, access control, and security solutions. These components run on top of ®F5 TMOS®. This custom operating system is an event driven operating system designed specifically to inspect network and application traffic and make real-time decisions based on the configurations you provide. The BIG-IP software runs on both hardware and virtualized environments.
BIG-IQ data collection device
A data collection device (DCD) is a specially provisioned BIG-IQ system that you use to manage and store alerts, events, and statistical data from one or more BIG-IP systems.
Configuration tasks on the BIG-IP system determine when and how alerts or events are triggered on the client. The alerts or events are sent to a BIG-IQ data collection device, and the BIG-IQ system retrieves them for your analysis. When you opt to collect statistical data from the BIG-IP devices, the DCD periodically (at an interval that you configure) retrieves those statistics from your devices, and then processes and stores that data.
The group of data collection devices and BIG-IQ systems that work together to store and manage your data are referred to as the data collection cluster. The individual data collection devices are generally referred to as nodes.
Remote storage device
The remote storage device is necessary only when your deployment includes a data collection device (DCD) and you plan to store backups of your events, alerts, and statistical data for disaster recovery requirements. Remote storage is also required so that you can retain this data when you upgrade your software.
Simple view of the BIG-IQ system architecture
A simple view of the BIG-IQ® system architecture illustrates the relationship between the components of the system.
This graphic shows a BIG-IQ® Centralized Management system, composed of two BIG-IQ systems in a high availability configuration and a cluster of data collection devices (DCD) using remote storage, with the entire system managing multiple BIG-IP® devices.
Overview of process to centrally manage BIG-IP devices
You typically use this process to manage BIG-IP® devices using BIG-IQ® Centralized Management. Centrally managing a BIG-IP device using the BIG-IQ system is sometimes referred to as declaring management authority (DMA) over a BIG-IP device. All required components should be already installed on the BIG-IP device and the BIG-IQ system. You perform all these tasks using the BIG-IQ system. Some of these tasks are optional, depending on what you want to manage using the BIG-IQ system.
- Add the BIG-IP device to the list of devices managed by the BIG-IQ system, and establish a trust relationship between the device and the BIG-IQ system. If you do not want to manage service configurations on your BIG-IP devices, the other tasks are not needed.
- Discover the service configurations on the BIG-IP device that you want to manage, such as Local Traffic, Web Application Security, and so on. You usually only need to discover the service configurations when you are first beginning to manage a BIG-IP device.
- Import the discovered configurations from the BIG-IP device to the BIG-IQ system. You usually only need to perform this task when you are first beginning to manage the BIG-IP device.
- Edit the configurations as needed on the BIG-IQ system.
- Evaluate the configurations to ensure that there will be no deployment issues.
- Deploy the updated configurations back to the BIG-IP
devices.
Essentially, you perform the first three tasks to initially set up centralized management of your BIG-IP devices and services. The last three tasks (edit, evaluate, and deploy) are performed regularly as you manage your BIG-IP devices and services.
Adding the BIG-IP device to the list of managed devices
The first task in managing a BIG-IP device is to add it to the list of devices managed by the BIG-IQ® Centralized Management system using the Devices screens. Largely, this is making sure that the BIG-IQ system can access the BIG-IP® device at the specified IP address and ports. This is sometimes referred to as establishing trust with the BIG-IP device.
After this task is complete, all of the BIG-IQ Device functionality (inventory reporting, backup and restore, script management, licensing, password management, software upgrade, and so on) is available for the discovered device. If at least one Data Collection Device (DCD) is deployed in the environment, statistics data for device, LTM®, and DNS objects can also be collected and reported.
In environments that only require centralized device management, this task might be the only one you need to perform. The remaining tasks are for those environments that want to manage service configurations, such as Network Security, as well as the devices.
Adding the BIG-IP device and establishing trust with it involves several tasks:
- The BIG-IQ administrator adds the IP address, user name and password for an administrative user on the BIG-IP device.
- If the BIG-IP device is clustered, the administrator selects how to handle deployment to the clustered devices.
- The BIG-IP device and the BIG-IQ system exchange certificates to create a trust relationship.
- For earlier versions of BIG-IP devices, the administrator might need to update the REST framework on the BIG-IP device to be able to manage it.
Discovering the configurations on the BIG-IP device
Once the BIG-IP® device has been added to the list of managed devices, you can optionally discover and import the service configurations on the BIG-IP device, such as Local Traffic, Web Application Security, and so on. In general, you want to manage all the service configurations you discover. You always need to discover and import the Local Traffic service first, since the other services depend upon it.
You use the Devices screens to discover configurations.
Importing the configurations
After discovering the service configurations, you need to import each of them from the BIG-IP® device to the BIG-IQ® Centralized Management system. You need to do this for each service to be managed, using the screen at
, then selecting a device and clicking SERVICES.You can create a snapshot of your BIG-IQ service configuration before you perform the import. The snapshot can be used in case you want to roll back from the configuration you are about to import from the BIG-IP device.
If the BIG-IQ system detects differences between the objects in the service configuration on the BIG-IP device and the configuration on the BIG-IQ system, it displays those differences so that you can resolve them and complete the import.
You resolve each difference by selecting whether to keep the value that is already on the BIG-IQ system (by selecting Use BIG-IQ in the differences screen), or to use the value imported from the BIG-IP device to update the BIG-IQ object value (by selecting Use BIG-IP).
In either case, the object is not changed on any managed BIG-IP devices until you deploy the configuration from the BIG-IQ system to the BIG-IP devices later in the process.
The BIG-IQ system uses the following terms to describe differences and configuration types:
- The working configuration is the configuration that is maintained and edited on the BIG-IQ system. This is the configuration you deploy to the BIG-IP device during a deployment.
- The current configuration is the configuration discovered on the BIG-IP device. This is also sometimes referred to as the running configuration. The current configuration is updated during re-import or re-discovery and before calculating differences during the deployment process. The current configuration is also updated after a successful deployment to the BIG-IP device.
- A difference is when an object with the same type and name occurs in both the current configuration and the working configuration but with different data. For example, a difference would occur if the policy object Pol021 in the current configuration (imported from the BIG-IP device) contains more properties than that policy object in the working configuration (on the BIG-IQ Centralized Management system).
Editing the configurations
Once you have imported the configurations, you can use the Configuration screens to review and edit them before deploying them back to the BIG-IP devices. Essentially, you are modifying the configurations and staging them to be deployed back to the BIG-IP devices. You will probably spend most of your time in this part of the process, since there are potentially many configuration settings that you will want to review.
When reviewing the configurations:
- Be aware of dependencies between configurations. For example, your changes to the Network Security configuration settings might require that you make changes to the Local Traffic settings.
- Be aware of the version of the BIG-IP devices to which you are going to deploy the configuration. Different versions of BIG-IP might require different settings or values.
- If needed, refer to the documentation or online help for clarification on what settings are valid.
Changes you make to the configuration on the BIG-IQ system are not immediately deployed to the BIG-IP devices, but are staged as part of the BIG-IQ working configuration. The exception to this staging, is in the Local Traffic service, where you can use the Change Now setting to more quickly enable or disable virtual servers or pool members, when needed.
Evaluating and reviewing configuration differences
You evaluate your working configuration changes before you attempt to deploy them to your BIG-IP devices using the screens found at
. Evaluating your working configuration changes allows you to review and fix any potential problems before you deploy the configuration.When you perform an evaluation, it compares the working configuration on the BIG-IQ system to the configuration running on the BIG-IP device, and then displays the differences for you to review. Differences can be caused by changes made to the configuration on the BIG-IQ system, or by changes made directly to the configuration on the BIG-IP device without using the BIG-IQ system. You can create an evaluation for one or for multiple BIG-IP devices.
This is a summary of what happens during the evaluation process.
- When you begin the evaluation process, the BIG-IQ system captures the current service configuration on the BIG-IP device, creates a snapshot of the BIG-IQ working configuration, and then compares the two configurations for that device.
- You now can review the configuration differences using a graphical summary of the differences. You can also view the JSON code differences for each object that has been modified, added, or removed.
- After reviewing the differences, you take one of these
actions:
- If you are satisfied with the evaluation results, proceed with deploying the BIG-IQ working configuration to the BIG-IP device.
- If you are not satisfied with the evaluation results, make whatever changes are needed on the BIG-IQ working configuration, and evaluate the configurations again. If you want to keep changes that were made directly on the BIG-IP device, re-import the BIG-IP device configuration, and evaluate the configuration again.
Keep the following considerations in mind when performing evaluations:
- If there are changes to the Local Traffic service configuration, you should evaluate that working configuration first, since any changes you need to make there could affect other configurations.
- You can use the evaluation process to review not only working configuration changes, but also changes in a configuration you captured in a snapshot.
- You can also evaluate and deploy a selected set of objects rather than an entire configuration. This is sometimes referred to as a partial deployment.
Deploying the configurations
When you have successfully evaluated your configurations, you can then deploy them to the BIG-IP® devices. You can schedule the deployment to occur at a later time, when your systems are not busy, and the deployment can be performed by another user with the appropriate deployment role if necessary. You might even want to have someone else review the configuration before it is deployed, to avoid issues.
When you deploy the BIG-IQ® configuration, it makes the BIG-IP configuration look exactly like what is on BIG-IQ, including overwriting changes that were made directly to the BIG-IP device or deleting items that were created directly on the BIG-IP device. The BIG-IQ configuration that is deployed is the same for all the BIG-IP devices managed. This idea of a single configuration being the same for multiple devices is sometimes referred to as the BIG-IQ configuration being the source of truth for all the managed BIG-IP devices. You can perform a deployment immediately or you can schedule it to occur later.
If there are changes to the Local Traffic service configuration, you should deploy that configuration before any other configuration, since the Local Traffic service configuration can affect the other configurations.
If only a few changes were made to the configuration, you might be able to perform a partial deployment. Partial deployments typically complete more quickly than full deployments since only some of the configuration is being deployed. You use the screens at
to perform deployments.The BIG-IQ system deploys all configuration changes to the BIG-IP device using the REST API. Once the deployment is complete, you can review the deployment job to see what changes were deployed. An object-by-object difference view in JSON format is available as well.
Considerations when managing BIG-IP devices
You should consider these facts when managing your BIG-IP® devices using BIG-IQ® Centralized Management.
- Avoid making configuration changes directly on a BIG-IP device that is
managed by the BIG-IQ Centralized Management system.
If you make changes locally on the BIG-IP device, you must re-import the configuration to reconcile those changes with the BIG-IQ Centralized Management working configuration. If you do not re-import the configuration, a subsequent deployment of the configuration from the BIG-IQ Centralized Management system will overwrite your local changes on the BIG-IP device.
- Be aware of the BIG-IP device versions and features supported by your
version of BIG-IQ Centralized Management. BIG-IQ Centralized Management tracks the
BIG-IP device versions and can act based on the version. For example, in BIG-IQ
Centralized Management, a feature that is only supported for BIG-IP devices version
13.0 or later might not appear as an option to be managed for an earlier version of
a BIG-IP device.
You can find compatibility information in the BIG-IQ Centralized Management compatibility matrix on the F5 support web site, support.f5.com. In addition, review the BIG-IQ Centralized Management service documentation, since some features might be supported only with certain versions of BIG-IP devices.
Overview of other common BIG-IQ tasks and concepts
You use the essential BIG-IQ® Centralized Management features when you add a BIG-IP® device to the BIG-IQ system, and manage the service configurations on that BIG-IP device.
- Re-discovering and re-importing configurations when you encounter configuration problems.
- Capturing and restoring snapshots of configurations so you can roll back to a previous set of changes.
- Reviewing audit logs to see what changes have been made on the BIG-IQ system, and by whom.
- Recognizing the difference between device-specific and shared objects, particularly when doing deployments.
- Using device configuration templates to simplify device configuration.
Re-discovering or re-importing configurations when needed
Typically, once configurations are imported, there is no need to re-import or re-discover a BIG-IP device. However, you might need to do so in the following cases:
- If you added, changed, or deleted management IP addresses or virtual servers directly on the BIG-IP device.
- If you made changes to other parts of the configuration locally on the BIG-IP device, without using BIG-IQ Centralized Management.
- If you made updates to the BIG-IP device software that need to be recognized by the BIG-IQ Centralized Management system.
If any of these events occurred, you must re-import and re-discover the configuration to synchronize those changes with the configuration maintained on the BIG-IQ system. If you do not reconcile changes, a subsequent deployment will overwrite the changes made locally on the BIG-IP device. You re-discover and re-import a configuration using the screens found here,
.Capturing and restoring configurations using snapshots
You can capture the working configuration on the BIG-IQ® Centralized Management system using snapshots. Once created, snapshots can be compared to other snapshots or to the working configuration on the BIG-IQ system. You can also deploy a snapshot if needed.
If you need to roll back a change that was made to the BIG-IP® device, you can perform an evaluation operation that compares the configuration on the BIG-IP device to a snapshot, and then deploys the snapshot to the BIG-IP device. Rolling back changes in this manner is easier and more reliable than editing the configuration to return it to a previous state. Snapshots can also be used to correct errors in the BIG-IQ working configuration, if an error is made there.
- To evaluate and deploy a snapshot to a BIG-IP device, you use the screens at .
- To create and compare snapshots, you use the screens at .
- To restore the BIG-IQ working configuration to a snapshot configuration, you use the screens at .
Reviewing BIG-IQ system changes using audit logs
You can use the BIG-IQ Centralized Management audit logs to view changes on the BIG-IQ system. The audit log contains information on which user account made the change, when they made the change, and other related information.
You can review audit log entries and search the audit log entries for changes using the system interface. Changes are shown as highlighted differences between JSON files. You use the screens at
to view audit logs for each of the services, such as Network Security or Local Traffic and Network. The Monitoring screens contain many other useful tools for understanding what is occurring on your BIG-IQ system.How do shared objects impact my deployments?
The objects that you manage using BIG-IQ® depend on associations with other, supporting objects. These objects are called shared objects. When the BIG-IQ evaluates a deployment to a managed device, it starts by deploying the device-specific objects. Then it examines the managed device to compile a list of the objects that are needed by other objects on that device. Then (based on the recent analysis) the BIG-IQ deletes any shared objects that exist on the managed device but are not used. So if there are objects on a managed device that are not being used, the next time you deploy changes to that device, the unused objects are deleted.
About configuration templates
BIG-IQ® can manage multiple devices simultaneously. These devices can be located in several data centers that may be located in many different locations. To help you easily manage required configuration changes to DNS, NTP, SMTP, and Syslog for a large number of devices, you can use configuration templates.
To start, you create a configuration template, then deploy that template to certain devices. This can save a significant amount of time because you are not required to log in to each device individually to make configuration changes.