Manual Chapter: Restore the BIG-IQ and DCD Cluster to Pre-upgrade State

Applies To:

BIG-IQ Centralized Management

  • 6.0.1

What are the post-upgrade tasks?

Once you have upgraded the BIG-IQ system with a DCD cluster, you need to:

  • Add the secondary BIG-IQ to the primary BIG-IQ.
  • Re-discover devices and re-import services.
  • Re-discover devices and re-import LTM, ASM, AFM, and DNS services in bulk using a script.
  • Use a script to remove and recreate access groups in bulk for devices running APM services.
  • Re-import access groups (without SWG data) from the user interface for devices running APM services.
  • Remove and recreate access groups (with SWG data) from the user interface for devices running APM services.

Re-discover devices and re-import services

After you upgrade F5 BIG-IQ Centralized Management, you must rediscover your managed devices and reimport their services for AFM, ASM, DNS, and LTM so you can start managing those devices with the new features introduced in this release.
Note: If you upgraded a BIG-IQ system that's running Network Security or Web App Security services, you'll see evaluation differences for the default logging profile objects imported from BIG-IP devices (global-network, log all requests, log illegal requests, and local-dos). This is expected because BIG-IQ version 6.0.1 imports information about default logging profiles that were not present in version 6.0.0. After you complete the upgrade to version 6.0.1 and re-import your Network Security or Web Application Security service, these differences should no longer occur.
  1. At the top of the screen, click Devices.
  2. Select the check box next to the devices for which you want to rediscover and reimport services.
  3. Click the More button and select Re-discover and Re-import.
  4. In the Name field, type a name for this task.
  5. For the Shared Object Conflict Resolution Policy setting, select an option for how you want to handle any differences found between the configuration on BIG-IQ and the BIG-IP device during the re-discover and re-import task.
    • Use BIG-IQ to use the configuration setting stored on BIG-IQ if any differences are found.
    • Use BIG-IP to override the configuration settings stored on BIG-IQ with the settings from the BIG-IP device.
    Important:

    Some new features are introduced with each BIG-IQ release, so it's a good idea to use the BIG-IP device's configuration after you upgrade BIG-IQ. This ensures that you don't inadvertently overwrite a configuration that wasn't previously supported. BIG-IP devices are re-imported in the order listed, from top to bottom. You can use the arrow keys to change the processing order.

    When you select Use BIG-IP to resolve conflicts, the BIG-IP device used to resolve those conflicts should appear last in the re-import list. If two or more BIG-IP devices contain the same object with different values, only the value in the last imported BIG-IP is used to resolve the conflict for all the BIG-IP devices.

  6. If you want to save a snapshot of the BIG-IP device's configuration before importing these services, select the check box for Create a snapshot of the current configuration before importing.
  7. Click the Create button at the bottom of the screen.

Re-discover devices and re-import LTM, ASM, AFM, and DNS services in bulk using a script

After you upgrade BIG-IQ Centralized Management, you can use a script to re-discover devices and re-import the LTM, ASM, AFM, and DNS services in bulk. To run this script, you must have root access to the BIG-IQ command line.
Warning: Before you run this script, make sure that you don't have any pending configuration changes staged for your managed BIG-IP devices. This script prompts BIG-IQ to import the configurations for all your BIG-IP devices. So, if you don't deploy staged configuration changes before you run this script, you will lose them after you run the script. If you need assistance, contact F5 Support.
You use this script to re-discover devices and re-import LTM, ASM, AFM, and DNS services all at once, so that you can start managing your devices with the new version of BIG-IQ software.
Note: If you'd rather re-discover devices and re-import their services individually through the user interface, refer to Re-discover devices and re-import LTM, ASM, AFM, and DNS services from the user interface.
  1. Log in to the downloads.f5.com site, click the Find a Download button, and click BIG-IQ Centralized Management.
  2. Click the v6.0.1 link.
  3. Review the End User Software License agreement and click the I Accept button to accept the terms.
    The Select a Download screen opens.
  4. Click the bulkDiscovery.zip file name, and unzip it on your local system.
  5. Log in to the BIG-IQ system as the root user and upload the script.
  6. Enable executable permissions by typing: chmod +x ./bulkDiscovery.pl
    Note: To access help for this script, type ./bulkDiscovery.pl -h
  7. Export the IP addresses for the BIG-IP devices in your network to a CSV file using the bulkDiscovery script.
    To run this script, type: ./bulkDiscovery.pl -c masterDeviceList.csv -m -o
  8. Re-discover your BIG-IP devices and re-import their services, by using the associated command:
    Note: This command prompts BIG-IQ to import all the configurations from the specified BIG-IP devices. It's important that you've already deployed any configuration changes you have staged for these devices, because they'll be overwritten on BIG-IQ after you run this script. If you'd rather re-discover devices and re-import services individually so you can address any potential configuration conflicts for each device, you can do that from the BIG-IQ system's user interface instead of using this script. For more information, refer to Re-discover devices and re-import services from the user interface.
    • For LTM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -m
      Note: You must re-discover devices running the LTM service before re-discovering devices running any other service.
    • For ASM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -s -m
    • For AFM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -f -m
    • For DNS, type ./bulkDiscovery.pl -c myDeviceList.csv -l -d -m
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.

Use a script to remove and recreate access groups in bulk for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management, you must remove and recreate the access groups for devices running the APM service.
Warning: Before you run this script, make sure that you don't have any pending configuration changes staged for your managed BIG-IP devices. This script prompts BIG-IQ to import the configurations for all your BIG-IP devices. So, if you don't deploy staged configuration changes before you run this script, you will lose them after you run the script. If you need assistance, contact F5 Support.
You can use this script to remove and recreate the access groups for devices running the APM service so you can start managing those devices with the new version of BIG-IQ.
Note: If you'd rather do this from the user interface, refer to Remove and recreate access groups (with SWG data) from the user interface for devices running APM services or Reimport access groups (without SWG data) from the user interface for devices running APM services.
  1. Log in to the BIG-IQ system as admin.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      Note: You'll deploy the configuration from this source device to all of the devices in the access group.
  4. Select the check box next to each access group and click the Remove button.
  5. Log in to the downloads.f5.com site, click the Find a Download button, and click BIG-IQ Centralized Management.
  6. Click the v6.0.1 link.
  7. Review the End User Software License agreement and click the I Accept button to accept the terms.
    The Select a Download screen opens.
  8. Click the bulkDiscovery.zip file name, and unzip it on your local system.
  9. Log in to the BIG-IQ system as the root user and upload the script.
  10. Enable executable permissions by typing: chmod +x ./bulkDiscovery.pl
    Note: To access help for this script, type ./bulkDiscovery.pl -h
  11. Export the IP addresses for the BIG-IP devices in your network to a CSV file using the bulkDiscovery script.
    To run this script, type: ./bulkDiscovery.pl -c masterDeviceList.csv -m -o
  12. For each access group:
    1. Create a device list, by typing cp masterDeviceList.csv <access_group_name>_devices.csv
    2. Edit the file as follows:
      • Remove any devices that don't belong to the access group, comparing the file to the list you made in step 3.
      • Place the source BIG-IP device you identified in step 3 at the top of the <access_group_name>_devices.csv file.
      • Verify the credentials for each device (the script uses ADMIN/APWD by default).
    3. Save your changes to the file.
    4. Import devices in the access group by typing: ./bulkDiscovery.pl -c <access_group_name>_devices.csv -g <access_group_name> -l -p -o -v
  13. Log in to the BIG-IQ system as admin.
  14. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  15. Review the access groups to verify that all the groups properly imported.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.
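
Step 12 of the procedure above, as an added example that is not part of the F5 documentation or the bulkDiscovery package: a shell function that derives <access_group_name>_devices.csv from masterDeviceList.csv, puts the source device first, and refuses to write a file if a device you noted is absent from the master list. It assumes the first CSV field of each row is the device IP address; the addresses, placeholder credentials and the group name branch_vpn are constructed.

```bash
# Added example: build <access_group_name>_devices.csv from the master list.
# Assumption: field 1 of each CSV row is the device IP address; all other
# fields (such as credentials) are copied through unchanged.

# Usage: build_group_csv MASTER_CSV GROUP SOURCE_IP [MEMBER_IP...]
build_group_csv() {
    [ "$#" -ge 3 ] || { echo "usage: build_group_csv MASTER GROUP SOURCE_IP [IP...]" >&2; return 2; }
    master=$1; group=$2; source_ip=$3
    shift 3
    # The group name becomes a file name: allow only safe characters.
    case $group in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid access group name" >&2; return 2 ;;
    esac
    out="${group}_devices.csv"
    (
        umask 077   # rows can carry device credentials: owner-only file
        awk -F, -v src="$source_ip" -v want="$source_ip $*" '
            BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
            /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
            {
                ip = $1; gsub(/[ \t\r]/, "", ip)
                if (!(ip in need) || (ip in seen)) next   # not in group, or duplicate row
                seen[ip] = 1
                if (ip == src) first = $0; else rest[++r] = $0
            }
            END {
                for (ip in need) if (!(ip in seen)) {
                    print "not in master list: " ip > "/dev/stderr"; bad = 1
                }
                if (bad) exit 1
                print first                          # source device goes first
                for (i = 1; i <= r; i++) print rest[i]
            }' "$master" > "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"
}

# Constructed sample data: documentation addresses, placeholder credentials.
demo_dir=$(mktemp -d)
cat > "$demo_dir/masterDeviceList.csv" <<'EOF'
192.0.2.10,admin,EXAMPLE-ONLY
192.0.2.11,admin,EXAMPLE-ONLY
192.0.2.12,admin,EXAMPLE-ONLY
192.0.2.13,admin,EXAMPLE-ONLY
EOF
cd "$demo_dir" || exit 1
build_group_csv masterDeviceList.csv branch_vpn 192.0.2.12 192.0.2.10 192.0.2.13
cat branch_vpn_devices.csv
```

Because the device lists can hold credentials, delete them from the BIG-IQ system once the access groups have been verified in step 15.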

Re-import access groups (without SWG data) from the user interface for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management, you must re-import the access groups running the APM service without SWG data.
You can use this procedure to reimport groups for devices running APM services without F5 Secure Web Gateway configuration data so you can start using the new features introduced in this release.
Important: If you'd rather use a script to do this, refer to Use a script to remove and recreate access groups in bulk for devices running APM services. If your APM configuration includes SWG data, refer to Remove and recreate access groups (with SWG data) from the user interface for devices running APM services.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the access group.
  3. From the Device list, select the device from which to reimport the shared access policy configuration, and click the Reimport button.
    This device will share the access policy configuration with all other devices in this access group.
  4. Select Shared Access Group and Device Specific configuration and click the Reimport button at the bottom of the screen.
  5. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  6. If the differences window displays for the APM service, click the Accept button.
  7. For the remainder of the devices in this access group:
    1. Select the check box next to the device, and click the Reimport button.
    2. Select Device specific configuration and click the Reimport button at the bottom of the screen.
    3. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
    4. If the differences window displays for the APM service, click the Accept button.
  8. Repeat steps 2-7 for the rest of the access groups.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.

Remove and recreate access groups (with SWG data) from the user interface for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management to the latest version, you must recreate the access groups running the APM service.
You can use this procedure to remove and recreate access groups for devices running APM services with F5 Secure Web Gateway configuration data so that you can start using the new features introduced in this release.
Important: If you'd rather use a script to do this, refer to Use a script to remove and recreate access groups in bulk for devices running APM services. If your APM configuration doesn't include SWG data, refer to Reimport access groups (without SWG data) from the user interface for devices running APM services.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      Note: You'll deploy the configuration from this source device to all of the devices in the access group.
  3. Select the check box next to each access group and click the Remove button.
  4. Click the Create button.
  5. Type a name for this access group in the Name field.
  6. From the Device list, select the device from which to reimport the shared access policy configuration, and click the Reimport button.
    This device will share the access policy configuration with all other devices in this access group.
  7. Click the Create button at the bottom of the screen.
  8. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  9. Click the name of the access group you added.
  10. Click the Add Device button.
  11. From the Device list, select a device to add to this access group.
  12. Click the Add button at the bottom of the screen.
  13. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  14. If the differences window displays for the APM service, click the Accept button.
  15. Repeat steps 10-14 for each device in each access group before creating the next access group.
You can now start managing your BIG-IP devices using the latest version of BIG-IQ Centralized Management.