Manual Chapter : Managing Access Groups

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

How do I start to centrally manage APM configurations from BIG-IQ?

Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ® system to other BIG-IP® devices.

Step 1. Add the BIG-IP device to the inventory list on the BIG-IQ system. You enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).

Step 2. Manage the APM configuration by adding to the existing Access Group or creating a new Access Group.

Note: For more information, refer to the "BIG-IQ Centralized Management: Device" guide.

What is the best way to create an Access group?

After you add devices to the BIG-IQ® system and discover them, you can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.

  • Select one device and create an Access group or add it to an existing group. The Access group automatically discovers and imports the LTM and APM configurations.
  • From the Device Management user interface, you can add one device at a time to an Access group when you import the APM service from each device. This requires that you discover the BIG-IP® Access Policy Manager® (APM) and the Local Traffic Manager™ (LTM) configurations manually. You must discover LTM first, because APM uses some resources that are managed by LTM. Afterwards, import the LTM configuration into the BIG-IQ system.

Adding devices to the BIG-IQ inventory

Before you can add BIG-IP® devices to the BIG-IQ® inventory:

  • The BIG-IP device must be located in your network and running a compatible software version. Refer to https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html for more information.
  • The ports on the management address of the BIG-IP device (typically ports 22 and 443), or on any alternative IP address used to add the BIG-IP device to the BIG-IQ inventory, must be open. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
Note: A BIG-IP device running versions 10.2.0 - 11.5.0 is considered a legacy device, and cannot be discovered from BIG-IQ version 5.2. If you were managing a legacy device in a previous version of BIG-IQ and upgraded to version 5.2, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 11.5.0 or later. For instructions, refer to the section titled, Upgrading a Legacy Device.
Note: Access supports BIG-IP system software version 12.1 and 13.0 only.
You add BIG-IP devices to the BIG-IQ system inventory as the first step to managing them.
  1. At the top of the screen, click Devices.
  2. Click the Add Device button.
  3. In the IP Address field, type the IPv4 or IPv6 address of the device.
  4. In the User Name and Password fields, type the user name and password for the device.
  5. To add this device to a new cluster:
    Important: If a device is not a member of a Sync-Failover group that you configured to support an Active-Standby configuration for APM, do not add it to a cluster.
    If the device is the first member of a Sync-Failover group that you have added to the BIG-IQ system, add it to a new cluster. It does not matter whether this device is the Active or the Standby member of the group.
    1. From the Cluster Display Name list, select Create New, and then type a new name for this new cluster.
      A cluster name must be unique on the BIG-IQ system. It does not need to match the name of the Sync-Failover group on the BIG-IP device. However, ensuring some similarity between the names might be useful to you, because when you add the second member of the group, you must add it to the same cluster.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended) Select this option to prompt BIG-IQ to start the DSC synchronization process so that any configuration change made to this device is synchronized with other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  6. To add this device to an existing cluster:
    If the device is the second member of a Sync-Failover group that you have added to the BIG-IQ system, add the device to the existing cluster for that Sync-Failover group.
    1. From the Cluster Display Name list, select Use Existing, and then select the cluster from the list.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended) Select this option to prompt BIG-IQ to push any configuration changes to this device to other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  7. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    Note: The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  8. Click the Add button at the bottom of the screen.
    When complete, a popup screen displays a status and options to discover device service configurations immediately.
  9. To discover configurations for APM® and LTM® now, select the Access Policy Manager (APM) check box (the Local Traffic Manager (LTM) check box is then selected automatically), and click Discover.
    You can discover service configurations now or do it later.
    BIG-IQ discovers the configurations for the APM and LTM services.
BIG-IQ displays a discovering message in the Services column of the inventory list.

Creating an Access group from the Configuration tab

You create an Access group to start to manage the Access configuration for a group of devices.
Note: When you create an Access group, the service configurations for the devices are imported.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the Create button.
    The New Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From Device, select the device to be the source of the shared configuration for other devices in the group.
  5. For the Snapshot option, click the check box to create a snapshot at the time this Access group is created.
  6. Click Create.
    The Access Groups screen opens. Progress information displays in the Status column.

Adding a device to an Access group from the Configuration tab

Before you start, you must have at least one device with the APM® service discovered. You must also have imported the LTM® service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
Note: If you add a second device to an access group, the system does not automatically create sub-collections or pool members that are associated with a device-specific object. You must manually add or create these sub-collections or pool members.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
    The General Properties screen for the access group displays, listing the devices in the Access group.
  3. Click Add Device.
    The Add Device popup screen displays.
  4. For Device, select the device from the dropdown menu.
  5. (Optional) To create a snapshot of the existing configuration, for Snapshot, select the check box Create a snapshot of the current configuration before importing.
  6. Click Add.
    The popup screen closes, displaying the Access Groups screen. The new device displays under the Devices list.

Reimporting an Access group configuration or device-specific configuration

You must have an existing Access group.
You can reimport a shared Access group configuration or a device-specific configuration from any device in an Access group. This reduces the need to edit the configuration by hand.
Note: You can reimport from the Access Groups UI screen.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click Reimport.
  3. For the Configuration Type option, select whether you want to import a Shared Access Group and Device Specific configuration or just a Device Specific configuration.
  4. (Optional) For the Snapshot option, select whether you want to create a snapshot of the current configuration before importing.
  5. Click Reimport.
You now have reimported an existing configuration.

Removing a device from an Access group

You remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group. An Access group can exist in the BIG-IQ system without any devices. You can remove all devices from an Access group, leave it empty, and then add new devices later.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
    The properties screen for that group opens, listing the devices in the Access group.
  3. Select the check box for the device you want to remove and click Remove.
    A confirmation popup screen opens.
  4. Confirm that you want to remove the device.
    The device no longer displays in the Access group. The APM service configuration on the device is no longer managed.
Before you can see new data from the device in Access reports or add the device to another Access group, you must discover the APM service configuration on the device.

Removing an Access group

You remove an Access group that you previously created.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the check box next to an existing Access group.
    The Remove button becomes available and a message displays.
  3. In the Remove Access Group Configuration? message window, click OK.
You have removed an Access group from your BIG-IQ system.

Creating an Access group from the Devices tab

Before you can create an Access group, you must discover at least one device. You must import the LTM® service configuration from a device before you can add that device to an Access group.
You create an Access group to start managing the Access configuration for a group of devices.
Note: When you create an Access group, the service configurations for the devices are imported.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices > BIG-IP CLUSTERS > Access Groups.
    The Access Groups screen displays.
  2. Click the Create button.
    The New Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From Device, select the device to be the source of the shared configuration for other devices in the group.
  5. For the Snapshot option, click the check box to create a snapshot at the time this Access group is created.
  6. Click Create.
    The Access Groups screen displays. Progress information displays in the Status column.

Discovering the LTM and APM service configurations

Before you can import configurations from a device, you must first discover them. To prepare to create an Access configuration on the BIG-IQ® system, you must discover the Local Traffic Manager™ (LTM®) service configuration, and then discover the Access Policy Manager® (APM) service configuration.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to discover the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), click Discover.
    You must wait for discovery to complete before you continue.
  5. For Access Policy Manager (APM), click Discover.

Importing the LTM service configuration

You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager® (APM) service configuration from a discovered device, you must import the Local Traffic Manager™ (LTM®) service configuration.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to import the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  5. For Local Traffic Manager (LTM), click Import.
    The LTM Import screen displays.
  6. Click Proceed to Import.
The LTM service configuration is imported. Click the back arrow to return to the previous screen.

Importing the APM configuration into an Access group

You must discover a service configuration before you can import it.
You import Access Policy Manager® (APM) configuration objects from a device to manage the device configuration from the BIG-IQ® system. As part of the import process, you select an Access group.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. Click the name of the device you want to import the service configuration from.
  2. On the left, click Services.
  3. For Access Policy (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  4. For Access Policy (APM), click Import.
  5. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    Important: You must add both members of an HA pair to the same Access group.
The APM service configuration is imported.
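
An added example, not part of the F5 manual and not a BIG-IQ API: a stand-alone Python check of a planned Access group layout against the constraints this page states (Access supports BIG-IP 12.1 and 13.0 only, LTM is imported before a device joins an Access group, a device belongs to only one Access group, and both members of an HA pair go in the same Access group). The dictionary keys, device names and group names are constructed for illustration, and treating a BIG-IQ cluster as the HA pair is an assumption.

```python
from collections import defaultdict

# BIG-IP major.minor versions this page lists as supported by Access.
SUPPORTED = {(12, 1), (13, 0)}


def check_plan(devices):
    """Return a sorted list of (device_or_cluster, problem) tuples.

    Each device is a dict with hypothetical keys: name, version,
    cluster (None if standalone), access_groups, ltm_imported.
    """
    problems = []
    cluster_groups = defaultdict(set)
    for d in devices:
        major, minor = (int(p) for p in d["version"].split(".")[:2])
        if (major, minor) not in SUPPORTED:
            problems.append((d["name"], "unsupported version " + d["version"]))
        groups = set(d["access_groups"])
        if len(groups) > 1:
            problems.append((d["name"], "in more than one Access group"))
        if groups and not d["ltm_imported"]:
            problems.append((d["name"], "LTM not imported before Access group"))
        if d["cluster"]:
            # Record which Access group(s) each cluster member is planned for.
            cluster_groups[d["cluster"]].add(frozenset(groups))
    for cluster, seen in cluster_groups.items():
        if len(seen) > 1:
            problems.append((cluster, "HA members in different Access groups"))
    return sorted(problems)


# Constructed sample plan (not real devices).
PLAN = [
    {"name": "bigip-a", "version": "13.0.0", "cluster": "dc1-pair",
     "access_groups": ["corp-vpn"], "ltm_imported": True},
    {"name": "bigip-b", "version": "13.0.0", "cluster": "dc1-pair",
     "access_groups": ["partner-vpn"], "ltm_imported": True},
    {"name": "bigip-c", "version": "11.6.1", "cluster": None,
     "access_groups": ["corp-vpn"], "ltm_imported": False},
    {"name": "bigip-d", "version": "12.1.2", "cluster": None,
     "access_groups": ["corp-vpn", "partner-vpn"], "ltm_imported": True},
]

if __name__ == "__main__":
    for subject, problem in check_plan(PLAN):
        print(f"{subject}: {problem}")
```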

Adding a device to an Access group from the Devices tab

Before you add an APM® device, you must discover at least one device with the APM® service. You must also import the LTM® service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
  1. At the top of the screen, click Devices > BIG-IP Devices.
    The BIG-IP Devices screen displays.
  2. Click Add Device.
    The Add Device popup screen displays.
  3. Type an IP address.
  4. Type a user name.
  5. Type a password.
  6. From the Cluster Display Name list, select either a new DSC group or an existing DSC group.
  7. Click Add.