F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IQ Centralized Management
  4. Planning and Implementing an F5 BIG-IQ Centralized Management Deployment
  5. Planning and Implementing a Centralized Management Deployment
Manual Chapter : Planning and Implementing a Centralized Management Deployment

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Manual Chapter
Table of Contents | Next Chapter >>

Which type of centralized management solution do you want to deploy?

There are two license types for a centralized management solution, one for BIG-IQ device management and one for a data collection device (DCD).

BIG-IQ device management

F5® BIG-IQ® Centralized Management is a platform that you use as a tool to help you manage BIG-IP® devices and all of their services (such as LTM®, AFM®, ASM®, and so forth), from one location. BIG-IQ can manage up to 200 (physical, virtual, or vCMP®) BIG-IP devices and handle licensing for up to 5,000 unmanaged devices.

Using BIG-IQ helps you more efficiently manage your BIG-IP devices. That means you and your co-workers don't have to log in to individual BIG-IP systems to get your job done. Instead, you can discover, upgrade, deploy policy changes, manage licenses, and more, from just one place.

From BIG-IQ, you can manage a variety of tasks from software updates to health monitoring, and traffic to security. And because permissions for users are role-based, you can limit access to just a few trusted administrators to minimize downtime and potential security issues. You can also allow users to view or edit only those BIG-IP objects that they need to do their job.

Here's an example of how BIG-IQ can fit into a data center. This topology does not include any DCDs.

Centralized Management network topology

Data collection device

A data collection device (DCD) is a specially provisioned BIG-IQ system that you use to manage and store alerts, events, and statistical data from one or more BIG-IP systems. The next diagram illustrates a simplified example of how DCDs add to your BIG-IQ Centralized Management solution.

Centralized Management network topology with DCDs

What elements make up a centralized management solution?

An F5® BIG-IQ® Centralized Management solution can involve a number of different elements. The topology for these elements depends on your needs, and on whether you include data collection devices (DCDs) in your solution. A typical solution can include the following elements:
  • BIG-IQ system(s)
  • BIG-IP devices
  • Data collection devices (optional)
  • Remote storage devices

BIG-IQ Centralized Management system

Using BIG-IQ Centralized Management, you can centrally manage your BIG-IP® devices, performing operations such as backups, licensing, monitoring, and configuration management. And because access to each area of BIG-IQ is role-based, you can limit access to users, thus maximizing work flows while minimizing errors and potential security issues.

BIG-IP device

A BIG-IP device runs a number of licensed components that are designed around application availability, access control, and security solutions. These components run on top of F5® TMOS®. This custom operating system is an event-driven operating system designed specifically to inspect network and application traffic, and make real-time decisions based on the configurations you provide. The BIG-IP software runs on both hardware and virtualized environments.

Data collection device

A data collection device (DCD) is a specially provisioned BIG-IQ system that you use to manage and store alerts, events, and statistical data from one or more BIG-IP systems.

Configuration tasks on the BIG-IP system determine when and how alerts or events are triggered on the client. The alerts or events are sent to a data collection device in a BIG-IQ Centralized Management deployment, and the BIG-IQ system retrieves them for your analysis. When you opt to collect statistical data from the BIG-IP devices, the DCD periodically retrieves those statistics from your devices, and then processes and stores that data.

The group of data collection devices and BIG-IQ systems that work together to store and manage your data are referred to as the data collection cluster. The individual data collection devices are generally referred to as nodes.

Remote storage device

You need a remote storage device only when your deployment includes a data collection device (DCD) and you plan to store backups of your events, alerts, and statistical data for disaster recovery requirements. You also need remote storage so that you can retain this data when you upgrade your software.

Network requirements for a BIG-IQ Centralized Management deployment

Before you deploy a centralized management solution

Before you begin to deploy a BIG-IQ® system, you should complete these preparations.

  • Determine the deployment scenario that works best for your needs.
  • Create the interfaces, communications, and networks needed to support your deployment scenario.
  • Configure your network (including switches and firewalls) to permit BIG-IQ network traffic to flow based on the deployment scenario you choose.
  • Assemble the passwords, IP addresses, and licensing information needed for the BIG-IQ cluster components.

Planning for a centralized management deployment

To successfully deploy a BIG-IQ® Centralized Management solution, you might need to coordinate with several people in your company.

If you use BIG-IQ virtual editions, you might need to coordinate with the people who manage your virtual environment, so they can provision the virtual machines with the required amount of CPUs, memory, and network interfaces. Further, you’ll need to coordinate with the people who manage the storage for the virtual machines to make sure each virtual machine is provisioned with the necessary storage to support the BIG-IQ environment. You also might need to provide the virtual environment team a copy of the BIG-IQ virtual machine image (available from https://downloads.f5.com), depending on how they operate.

If you use BIG-IQ 7000 devices in your network, you need to coordinate with the people who manage the data center where the BIG-IQ devices are housed, to make arrangements for the devices to be racked, powered on, and connected to your network.

There are also several tasks to coordinate with your networking team:
  • IP address allocation for the BIG-IQ nodes, depending on your deployment model.
  • Creation of networks, VLANs, and so on, that are dependent on your deployment model.
  • Any routing configuration required to ensure that traffic passes between the BIG-IQ nodes and the BIG-IP® devices.
  • Additional networking configuration required to support the BIG-IQ system's operation.

Finally, you might need to coordinate with your network firewall administrators, depending on the network configuration at your company. The BIG-IQ software needs to communicate between BIG-IQ nodes and BIG-IP systems; and, if there are firewalls in the network path, firewall rules probably need to be configured to permit that traffic. For additional detail about required network ports and protocols, refer to Open ports required for BIG-IQ system deployment.

Determining the network configuration needed for your deployment

There are three common deployment scenarios for F5® BIG-IQ® Centralized Management. The scenario most appropriate for you depends on what you want to do.
Table 1. BIG-IQ deployment options
What functions does your deployment need to perform? Which hardware components and networks do you need? Which deployment type should you choose?
Manage and configure BIG-IP® devices. For example, take backups, license virtual editions, and configure local traffic and security policies. All you need is one or more BIG-IQ systems, and the BIG-IP devices you want to manage. This configuration uses a single management network. Simple device management and configuration
Manage and configure BIG-IP devices.

Collect and view Local Traffic, DNS, and Device statistical data from the BIG-IP devices.

Collect, manage, and view events and alerts from BIG-IP devices provisioned with the APM®, FPS, ASM® or IPsec components.

 You need one or more BIG-IQ systems, data collection devices, and an external storage device. This configuration requires a single management network and a data collection device (DCD) cluster network. Advanced device management and configuration incorporating DCDs
Manage and configure BIG-IP devices.

Collect and view Local Traffic, DNS, and Device statistical data from the BIG-IP devices.

Collect, manage, and view events and alerts from BIG-IP devices provisioned with the APM, FPS, ASM, or IPsec components.

Separate network traffic to support large, distributed deployments of the F5 BIG-IQ Centralized Management solution for improved performance, security, and interactions in multiple data center environments.

Or, for disaster recovery capability, you could operate multiple data centers, each with its own set of BIG-IQ systems. (For additional detail, refer to Managing Disaster Recovery Scenarios.) 		You need one or more BIG-IQ systems, data collection devices, and an external storage device. This configuration requires an internal network, a management network, and a DCD cluster network. Large-scale, distributed device management and configuration incorporating DCDs
Network environment for simple device management and configuration

To deploy a simple device management and configuration environment, all you need is one or more BIG-IQ® systems and the BIG-IP® devices that you want to manage. The number of BIG-IQ systems you need depends on how much redundancy your business requires. A second system provides high availability failover capability.

The simple management and configuration solution uses a single management network. The BIG-IQ system uses traffic on the management network to do these things:

  • Enable bidirectional traffic between the BIG-IQ systems and the BIG-IP devices.
  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use the management network to access the BIG-IQ system using SSH if you need to run manual commands.
Note: The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the F5 BIG-IQ Centralized Management: Data Collection Device Sizing Guide on support.f5.com for details.

This figure illustrates the network topology required for a simple management and configuration deployment.

Simple device management and configuration network topology

Use the space in the table to record the IP address for each device in the BIG-IQ deployment.

Device type Management IP address(es)
Primary BIG-IQ system  
Secondary BIG-IQ system  
BIG-IP devices  
Network environment for advanced device management and configuration incorporating DCDs

To deploy the advanced management and configuration environment, you need BIG-IQ® systems, data collection devices (DCDs), and an optional external storage device for backing up alert, event, and statistical data. This configuration needs a single management network and an elastic search cluster network.

Note: With the addition of the DCD cluster, you can manage alerts and events on your managed devices as well as monitor performance analytics.
Note: The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the F5 BIG-IQ Centralized Management: Data Collection Device Sizing Guide on support.f5.com for details.

The BIG-IQ system uses traffic on the management network to do these things:

  • Enable bidirectional traffic between the Big-IQ systems and the Big-IP devices.
  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use the management network to access the BIG-IQ system using SSH if you need to run manual commands.
The elastic search cluster network is used to replicate data to maintain the BIG-IQ Centralized Management cluster.
Note: It is best practice to isolate the traffic between BIG-IQ cluster nodes for performance and improved security.

This figure illustrates the network topology required for an advanced management and configuration deployment.

Advanced device management and configuration incorporating DCDs network topology

Use the space in the table to record the IP addresses for the devices in the BIG-IQ deployment.

Device type Management IP addresses Elastic search cluster IP addresses
Primary BIG-IQ system    
Secondary BIG-IQ system    
Data collection device management IP addresses    
BIG-IP devices    
Remote storage device    
Network environment for large-scale, distributed device management and configuration incorporating DCDs

To deploy a large-scale, distributed management and configuration environment, you need BIG-IQ® systems, data collection devices, and an optional external storage device for backing up alert, event, and statistical data. This configuration needs an internal network, a management network, and an elastic search cluster network.

The BIG-IQ system uses traffic on the management network to do these things:

  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use the management network to access the BIG-IQ system using SSH if you need to run manual commands.
The elastic search cluster network is used to provide communication between the BIG-IQ system and the DCD nodes, and to replicate data that maintains the BIG-IQ Centralized Management cluster.
Note: It is best practice to isolate the traffic between BIG-IQ cluster nodes for performance and improved security.

The internal network is used to route bidirectional traffic between the BIG-IQ Centralized Management cluster and the BIG-IP® devices.

Note: With the addition of the DCD cluster, you can manage alerts and events on your managed devices as well as monitor performance analytics.
Note: The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the F5 BIG-IQ Centralized Management: Data Collection Device Sizing Guide on support.f5.com for details.

This figure illustrates the network topology required for this deployment.

Large-scale, distributed device management and configuration incorporating DCDs

Use the space in the table to record the IP addresses for the devices in the BIG-IQ deployment.

Device type Management IP addresses Elastic search cluster network IP addresses Internal network IP addresses
Primary BIG-IQ system      
Secondary BIG-IQ system      
Data collection device management IP addresses      
BIG-IP devices      
Remote storage device      

Determine the resources required for deployment

The resources (CPUs, RAM, and disk space) required for your deployment vary depending on a number of factors.
  • Are you deploying a BIG-IQ system or a data collection device (DCD)?
  • If you are deploying a DCD, how much storage do you need?
  • How much performance do you need?
Note: When you first deploy the BIG-IQ software, there are two sizes (95 and 500 GB) you can choose. The larger footprint provides additional storage space when needed. If you choose the 500GB footprint, bear in mind that before you can use the extra disk space you must allocate it. Initially, only 95GB of the 500GB is allocated. Usually, the extra storage space is for DCDs. However, there are also situations in which BIG-IQ systems can use the extra space. For example, you might want to store a large number of UCS backups. Or, your business needs might require you to store multiple versions of the BIG-IQ software so you can upgrade back and forth between BIG-IQ versions.
Note: If you find you need to increase the disk space available to your BIG-IQ deployment, you can do so. Refer to K16103: Extending disk space on BIG-IQ Virtual Edition at support.f5.com/csp/article/K16103.
Table 2. BIG-IQ resource deployment requirements
Deployment type CPUs RAM Disk Space
BIG-IQ system 4 16 GB Generally, 95 GB.
For higher performance and scale 8 32 or 64 GB If extra space is needed, 500 GB
Data collection device 4 16 GB Initially: 500 GB.
For higher performance and scale: 8 32 or 64 GB VE disk space can be extended further as needed.
Important: CPU and RAM pairings other than those listed above have not been tested.
Note: Disk space requirements for a DCD depend on a number of factors. Refer to the F5 BIG-IQ Centralized Management: Disk Space Management Guide on support.f5.com for details.

Open ports required for BIG-IQ system deployment

The BIG-IQ® system and data collection device require bidirectional communication with the devices in your network to successfully manage them. The ports described in the table must be open to allow for this required two-way communication. You might have to contact a firewall or network administrator to verify that these ports are open, or to have them opened if they are not.

Table 3. Ports required for BIG-IQ deployment
Source IP Address Destination IP Address Destination Port Protocol Is port Configurable? Is the Protocol Configurable? Purpose Connection Origination
Management IP address or external self IP address of the BIG-IQ.

*See table note 1.

 Management IP address or self IP address of the BIG-IP device.

*See table note 1.

443 (SSL)

22 (SSH)

*See table note 4.

 TCP No No Device-level discovery, device configuration changes, and device operations (backup, licensing, and so on), health checking, and some statistics (for example, Access or ADC object status). From BIG-IQ to BIG-IP devices.
Management IP address or external self IP address of the BIG-IQ data collection device.

*See table notes 1 and 2.

 Management IP address or self IP address of the BIG-IP device.

*See table note 1.

 443 (SSL) TCP No No Statistics collection for Local Traffic, Device, and DNS objects. From BIG-IQ data collection devices to BIG-IP devices.
Management IP address or internal self IP address of the BIG-IQ.

*See table note 1.

 Management IP address or internal self IP address of the BIG-IQ.

*See table note 1.

 443 (SSL) TCP No No BIG-IQ cluster synchronization and cluster maintenance.

From the active BIG-IQ to the standby BIG-IQ.

From the BIG-IQ standby to the BIG-IQ active.
Management IP address or internal self IP address of the active BIG-IQ.

*See table note 1.

 Management IP address or internal self IP address of the standby BIG-IQ.

*See table note 1.

 27017 TCP No No BIG-IQ high availability cluster data replication.

From the active BIG-IQ to the standby BIG-IQ.

From the BIG-IQ standby to the BIG-IQ active.
Internal self IP address of the BIG-IQ and the data collection device.

*See table notes 1 and 2.

 Internal self IP address of the BIG-IQ and the data collection device.

*See table notes 1 and 3.

 9300 TCP Yes No Internal node-to-node communication to maintain data consistency and replication across clusters when data collection nodes are used. When you add a DCD to the cluster, this address is called the Data Collection IP Address, Full Mesh. That is, all BIG-IQ and data collection devices can originate a connection for this purpose.
Management IP address or self IP address of the BIG-IP device.

*See table note 1.

 Management IP address or self IP address of the BIG-IQ data collection device.

*See table notes 1 and 3.

 8514 TCP No No Logging profile communication for Web Application Security. This traffic uses the syslog protocol documented in RFC 5424. From BIG-IP devices to BIG-IQ data collection devices. When you have multiple data collection devices, you need to make sure data can pass to all devices in the cluster.
Management IP address or self IP address of the BIG-IP device.

*See table note 1.

 Management IP address or self IP address of the BIG-IQ data collection device.

*See table notes 1 and 3.

 8008 TCP No No Logging profile communication for Fraud Protection Service, this traffic uses the syslog protocol documented in RFC 5424. From BIG-IP devices to BIG-IQ data collection devices. When you have multiple data collection devices, you need to make sure data can pass to all devices in the cluster.
Management IP address or self IP address of the BIG-IP device. Management IP address or self IP address of the BIG-IQ data collection device.

*See table notes 1 and 3.

 9997 TCP No No For access to events; this traffic uses the syslog protocol documented in RFC 5424. From BIG-IP devices to BIG-IQ data collection devices. When you have multiple data collection devices, you need to make sure data can pass to all devices in the cluster.
Client IP address BIG-IQ Management IP address or self IP address for all BIG-IQ instances in the cluster.

443 (SSL)

22 (SSH)

 TCP No No For management access to BIG-IQ system interface or API (port 443) or shell access to BIG-IQ (port 22). From the client workstation to the BIG-IQ device.
Note: 1: Whether you use the management IP address or the self IP address depends on your network configuration.
Note: 2: For clusters with multiple data collection devices, traffic must be able to originate from any device in the cluster.
Note: 3: For clusters with multiple data collection devices, the destination can be any device in the cluster.
Note: 4: Port 22 (SSH) is required only for BIG-IP® versions 11.5.0 to 11.6.0
Note: 5: You can use the management address as the discovery address or for the Data Collection IP Address, but F5 recommends against it.

Passwords required for BIG-IQ system deployment

To install and configure a BIG-IQ® system or data collection device (DCD) cluster, you use the default passwords for all of the devices. For DCD clusters, if you intend to schedule regular snapshots of your logging data (as recommended), you need root access credentials for the machine on which you plan to store these snapshots.

Table 4. Passwords for data collection device cluster deployment
User Name Default Password Access Rights/Role
admin admin This user type can access all aspects of the BIG-IQ system from the system's user interface.
root default This user has access to all aspects of the BIG-IQ system from the system's console command line.

Licenses required for BIG-IQ system deployment

To install and configure a BIG-IQ system or data collection device cluster, you need a license for each device.

BIG-IQ Centralized Management Deployment

How do I deploy a BIG-IQ system?

To manage your BIG-IP® devices using BIG-IQ® Centralized Management, you deploy a BIG-IQ system and then configure it to meet your business needs.

To deploy a BIG-IQ system, you should:
  • Prepare your network environment
  • Deploy a BIG-IQ virtual machine or BIG-IQ 7000 Series platform
  • License and configure the BIG-IQ system
  • Deploy and configure a second BIG-IQ system for HA, if needed.

How do I license and do the basic setup to start using BIG-IQ?

After you download the software image from the F5 Downloads site and start BIG-IQ® in your virtual environment, you can license the system using the base registration key provided by F5. The base registration key is a character string the F5 license server uses to provide BIG-IQ a license to access the subscription licensing feature.

You license BIG-IQ in one of the following ways:

  • If the system has access to the Internet, you can have the BIG-IQ system contact the F5 license server and automatically activate the base registration key to get a license.
  • If the system is not connected to the Internet, you can manually license the BIG-IQ using the F5 license server web portal.
  • If the system is in a closed-circuit network (CCN) that does not allow you to export any encrypted information, you must open a case with F5 support at: support.f5.com/csp/my-support/home.

When licensing BIG-IQ, you:

  1. Activate the license.
  2. Accept the EULA.
  3. Specify the system personality as BIG-IQ Centralized Management.
  4. Specify a host name, and IP addresses for the management port, DNS server, and network time protocol (NTP) servers.
  5. Specify the master key pass phrase.
  6. Change the default admin and root passwords.

Automatic license and initial setup for a BIG-IQ

You must have a base registration key before you can license the BIG-IQ® system. If you do not have a base registration key, contact the F5 Networks sales group (f5.com).
If the BIG-IQ® system is connected to the public internet, you can follow these steps to automatically perform the license activation and perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing https://<management_IP_address> , where <management_IP_address> is the address you specified for device management.
  2. In the Base Registration Key field, type or paste the BIG-IQ registration key.
    Important: If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In the Add-On Keys field, paste any additional license key you have.
  4. To add another additional add-on key, click the + sign and paste the additional key in the new Add-On Keys field.
  5. For the Activation Method setting, select Automatic, and click the Activate button.
  6. Click Next.
    If you are setting up this device for the first time, the Accept User Legal Agreement screen opens.
  7. To accept the license agreement, click the Agree button.
  8. Click the Next button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  9. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    Important: You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a data collection device.
    The Management Address screen opens.
  10. In the Hostname field, type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  11. In the Management Port IP Address and Management Port Route fields, type the IP address for the management port IP address and route.
    Note: The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  12. Specify what you want the BIG-IQ to use for the Discovery Address.
    BIG-IQ advertises this address to other devices that want to communicate with it. For example BIG-IQ HA peers and DCD nodes communicate using their respective discovery addresses.
    • To use the management IP address, select Use Management Address.
    • To use the internal self IP address, select Self IP Address, and type the IP address.
      Important: If you are configuring a data collection device (DCD), F5 strongly recommends using the internal self IP address.
      Important: If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.
      Note: The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  13. Click the Next button at the bottom of the screen.
    The Services screen opens.
  14. In the DNS Lookup Servers field, type the IP address of your DNS server.
    You can click the Test Connection button to verify that BIG-IQ can reach that IP address.
  15. In the DNS Search Domains field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  16. In the Time Servers field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the Test Connection button to verify that BIG-IQ can reach the IP address.
  17. From the Time Zone list, select your local time zone.
  18. Click the Next button at the bottom of the screen.
    The Master Key screen opens.
  19. For the Passphrase, type a phrase that satisfies the requirements specified on screen, and then type the same phrase for Confirm Passphrase.
    Important: BIG-IQ uses the pass phrase to generate a Master Key. For High Availability and data collection device cluster configurations, this pass phrase must be the same on all related BIG-IP systems.
    • If this BIG-IQ is not part of an HA or DCD configuration, you can change the Master Key any time from the System > THIS DEVICE > General Properties screen.
    • If this BIG-IQ is part of an HA or DCD configuration, make sure you keep track of the pass phrase, because it cannot be recovered if you lose it.
  20. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  21. Click the Next button at the bottom of the screen.
    The screen Summary displays the details you just specified for this device configuration.
  22. If the details are as you intended, click Launch to continue; if you want to make corrections, use the Previous button to navigate back to the screen you want to change.

Manual license and initial setup for BIG-IQ

You must have a base registration key before you can license the BIG-IQ® system. If you do not have a base registration key, contact the F5 Networks sales group (f5.com).
If the BIG-IQ® system is not connected to the public internet, you can follow these steps to contact the F5 license web portal then perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing https://<management_IP_address> , where <management_IP_address> is the address you specified for device management.
  2. In the Base Registration Key field, type or paste the BIG-IQ registration key.
    Important: If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In the Add-On Keys field, paste any additional license key you have.
  4. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The BIG-IQ system refreshes and displays the dossier in the Device Dossier field.
  5. Select and copy the text displayed in the Device Dossier field.
  6. Click the Access F5 manual activation web portal link.
    The Activate F5 Product site opens.
  7. Into the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file, click the Choose File button and navigate to it.
    After a pause, the screen displays the license key text.
  8. Click Next.
    If you are setting up this device for the first time, the Accept User Legal Agreement screen opens.
  9. To accept the license agreement, select I have read and agree to the terms of this license, and click Next. button.
    The licensing server creates the license key text.
  10. Copy the license key.
  11. In the License Text field on BIG-IQ, paste the license text.
  12. Click the Activate License button.
  13. Click the Next button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  14. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    Important: You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a data collection device.
    The Management Address screen opens.
  15. In the Hostname field, type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  16. In the Management Port IP Address and Management Port Route fields, type the IP address for the management port IP address and route.
    Note: The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  17. Specify what you want the BIG-IQ to use for the Discovery Address.
    BIG-IQ advertises this address to other devices that want to communicate with it. For example BIG-IQ HA peers and DCD nodes communicate using their respective discovery addresses.
    • To use the management IP address, select Use Management Address.
    • To use the internal self IP address, select Self IP Address, and type the IP address.
      Important: If you are configuring a data collection device (DCD), F5 strongly recommends using the internal self IP address.
      Important: If you plan to manage both IPv4 and IPv6 devices, you must configure an additional interface. BIG-IQ does not manage both protocols on the same interface. You can use a self IP address for this. So if your deployment includes DCDs, your discovery address will use one internal self IP address and you will need to add a second self IP to facilitate discovery of both protocol types.
      Note: The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  18. Click the Next button at the bottom of the screen.
    The Services screen opens.
  19. In the DNS Lookup Servers field, type the IP address of your DNS server.
    You can click the Test Connection button to verify that BIG-IQ can reach that IP address.
  20. In the DNS Search Domains field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  21. In the Time Servers field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the Test Connection button to verify that BIG-IQ can reach the IP address.
  22. From the Time Zone list, select your local time zone.
  23. Click the Next button at the bottom of the screen.
    The Master Key screen opens.
  24. For the Passphrase, type a phrase that satisfies the requirements specified on screen, and then type the same phrase for Confirm Passphrase.
    Important: BIG-IQ uses the pass phrase to generate a Master Key. For High Availability and data collection device cluster configurations, this pass phrase must be the same on all related BIG-IP systems.
    • If this BIG-IQ is not part of an HA or DCD configuration, you can change the Master Key any time from the System > THIS DEVICE > General Properties screen.
    • If this BIG-IQ is part of an HA or DCD configuration, make sure you keep track of the pass phrase, because it cannot be recovered if you lose it.
  25. Click the Next button at the bottom of the screen.
    The Password screen opens.
  26. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  27. Click the Next button at the bottom of the screen.
    The screen Summary displays the details you just specified for this device configuration.
  28. If the details are as you intended, click Launch to continue; if you want to make corrections, use the Previous button to navigate back to the screen you want to change.

BIG-IQ Data Collection Device Deployment

How do I deploy a data collection device cluster?

To manage the data generated by BIG-IP® devices on BIG-IQ® Centralized Management, you deploy a network of devices called a data collection device (DCD) cluster, and then configure that cluster to meet your business needs.

To deploy a DCD cluster, you should:
  • Prepare your network environment.
  • Install the DCDs.
  • Discover and activate the DCDs.
  • Define an external location to store snapshots.
  • Enable data collection for the DCD cluster (or configure a BIG-IP system to send alerts or events to the cluster).
  • Configure the BIG-IQ console that manages the DCD cluster for HA, if needed.

Licensing and setting up a data collection device

The BIG-IQ® data collection device runs as a virtual machine in supported hypervisors, or on the BIG-IQ 7000 series platform. You license the data collection device using the base registration key you purchased. The base registration key is a character string that the F5 license server uses to provide access to data collection device features.

You license data collection device in one of the following ways:

  • If the system has access to the internet, you can have the data collection device contact the F5 license server and automatically activate the license.
  • If the system is not connected to the internet, you can manually retrieve the activation key from a system that is connected to the internet, and transfer it to the data collection device.
  • If your data collection device is in a closed-circuit network (CCN) that does not allow you to export any encrypted information, you must open a case with F5 support.

When you license the data collection device, you:

  • Specify a host name for the system.
  • Assign a management port IP address.
  • Specify the IP address of your DNS server and the name of the DNS search domain.
  • Specify the IP address of your Network Time Protocol (NTP) servers and select a time zone.
  • Change the administrator’s default admin and root passwords.
Automatic license and initial setup for a DCD
You must have a base registration key before you can license the BIG-IQ® system. If you do not have a base registration key, contact the F5 Networks sales group (f5.com).
If the data collection device (DCD) is connected to the public internet, you can follow these steps to automatically perform the license activation and perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing https://<management_IP_address> , where <management_IP_address> is the address you specified for device management.
  2. In the Base Registration Key field, type or paste the BIG-IQ registration key.
    Important: If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In the Add-On Keys field, paste any additional license key you have.
  4. To add another additional add-on key, click the + sign and paste the additional key in the new Add-On Keys field.
  5. For the Activation Method setting, select Automatic, and click the Activate button.
  6. Click Next.
    If you are setting up this device for the first time, the Accept User Legal Agreement screen opens.
  7. To accept the license agreement, click the Agree button.
  8. Click the Next button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  9. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    Important: You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a data collection device.
    The Management Address screen opens.
  10. In the Hostname field, type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  11. In the Management Port IP Address and Management Port Route fields, type the IP address for the management port IP address and route.
    Note: The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  12. Specify what you want the DCD to use for the Discovery Address.
    The DCD advertises this address to other devices that want to communicate with it. DCD nodes communicate using their respective discovery addresses.
    • To use the management IP address, select Use Management Address.
    • To use the internal self IP address, select Self IP Address, and type the IP address.
      Important: F5 strongly recommends using the internal self IP address as the Discovery Address for a DCD.
      Note: The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  13. Click the Next button at the bottom of the screen.
    The Services screen opens.
  14. In the DNS Lookup Servers field, type the IP address of your DNS server.
    You can click the Test Connection button to verify that BIG-IQ can reach that IP address.
  15. In the DNS Search Domains field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  16. In the Time Servers field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the Test Connection button to verify that BIG-IQ can reach the IP address.
  17. From the Time Zone list, select your local time zone.
  18. Click the Next button at the bottom of the screen.
    The Master Key screen opens.
  19. For the Passphrase, type a phrase that satisfies the requirements specified on screen, and then type the same phrase for Confirm Passphrase.
    Important: BIG-IQ uses the pass phrase to generate a Master Key. For High Availability and data collection device cluster configurations, this pass phrase must be the same on all related BIG-IP systems. Make sure you keep track of the pass phrase, because it cannot be recovered if you lose it
  20. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  21. Click the Next button at the bottom of the screen.
    The screen Summary displays the details you just specified for this device configuration.
  22. If the details are as you intended, click Launch to continue; if you want to make corrections, use the Previous button to navigate back to the screen you want to change.
Manual license and initial setup for a DCD
You must have a base registration key before you can license the BIG-IQ® system. If you do not have a base registration key, contact the F5 Networks sales group (f5.com).
If the BIG-IQ® system is not connected to the public internet, you can follow these steps to contact the F5 license web portal then perform the initial setup.
  1. Use a browser to log in to BIG-IQ by typing https://<management_IP_address> , where <management_IP_address> is the address you specified for device management.
  2. In the Base Registration Key field, type or paste the BIG-IQ registration key.
    Important: If you are setting up a data collection device, you have to use a registration key that supports a data collection device license.
  3. In the Add-On Keys field, paste any additional license key you have.
  4. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The BIG-IQ system refreshes and displays the dossier in the Device Dossier field.
  5. Select and copy the text displayed in the Device Dossier field.
  6. Click the Access F5 manual activation web portal link.
    The Activate F5 Product site opens.
  7. Into the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file, click the Choose File button and navigate to it.
    After a pause, the screen displays the license key text.
  8. Click Next.
    If you are setting up this device for the first time, the Accept User Legal Agreement screen opens.
  9. To accept the license agreement, select I have read and agree to the terms of this license, and click Next. button.
    The licensing server creates the license key text.
  10. Copy the license key.
  11. In the License Text field on BIG-IQ, paste the license text.
  12. Click the Activate License button.
  13. Click the Next button at the bottom of the screen.
    If your license supports both BIG-IQ Data Collection Device and BIG-IQ Central Management Console, the System Personality screen displays. Otherwise the Management Address screen opens.
  14. If you are prompted with the System Personality screen, select the option you're licensed for, and then click OK. If you are not prompted, proceed to the next step.
    Important: You cannot undo this choice. Once you license a device as a BIG-IQ Management Console, you can't change your mind and license it as a data collection device.
    The Management Address screen opens.
  15. In the Hostname field, type a fully-qualified domain name (FQDN) for the system.
    The FQDN can consist of letters and numbers, as well as the characters underscore ( _ ), dash ( - ), or period ( . ).
  16. In the Management Port IP Address and Management Port Route fields, type the IP address for the management port IP address and route.
    Note: The management port IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  17. Specify what you want the DCD to use for the Discovery Address.
    The DCD advertises this address to other devices that want to communicate with it. DCD nodes communicate using their respective discovery addresses.
    • To use the management IP address, select Use Management Address.
    • To use the internal self IP address, select Self IP Address, and type the IP address.
      Important: F5 strongly recommends using the internal self IP address as the Discovery Address for a DCD.
      Note: The self IP address must be in Classless Inter-Domain Routing (CIDR) format. For example: 10.10.10.10/24.
  18. Click the Next button at the bottom of the screen.
    The Services screen opens.
  19. In the DNS Lookup Servers field, type the IP address of your DNS server.
    You can click the Test Connection button to verify that BIG-IQ can reach that IP address.
  20. In the DNS Search Domains field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  21. In the Time Servers field, type the IP addresses of your Network Time Protocol (NTP) server.
    You can click the Test Connection button to verify that BIG-IQ can reach the IP address.
  22. From the Time Zone list, select your local time zone.
  23. Click the Next button at the bottom of the screen.
    The Master Key screen opens.
  24. For the Passphrase, type a phrase that satisfies the requirements specified on screen, and then type the same phrase for Confirm Passphrase.
    Important: BIG-IQ uses the pass phrase to generate a Master Key. For High Availability and data collection device cluster configurations, this pass phrase must be the same on all related BIG-IP systems.
    • If this BIG-IQ is not part of an HA or DCD configuration, you can change the Master Key any time from the System > THIS DEVICE > General Properties screen.
    • If this BIG-IQ is part of an HA or DCD configuration, make sure you keep track of the pass phrase, because it cannot be recovered if you lose it.
  25. Click the Next button at the bottom of the screen.
    The Password screen opens.
  26. In the Old Password fields, type the default admin and root passwords, and then type a new password in the Password and Confirm Password fields.
  27. Click the Next button at the bottom of the screen.
    The screen Summary displays the details you just specified for this device configuration.
  28. If the details are as you intended, click Launch to continue; if you want to make corrections, use the Previous button to navigate back to the screen you want to change.

Discover and activate a data collection device

Using BIG-IQ® Centralized Management, you can discover a data collection device (DCD) and add it to the Logging Group, where the BIG-IQ system can access its data. You can then receive data from multiple BIG-IP® systems. This unified view makes browsing easier, and provides a complete view of application alert or event activity and statistics data.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices .
    The BIG-IQ Data Collection Devices screen opens to list the data collection devices in the cluster.
  2. Click Add.
  3. On the New BIG-IQ Data Collection Device screen, specify the details for this DCD:
    1. In Discovery/Listener Address, type one of the self IP addresses for this DCD.
      The BIG-IQ system uses this address to discover the DCD. The DCD uses this address to listen for alerts from your managed devices.
    2. In Username, type the user name for an administrator on the data collection device (for example, admin).
    3. In Password, type the password for an administrator on the data collection device (for example, admin).
    4. In Data Collection IP Address, type one of the self IP addresses for this DCD.
      The DCD uses this address to exchange data and replicas with other DCDs in the cluster.
      Note: The DCD and BIG-IQ should both use the same VLAN.
    5. Note the Data Collection Port value (9300). This field displays the number of the port that DCDs in your cluster use for internal polling and communication with each other.
      You cannot change the port, but knowing the port number may be useful in resolving DCD communications issues.
    6. For Zone, either select the disaster recovery zone in which you want this DCD to reside, or use the default setting.
      • If your organization does not use disaster recovery zones, use default.
      • If disaster recovery zones have been created, select the zone for this device and click Update.
      • If you want to create a disaster recovery zone:
        • Select Create New. A new text box opens.
        • Type the name for the new zone in text box, and click Update.
      You set up the zones so that the BIG-IQ devices and DCDs in your cluster are distributed equitably for disaster recovery purposes.
      Important: When you change the setting for the Zone, the DCD cluster restarts. Data collection is interrupted until the service resumes.
    7. Click the Add button at the bottom of the screen to add the data collection device to the system.
      Note: This operation might take a minute or two.
  4. Repeat the preceding steps for each data collection device you want to configure.
  5. To activate the services you want to monitor on each DCD, on the BIG-IQ Data Collection Devices screen, in the Services column, click Add Services.
    The Services screen for the data collection device opens.
  6. For the service you want to add, confirm that the Listener Address specifies the correct self IP address on the data collection device, and then click Activate.
    When the service is successfully added, the Service Status changes to Active.
  7. Click Save & Close.
After it has been discovered and activated, this data collection device collects the data generated by the configured BIG-IP systems. Thus, BIG-IQ provides a single view of all alert or event entries and statistics data.
Important: The Total Document Count is not a report of the number of alerts or events sent to the data collection device. Instead, it is a sum of various document types sent to the data collection device. Events and alerts are included in this list, but this total includes other document types as well.

Deciding whether to configure log indices

The Indices settings specify the physical characteristics of how the data collection device manages your data. The DCD stores data coming in from BIG-IP® devices in a data index. As data is received, it accumulates in the current index. When the accumulated data reaches the rotation threshold that you set, four things happen.
  • A new current index is created.
  • BIG-IP data begins accumulating in the new index.
  • The former current index becomes one of the retained indices.
  • If the total number of indexes is now larger than the retained index count, the oldest one is dropped.
When you set up index rotation, you determine what triggers the rotation threshold.
Important: The ideal configuration for log indices depends on the flow of data your devices send to the DCD. The default settings are designed to satisfy most user scenarios, but you might want to explore the settings for the data types that you plan to send to the DCD, to make sure that those settings meet your needs.
Modify alert log indices for Access
Before you can configure the indices for a data collection device, you must activate services for the components that you want to collect data for.
You can modify the event log indices if you decide to optimize the index rotation that triggers the rotation threshold for your log data.
Important: The ideal log indices configuration depends on the flow of data your devices send to the DCD. Use the rotation type that best suits your business needs.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > Logging Data Collection .
    The Logging Data Collection Settings screen opens.
  3. For Access Policy (APM), click the Configure button.
    The Access Indices screen opens.
  4. Perform the next two steps for each section on this screen.
    Important: To avoid a mismatch in the reports generated from your logging data, use the same indices values for the access-event-logs and access stats.
  5. Specify the Rotation Type.
    • To chunk your data based on the amount of data:
      1. Select Size Based.
      2. For the Max Index Size, type the size of the indexes you want to create.
      Note: For example, if you type 1000, when the current index size reaches 1 GB, it becomes a retained index. New data from your BIG-IP system begins accumulating in a new current index. If your Retained Index Count is set to 10, then the maximum disk space used by these indexes will be approximately 10 GB.
    • To chunk your data based on time increments:
      1. Select Time Based.
      2. For the Rotation Period, specify a time unit, and type the number of units you want to comprise indexes you want to create.
      Note: For example, if you type .5 and select Hours, a new index is created every half hour. If your Retained Index Count is set to 10, then each retained index will contain approximately 5 hours of data.
  6. For the Retained Index Count, type the total number of indices you want to store on the DCD.
    This setting determines the maximum amount of data stored on the DCD. When this limit is reached, the oldest data is truncated or discarded. For example, if you select Time Based rotation and your data accumulates to 1 GB during each rotation period, then if you set the number of indices to 10, you must have 10 GB of storage available on your DCD.
  7. Click Save & Close to save the indices configuration settings.
Modify alert log indices for Web Application Security
Before you can configure the indices for a data collection device, you must activate the services for the components that you want to collect data for.
You can modify the event log indices if you decide to optimize the index rotation that triggers the rotation threshold for your log data.
Important: The ideal log indices configuration depends on the flow of data your devices send to the DCD. Use the rotation type that best suits your business needs.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > Logging Data Collection .
    The Logging Data Collection Settings screen opens.
  3. For Web Application Security (ASM), click the Configure button.
    The ASM Indices screen opens.
  4. Specify the Rotation Type.
    • To chunk your data based on the amount of data:
      1. Select Size Based.
      2. For the Max Index Size, type the size of the indexes you want to create.
      Note: For example, if you type 1000, when the current index size reaches 1 GB, it becomes a retained index. New data from your BIG-IP system begins accumulating in a new current index. If your Retained Index Count is set to 10, then the maximum disk space used by these indexes will be approximately 10 GB.
    • To chunk your data based on time increments:
      1. Select Time Based.
      2. For the Rotation Period, specify a time unit, and type the number of units you want to comprise indexes you want to create.
      Note: For example, if you type .5 and select Hours, a new index is created every half hour. If your Retained Index Count is set to 10, then each retained index will contain approximately 5 hours of data.
  5. For the Retained Index Count, type the total number of indices you want to store on the DCD.
    This setting determines the maximum amount of data stored on the DCD. When this limit is reached, the oldest data is truncated or discarded. For example, if you select Time Based rotation and your data accumulates to 1 GB during each rotation period, then if you set the number of indices to 10, you must have 10 GB of storage available on your DCD.
  6. Click Save & Close to save the indices configuration settings.
Modify event log indices for FPS
Before you can configure the indices for a data collection device, you must activate services for the components that you want to collect data for.
You can modify the event log indices if you decide to optimize the index rotation that triggers the rotation threshold for your log data.
Important: The ideal log indices configuration depends on the flow of data your devices send to the DCD. Use the rotation type that best suits your business needs.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > Logging Data Collection .
    The Logging Data Collection Settings screen opens.
  3. For Fraud Protection (FPS), click the Configure button.
    The FPS Indices screen opens.
  4. Specify the Rotation Type.
    • To chunk your data based on the amount of data:
      1. Select Size Based.
      2. For the Max Index Size, type the size of the indexes you want to create.
      Note: For example, if you type 1000, when the current index size reaches 1 GB, it becomes a retained index. New data from your BIG-IP system begins accumulating in a new current index. If your Retained Index Count is set to 10, then the maximum disk space used by these indexes will be approximately 10 GB.
    • To chunk your data based on time increments:
      1. Select Time Based.
      2. For the Rotation Period, specify a time unit, and type the number of units you want to comprise indexes you want to create.
      Note: For example, if you type .5 and select Hours, a new index is created every half hour. If your Retained Index Count is set to 10, then each retained index will contain approximately 5 hours of data.
  5. For the Retained Index Count, type the total number of indices you want to store on the DCD.
    This setting determines the maximum amount of data stored on the DCD. When this limit is reached, the oldest data is truncated or discarded. For example, if you select Time Based rotation and your data accumulates to 1 GB during each rotation period, then if you set the number of indices to 10, you must have 10 GB of storage available on your DCD.
  6. Click Save & Close to save the indices configuration settings.
Modify alert log indices for IPsec
Before you can configure the indices for a data collection device, you must activate services for the components that you want to collect data for.
You can modify the event log indices if you decide to optimize the index rotation that triggers the rotation threshold for your log data.
Important: The ideal log indices configuration depends on the flow of data your devices send to the DCD. Use the rotation type that best suits your business needs.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > Logging Data Collection .
    The Logging Data Collection Settings screen opens.
  3. For IPsec, click the Configure button.
    The IPsec Indices screen opens.
  4. Specify the Rotation Type.
    • To chunk your data based on the amount of data:
      1. Select Size Based.
      2. For the Max Index Size, type the size of the indexes you want to create.
      Note: For example, if you type 1000, when the current index size reaches 1 GB, it becomes a retained index. New data from your BIG-IP system begins accumulating in a new current index. If your Retained Index Count is set to 10, then the maximum disk space used by these indexes will be approximately 10 GB.
    • To chunk your data based on time increments:
      1. Select Time Based.
      2. For the Rotation Period, specify a time unit, and type the number of units you want to comprise indexes you want to create.
      Note: For example, if you type .5 and select Hours, a new index is created every half hour. If your Retained Index Count is set to 10, then each retained index will contain approximately 5 hours of data.
  5. For the Retained Index Count, type the total number of indices you want to store on the DCD.
    This setting determines the maximum amount of data stored on the DCD. When this limit is reached, the oldest data is truncated or discarded. For example, if you select Time Based rotation and your data accumulates to 1 GB during each rotation period, then if you set the number of indices to 10, you must have 10 GB of storage available on your DCD.
  6. Click Save & Close to save the indices configuration settings.

Manage the retention policy for your statistics data

Before you can set the statistics retention policy, you must have added a data collection device.
You can manage the settings that determine how your statistics data is retained. The highest quality data is the raw data, (data that has not been averaged), but that consumes a lot of disk space, so you need to consider your needs in choosing your data retention settings. When you choose how much raw data to retain, you need to consider how much disk space you have available. The controls on this screen are simple to set up, but understanding how they work takes a bit of explanation.
The fields on the Statistics Retention Policy screen all work in similar fashion. One way to understand how these fields work is to think of your data storage space as a set of containers. The values you specify on this screen determine how much storage space each container consumes. Because data is saved for the time periods you specify, the longer the time period that you specify, the more space you consume. The disk storage that is consumed depends on several factors.
  • The number of BIG-IP® devices you manage
  • The number of objects on the BIG-IP devices you manage (for example, virtual servers, pools, pool members, and iRules®)
  • The frequency of statistics collection
  • The data retention policy
  • The data replication policy
There are three key concepts to understand about how the retention policy works.
How long is data in each container retained? Data is retained in each container for the time period you specify. When the specified level is reached, the oldest chunk of data is deleted. For example, if you specify a raw data value of 48 hours, then when 48 hours of raw data accumulate, the next hour of incoming raw data causes the oldest hour to be deleted.
When does data from one container pass on to the next? Data passes from one container to the next in increments that are the size of the next (larger) container. That is, every 60 minutes, the last 60 minutes of raw data is aggregated into a data set and passed to the Hour(s) container. Every 24 hours, the last 24 hours of hourly data is aggregated into a data set and passed to the Day(s) container, and so on for the Month(s) container.
What about limits? Limit Max Storage to specifies the percentage of total disk space that you want data to consume on the data collection devices in your cluster.

If more disk space is consumed than the percentage you specified, BIG-IQ takes two actions:

  1. New statistical data is not accepted until the available disk space complies with the Limit max storage to setting.
  2. Statistical data not required to calculate the next higher time layer is removed (for example, you need 60 minutes of raw data to aggregate to the Hours level). Data is removed starting with the raw data container, then the hourly data container, then the daily time container. This process stops when storage consumption is below the Limit max storage to setting.
The BIG-IQ takes this action to prevent data corruption when storage is completely exhausted.
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > Statistics Data Collection .
    The Statistics Collection Status screen displays the percentage of available disk space currently consumed by statistics data for each container.
  3. To change the retention settings for your statistics data, click Configure.
    The Statistics Retention Policy screen opens.
  4. In the Keep real-time (raw) data up to field, type the number of hours of raw data to retain.
    You must specify a minimum of 1 hour, so that there is sufficient data to average and create a data point for the Keep hourly data up to container.
  5. In the Keep hourly data up to field, type the number of hourly data points to retain.
    You must specify a minimum of 24 hours, so that there is sufficient data to average and create a data point for the Keep daily data up to container.
  6. In the Keep daily data up to field, type the number of daily data points to retain.
    You must specify a minimum of 31 days, so that there is sufficient data to average and create a data point for the Keep monthly data up to container.
  7. In the Keep monthly data up to field, type the number of monthly data points to retain.
    Once the specified number of months passes, the oldest monthly data set is deleted.
  8. In the Limit max storage to field, type the percentage of disk space that you want collected data to consume before the oldest monthly data set is deleted.
  9. Expand Advanced Settings, and then select the Enable Replicas check box.
    Replicas are copies of a data set that are available to the DCD cluster when one or more devices within that cluster become unavailable. By default, data replication for statistics is not enabled. Disabling replication reduces the amount of disk space required for data retention. However, this provides no protection from data corruption that can occur when you remove a data collection device. You should enable replicas to provide this protection.
  10. When you are satisfied with the values specified for data retention, click Save & Close.

Configure secure communications for data collection device

You need a signed SSL certificate before you can configure HTTPS communications to a data collection device.
If you want to secure the communications between the BIG-IP® devices and your data collection device cluster using SSL encryption, you must provide a signed SSL certificate to the BIG-IP devices and F5® BIG-IQ® Centralized Management systems. You do this by configuring both the BIG-IP device and the data collection device.
Note: The BIG-IP device that generates Fraud Protection Service alerts must be configured to send its alerts to the data collection device (DCD). This process is documented in a separate guide. The guide F5 Fraud Protection Service: Configuration, Version 13.0 provides complete setup instructions for using FPS on a BIG-IP system. Complete the standard setup as documented in the guide, except when you configure the alert server pool, add your DCDs to an alerts pool using their internal self IP addresses.
  1. Use SSH to log in to the data collection device.
  2. Replace the content of the /etc/httpd/conf/ssl.crt/ directory on the data collection device with your signed SSL certificate.
  3. Replace the content of the /etc/httpd/conf/ssl.key/ directory on the data collection device with your signed SSL key.
  4. To apply these changes to the data collection device, type: bigstart restart webd and then press Enter.
  5. Log out of the data collection device.

Add a proxy for secure communication

Before you can perform this task, you must be logged in as Admin, and you must have configured a proxy server that your data collection device cluster can access.

As a security precaution, you may want to configure a proxy to route communications. For example you might use it to route your forwarded alerts or download alert rules from the security operations center. Or you might want to use a proxy to avoid exposing the BIG-IQ® device when you download ASM® signature files.
Important: To use a proxy for Fraud Protection Service, you must configure a proxy on each device (each data collection device and both the primary and the secondary BIG-IQ devices) in the cluster. The proxy names you specify for each node in the cluster must match exactly, but the IP address and port number for the proxy can be different from device to device.
  1. At the top of the screen, click System.
  2. On the left, click PROXIES.
  3. On the Proxies screen, click Add.
  4. If you are configuring an HA peer group, from Device, select the primary BIG-IQ system.
  5. For Name, type a name for the proxy you want to use.
    Important: The proxy name must match across all devices in the cluster. The proxy addresses and port can vary.
  6. For Address, type the IP address of the proxy server.
  7. For Port, type the port that you want the proxy server to use.
  8. If the proxy server requires authentication, type the User Name and Password for the proxy.
  9. To add another proxy, click the plus sign in the upper right hand corner, and then repeat the preceding 4 steps.
  10. If your network configuration includes an HA peer, repeat steps 3 - 9, but this time, in step 4, select the HA secondary system.
    Note: The proxy name for the HA secondary must match the name used for the primary. The proxy addresses and port can vary.
  11. Click Save & Close
You need to add a proxy for each data collection device in the cluster.
Note: Remember, the proxy name must match across all devices in the cluster. The proxy addresses and port can vary.

Define external storage snapshots location

Before you configure the external snapshot storage location, collect the following information for the machine that will store your data collection device (DCD) snapshots:
  • IP address for the storage machine
  • Storage file path
  • User name, password, and (optionally) domain for the user account configured on the external storage device
  • Read/Write permissions for the storage file path
You need snapshots to perform software upgrades and to restore your old data.
Note: Creating external storage so you can create snapshots is an optional task. However, F5 strongly recommends that you create snapshots to safeguard your data.

If you set up external storage for this logging node cluster in 5.1.and plan to retain that setup after you upgrade, continue setting up the external storage location. When you create DCD snapshots, they need to be stored on a machine other than the DCD. You define the location for the snapshot using the BIG-IQ® Centralized Management device.

  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > External Storage & Snapshots > .
    The External Storage & Snapshots screen opens.
  3. For External Storage, click Configure.
    The External Storage popup screen opens.
  4. In the User name and Password fields, type the user name and password for the user account configured on the external storage device.
  5. For the Domain, you can type the domain name for the user account configured on the external storage device.
  6. For the Storage Path, type the path to the external storage location.
    You can specify the device using the IP address or the host name. Additionally, you need to specify the path to the folder on the external storage device. For example:
    //<storage machine ip-address>/<storage-file-path>
    Note: Remember, the folder you specify must have full read, write, and execute permissions.
  7. To test the settings just specified, click Test.
    A message displays to tell you whether the test completes successfully. If it does not, correct the settings and permissions.
  8. When the external storage is specified successfully, click Save.
The storage location is accessible to the all of the devices in the DCD cluster.

Define snapshot schedules

Before you define snapshot schedules, you must have defined the snapshot storage location.
Snapshots of the data sent to your data collection devices are an essential safeguard for your data. If the machine that stores the data fails, the data can be restored using these snapshots. These snapshots are created based on the snapshot schedules you define. F5 recommends that you schedule snapshots at least every 6 hours, and retain at least 4 snapshots.
Note: You perform this task on the BIG-IQ® Centralized Management device; not on the data collection device (DCD).
  1. At the top of the screen, click System, and then, on the left, click BIG-IQ DATA COLLECTION and select BIG-IQ Data Collection Cluster.
    • Under Summary, you can view information detailing how much data is stored, as well as how the data is stored.
    • Under Configuration, you can access the screens that control DCD cluster performance.
  2. On the left, click Configuration > External Storage & Snapshots > .
    The External Storage & Snapshots screen opens.
  3. To view the list of snapshot schedules for this device, for Snapshot Schedules click the View Schedules button.
    The BIG-IQ Data Collection Snapshot Schedules screen opens.
  4. To define a new snapshot schedule for this device, click , click Create.
    The New Logging Snapshot Schedules screen opens.
  5. For the Snapshot Name Prefix, type the string that you want to use to identify the snapshots created by this schedule.
    For example snapshot_.
  6. In Snapshots to Keep, specify the number of snapshots that you want to accumulate before they are deleted for space constraints.
    For example, if you specify 25, then the system retains a maximum of 25 snapshots before it starts to delete older snapshots as new snapshots are created. You can save up to 100.
  7. Define how you want the snapshots scheduled.
    Option Description
    Schedule the interval at which you want to create snapshots:

    You schedule the system to take snapshots indefinitely. Snapshots are created at the frequency you specify.

    1. Select Repeat Interval.
    2. Specify the Snapshot Frequency.
    3. Select a time increment.

    For example, if you set the frequency to 6 and Hours, the first DCD snapshot is taken immediately (on Save). Subsequent snapshots are taken every 6 hours.
    Schedule specific days on which you want to create snapshots:

    You schedule the system to take snapshots on specific days.

    1. Select Days of the Week.
    2. For the Days of the Week setting, select the days on which you want backups to occur.
    3. For the Start Date, select the time (date, hour, minute, and AM or PM) on which you want backups to start.
  8. Click Save & Close to save the new schedule.

Overview of configuring the data collection device to BIG-IP device connection

The workflow to configure data to route from the BIG-IP® devices to your data collection device (DCD) cluster depends on the type of data you want to collect.

  • To collect statistics data, refer to Discover and activate a data collection device.
  • To collect Access Policy Manager® data, refer to Configuring remote logging for Access Policy Manager.
  • To collect Fraud Protection Services data, refer to Configuring BIG-IP FPS devices to route alerts to a data collection device.
  • To collect Web Application Security data, refer to:
    • Configuring the BIG-IP logging profile
    • Virtual servers that remote logging uses to route event logs
    • Assigning the logging profile to a virtual server
    .
Configure remote logging for Access Policy Manager
BIG-IP® devices that you configure for remote logging send Access reporting and SWG log report data to the BIG-IQ® data collection device for storage and management.
  1. At the top left of the screen, click Monitoring > DASHBOARDS > Access .
  2. Click Remote Logging Configuration.
    The Remote Logging Configuration screen opens to display all of the discovered BIG-IP devices that are provisioned with the Access service.
  3. Select the BIG-IP devices for which you want to enable remote logging, and then click Configure.
    The hostname of the primary data collection device is displayed, and the status changes to let you know whether the enable request was successful.
Configuring BIG-IP FPS devices to route alerts to a data collection device

The BIG-IP® device that generates Fraud Protection Service alerts must be configured to send its alerts to the data collection device (DCD). This process is documented in a separate guide. The guide F5® Fraud Protection Service: Configuration, Version 13.0 provides complete setup instructions for using FPS on a BIG-IP® system. Complete the standard setup as documented in the guide, except when you configure the alert server pool, add your DCDs to an alerts pool using their internal self IP addresses.

Note: Although DCDs use their own version of load balancing to level the data stored on each node, it is best practice to configure the BIG-IP pool members with a load balancing method that ensures smooth traffic flow to the DCDs. The load balancing method you configure should:
  • Distribute traffic between the nodes.
  • Ensure that, if a DCD goes offline, the BIG-IP device must still be able send traffic to the available DCDs without dropping alerts.

The default port to specify is 8008, but you can use a different port if your DCD is configured for it. To ensure that alerts are received even if one DCD goes down, specify at least one alternative DCD.

Configure the BIG-IP logging profile
For Web Application Security users, this is the first of three tasks required to route the BIG-IP® event logs to a BIG-IQ® data collection device. You configure the BIG-IP system by creating a logging profile and assigning the logging profile to a virtual server, and then deploying it to the BIG-IP system. The logging profile defines the content of the events, and identifies the data collection device to which the events are sent.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Shared Security > Logging Profiles .
    The Logging Profiles screen opens to display the logging profiles that have been configured on this device.
  3. On the Logging Profiles screen, click Create.
    The New Logging Profile screen opens, showing the Properties information.
  4. On the Properties screen, edit as appropriate:
    1. In the Name field, type a unique name for this new profile. This field is required.
    2. For the Description, you can specify an optional description for the logging profile.
    3. For the Partition, you can specify the partition to which the logging profile belongs. Only users with access to a partition can view the objects (such as the logging profile) that it contains. If the logging profile resides in the Common partition, all users can access it. Although this field is pre-populated with Common by default, you can set the partition when creating logging profiles by typing a unique name for the partition.
      Note: The partition with the name you specify must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
    4. To specify the devices to which you want to deploy this logging profile, select the devices in the Available list, and click the right arrow to add them to the Selected list.
  5. On the left, click Application Security, and then select the Enabled check box.
    The screen displays the Application Security settings.
    1. Select the Remote Storage Enabled check box.
      The screen displays additional settings, and the Local Storage option becomes active.
    2. Clear the Local Storage check box.
    3. Specify the appropriate Logging Format.
      • If the BIG-IP device runs version 12.0 or later, select BIG-IQ.
      • If the BIG-IP device runs a version earlier than 12.0, select Comma-Separated Values. Several new settings appear.
        • For Storage Format, select User Defined.
        • In the Selected field, paste the following text: 
          unit_hostname="%unit_hostname%",management_ip_address="%management_ip_address%",
http_class_name="%http_class_name%",web_application_name="%http_class_name%",policy_name="%policy_name%",
policy_apply_date="%policy_apply_date%",violations="%violations%",support_id="%support_id%",
request_status="%request_status%",response_code="%response_code%",ip_client="%ip_client%",
route_domain="%route_domain%",method="%method%",protocol="%protocol%",query_string="%query_string%",
x_forwarded_for_header_value="%x_forwarded_for_header_value%",sig_ids="%sig_ids%",sig_names="%sig_names%",
date_time="%date_time%",severity="%severity%",attack_type="%attack_type%",geo_location="%geo_location%",
ip_address_intelligence="%ip_address_intelligence%",username="%username%",session_id="%session_id%",
src_port="%src_port%",dest_port="%dest_port%",dest_ip="%dest_ip%",sub_violations="%sub_violations%",
virus_name="%virus_name%",uri="%uri%",request="%request%",violation_details="%violation_details%",
header="%headers%",response="%response%
          Note: The line breaks in the example above were necessary due to screen width; remove all of them after you paste this data. It must be a single string with no white space.
    4. For Protocol, select TCP.
    5. For the Server Addresses settings, specify the address you want to use:
      1. In the IP Address field, type the data collection node's management IP address.
      2. Specify the port to use for your data.
        • If you are setting up a logging profile for Web Application Security, type 8514 in the Port field.
        • If you are setting up a logging profile for Fraud Protection Service, type 8008 in the Port field.
      3. Click the Add button to add the address and port to the list of servers.
    6. For the Maximum Entry Length, select 64k.
    7. In the Storage Filter area, from the Request Type list, select All requests.
  6. If you want to specify Protocol Security options, on the left click Protocol Security, then select the Enabled check box: the Protocol Security settings display. Edit as appropriate.
  7. If you want to specify Network Firewall options, on the left click Network Firewall, then select the Enabled check box: the Network Firewall settings display. Edit as appropriate.
  8. If you want to specify Network Address Translation options, on the left click Network Address Translation, then select the Enabled check box: the Network Address Translation settings display. Edit as appropriate.
  9. If you want to specify DoS Protection options, on the left click DoS Protection, then select the Enabled check box: the DoS Protection settings display. Edit as appropriate.
  10. Click Save & Close to save the new profile.
The new logging profile is added to the list of profiles defined on this device.
Before you can begin using this profile, you must assign it to a virtual server and then deploy the virtual server to the BIG-IP device.
Virtual servers that remote logging uses to route alert or event logs

You can either create a new virtual server on the BIG-IP® device that creates the alert or event, or you can use a virtual server that already exists on that device.

Creating a virtual server for remote logging
If the device for which you are configuring remote logging does not have a virtual server, you need to create one.
  1. At the top of the screen, click Configuration.
  2. On the left, expand LOCAL TRAFFIC.
  3. Under LOCAL TRAFFIC, select Virtual Servers.
    The screen displays a list of virtual servers defined on this device.
  4. Click Create.
    The Virtual Servers - New Item screen opens.
  5. In the Name field, type in a name for the virtual server you are creating.
  6. From the Device list, select the device on which to create the virtual server.
  7. In the Description field, type in a brief description for the virtual server you are creating.
  8. For the Destination Address, type the IP address of the destination you want to add to the Destination list.

    The format for an IPv4 address is I<a>.I<b>.I<c>.I<d>. For example, 172.16.254.1.

    The format for an IPv6 address is I<a>:I<b>:I<c>:I<d>:I<e>:I<f>:I<g>:I<h>..

    For example, 2001:db8:85a3:8d3:1319:8a2e:370:7348.
  9. In the Service Port field, type a service port number, or select a type from the list.
    When you select a type from the list, the value in the Service Port field changes to reflect the associated default, which you can change.
  10. Click Save.
    The system creates the new virtual server with the settings you specified.
  11. Click Save to save the assignment. Or, click Save & Close to save the assignment and return to the Virtual Servers screen.
A virtual server that can be used to route alert or event data to the logging node is created for the BIG-IP® device.
Before the BIG-IP device can actually use this new virtual server, you must deploy it to the device.
Assign the logging profile to a virtual server
After configuring a logging profile on the BIG-IQ® system, you must assign it to a virtual server and deploy it to the BIG-IP® device from which you want to collect event logs.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Shared Security > Virtual Servers .
    The screen displays a list of virtual servers that are configured with devices that have been provisioned and discovered.
  3. On the Virtual Servers screen, click the name of the virtual server you want to use.
    The Virtual Servers - Properties screen opens.
  4. From the Log Profiles list, under Available, click a logging profile and move it to the Selected list.
  5. Click Save & Close to save the assignment and return to the Virtual Servers screen.
The virtual server is now associated with the logging profile.
Before the BIG-IP system(s) can start sending alert or event logs to the data collection device, you must deploy the changes you just made to the BIG-IP device.

Data collection device sizing guidelines

The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the F5 BIG-IQ Centralized Management: Data Collection Device Sizing Guide on support.f5.com for details.

Table of Contents | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information