Manual Chapter : Adding BIG-IP Devices to Manage

Applies To:

BIG-IQ Centralized Management

  • 5.0.0

How do I start managing BIG-IP devices from BIG-IQ?

To start managing a BIG-IP® device, you must add it to the BIG-IP Devices inventory list on the BIG-IQ® system.

Adding a device to the BIG-IP Devices inventory is a two-stage process.

Stage 1:

  • You enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).
  • BIG-IQ opens communication (establishes trust) with the BIG-IP device.
  • BIG-IQ discovers the current configuration of any services you selected that are licensed on the BIG-IP system, such as LTM® (optional).

Stage 2:

  • BIG-IQ imports the licensed services configuration you selected in stage 1 (optional).

Note: If you only want to do basic management tasks (like software upgrades, license management, and UCS backups) for a BIG-IP device, you do not have to discover and import service configurations.

Adding devices to the BIG-IQ inventory

Before you can add BIG-IP® devices to the BIG-IQ® inventory:

  • The BIG-IP device must be located in your network.
  • The BIG-IP device must be running a compatible software version. Refer to https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html for more information.
  • Ports 22 and 443 must be open to the BIG-IQ management address, or any alternative IP address used to add the BIG-IP device to the BIG-IQ inventory. These ports and the management IP address are open by default on BIG-IQ.

If you are running BIG-IP version 11.5.1 up to version 11.6.0, you might need root user credentials to successfully discover and add the device to the BIG-IP devices inventory. Root user credentials are not required for BIG-IP devices running 11.5.0 - 11.5.1 and 11.6.0 - 12.x.

Note: A BIG-IP device running versions 10.2.0 - 11.4.1 is considered a legacy device and cannot be discovered from BIG-IQ version 5.0. If you were managing a legacy device in a previous version of BIG-IQ and upgraded to version 5.0, the legacy device displays as impaired, with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to 11.5.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
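
The prerequisites above can be checked before you open the Add Device screen. The following is an added example, not F5 code: the function names are hypothetical, and it assumes you run it from a host on the same network path as the BIG-IQ management address. A "discoverable" result only means the version is outside the legacy range; the compatibility article linked above remains authoritative.

```python
import socket
import sys

# Values taken from the page's prerequisites for BIG-IQ 5.0.
LEGACY_MIN, LEGACY_MAX = (10, 2, 0), (11, 4, 1)  # legacy: cannot be discovered
MIN_MANAGEABLE = (11, 5, 0)                      # upgrade target for legacy devices
REQUIRED_PORTS = (22, 443)                       # must be open to BIG-IQ

def parse_version(text):
    """Turn '11.5.1' (or '11.5.1.0') into (11, 5, 1); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def classify_version(text):
    """Return 'legacy', 'discoverable', or 'not-covered' (page is silent)."""
    v = parse_version(text)
    if LEGACY_MIN <= v <= LEGACY_MAX:
        return "legacy"
    if v >= MIN_MANAGEABLE:
        return "discoverable"
    return "not-covered"

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(host, version, ports=REQUIRED_PORTS, timeout=3.0):
    """Return a list of blocking findings; an empty list means ready to add."""
    findings = []
    status = classify_version(version)
    if status == "legacy":
        findings.append(f"{version} is a legacy version: upgrade to 11.5.0 or later")
    elif status == "not-covered":
        findings.append(f"{version} is outside the ranges the page describes")
    for port in ports:
        if not port_open(host, port, timeout):
            findings.append(f"TCP {port} on {host} is not reachable from this host")
    return findings

if __name__ == "__main__":
    # Constructed defaults: 192.0.2.10 is a documentation address (RFC 5737).
    host, version = sys.argv[1:3] if len(sys.argv) >= 3 else ("192.0.2.10", "11.4.1")
    for line in preflight(host, version) or ["ready to add"]:
        print(line)
```
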

You add BIG-IP devices to the BIG-IQ system inventory as the first step to managing them.

Note: The ADC component is automatically included (first) any time you discover or import services for a device.

  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. Click the Add Device button.
  5. In the IP Address field, type the IPv4 or IPv6 address of the device.
  6. In the User Name and Password fields, type the user name and password for the device.
  7. If this device is part of a DSC group, from the Cluster Display Name list, select one of the following:
    • For an existing DSC group, select Use Existing from the list and select the DSC group from the list.
    • For a new DSC group, select Create New from the list and type a name in the field.
    For BIG-IQ to properly associate devices in the same DSC group, the Cluster Display Name must be the same for each member in a group.
  8. If this device is configured in a DSC group, select an option:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if this device is part of a DSC group and you want this device to automatically synchronize configuration changes with other members in the DSC group.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  9. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks its framework.
    Note: The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  10. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  11. If in addition to basic management tasks (like software upgrades, license management, and UCS backups) you also want to centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
    You can also select these service configurations after you add the BIG-IP device to the inventory.
  12. Click the Add button at the bottom of the screen.
BIG-IQ displays a discovering message in the Services column of the inventory list.
If you discovered service configurations to manage, you must import them.

Importing security service configurations for devices

Before you can import the security properties defined on a BIG-IP device, the BIG-IQ must discover that device.

Once you import the properties for security configuration objects (virtual servers, firewall policies, signature files, and so on) defined on a BIG-IP device, you can use the BIG-IQ to manage these objects.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select Device Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. For the device you want to manage, click the link in the Services column.
    The services currently managed for this device are listed. The link text in the Services column varies depending on which services are imported.
  5. For the device you want to manage, under Services, click the Complete import tasks link.
    The services currently managed for this device are listed.
  6. Click Import in the Configuration Import row for the security service you want to import.
    • Use the Configuration Import row under Advanced Firewall (AFM) to import and manage network firewall security objects.
    • Use the Configuration Import row under Application Security (ASM) to import and manage web application security objects.
    The BIG-IQ imports the settings for the selected objects defined on the BIG-IP. If the current configuration on the BIG-IQ system is different than the one on the BIG-IP device, BIG-IQ displays a screen for you to resolve the conflicts.
  7. If there are conflicts, select one of the following options for each object that is different, and then click the Continue button:
    • Use BIG-IQ to use the configuration settings stored on BIG-IQ.
    • Use BIG-IP to override the configuration setting stored on BIG-IQ with the settings from the BIG-IP device.
  8. Click Close.
Now you can use this BIG-IQ to manage the security settings on this BIG-IP.

About managing BIG-IP devices

Once you have placed a BIG-IP® device under management by the BIG-IQ® system by discovering and importing that device configuration, you should avoid directly changing the BIG-IP device configuration. All changes to the BIG-IP device configuration should be made using the BIG-IQ system to avoid errors.

During the deployment process, the BIG-IQ system imports the current configuration of the targeted BIG-IP devices. Subsequent changes made directly on the BIG-IP device which add new objects to the configuration will be labeled as being not imported and those objects will not be removed during the next deployment. These objects will continue to be labeled as not imported, until you reimport the configuration using the Device Management BIG-IP Devices screen.

To avoid this situation, when you directly modify a BIG-IP device, you must re-discover and re-import the BIG-IP device from the BIG-IQ system to reconcile the configuration differences.