Manual Chapter : Overview BIG-IQ Centralized Management Security

Applies To:

BIG-IQ Centralized Management

  • 5.2.0

Understanding Network Security and firewall management

Network Security is a platform designed for the central management of security firewalls for multiple BIG-IP® systems, where firewall administrators have installed and provisioned the BIG-IP Advanced Firewall Manager™ (AFM™) module.

The Network Security system provides:

  • Device discovery with import of firewalls referenced by discovered devices
  • Management of shared objects (address lists, port lists, rule lists, policies, and schedules)
  • L3/L4 firewall policy support, including staged and enforced policies
  • Firewall audit log used to record every firewall policy change and event
  • Role-based access control
  • Deployment of configurations from snapshots, and the ability to preview differences between snapshots
  • Multi-user editing through a locking mechanism
  • Monitoring of rules
  • Reports on security

Managing a firewall configuration includes discovering, importing, editing, and deploying changes to the firewall configuration, as well as consolidation of shared firewall objects (policies, rule lists, rules, address lists, port lists, and schedules). Network Security provides a centralized management platform so you can perform all these tasks from a single location. Rather than log in to each device to manage the security policy locally, it is more expedient to use one interface to manage many devices. Not only does this simplify logistics, but you can maintain a common set of firewall configuration objects and deploy a common set of policies, rule lists, and other shared objects to multiple, similar devices from a central interface.

Bringing a device under central management means that its configuration is stored in the Network Security database, which is the authoritative source for all firewall configuration entities. This database is also known as the working configuration or working-configuration set.

Once a device is under central management, do not make changes locally (on the BIG-IP device) unless there is an exceptional need. If changes are made locally for any reason, reimport the device to reconcile those changes with the Network Security working configuration set. Unless local changes are reconciled, the deployment process overwrites any local changes.

In addition, Network Security is aware of functionality that exists in one BIG-IP system version but not in another. This means, for example, that it prohibits using policies on BIG-IP devices that do not have the software version required to support them.

Understanding Shared Security

BIG-IQ® Centralized Management Security contains several groups of capabilities. The Shared Security group contains objects that can be used with Network Security objects and with Web Application Security objects.

Understanding Web Application Security and application management

Web Application Security enables enterprise-wide management and configuration of multiple BIG-IP® devices from a central management platform. You can centrally manage BIG-IP devices and security policies, and import policies from files on those devices.

For each device that it discovers, the BIG-IQ® Centralized Management system creates a logical container to hold all security policies that are not related to any virtual server on the device. This logical container is called the inactive virtual server, and is only used to track policies that are not directly attached to other virtual servers on that device. Policies attached to the inactive virtual server that are distributed are not enforced.

In order for you to deploy a policy to a BIG-IP device, the policy must be attached to one of the device's virtual servers, or to the inactive virtual server. You can deploy policies to a device that already has the policy by overwriting it. If the policy does not yet exist on the device, you can either deploy it as a new policy attached to an available virtual server, or deploy it as a policy attached to the inactive virtual server (which will deploy the policy to the BIG-IP device without attaching it to a virtual server).

From this central management platform, you can perform the following actions:

  • Import Application Security Manager™ (ASM) policies from files.
  • Import ASM™ policies from discovered devices.
  • Distribute policies to BIG-IP devices.
  • Export policies, including an option to export policy files in XML format.
  • Manage configuration snapshots.
  • Edit policy settings. Refer to the table in About security policies in Web Application Security for the supported settings.
  • Manage and distribute custom signature sets.
  • Manage and distribute custom signatures.
  • Distribute signature files to BIG-IP devices.

About browser resolution

F5® recommends a minimum screen resolution of 1280 x 1024 to properly display and use the screens efficiently.

It is possible to shrink the browser screen so that system interface elements (screens, scroll bars, icons) no longer appear in the visible screen. Should this occur, use the browser's zoom-out function to shrink the screens and controls.

About BIG-IQ Centralized Management configuration sets

The BIG-IQ® Centralized Management system uses the following terminology to refer to configuration sets for a centrally-managed BIG-IP® device:

Current configuration set
The configuration of the BIG-IP device as discovered by BIG-IQ Centralized Management. The current configuration is updated during a re-discover and re-import, and before calculating differences during the deployment process.
Working configuration set
The configuration as maintained by BIG-IQ Centralized Management. The working configuration is the configuration that is edited on BIG-IQ Centralized Management and deployed back to BIG-IP devices.

The working configuration is created when the administrator first manages the BIG-IP device from the BIG-IQ Centralized Management system. The working configuration is updated when a device is re-imported or re-discovered.

If conflicts are observed during a re-discover and re-import, the object in conflict is only updated in the working configuration when the Use BIG-IP resolution conflict option is used.

About managing BIG-IP devices

Once you have placed a BIG-IP® device under management by the BIG-IQ® system by discovering and importing that device configuration, you should avoid directly changing the BIG-IP device configuration. All changes to the BIG-IP device configuration should be made using the BIG-IQ system to avoid errors.

During the deployment process, the BIG-IQ system imports the current configuration of the targeted BIG-IP devices. Objects that are subsequently added to the configuration directly on the BIG-IP device are labeled as not imported, and those objects are not removed during the next deployment. They continue to be labeled as not imported until you reimport the configuration using the Device Management BIG-IP Devices screen.

To avoid this situation, when you directly modify a BIG-IP device, you must re-discover and re-import the BIG-IP device from the BIG-IQ system to reconcile the configuration differences.
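The following Python model is an added illustration of the working-configuration and current-configuration behaviour described in this chapter; it is not BIG-IQ code. It assumes objects are keyed by name, that re-import adopts objects that exist only on the device, and that a conflicting object replaces the working copy only when the Use BIG-IP resolution is chosen.

```python
"""Model of the BIG-IQ configuration-set lifecycle (added illustration, not BIG-IQ code).

'working' is the BIG-IQ working configuration set (the authoritative source);
'current' is the configuration discovered on the BIG-IP device.
Each configuration set maps an object name to a dict of its settings.
"""


def reimport(working, current, use_bigip_resolution=False):
    """Re-discover/re-import: reconcile device objects into the working set.

    Objects that exist only on the device are added to the working set.
    Objects present in both with different settings are conflicts; the device
    copy replaces the working copy only when use_bigip_resolution is True
    (assumed model of the 'Use BIG-IP' option). Returns (new_working, conflicts).
    """
    new_working = dict(working)
    conflicts = []
    for name, obj in current.items():
        if name not in working:
            new_working[name] = obj  # locally created object is now managed
        elif working[name] != obj:
            conflicts.append(name)
            if use_bigip_resolution:
                new_working[name] = obj
    return new_working, sorted(conflicts)


def plan_deployment(working, current):
    """Compute what a deployment does to the device.

    Working objects are created on, or overwrite, the device (unreconciled local
    edits are lost). Objects that exist only on the device are labeled
    'not imported' and are left in place rather than removed.
    """
    plan = {"create": [], "overwrite": [], "not_imported": []}
    for name, obj in working.items():
        if name not in current:
            plan["create"].append(name)
        elif current[name] != obj:
            plan["overwrite"].append(name)
    plan["not_imported"] = sorted(n for n in current if n not in working)
    return plan


# Constructed sample: the working set, and what was later found on the device.
WORKING = {
    "addr_list_web": {"addresses": ["10.0.1.0/24"]},
    "rule_list_mgmt": {"rules": ["allow_ssh"]},
}
DEVICE_CURRENT = {
    "addr_list_web": {"addresses": ["10.0.1.0/24", "10.0.2.0/24"]},  # edited locally
    "port_list_local": {"ports": [8443]},  # created locally, never imported
}
```

Running plan_deployment on the sample shows the locally edited address list being overwritten and the local port list surviving as not imported; running reimport first reconciles those changes before deployment.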