Manual Chapter : Managing Change Verifications

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

About change verifications

Use change verifications to ensure that the changes you have made to a firewall security policy in BIG-IQ® Network Security are compatible with the specified BIG-IP® devices before attempting to deploy those changes.

In some environments, the person who edits the firewall policy is not the same person as the one who deploys that policy. The person who edits the firewall policy can use the change verifications feature to make sure their changes to the firewall are compatible with the BIG-IP devices before someone else deploys those policy changes.

Firewall policy changes can be verified against either the working configuration or a configuration snapshot. In either case, the entire configuration is verified, not just the latest changes to that configuration. If the working configuration is used, make sure that while the verification is processing, other users are not changing the working configuration by changing address lists, rule lists and so on.

You create, view, and delete change verifications in the Policy Editor by selecting Change Verifications from the navigation list on the left. This displays the list of change verifications, including these details:

  • The name of the change verification.
  • The status of the change verification.
  • When the change verification was created.
  • What BIG-IQ system user created the change verification.
  • What non-critical and critical errors were encountered during the change verification. If an error count is not zero, it is a link that you can click for more detailed error information.

To view the properties of a change verification, click the change verification name.

To create a new change verification, click Create.

To delete one or more change verifications, select the check box to the left of each change verification and click Delete.

To filter which change verifications are displayed, use the Policy Editor filter fields.

Adding change verifications

You add change verifications to ensure that the changes you have made to a firewall security policy are compatible with the specified BIG-IP® devices before attempting to deploy those changes.
  1. Click Configuration > SECURITY > Network Security > Change Verifications.
    The Change Verifications screen opens.
  2. Click Create.
  3. In the Name setting, type a name for the change verification.
  4. In the Description setting, type a description of the change verification.
  5. Specify a source for the change verification.
    • Select Working Config to use the current working configuration as the source. Be sure that the working configuration does not change while the change verification process is occurring. There could be unexpected results in the verification if other users are editing and changing any part of the current configuration, including address lists, rule lists and so on.
    • Select Snapshot to use a specified snapshot as the source. Click Select Snapshot to display the list of available snapshots, click the name of the snapshot to use, and then click Select. The selected snapshot is displayed.
  6. From Available Devices, select one or more devices to verify the source against.
    • Choose devices by selecting the check box to the left of each device to use for verification.
    • Choose a group of devices by selecting the check box to the left of View by groups to display devices organized by group, and then selecting the check box to the left of the group name to choose all devices in that group for verification.
  7. Click Verify.
    The selected source is verified against each selected device and the change verification is shown in a list with the results. If there are errors in the verification, the error counts are shown as links that can be clicked for more detail.
    Note: When creating change verifications, you may encounter a critical error dialog box that indicates that an object, such as a logging profile, does not exist on a BIG-IP device. This critical error dialog box also contains a Pin Object button. Click Pin Object to correct the error by pinning the object to the BIG-IP device pinning policy.

Viewing change verification properties

You view change verifications to ensure that the changes you have made to a firewall security policy are compatible with the specified BIG-IP® devices before attempting to deploy those changes.
  1. Click Configuration > SECURITY > Network Security > Change Verifications.
    The Change Verifications screen opens.
  2. Click the name of a change verification to view the properties, the device used, and the number of errors.
    If there are errors in the change verification, the error counts are shown as links that you can click for more detail on the errors.

Change verification properties

This table lists the properties of a change verification and any associated devices.

Table 1. Change verification properties

| Property | Description |
|---|---|
| Name | Name of the change verification. |
| Description | Optional description of the change verification. |
| User | The BIG-IQ® system user who performed the change verification. |
| Snapshot Name | The name of the snapshot used. If the working configuration was used instead of a snapshot, this field is blank. |
| Task Status | The status of the change verification task. |
| Start Time | When the change verification process started. |
| End Time | When the change verification process completed. |

Table 2. Change verification device properties

| Property | Description |
|---|---|
| Device | Name of the BIG-IQ device. |
| Verification Errors | The number of non-critical verification errors. If this number is greater than zero, it is a link which can be clicked to get more details on the errors. |
| Critical Errors | The number of critical errors. If this number is greater than zero, it is a link which can be clicked to get more details on the errors. |
| Status | The status of the change verification. |