F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IQ Centralized Management
  4. F5 BIG-IQ Centralized Management: Security
  5. Security Deployment Best Practices
Manual Chapter : Security Deployment Best Practices

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Understanding roles required for deploying security policies

When you want to deploy a Web Application Security configuration, or a Network Security configuration, you need to use one of the following built-in roles.

  • To deploy Network Security or Web Application Security configurations, use an account with the Security Manager role.
  • To deploy only Network Security configurations, use an account with the Security Manager, Network Security Manager, or Network Security Deployer roles.
  • To deploy only Web Application Security configurations, use an account with the Security Manager, Web App Security Manager, or Web App Security Deployer roles.

For more information on roles, refer to the role descriptions on the Roles screen ( System > ROLE MANAGEMENT > Roles ) or refer to F5® BIG-IQ® Centralized Management: Authentication, Roles, and User Management on support.f5.com.

Verifying firewall rules have compiled on all BIG-IP devices

Once a firewall deployment has completed successfully, Check Rule Compilation is enabled on the View Deployment screen.
Use Check Rule Compilation to verify that your firewall rules are active on the BIG-IP devices to which you deployed those rules.
  1. On the Deployments screen, click the name of the deployment that contains the firewall rules you want to verify.
    The View Deployment screen for that deployment displays.
  2. On the View Deployment screen, click Check Rule Compilation to determine if rules have been compiled on all the BIG-IP devices in the firewall deployment.
    The rule compilation status and last activation time for each BIG-IP device included in the deployment are listed in a popup.
  3. Verify that the last activation time for each BIG-IP device is after the end time of the BIG-IQ deployment task to ensure that firewall rules have been compiled on each BIG-IP devices. You can repeat this step multiple times.
    Review the following considerations when using Check Rule Compilation:
    • Be aware of any time differences, due to time zones and so on, between the BIG-IQ system and the BIG-IP device.
    • BIG-IP device versions earlier than 11.5.1 HF4 do not support the compilation statistics used by this feature and will display the message, Compilation stats not provided for this version of BIG-IP.
    • If the Check Rule Compilation feature is used with an older deployment, where the state of the BIG-IP device has changed since the deployment, the status returned will include all active firewall rule changes on the BIG-IP device since the deployment.
    • If the Check Rule Compilation feature returns the message Local Last Activation Time or the message No stats found on device, then the state of the BIG-IP device has changed since the deployment, and compilation statistics have been reset. This can be caused by a reboot of the BIG-IP device.

Reviewing deployment process states to diagnose problems

When a firewall security policy or a web application security policy is deployed, that policy goes through several deployment states. Reviewing these states may be useful in understanding what occurred during deployment in order to diagnose a problem. Note that not all states may appear in the log, since what states are displayed depends on how the deployment was processed.

Review the restjavad.n.log file to view deployment states for either a firewall security policy or a web application security policy.

Device deployment states

This table displays states that can occur during the deployment process, and a brief description of each state.

Table 1. Deployment States
State Description
CHECK_LICENSE Licenses for BIG-IQ systems are checked to be valid.
CHECK_OTHER_RUNNING_TASKS Verifies that no tasks are running that could cause errors during deployment. Tasks that could cause errors include:
  • Other BIG-IQ Security deployment tasks running at the same time as this deployment, even if they are from different modules.
  • Tasks to declare management authority over a BIG-IP device.
  • Tasks that rescind management authority of a BIG-IP device.
GET_DEVICES Finds all devices managed by the BIG-IQ Security system.
CHECK_DEVICE_AVAILABILITY Determines whether the devices to be deployed are available.
LOOKUP_CLUSTERS Determines if any devices included in the deployment are part of a cluster, and if so, verifies that both devices in the cluster are configured with the same sync mode and sync failover group on the BIG-IP device.
REFRESH_CURRENT_CONFIG_SOAP Using the SOAP API, refreshes the current configuration for all devices included in the deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
REFRESH_CURRENT_CONFIG_REST Using the REST API, refreshes the current configuration for all devices included in deployment. This process adds any new configuration items from the BIG-IP device to the current configuration.
CREATE_SNAPSHOT Creates a snapshot of the working configuration.
CREATE_DIFFERENCE Generates the differences between the snapshot taken and the current configuration.
VERIFY_CONFIG Verifies that devices to be deployed do not have configuration problems that could lead to deployment errors.
GET_CHILD_DEPLOY_DEVICES Finds all devices managed by Shared Security objects. These devices are considered to be child deployments of a parent firewall security or web application security deployment.
START_CHILD_DEPLOY Starts the deployment of devices managed by Shared Security objects.
WAIT_FOR_CHILD_DEPLOY Waits for deployment of devices managed by Shared Security objects to complete.
CLEANUP_PREVIOUS_EVALUATE Cleans up processing artifacts from the previous evaluation.
DISTRIBUTE_DSC_CLUSTERS Distributes changes to devices identified as being in a cluster by the LOOKUP_CLUSTERS process and that are configured to use the BIG-IP Device Service Clustering (DSC) to keep the BIG-IP devices synchronized.
DISTRIBUTE_CONFIG Distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_SOAP Using the SOAP API, distributes configuration changes to the specified devices.
DISTRIBUTE_CONFIG_REST Using the REST API, distributes configuration changes to the specified devices.
FOLDBACK_DEPLOYED_ADDITIONS Inserts any newly-added objects directly into the current configuration to that the BIG-IQ system will already know about those objects on the next refresh of the current configuration.
DONE Indicates the deployment process has completed.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information