Manual Chapter : Upgrading BIG-IQ Centralized Management with Logging Nodes to Version 5.2

Applies To:

BIG-IQ Centralized Management

  • 5.2.0, 5.1.0, 5.0.0

What you need to do before you upgrade BIG-IQ from version 5.x to 5.2

Before upgrading F5® BIG-IQ® Centralized Management, perform the following tasks.

Tasks and additional information:

  • Task: Re-activate the BIG-IQ system license.
    Additional information: You must do this on both the active and the secondary BIG-IQ if they are running in an HA pair. For specific instructions about how to reactivate a license, refer to the F5® BIG-IQ® Central Management: Licensing and Initial Setup guide.
  • Task: Create a backup of the BIG-IQ system's current compressed user configuration set (UCS) and store it on a remote server.
    Additional information: The UCS file includes: system-specific configuration files, license, user account and password information, and SSL certificates and keys. You can use this backup in the event you want to restore to the previous version of BIG-IQ.
  • Task: Decide which disk volume you want to install the upgrade on.
    Additional information: You must have at least two volumes to upgrade BIG-IQ. If you are running BIG-IQ Virtual Edition and you don't have two volumes, refer to: K17406: Using the tmsh utility to create a new software volume for installing a new image or hotfix on the BIG-IQ system at: support.f5.com/csp/article/K17406
  • Task: Deploy any staged configuration changes to your managed devices.
    Additional information: This step is required only if you are going to use the script to re-discover and re-import BIG-IP devices and services after the upgrade (as outlined in the section titled, Re-discover devices and re-import services in bulk using a script).
    You must deploy configuration changes you have staged for your devices if you use this script, because they'll be overwritten on BIG-IQ after you run the script. If you'd rather re-discover devices and re-import services from the BIG-IQ user interface (instead of in bulk) so you can address any potential configuration conflicts for each BIG-IP device, refer to the section titled, Re-discover devices and re-import services from the user interface.

Gather the following information:

Required information (note the value for your configuration next to each item):

  • You'll need to create a passphrase for the Master Key. The passphrase must contain:
    • At least 16 characters
    • At least 1 capital letter
    • At least 1 lower case letter
    • At least 1 number
    • At least 1 special character
    Important: You must use the same Master Key Passphrase for each BIG-IQ system in an HA pair and every device in a Logging Node cluster. The upgrade will complete without it, but the HA pair or Logging Node cluster will not function if the passphrases don't match.
  • Get the discovery address you specified on the BIG-IQ system during setup. This is the same IP address that the peers in a high availability configuration use to communicate. You can find this IP address on the BIG-IQ HA screen.
  • Get your BIG-IQ administrator and root passwords.
  • Get the name for the secondary HA BIG-IQ system if configured in an HA pair.

If you're currently running a version of BIG-IQ prior to version 5.0, you must first upgrade to version 5.0 before you can upgrade to version 5.2. For more information, refer to the guide titled, F5 BIG-IQ Centralized Management: Upgrading BIG-IQ to Version 5.0.

If you're upgrading BIG-IQ Logging Nodes, refer to the guide titled, F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to version 5.2.

Summary of procedures to upgrade BIG-IQ from version 5.x to 5.2

To upgrade F5® BIG-IQ® Centralized Management from BIG-IQ version 5.x to 5.2, perform these procedures. Upgrading BIG-IQ to the most recent version requires an update to its configuration to incorporate new features introduced. It's a good idea to set aside at least a few hours to complete this process.

Note: It is important that you follow these procedures in the order stated.
  1. Complete all of the pre-requisites outlined in the topic titled, What you need to do before you upgrade BIG-IQ from version 5.x to 5.2.
  2. Download the BIG-IQ version 5.2 iso file from the F5 Downloads site to your desktop.
  3. Upload the software image to the primary BIG-IQ system.
  4. If configured in an HA pair:
    • Remove the secondary BIG-IQ system from the primary BIG-IQ system.
    • Upgrade the primary BIG-IQ system.
    • Upload the software image to the secondary BIG-IQ system.
    • Install the new software on the secondary BIG-IQ system.
    • Re-establish the HA configuration.
  5. Upgrade the BIG-IP framework on your managed devices.
  6. Re-discover devices and re-import LTM, ASM, AFM, and DNS services. Or, remove and recreate or reimport access groups for devices running APM services.
    Note: You have the option to re-discover and re-import services for devices running LTM, ASM, AFM, and DNS either in bulk, using a script from the command line, or individually, through the BIG-IQ user interface. For devices running the APM service, you must remove and recreate access groups. For more information, refer to Use a script to remove and recreate access groups in bulk for devices running APM services, Remove and recreate access groups (with SWG data) from the user interface for devices running APM services, or Reimport access groups (without SWG data) from the user interface for devices running APM services.

Download the BIG-IQ version 5.2 software image from F5 Networks

Downloading a software image from F5 Networks is the first step to making it available to install on the BIG-IQ system.
  1. Log in to the F5 Downloads site, downloads.f5.com.
  2. Click the Find a Download button.
  3. Click the name of the product line.
  4. Click the product name, Centralized Management.
  5. Click V5.2.0.
  6. Read the End User Software License agreement and click the I Accept button if you agree with the terms.
  7. Click the BIG-IQ version 5.2 .iso file name.
  8. Click the name of the closest geographical location to you.
    The software image downloads to your local system.
The software image is now available for you to upload.

Upload the BIG-IQ version 5.2 software image

Before you can upload the software image to your BIG-IQ® system, you must have first downloaded it from the F5 Downloads site.

Upload the BIG-IQ version 5.2 software image to your BIG-IQ system to make it available for this upgrade.

  1. At the top of the screen, click System Management.
  2. At the top of the screen, click Inventory.
  3. On the left, click SOFTWARE MANAGEMENT > Available Images.
  4. Click the Upload Image button.
  5. Click the Choose File button and navigate to the location to which you downloaded the image, and click the Open button to upload it to BIG-IQ.
  6. Click the Upload button.
    The screen refreshes to display the progress of the upload.
When the image is done uploading, it shows in the Available Images list.

Remove the secondary BIG-IQ from the HA pair

If the F5® BIG-IQ® Centralized Management system is configured in an HA pair, you must remove the secondary BIG-IQ system before you upgrade the primary BIG-IQ.
  1. Log in to the primary BIG-IQ system with your administrator user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click BIG-IQ HA.
  5. Select the check box next to the secondary BIG-IQ, and click the Remove Device button.
    A dialog box opens, prompting you to confirm that you want to remove the peer device from this group.
  6. Click Delete in the dialog box to confirm the removal.
You can now upgrade the primary BIG-IQ.

Upgrade the primary to BIG-IQ version 5.2

You need at least two volumes to upgrade F5® BIG-IQ® Centralized Management. If you are running BIG-IQ Virtual Edition and don't have two volumes, refer to: K17406: Using the tmsh utility to create a new software volume for installing a new image or hotfix on the BIG-IQ system at support.f5.com/csp/article/K17406.html

Before upgrading BIG-IQ, download the BIG-IQ version 5.2 .iso image from the F5 downloads site. Be sure to have your Master Key pass phrase handy; you'll need it after you reboot.
Warning: These procedures require that the BIG-IQ system is temporarily unavailable, and unable to manage BIG-IP® devices until the upgrade is complete. BIG-IP devices can continue to manage traffic during this time. This process can take up to an hour.

Upgrade BIG-IQ to take advantage of the newest functionality and features.

  1. Log in to the primary BIG-IQ with your admin user name and password.
  2. At the top of the screen, click System Management.
  3. At the top of the screen, click Inventory.
  4. On the left, click BIG-IQ HA.
  5. Click the name of the primary BIG-IQ.
  6. On the left, click Software Version.
  7. Click the Update button.
  8. From the Software Image list, select the image you want to install.
  9. From the Target Volume list, select the volume you want to install the image on.
  10. To prompt BIG-IQ to reboot into the new software installation volume, select the Reboot into Target Volume check box.
  11. Click the Apply button.
  12. Click the Continue button.
  13. Wait while BIG-IQ loads the new software and reboots.
    Depending on your configuration and the number of devices you are managing, this could take up to an hour. During this time, it is important that you not interrupt the installation process by restarting services or the server.
  14. If needed, extend the /var partition.
    The default size of the /var file system in a newly installed node is 10 GB. This volume size might be insufficient to store your data. To see how to extend this file system to a larger size, refer to: K16103: Extending disk space on BIG-IQ Virtual Edition at support.f5.com/csp/article/K16103. Because upgrading a node requires at least two volumes, you must ensure that both volumes can have their /var file system extended to the same size, or upgrades might fail.
  15. Log back in to the primary BIG-IQ with your admin user name and password, and complete the setup wizard.
Even though you can log in to the primary BIG-IQ after the software is installed, the system continues some database re-indexing processes in the background. For larger configurations, that can take up to an hour. If you perform any searches on objects before it's done re-indexing, BIG-IQ might not return the expected results. During this time, you can continue with the rest of the upgrade process.

Upload the BIG-IQ version 5.2 software image

Before you can upload the software image to your BIG-IQ® system, you must have first downloaded it from the F5 Downloads site.

Upload the BIG-IQ version 5.2 software image to your BIG-IQ system to make it available for this upgrade.

  1. At the top of the screen, click System Management.
  2. At the top of the screen, click Inventory.
  3. On the left, click SOFTWARE MANAGEMENT > Available Images.
  4. Click the Upload Image button.
  5. Click the Choose File button and navigate to the location to which you downloaded the image, and click the Open button to upload it to BIG-IQ.
  6. Click the Upload button.
    The screen refreshes to display the progress of the upload.
When the image is done uploading, it shows in the Available Images list.

Install version 5.2 on the secondary BIG-IQ system

After you upgrade the primary BIG-IQ® Centralized Management system to version 5.2, you can upgrade a secondary BIG-IQ system for an HA configuration.

You need at least two volumes to install BIG-IQ software. If you are running BIG-IQ Virtual Edition and you don't have two volumes, refer to: K17406: Using the tmsh utility to create a new software volume for installing a new image or hotfix on the BIG-IQ system at https://support.f5.com/csp/article/K17406.
Important: Be sure you have the Master Key pass phrase you used for the primary BIG-IQ system; you'll need this when you complete the setup wizard after you reboot. You must use the same Master Key pass phrase on both systems for the pair to successfully communicate and synchronize.
Install version 5.2 on a secondary BIG-IQ system so it'll be running the same version as the peer BIG-IQ system you just upgraded.
  1. Log on as root to the command line of the system you are going to establish as the secondary BIG-IQ system, and type the following command: /usr/bin/clear-rest-storage
    While this step is not required, it clears the database storage on the system so the upgrade goes more quickly. Once upgraded, the primary BIG-IQ will synchronize its database with the secondary BIG-IQ and repopulate the database.
  2. Log on to the user interface of the system you are going to establish as the secondary BIG-IQ system.
  3. If you ran the clear-rest-storage command, complete the setup wizard. Otherwise, continue to step 4.
  4. At the top of the screen, click System Management.
  5. At the top of the screen, click Inventory.
  6. On the left, click BIG-IQ HA.
  7. Click the secondary BIG-IQ system.
  8. On the left, click Software Version.
  9. Click the Update button.
  10. From the Software Image list, select the image you want to install.
  11. To prompt BIG-IQ to reboot into the new software installation volume, select the Reboot into Target volume check box.
  12. From the Target Volume list, select the volume you want to install the image on.
  13. Click the Apply button.
    A popup screen opens, prompting you to confirm the installation.
  14. Click the Continue button.
  15. Wait while BIG-IQ loads the new software and reboots.
    Depending on your configuration and the number of devices you are managing, this could take up to an hour. During this time, it is important that you not interrupt the installation process by restarting services or the server.
  16. Log in to the secondary BIG-IQ system with your admin user name and password.
  17. Complete the setup wizard.
  18. If needed, extend the /var partition.
    The default size of the /var file system in a newly installed node is 10 GB. This volume size might be insufficient to store your data. To see how to extend this file system to a larger size, refer to: K16103: Extending disk space on BIG-IQ Virtual Edition at support.f5.com/csp/article/K16103. Because upgrading a node requires at least two volumes, you must ensure that both volumes can have their /var file system extended to the same size, or upgrades might fail.
You can now re-establish the BIG-IQ HA configuration.

Re-establish the HA configuration after upgrading to BIG-IQ version 5.2

After you upgrade both F5® BIG-IQ® Centralized Management systems in an HA configuration, you can re-associate the secondary system with the primary BIG-IQ system.
  1. Log in to the primary BIG-IQ system with your administrator user name and password.
  2. At the top of the screen, click System.
  3. On the left, click BIG-IQ HA.
  4. Click the Add Secondary button.
  5. In the IP Address field, type the discovery address you specified on the BIG-IQ system during setup.
    This is the same IP address the peers in a high availability configuration use to communicate.
  6. In the User name and Password fields, type the administrative user name and password for the system.
  7. In the Root Password field, type the root password for the system.
  8. Click the Add button to add this device to this high availability configuration.

Even though you can log in to the secondary BIG-IQ after you re-establish the HA configuration, the system continues some database re-indexing processes in the background. For larger configurations, that can take up to an hour. If you perform any searches on objects before it's done re-indexing, BIG-IQ might not return the expected results. During this time, you can use the primary BIG-IQ.

Next, you should verify that both BIG-IQ systems have the same configuration.

Upgrade the BIG-IP framework

To properly communicate, BIG-IQ® Centralized Management and managed BIG-IP® devices must be running compatible versions of the REST framework. If the frameworks are incompatible, BIG-IQ displays a yellow triangle next to the device in the BIG-IP Device inventory.

When you upgrade a BIG-IP device running version 11.5.x to another 11.5.x version, or to an 11.6.x version (for example, from version 11.5.3 to 11.5.4, or from version 11.5.3 to version 11.6.1), you must upgrade the REST framework so BIG-IQ can manage the device.

When you upgrade BIG-IQ from version 5.x to 5.2, you must also upgrade the REST framework for all BIG-IP devices (currently in the BIG-IP Device inventory) running a version prior to 12.0.0.

  1. At the top of the screen, click Devices.
  2. Select the check box next to a device, click the More button, and select Upgrade Framework.
    A popup screen opens.
  3. Into the fields, type the required credentials, and click the Continue button.
    A REST Framework upgrade in progress message displays.
After the framework is updated, you can successfully manage this device.
Repeat these steps for each device.

Re-discover devices and re-import LTM, ASM, AFM, and DNS services in bulk using a script

After you upgrade to BIG-IQ® Centralized Management version 5.2, you can use a script to re-discover devices and re-import the LTM, ASM, AFM, and DNS services in bulk. To run this script, you must have root access to the BIG-IQ command line.
Warning: Before you run this script, make sure you don't have any pending configuration changes staged for your managed BIG-IP devices. This script prompts BIG-IQ to import the configurations for all your BIG-IP devices. So, if you don't deploy staged configuration changes before you run this script, you will lose them after you run the script. If you need assistance, contact F5 Support.
Use this script to re-discover devices and re-import LTM, ASM, AFM, and DNS services all at once, so you can start managing your devices with the new version of BIG-IQ software.
Note: If you'd rather re-discover devices and re-import their services individually through the user interface, refer to Re-discover devices and re-import LTM, ASM, AFM, and DNS services from the user interface.
  1. Log in to the downloads.f5.com site, click the Find a Download button, and click BIG-IQ Centralized Management.
  2. Click the v5.2.0 link.
  3. Review the End User Software License agreement and click the I Accept button to accept the terms.
    The Select a Download screen opens.
  4. Click the bulkDiscovery.zip file name, and unzip it on your local system.
  5. Log in to the BIG-IQ system as the root user and upload the script.
  6. Enable executable permissions, by typing: chmod +x ./bulkDiscovery.pl
    Note: To access help for this script, type ./bulkDiscovery.pl -h
  7. Export the IP addresses for the BIG-IP devices in your network to a CSV file, by typing: ./bulkDiscovery.pl -c masterDeviceList.csv -m -o
  8. Re-discover your BIG-IP devices and re-import their services, by using the associated command:
    Note: This command prompts BIG-IQ to import all the configurations from the specified BIG-IP devices. It's important that you've already deployed any configuration changes you have staged for these devices, because they'll be overwritten on BIG-IQ after you run this script. If you'd rather re-discover devices and re-import services individually so you can address any potential configuration conflicts for each device, you can do that from the BIG-IQ system's user interface instead of using this script. For more information, refer to, Re-discover devices and re-import services from the user interface.
    • For LTM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -m
      Note: You must re-discover devices running the LTM service before re-discovering devices running any other service.
    • For ASM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -s -m
    • For AFM, type ./bulkDiscovery.pl -c myDeviceList.csv -l -f -m
    • For DNS, type ./bulkDiscovery.pl -c myDeviceList.csv -l -d -m
You can now start managing your BIG-IP devices using BIG-IQ Centralized Management version 5.2.0.

Re-discover devices and re-import LTM, ASM, AFM, and DNS services from the user interface

After you upgrade F5® BIG-IQ Centralized Management to version 5.2, you must rediscover your managed devices and reimport the services you use so you can start using the new features introduced in this release. This process requires you rediscover each device individually and reimport its services.
Important: If you'd rather run a Perl script to perform a bulk rediscovery of your devices and reimport of their services, refer to Re-discover devices and re-import LTM, ASM, AFM, and DNS services using a bulk script.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to rediscover and reimport services for.
  3. On the left, click Services.
  4. Click the Re-discover button next to a service.
    Important: To avoid any unnecessary conflicts between services, re-discover and re-import the LTM service first, before any other services.
    When BIG-IQ rediscovers the service, a yellow triangle next to the Re-import button displays to indicate you need to re-import the service.
  5. Click the Re-Import button.
  6. If there are conflicts, select one of the following options for each object that is different, and then click the Continue button:
    • Use BIG-IQ to use the configuration settings stored on BIG-IQ.
    • Use BIG-IP to override the configuration setting stored on BIG-IQ with the settings from the BIG-IP device.
Perform these steps for the rest of your managed devices.

Use a script to remove and recreate access groups in bulk for devices running APM services

After you upgrade F5 BIG-IQ Centralized Management to version 5.2, you must remove and recreate the access groups for devices running the APM service.
Warning: Before you run this script, make sure you don't have any pending configuration changes staged for your managed BIG-IP devices. This script prompts BIG-IQ to import the configurations for all your BIG-IP devices. So, if you don't deploy staged configuration changes before you run this script, you will lose them after you run the script. If you need assistance, contact F5 Support.
You can use this script to remove and recreate the access groups for devices running the APM service so you can start managing those devices with the new version of BIG-IQ.
Note: If you'd rather do this from the user interface, refer to, Remove and recreate access groups (with SWG data) from the user interface for devices running APM services or Reimport access groups (without SWG data) from the user interface for devices running APM services.
  1. Log in to the BIG-IQ system as admin.
  2. At the top of the screen, select Configuration, then expand ACCESS and click Access Groups.
  3. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      Note: You'll deploy the configuration from this source device to all of the devices in the access group.
  4. Select the check box next to each access group and click the Remove button.
  5. Log in to the downloads.f5.com site, click the Find a Download button, and click BIG-IQ Centralized Management.
  6. Click the v5.2.0 link.
  7. Review the End User Software License agreement and click the I Accept button to accept the terms.
    The Select a Download screen opens.
  8. Click the bulkDiscovery.zip file name, and unzip it on your local system.
  9. Log in to the BIG-IQ system as the root user and upload the script.
  10. Enable executable permissions, by typing: chmod +x ./bulkDiscovery.pl
    Note: To access help for this script, type ./bulkDiscovery.pl -h
  11. Export the IP addresses for the BIG-IP devices in your network to a CSV file, by typing: ./bulkDiscovery.pl -c masterDeviceList.csv -m -o
  12. For each access group:
    1. Create a device list, by typing cp masterDeviceList.csv <access_group_name>_devices.csv
    2. Edit the file as follows:
      • Remove any devices that don't belong to the access groups by comparing it to the list you made in step 3.
      • Place the source BIG-IP device you identified in step 3, at the top of the <access_group_name>_devices.csv file.
      • Verify the credentials for each device (the script uses ADMIN/APWD by default).
    3. Save your changes to the file.
    4. Import devices in the access group, by typing: ./bulkDiscovery.pl -c <access_group_name>_devices.csv -g <access_group_name> -l -p -o -v
  13. Log in to the BIG-IQ system as admin.
  14. At the top of the screen, select Configuration, then expand ACCESS and click Access Groups.
  15. Review the access groups to verify all the groups properly imported.
You can now start managing your BIG-IP devices using BIG-IQ Centralized Management version 5.2.0.
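
The hand edit in step 12 (filter the master list down to one access group and put the source device first) can be scripted, which also lets the file be created readable only by root. This is an added example, not part of the F5 manual or of bulkDiscovery.pl; build_group_list is a hypothetical helper, and it assumes each line of masterDeviceList.csv describes one device with the IP address as its first comma-separated field and no header row.

```shell
#!/bin/sh
# Added example (not F5 code): build <access_group_name>_devices.csv for step 12.
# ASSUMPTION: one device per line in the master CSV, IP address in field 1,
# no header row; the rest of each line is copied through unchanged.
# Check this against the file that bulkDiscovery.pl actually exported.

# build_group_list MASTER_CSV GROUP_NAME SOURCE_IP [MEMBER_IP...]
# Writes GROUP_NAME_devices.csv with the source device on the first line,
# followed by the other members in master-list order.
# Returns 1 and writes nothing if any requested IP is missing from MASTER_CSV,
# 2 on bad arguments.
build_group_list() {
    [ "$#" -ge 3 ] || return 2
    master=$1
    group=$2
    source_ip=$3
    shift 3
    # The group name becomes part of a file name: refuse empty names and paths.
    case $group in ""|*/*) return 2 ;; esac
    out="${group}_devices.csv"
    tmp="${out}.tmp.$$"
    (
        umask 077   # the rows may carry device credentials
        awk -F, -v src="$source_ip" -v members="$*" '
            BEGIN {
                n = split(members, m, " ")
                want[src] = 1
                for (i = 1; i <= n; i++) want[m[i]] = 1
            }
            { ip = $1; gsub(/^[ \t]+|[ \t\r]+$/, "", ip) }
            !(ip in want) || (ip in seen) { next }   # non-member or duplicate
            {
                seen[ip] = 1
                if (ip == src) first = $0; else rest[++k] = $0
            }
            END {
                missing = 0
                for (ip in want) if (!(ip in seen)) {
                    print "not in master list: " ip > "/dev/stderr"
                    missing = 1
                }
                if (missing) exit 1
                print first
                for (i = 1; i <= k; i++) print rest[i]
            }
        ' "$master" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Stand-alone demonstration on constructed data: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    cd "$(mktemp -d)" || exit 1
    # Constructed sample rows (documentation addresses, placeholder credentials).
    printf '%s\n' \
        '192.0.2.10,admin,placeholder1' \
        '192.0.2.11,admin,placeholder2' \
        '192.0.2.12,admin,placeholder3' > masterDeviceList.csv
    build_group_list masterDeviceList.csv branch 192.0.2.12 192.0.2.10 &&
        cat branch_devices.csv
fi
```

Review the generated file against the notes from step 3 before passing it to bulkDiscovery.pl, and delete it once the import is verified if it contains credentials.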

Re-import access groups (without SWG data) from the user interface for devices running APM services

After you upgrade F5® BIG-IQ Centralized Management to version 5.2, you must re-import the access groups running the APM service without SWG data.
Use this procedure to re-import access groups for devices running APM services without F5 Secure Web Gateway configuration data so you can start using the new features introduced in this release.
Important: If you'd rather use a script to do this, refer to Use a script to remove and recreate access groups in bulk for devices running APM services. If your APM configuration includes SWG data, refer to Remove and recreate access groups (with SWG data) from the user interface for devices running APM services.
  1. At the top of the screen, select Configuration, then expand ACCESS and click Access Groups.
  2. Click the name of the access group.
  3. From the Device list, select the device from which to reimport the shared access policy configuration and click the Reimport button.
    This device will share the access policy configuration with all other devices in this access group.
  4. Select Shared Access Group and Device Specific configuration and click the Reimport button at the bottom of the screen.
  5. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  6. If the differences window displays for the APM service, click the Accept button.
  7. For the remainder of the devices in this access group:
    1. Select the check box next to the device, and click the Reimport button.
    2. Select Device specific configuration and click the Reimport button at the bottom of the screen.
    3. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
    4. If the differences window displays for the APM service, click the Accept button.
  8. Repeat steps 2-7 for the rest of the access groups.
You can now start managing your BIG-IP devices using BIG-IQ Centralized Management version 5.2.0.

Remove and recreate access groups (with SWG data) from the user interface for devices running APM services

After you upgrade F5® BIG-IQ Centralized Management to version 5.2, you must recreate the access groups running the APM service.
Use this procedure to remove and recreate access groups for devices running APM services with F5 Secure Web Gateway configuration data so you can start using the new features introduced in this release.
Important: If you'd rather use a script to do this, refer to Use a script to remove and recreate access groups in bulk for devices running APM services. If your APM configuration doesn't include SWG data, refer to Reimport access groups (without SWG data) from the user interface for devices running APM services.
  1. At the top of the screen, select Configuration, then expand ACCESS and click Access Groups.
  2. In a separate file (such as a Notepad or Excel file), make a note of:
    • Each access group and the IP addresses of the devices contained within each.
    • The source device, from which you want to copy the configuration to all devices in the access group.
      Note: You'll deploy the configuration from this source device to all of the devices in the access group.
  3. Select the check box next to each access group and click the Remove button.
  4. Click the Create button.
  5. Type a name for this access group in the Name field.
  6. From the Device list, select the device from which to reimport the shared access policy configuration and click the Reimport button.
    This device will share the access policy configuration with all other devices in this access group.
  7. Click the Create button at the bottom of the screen.
  8. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  9. Click the name of the access group you added.
  10. Click the Add Device button.
  11. From the Device list, select a device to add to this access group.
  12. Click the Add button at the bottom of the screen.
  13. If the differences window displays for the LTM service, select USE_BIGIP and click the Resolve button.
  14. If the differences window displays for the APM service, click the Accept button.
  15. Repeat steps 10-14 for each device in each access group before creating the next access group.
You can now start managing your BIG-IP devices using BIG-IQ Centralized Management version 5.2.0.