F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IQ Security
  4. BIG-IQ Network Security Administration
  5. Deploying Configuration Changes
Manual Chapter : Deploying Configuration Changes

Applies To:

Show Versions Show Versions

BIG-IQ Security

  • 4.3.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

About BIG-IQ Security deployments

The BIG-IQ Security system displays individual deployments and their status (one action per row in the Deployment panel).

After you have completed edits to a firewall and shared objects, you can create a deployment to distribute those changes to selected BIG-IP devices.

To create a deployment, hover over the header of the Deployment panel and then click the + icon. Populate the fields as needed and click Evaluate.

During the evaluation process, BIG-IQ Security:

  1. Contacts the selected remote BIG-IP devices and synchronizes the working-configuration sets for all.
  2. Takes a snapshot of the working-configuration set for each BIG-IP device.
  3. Compares the remote and local configurations.
  4. Calculates the set of changes to be deployed (number and type of each change).
  5. Displays the number and type of each change.

Changes are displayed as follows:

  • ADDED. New shared objects added to a rule and called by an existing rule list, policy, or firewall are counted as ADDED. Newly-created shared objects that are not referenced in a firewall are not counted and are not distributed.
  • MODIFIED. Existing objects already used by an existing rule list, policy, or firewall and subsequently edited are counted as MODIFIED.
  • REMOVED. Existing objects used by an existing rule list, policy, or firewall and subsequently removed are counted as REMOVED. If a shared object is removed from a rule and is no longer being used by any other rules, it is marked for removal from the selected devices. It is not removed from the BIG-IQ Security system unless expressly deleted.
Note: If an individual rule in a rule list, policy, or firewall has been changed, added, or removed, the entire modified object (rule list, policy, or firewall) is marked for deployment. This also applies to adding, modifying, or removing ports in a port list, or addresses in an address list.

During the distribution phase, configuration changes are pushed out to remote BIG-IP devices. The working-configuration set is deployed or the selected BIG-IP device is rolled back to the state reflected in the snapshot. Any changes made locally to the BIG-IP device are overwritten.

With BIG-IQ Security, you can deploy up to 20 devices in a single deployment.

Adding deployments

When you have completed edits to a firewall policy, you can create a deployment to push out to a target device any change that occurred to any configuration object.
  1. To begin the process, navigate to the Deployment panel.
  2. Hover in the Deployment banner and click the + icon to display the Add Deployment panel.
  3. Edit the fields as required. Your changes are saved automatically.
    Option Description
    Deployment Name Name for the deployment that indicates its purpose. It can be useful to develop a convention such as ticket numbers.
    Description Optional description, including the purpose of the deployment or other relevant information.
    Deployment Source Choose between Use Working Config and Use A Snapshot. To deploy the working configuration currently on the BIG-IQ system, select Use Working Config and click Evaluate. To deploy from a snapshot, select Use a Snapshot and from the popup screen, select the snapshot you want to deploy from and click Evaluate.
    Select Devices to Evaluate Available devices are listed. Select or clear check boxes as appropriate.
  4. When you are satisfied that you understand the differences and that you are deploying the changes that you want to, click the Deploy button in the panel.
A deployment is created and listed in the Deployment panel along with its status. A status of READY TO DEPLOY indicates that the working-configuration set can be deployed or the selected BIG-IP device can be rolled back to the state reflected in the snapshot.

Managing deployments

When a deployment displays a status of READY TO DEPLOY, you can distribute configuration changes. If there are no changes to deploy, a message displays to confirm this.
  1. To begin the process, navigate to the Deployment panel.
  2. Hover in the banner of the deployment you want to manage and click the gear icon to expand the panel and display task properties.
    Option Description
    Deployment Name User-provided name of the deployment task.
    Description Optional description, including the purpose of the deployment or other relevant information.
    User Name of the user who initiated the deployment.
    Task Status Status for deployment phases (evaluation and distribution).
    Start Time Time the deployment started in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:17-07:00
    End Time Time the deployment ended in the format yyyy-mm-ddThh:mm:ss-hours-off-GMT. Example: 2013-05-31T08:16:36-07:00
  3. Click Evaluate to evaluate differences between the selected snapshot and the current configuration.
  4. Click Evaluate to evaluate differences between the selected snapshot and the current configuration.
  5. When you are satisfied that you understand the differences and that you are deploying the changes that you want to, click the Deploy button in the panel.
Deployment states are displayed during the deployment process. The working-configuration set is deployed or if a snapshot was selected, the BIG-IP device is rolled back to the state reflected in the snapshot.

Deploying from snapshots

You can use snapshots to restore a specific configuration state or to deploy a specific set of working configuration edits back to the BIG-IP device.
  1. To begin the process, navigate to the Deployment panel.
  2. Hover in the Deployment banner and click the + icon to display the Add Deployment panel.
  3. Edit the fields as required. Your changes are saved automatically.
    Option Description
    Deployment Name Name for the deployment that indicates its purpose. It can be useful to develop a convention such as ticket numbers.
    Description Optional description, including the purpose of the deployment or other relevant information.
    Deployment Source Choose between Use Working Config and Use A Snapshot. To deploy the working configuration currently on the BIG-IQ system, select Use Working Config and click Evaluate. To deploy from a snapshot, select Use a Snapshot and from the popup screen, select the snapshot you want to deploy from and click Evaluate.
    Select Devices to Evaluate Available devices are listed. Select or clear check boxes as appropriate.
  4. When you see the message READY TO DEPLOY under the deployment name in the Deployment panel, click the gear icon to expand the panel. Under the text Evaluate found the following changes: you will see a device name followed by an arrow. Click the arrow to display differences. Differences are listed by: name, type, change (added, modified, deleted), and device (blank unless the type is firewall). Click an object name to view the JSON in the table under the list of differences.
  5. When you are satisfied that you understand the differences and that you are deploying the changes that you want to, click the Deploy button in the panel.
The specific set of working-configuration edits is deployed to the selected BIG-IP device.

Device deployment states

The following table displays states that occur during the deployment process and a brief description of each state.

NEW The deployment process has started.
COMPLETED_RETRIEVE_DEVICES Devices have been successfully retrieved. All managed devices on the BIG-IQ Security system have been found.
FAILED_RETRIEVE_DEVICES Failed to retrieve devices. Failed to find all managed devices on BIG-IQ Security.
COMPLETED_CHECK_DMA Verified that the process of declaring management authority (DMA) is not currently running. The deployment process cannot run if DMA is running.
FAILED_CHECK_DMA Verified that the process of DMA is currently running. The deployment process cannot run at the same time.
STARTED_REFRESH_CONFIG Refresh of the current configuration for all devices included in deployment has started. This process pulls in any new configuration items from the BIG-IP device in to the current configuration.
COMPLETED_REFRESH_CONFIG Refresh of the current configuration for all devices included in deployment has started has completed. This process pulls in any new configuration items from the BIG-IP device in to the current configuration.
FAILED_REFRESH_CONFIG Refresh of the BIG-IQ Security current configuration has failed. This refresh pulls in any new configuration items from the BIG-IP device in to the current configuration.
STARTED_SNAPSHOT Snapshot of the working configuration has started.
COMPLETED_SNAPSHOT Snapshot of the working configuration has completed.
FAILED_SNAPSHOT Snapshot of the working configuration has failed.
START_DIFFERENCE Preparing to start the process of enumerating differences between the snapshot taken and the current configuration.
STARTED_DIFFERENCE Generating the differences between the snapshot taken and the current configuration has started.
COMPLETED_DIFFERENCE The process of enumerating differences between the snapshot taken and the current configuration has completed.
FAILED_DIFFERENCE The process of enumerating differences between the snapshot taken and the current configuration has failed.
STARTED_PROCESSING_DIFFERENCE Processing differences between the snapshot taken and the current configuration has started. This state transforms the difference data into a form that can be distributed.
COMPLETED_PROCESSING_DIFFERENCE Processing differences between the snapshot taken and the current configuration has completed. This state transforms the difference data into a form that can be distributed.
FAILED_PROCESSING_DIFFERENCE Processing differences between the snapshot taken and the current configuration has failed. This state transforms the difference data into a form that can be distributed.
START_DISTRIBUTION Preparing to start the distribution process.
STARTED_DISTRIBUTION The process of distributing configuration changes to specified devices has started.
FAILED_DISTRIBUTION The process of distributing configuration changes has failed.
COMPLETED The deployment process has completed.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information