Applies To:
BIG-IQ Security
- 4.5.0
About active-standby, high-availability configurations
To ensure that you always have access to the BIG-IP devices under BIG-IQ management, install two BIG-IQ systems in an active-standby, high-availability (HA) configuration.
Configuring a high-availability pair is optional. However, if you configure a high-availability BIG-IQ system and the active peer fails, the standby peer will become active, enabling you to continue to manage devices.
BIG-IQ Security performs asynchronous replication per transaction, which means that data is replicated continuously, asynchronously, on a transaction-by-transaction basis as changes are made or commands are run on the active system.
Continuous, asynchronous replication ensures that the stored state on each BIG-IQ system is identical to the state on the other BIG-IQ system(s) in the HA configuration. You can resume managing firewalls after a failover without loss of any configuration change that might have occurred prior to failover.
In addition, all intermediate generations of a configuration object are identical on all HA peers. This is required because snapshots can refer to previous generations, and the system must be able to restore on any node a snapshot that was originally taken on a peer.
About high-availability terminology
Terminology is crucial in understanding the status of the high-availability (HA) relationship. The following list defines some important terms used in HA configurations.
- Primary
- The node you are logged in to when establishing the pair is deemed the primary node; the system added is deemed the secondary node. The primary node determines which node is active if both nodes are up and communicating. This is the node that wins if a conflict occurs. Initiate the pairing from the primary node.
- Secondary
- Any node added to the configuration is deemed the secondary node. Currently, BIG-IQ Security supports a 2-node pairing. When finished discovering its peer, the primary node triggers a snapshot of the current state of the storage on the primary node. When the snapshot is finished, it is copied to the secondary node. The restjavad process on the secondary node is restarted.
- Active
- The node that is running commands is the active node. If you see the status indication Active (Secondary) on the secondary device, you have failed over to the node that is not the primary. In the unlikely event of network segmentation, both systems may report that they are active.
- Standby
- The standby node displays a yellow status bar at the top of the interface that indicates its standby status and instructs the user to perform all module-related activity on the active node.
- Cluster
- A synonym for a high-availability configuration is cluster. A cluster comprises at least two BIG-IQ systems (fully installed and licensed, and running the same version of software), and is configured in a high-availability relationship through .
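A monitoring check built on the labels defined above, as an added example that is not part of the original documentation or the product's own code: given the status label each node displays, it flags a failover and the both-active case that network segmentation can cause. The outcome names, the use of `None` for a node that does not respond, and the sample observations are assumptions constructed for this example.

```python
import re

# Labels use the "State (Role)" form from the page, e.g. "Active (Secondary)".
# Accepting every State/Role combination is an assumption of this example.
LABEL = re.compile(r"^\s*(Active|Standby)\s*\(\s*(Primary|Secondary)\s*\)\s*$", re.I)


def parse_label(label):
    """Return (state, role) in lower case, or None for an unreachable node."""
    if label is None:
        return None
    m = LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised HA status label: {label!r}")
    return m.group(1).lower(), m.group(2).lower()


def classify_pair(primary_label, secondary_label):
    """Classify the pair from the label each node shows (None = no response)."""
    p, s = parse_label(primary_label), parse_label(secondary_label)
    # Each node must report the role it was given when the pair was created.
    if (p and p[1] != "primary") or (s and s[1] != "secondary"):
        return "role-mismatch"
    p_state = p[0] if p else None
    s_state = s[0] if s else None
    if p_state == "active" and s_state == "active":
        return "split-brain"      # both report active: network segmentation
    if p_state == "active":
        return "normal" if s_state == "standby" else "no-standby"
    if s_state == "active":
        return "failed-over"      # running on the node that is not the primary
    return "no-active"            # no node is running commands


# Constructed observations: (label on primary, label on secondary).
SAMPLES = [
    ("Active (Primary)", "Standby (Secondary)"),
    (None, "Active (Secondary)"),
    ("Active (Primary)", "Active (Secondary)"),
    ("Active (Primary)", None),
    ("Active (Secondary)", "Standby (Secondary)"),
]

if __name__ == "__main__":
    for primary, secondary in SAMPLES:
        print(f"{primary!s:20} | {secondary!s:20} -> {classify_pair(primary, secondary)}")
```

A `split-brain` result is the one to alert on first, since both nodes then accept changes independently.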
Pairing BIG-IQ Security systems for high-availability
- Log in to the BIG-IQ system, using administrator credentials.
- From the BIG-IQ dropdown list, select System.
- From the BIG-IQ Systems panel header, click + and select Add Device.
- In the New Device panel, complete the following fields:
  - IP Address: Type the self IP address.
  - User name: Type the administrative user name.
  - Password: Type the administrative password.
  - Group: From the Group dropdown list, select Management Group.
  - High Availability Mode: Select Active-Standby.
- Click Add.
Splitting a high-availability pair
- Log in to the BIG-IQ system, using administrator credentials.
- From the BIG-IQ dropdown list, select System.
- From the BIG-IQ Systems panel, expand the Management Group.
- Hover over the secondary-standby peer and when the gear icon appears, click it to open the panel.
- In the expanded panel, click Remove.
About automatic failback
BIG-IQ Security forces an automatic failback mechanism in which the Active (Primary) node goes down and the Active (Secondary) node takes over. Subsequently, the Active (Secondary) node may be labeled Active (Secondary). When the Active (Primary) node comes back up, it takes over primary responsibilities automatically, becomes the Active (Primary) node, and synchronizes its configuration with the configuration on the Standby (Secondary) node. Thus, you are guaranteed that no data is lost.