BIG IQ 5.4 Self Guided Lab Guide
Participant Hands-on Lab Guide
Version: 2.0
|image0|
Last Updated: 3/5/2018
©2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5
logo are trademarks of F5 Networks, Inc. in the U.S. and in certain
other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be
trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential
Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third
party without the express written permission of F5.
`Overview <#_Toc518815019>`__
`Introduction <#_Toc518815020>`__
`Device Information <#device-information>`__
`Dependencies <#dependencies>`__
`How to access the lab in the Ravello environment <#_Toc518815023>`__
`The BIG-IQ User Interface <#_Toc518815024>`__
`Note: <#note>`__
`BIG-IQ Access Policy Manager <#big-iq-access-policy-manager>`__
`WORKFLOW 1: Access Policy Review <#workflow-1-access-policy-review>`__
`WORKFLOW 2: Location Specific Object Modification <#workflow-2-location-specific-object-modification>`__
`WORKFLOW 3: Modifying an existing APM access policy using VPE <#workflow-3-modifying-an-existing-apm-access-policy-using-vpe>`__
`WORKFLOW 4: Create a new VPN Access profile <#workflow-4-create-a-new-vpn-access-profile>`__
`WORKFLOW 5: View APM Audit logs and Dashboards <#_Toc518815031>`__
`BIG-IQ Device Management <#big-iq-device-management>`__
`WORKFLOW 1: Setting up of BIG-IQ Data Collection Devices (DCD). (REQUIRED) <#workflow-1-removing-previously-discovered-devices-for-this-lab-exercise>`__
`WORKFLOW 2: Importing BIG-IP devices for management and inventory (REQUIRED) <#_Toc518815034>`__
`WORKFLOW 5: Automating device backups and archiving a copy of the backup file <#_Toc518815035>`__
`WORKFLOW 6: Uploading QKviews to iHealth for a support case <#_Toc518815036>`__
`BIG-IQ Partial Deployment \| Partial Restore <#_Toc518815037>`__
`WORKFLOW 1: Create multiple changes. Deploy single change. (REQUIRED) <#_Toc518815038>`__
`WORKFLOW 2: Create and deploy multiple changes with selected roll-back. (REQUIRED) <#_Toc518815039>`__
Overview
========
This document details the lab exercises and steps that should be
followed by the student to learn about BIG-IQ Access-specific functions
as they relate to managing BIG-IP Access Policy Manager.
The environment is set up with a basic configuration and associated traffic
generation to populate dashboards for these exercises. BIG-IQ could, for
example, be managing BIG-IPs in Azure and Google Cloud as well as on
premises, which makes it a powerful management tool for customers who are
considering multi-cloud management.
Introduction
============
This lab environment is designed to allow for quick and easy
demonstration of a significant portion of the BIG-IQ product. The Linux
box in the environment has multiple cron jobs that generate
traffic to populate the Monitoring tab.
|image1|
Device Information
==================
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| Device Name | Mgmt IP | Version | Username/pw | Provisioning |
+==========================================+=============+====================+==================+=============================================+
| BIGIQ\_CM\_5.4 | 10.1.1.4 | 5.4.0 | admin/admin | BIG-IQ Console |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| BIGIQ\_DCD\_5.4 | 10.1.1.6 | 5.4.0 | admin/admin | BIG-IQ Data Collection Device |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| BOS-vBIGIP01.termmarc.com | 10.1.1.10 | 13.1.0 | admin/admin | LTM, DNS, ASM, AFM, APM |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| BOS-vBIGIP02.termmarc.com | 10.1.1.11 | 13.1.0 | admin/admin | LTM, DNS, ASM, AFM, APM |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| ip-10-1-1-7.us-west-2.compute.internal | 10.1.1.7 | 12.1.1 HF1 | admin/admin | LTM, DNS, AFM |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| ip-10-1-1-8.us-west-2.compute.internal | 10.1.1.8 | 13.1.0 | admin/admin | LTM, FPS, ASM, APM |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| ip-10-1-1-9.us-west-2.compute.internal | 10.1.1.9 | 12.1.1 HF1 | admin/admin | LTM, DNS, AFM |
| | | | | |
| | | | root/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
| Lamp-Server | 10.1.1.5 | CentOS 7 (UDF) | root/default | App Server, LDAP, Radius, TACACS+, syslog |
| | | Ubuntu (Ravello) | | |
| | | | centos/default | |
+------------------------------------------+-------------+--------------------+------------------+---------------------------------------------+
Dependencies
============
- The BIG-IP device must be located in your network.
- The BIG-IP device must be running a compatible software version.
- Enable basic authentication on BIG-IQ using ``set-basic-auth on`` in the
shell.
***BIG-IP Versions*** AskF5 SOL with this information:
https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html
**Note:** Ports 22 and 443 must be open to the BIG-IQ management address,
or any alternative IP address used to add the BIG-IP device to the
BIG-IQ inventory.
How to access the lab in the Ravello environment
================================================
**Agility Lab specific instructions.**
For individual access, take the following steps:
**Ravello:**
Once the instructor has started your lab environment, you will be
provided a URL/IP address to access the environment's Jump Host, where you
will perform all the lab tasks.
The BIG-IQ User Interface
=========================
In this section, we will go through the main features of the user
interface. Feel free to log into the BIG-IQ device to explore some of
these features in the lab.
After you log into BIG-IQ, you will notice:
1) A navigation tab model at the top of the screen to display each high
level functional area.
2) A tree based menu on the left-hand side of the screen to display
low-level functional area for each tab.
3) A large object browsing and editing area on the right-hand side of
the screen.
|image2|
- Let us look a little deeper at the different options available in the bar
at the top of the page.
|image3|
- At the top, each tab describes a high-level functional area for
BIG-IQ central management:
- Monitoring – Visibility in dashboard format to monitor performance and
isolate fault areas.
- Configuration – Provides configuration editors for each module area.
- Deployment – Provides operational functions around deployment for
each module area.
- Devices – Lifecycle management around discovery, licensing and
software install / upgrade.
- System – Management and monitoring of BIG-IQ functionality.
- Application – Visibility for all of the components of the
application.
- Overview of the left-hand navigation for each top-level functional
area.\ |image4|
Note:
======
This course is not intended to train you on the general device
management functions of BIG-IQ, but rather on the features
available within the Access portion of BIG-IQ for managing the BIG-IP Access
Policy Manager module on multiple BIG-IPs throughout your organization.
Therefore we will jump right into the BIG-IQ Access-specific
workflows. Toward the end of the lab we will discuss what steps an Admin
must take in order to discover and import a BIG-IP device running Access
Policy Manager so that it can be managed by BIG-IQ.
BIG-IQ Access Policy Manager
============================
Objective
^^^^^^^^^
BIG-IQ can create, modify, and delete APM access and per-request
policies.
WORKFLOW 1: Access Policy Review
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Navigate to Configuration -> Access -> Access Groups -> Boston -> Access
Policies -> Per-Session Policies -> Test2
|image5|
The access policy will be displayed in a new screen as shown below.
Compare the access policy in BIG-IQ with the policy on the BIG-IP source
device and ensure that they are exactly the same.
|image6|
WORKFLOW 2: Location Specific Object Modification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Navigate to Configuration -> Access -> Access Groups -> Boston ->
Authentication -> Active Directory
|image7|
LSO, or Location Specific Objects, are objects within an access
profile/policy that normally relate to a specific geographic area
and are not shared between all devices by default, in order to
prevent misconfigurations. As an example, AAA servers are located in
all offices/data centers globally; however, if an end user is accessing
a policy on an APM in Europe, we wouldn't want their authentication
requests to be sent over a WAN link to a Domain Controller in
another country, causing a tremendous delay for that user.
- Click the check box for FrogPolicy-olympus-ad on the BIGIP02
device.
- Click the Mark Shared button and accept the warning.
|image8|
This will move the object from the device-specific location to the
Shared resources location.
- Click on the AAA object to edit its properties.
- Change the Timeout value from 15 to 1500.
- Click Save & Close.
|image9|
BIG-IQ provides the ability to transition LSO objects to Shared
Objects and vice versa. When an LSO object is made Shared, it will
have the same configuration across all the BIG-IPs after deployment.
WORKFLOW 3: Modifying an existing APM access policy using VPE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Navigate to Configuration -> Access -> Access Groups
- Select BosAG1 (or Boston)
|image10|
Click on Access Policies -> Per Session Policies:
|image11|
Select TestAccessProfile and add the following:
- Logon page (accept default settings)
- AD Auth using FrogPolicy-Olympus-AD
- If AD Auth is successful, you are allowed access
|image12|
|image13|
|image14|
|image15|
|image16|
After modifying the access profile, go to “Deployment tab -> Evaluate &
Deploy -> Access” and click Create in the Evaluation section. Make sure
to select the BOS-vBIGIP01/02 devices.
|image17|
In the evaluation section, you will be able to view the added/changed
items.
Now go forward and deploy the changes.
|image18|
|image19|
You can verify on the BIG-IP that the access profile changes were pushed:
|image20|
WORKFLOW 4: Create a new VPN Access profile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Navigate to Configuration -> Access -> Access Groups
- Select Boston
|image21|
You can see all of the access policies listed in the Per Session
Policies:
|image22|
Click Create and you will see the Access Policy creation screen. Give it
the name “VPN-AP” and click **Save & Close**. You can change the
view from Basic -> Advanced if you want to modify additional settings
such as timeouts, SSO, logout URI, etc.
|image23|
Then click “New” in Macros and select the “AD Auth and resources” template.
Edit the macro with the following settings:
AD Server = FrogPolicy-olympus-ad
Resource -> Network Access = FrogPolicy-F5\_VPN
|image24|
|image25|
|image26|
|image27|
Then add the macro into the VPE and change the ending on the
“Successful” branch to **Allow**.
|image28|
After creating and saving the access profile, go to “Deployment ->
Evaluate & Deploy -> Access”.
Click “Create” in Evaluations, give it a name, and select the
BOS-vBIGIP01/02 devices.
In the evaluation section, you will be able to view the added/changed
items.
|image29|
Click View after the evaluation is done to see the changes highlighted in green.
|image30|
|image31|
Then click Deploy and verify that the new VPN Access Profile is pushed
to the BostonAG.
|image32|
|image33|
|image34|
WORKFLOW 5: View APM Audit logs and Dashboards
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Navigate to Monitoring -> Audit Logs -> Access
Note: In case you do not have any data in BIG-IQ, check the active
sessions in the Access tab on the BIG-IP Boston active cluster. If a session
shows pending (blue), restart the apmd process on the BIG-IP
(``bigstart restart apmd``).
|image35|
We will now walk through several different Dashboards available under
the Access portion of BIG-IQ. During this exercise we will bring
attention to several key areas of interest for Administrators.
Start by following the menu paths below to each sub-menu
section of the Access Dashboards:
- Navigate to Monitoring -> Dashboards -> Access
- View Access Summary
Notice the layout provides a great overview of usage of the entire
Access infrastructure of devices currently under
management with BIG-IQ. This single-page view provides a quick
snapshot of license usage, geographic access usage, top
users, session counts and Denied Sign-Ins. There is a time slider
at the top of the page allowing the Admin to constrain
the time period for which the graphs and session counts are
displayed. Take notice of the current Session count and Sign-In
Denied count, then adjust the left time slider by moving it slightly to the
right. Then adjust the right slider by moving it slightly to the left.
You will notice the session counts have changed. From this point an
Admin could quickly drill down into
certain areas of interest for troubleshooting. Click on the
Sign-in Denied number to review further details. On the lower
portion of this page you will find a list of denied sessions. You
can see the duration of the session for the given user along with
the username, client IP and, in this example, the IP-Reputation match
that prevented access for many of the sessions.
- Application Summary
On the Application Summary screen we can see usage requests for the
top apps, along with Bytes In/Out details and the number of Unique
Users per application. By clicking on an application name like
Confluence we can drill down to the details for that specific
application.
- Federation -> SAML ->SP -> SP Summary
Federation is being used more widely these days. The BIG-IP Access
Policy Manager can perform both SAML Service Provider as well as
Identity Provider functions. In this summary screen we see the
Federated Assertions for foreign Identity Providers for Services
(Applications) hosted from the Access Policy Managers in the
organization.
Once again an Admin can use this screen to start diagnosing issues
like Failed Assertions by clicking the lines in that section for
drill down details.
- Federation -> SAML ->IdP -> IdP Summary
In the IdP Summary screen we see when the BIG-IP Access Policy
Manager is acting as the Identity Provider and providing
assertions to external Service Provider hosted applications. Same
drill down/troubleshooting benefits can be found here for the
Administrators of the Access environment.
- Remote Access -> Network Access -> Network Access Summary
In the Network Access Summary screen you will notice something new
between the user count numbers at the top and the graph below them.
There are three tabs: Sessions, Connections, and Bytes Transferred.
The Sessions tab is selected by default. Click the Connections tab
and review it. Now click the Bytes Transferred tab. With BIG-IPs
running TMOS 13.1 or later, BIG-IQ 5.4 can display these details for
reporting, troubleshooting, and capacity usage and planning.
- Remote Access -> Network Access -> Network Access Usage
This screen provides more detailed reporting of the
Bytes In/Out/Transferred per user for the Admin to utilize.
- Remote Access -> VDI Summary
Many companies have implemented Virtual Desktop
Infrastructures over the years for deploying either individual
published applications or full desktops for users. This summary
screen provides reporting on the usage of those VDI objects being
served through the BIG-IP Access Policy Manager working as a VDI
proxy for the three major flavors of VDI technology: Microsoft
RDP, VMware Horizon and Citrix XenApp/XenDesktop.
- Sessions -> Sessions Summary
As we review the Session Summary screen you should notice, under
the ACTIVE column, green dots for sessions that are
currently active; however, this screen displays the list of all
sessions, including the denied sessions we reviewed earlier. You can
click on a session ID to review the policy events for that
session.
- Sessions -> Active
In this screen only the currently active
sessions are reported. Notice the check box to the left of each session. You
can check a box and the “Kill Selected Sessions” button above
will be un-grayed, allowing the Admin to kill the checked
sessions. If the Admin were to click the check box in the column
header, it would check all session boxes, and the Kill All Sessions
and/or Kill Selected Sessions buttons would then perform the kill
on all sessions. In both scenarios the Admin is presented with a
confirmation screen before the checked sessions are actually
killed.
- Sessions -> Bad IP Reputation
In this section we can see the reported IP Reputation data for
incoming requests to the APM Policies.
- Sessions -> Browsers and OS
This screen provides details of the browser types and OSes being used
to access the APM policies. This is great information if an
organization has specific policies in place that stipulate which
browsers and OSes are supported. The Admin can quickly see where
they fall in line with those policies.
- Sessions -> By Geolocation
This reporting screen provides a heatmap displaying where
access attempts are being initiated from. If an organization only
allows or supports access from certain geographic regions, this
screen can provide quick details on possible bad-actor attempts against
the organization's Access infrastructure.
- Endpoint Software -> Endpoint Software Summary
You may need to reset the timeframe, either by adjusting the
sliders or using the Timeframe dropdown. This screen provides
information on the endpoint software in use by clients, detected
via the Endpoint Inspection helper applications that run on
client systems and report back to the BIG-IP Access Policy
Manager during access.
- Endpoint Software -> Endpoint Software Summary
This is another great troubleshooting screen to review versions of
client AV software.
- License Usage
This screen provides an overview of the Access Policy Manager
license usage for both Access Session licenses as well as
Connectivity Session licenses per APM Device.
- User Summary
In the User Summary screen, one item that can be useful to an Admin
is the filter search field by username. If your organization has a
large community of users accessing via many different methods or
applications, the ability to filter by username and drill into
the sessions of a specific user is helpful for troubleshooting
issues.
Below are just a few of the screens mentioned above; taking the
time to review these Monitoring Dashboards with live data can be helpful
in getting familiar with Admin duties for an Access Policy infrastructure
using the BIG-IQ Centralized Manager.
|image36|
|image37|
|image38|
|image39|
|image40|
|image41|
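To make the dashboard operations above concrete, here is an added Python example (not part of the F5 lab guide and not a BIG-IQ API): it applies a timeframe to a set of session records, computes the session and Sign-In Denied counts, and drills into denied sign-ins by reason, client IP and user, the same drill-down an Admin performs from the Access Summary and Sessions screens. The session records and their column layout are constructed for this example and are not the BIG-IQ export format; the function names are this example's own.

```python
"""Summarise APM session data the way the BIG-IQ Access dashboards do:
apply a timeframe, count sessions, and drill into denied sign-ins.

Added example, not part of the F5 lab guide and not a BIG-IQ API. The
records below are constructed; the column layout is an assumption, not
the BIG-IQ export format.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample records: one session per line (not real data).
SAMPLE_SESSIONS = """\
session_id,start,duration_s,username,client_ip,result,reason
a1f0,2018-03-05T08:00:12,3600,alice,10.1.10.21,allowed,
a1f1,2018-03-05T08:02:45,0,bob,203.0.113.17,denied,IP-Reputation matched
a1f2,2018-03-05T08:05:03,0,bob,203.0.113.17,denied,IP-Reputation matched
a1f3,2018-03-05T08:10:30,1200,carol,10.1.10.40,allowed,
a1f4,2018-03-05T09:15:00,0,dave,198.51.100.9,denied,AD Auth failed
a1f5,2018-03-05T09:40:11,0,bob,203.0.113.17,denied,IP-Reputation matched
a1f6,2018-03-05T10:05:00,900,erin,10.1.10.55,allowed,
"""


def parse_sessions(text: str) -> List[dict]:
    """Parse the CSV text into session dicts with typed start/duration."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
        rows.append(row)
    return rows


def in_timeframe(sessions: List[dict], start_iso: str, end_iso: str) -> List[dict]:
    """Keep sessions whose start falls inside [start, end], like the time slider."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [s for s in sessions if start <= s["start"] <= end]


def session_counts(sessions: List[dict]) -> Tuple[int, int]:
    """Return (total sessions, Sign-In Denied count) for the given set."""
    denied = sum(1 for s in sessions if s["result"] == "denied")
    return len(sessions), denied


def denied_breakdown(sessions: List[dict]) -> Dict[str, Counter]:
    """Drill-down on denied sign-ins: counts by reason, client IP and user."""
    denied = [s for s in sessions if s["result"] == "denied"]
    return {
        "by_reason": Counter(s["reason"] for s in denied),
        "by_client_ip": Counter(s["client_ip"] for s in denied),
        "by_user": Counter(s["username"] for s in denied),
    }


def repeat_offenders(sessions: List[dict], threshold: int = 3) -> List[str]:
    """Client IPs denied at least `threshold` times; candidates for review."""
    counts = denied_breakdown(sessions)["by_client_ip"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    window = in_timeframe(sessions, "2018-03-05T08:00:00", "2018-03-05T09:00:00")
    print("sessions/denied in window:", session_counts(window))
    print("denied by reason:", dict(denied_breakdown(sessions)["by_reason"]))
    print("repeat offenders:", repeat_offenders(sessions))
```

Narrowing the timeframe changes both counts, which is the behaviour the time slider exercise asks you to observe; the repeat-offender list is the same question the Bad IP Reputation and By Geolocation screens answer for you on live data.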
BIG-IQ Device Management
========================
The following workflows will get you familiar with using BIG-IQ for
management of BIG-IP devices, specifically for managing Access Policy Manager.
This course is not intended to walk through all the required steps to
implement BIG-IQ and set up logging and statistics collection. That
information can be referenced from the BIG-IQ CM Implementation Guide.
For this BIG-IQ Access lab we will proceed to general ADC management
tasks (importing a BIG-IP and managing its configuration).
WORKFLOW 1: Removing Previously Discovered devices for this LAB Exercise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since this Self Guided Lab started with the BIG-IQ pre-populated with
the BIG-IP devices for the previous exercises, we must now remove some of
those devices before continuing on to the next workflow.
1. Navigate to the top menu Devices tab, then on the left menu select BIG-IP
Devices.
2. Place a check in the box next to BOS-vBIGIP01.termmarc.com and
BOS-vBIGIP02.termmarc.com.
3. Click the Remove All Services button.
4. Navigate to the Devices tab, then the BIG-IP Clusters menu, then the Access Groups
sub-menu.
5. Verify whether the Boston Access Group still exists. If so, do the
following task; otherwise skip to the next step.
6. Place a check in the box next to BOSTON and click the REMOVE button.
7. Navigate to BIG-IP Clusters -> DSC Groups.
8. If any DSC groups from either of the BOS devices are shown,
click the Refresh List button and verify they are removed.
9. Navigate to the Devices -> Device Groups menu.
10. Verify the BostonDC group is gone; if not, place a check in the box next
to BostonDC and click the Delete button.
You can log on to both the BOS-vBIGIP01.termmarc.com and
BOS-vBIGIP02.termmarc.com devices locally and verify they no longer
show that they are managed by BIG-IQ.
WORKFLOW 2: Importing BIG-IP devices for management and inventory (REQUIRED)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Time to complete: 15 Minutes
The first step of managing devices with BIG-IQ is device discovery. The
basic discovery allows for device inventory, device health monitoring,
backup and restore of the managed device, integration with F5’s iHealth
service, software upgrade, and device template deployment. As part of
the discovery process, you can choose to manage other parts of the
BIG-IP configuration.
In this scenario, we will import a clustered pair of BIG-IP devices,
review the device information available in BIG-IQ, export our inventory
to a CSV file, and review it.
Adding devices to BIG-IQ Inventory:
***Dependencies:***
1. The BIG-IP device must be located in your network.
2. The BIG-IP device must be running a compatible software version.
***BIG-IP Versions***
+------------------------------+------------------------------+
| **Functional Description** | **Minimum BIG-IP version** |
+==============================+==============================+
| Backup/Restore | 11.5.0 HF7 |
+------------------------------+------------------------------+
| Upgrade - legacy devices | 10.2.0 |
+------------------------------+------------------------------+
| Upgrade - managed devices | 11.5.0 HF7 |
+------------------------------+------------------------------+
| Licensing BIG-IP VE | 11.5.0 HF7 |
+------------------------------+------------------------------+
| Licensing - WebSafe | 12.0.0 |
+------------------------------+------------------------------+
| ADC management | 11.5.1 HF4 |
+------------------------------+------------------------------+
| AFM | 11.5.2 |
+------------------------------+------------------------------+
| Access | 12.1.0 |
+------------------------------+------------------------------+
| ASM | 11.5.3 HF1 |
+------------------------------+------------------------------+
| DNS | 12.0.0 |
+------------------------------+------------------------------+
AskF5 SOL with this information:
https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14592.html
3. Ports 22 and 443 must be open to the BIG-IQ management address, or any
alternative IP address used to add the BIG-IP device to the BIG-IQ
inventory.
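As an added example (not part of the F5 lab guide), the following Python script encodes the minimum-version table above and checks each BIG-IP from the Device Information table against it, treating a hotfix suffix such as ``HF7`` as sorting after its base release but before the next point release. The feature names, version strings and device names are copied from this guide; the parsing rules and function names are this example's own assumptions, and the script does not talk to BIG-IQ or any device.

```python
"""Check lab BIG-IP versions against BIG-IQ's minimum-version table.

Added example, not part of the F5 lab guide. MINIMUM_VERSIONS is copied
from the guide's "BIG-IP Versions" table and LAB_DEVICES from its Device
Information table; the parsing and comparison rules are assumptions made
for this example (a hotfix sorts after its base release, and any later
point release supersedes it).
"""
import re
from typing import Dict, List, Tuple

MINIMUM_VERSIONS: Dict[str, str] = {
    "Backup/Restore": "11.5.0 HF7",
    "Upgrade - legacy devices": "10.2.0",
    "Upgrade - managed devices": "11.5.0 HF7",
    "Licensing BIG-IP VE": "11.5.0 HF7",
    "Licensing - WebSafe": "12.0.0",
    "ADC management": "11.5.1 HF4",
    "AFM": "11.5.2",
    "Access": "12.1.0",
    "ASM": "11.5.3 HF1",
    "DNS": "12.0.0",
}

# BIG-IP devices from the guide's Device Information table (BIG-IPs only;
# the BIG-IQ nodes and the Lamp-Server are not BIG-IPs and are left out).
LAB_DEVICES: Dict[str, str] = {
    "BOS-vBIGIP01.termmarc.com": "13.1.0",
    "BOS-vBIGIP02.termmarc.com": "13.1.0",
    "ip-10-1-1-7.us-west-2.compute.internal": "12.1.1 HF1",
    "ip-10-1-1-8.us-west-2.compute.internal": "13.1.0",
    "ip-10-1-1-9.us-west-2.compute.internal": "12.1.1 HF1",
}

# major.minor.patch with an optional " HFn" hotfix suffix, e.g. "11.5.0 HF7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.5.0 HF7' into (11, 5, 0, 7); a missing hotfix counts as 0.

    Tuples compare element-wise, so 11.5.0 HF7 > 11.5.0 and 11.5.1 > 11.5.0 HF7.
    Anything that is not a BIG-IP version string (e.g. 'CentOS 7') is rejected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def supports(device_version: str, feature: str) -> bool:
    """True when the device meets the minimum version for a BIG-IQ feature."""
    return parse_version(device_version) >= parse_version(MINIMUM_VERSIONS[feature])


def unsupported_features(device_version: str) -> List[str]:
    """List the BIG-IQ features a device at this version is too old for."""
    return [f for f in MINIMUM_VERSIONS if not supports(device_version, f)]


def report(devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device name to the features it cannot be managed for."""
    return {name: unsupported_features(ver) for name, ver in devices.items()}


if __name__ == "__main__":
    for name, missing in report(LAB_DEVICES).items():
        status = "ok" if not missing else "too old for: " + ", ".join(missing)
        print(f"{name:42s} {LAB_DEVICES[name]:12s} {status}")
```

Run as-is it reports every lab BIG-IP as compatible with all features in the table, which is what you would expect before importing the devices; point it at an older version such as ``11.5.2`` and it lists Access, ASM, DNS and WebSafe licensing as unavailable, the same answer the AskF5 solution linked above gives by hand.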
BIG-IP Devices
^^^^^^^^^^^^^^
Adding a BIG-IP device to the BIG-IQ system inventory is the first step
to management. First, we will be adding an HA pair of devices to be
managed in BIG-IQ.
**\*\*Important-** Before you attempt to add the BIG-IP cluster
(***BOS-vBIGIP01.termmarc.com*** and ***BOS-vBIGIP02.termmarc.com***),
make sure that the devices are **‘In Sync’** from a configuration
standpoint, or you will get an error when attempting to import. You will
need to access one of the devices directly to do this. Log in to either
**BOS-BIGIP** from the UDF Components page and sync the configs.
\*\*DO NOT SKIP THE ABOVE STEP\*\*
1. Log in to the BIG-IQ system with your user name (admin) and password
(admin).
2. On the top menu bar, select **Devices** from the BIG-IQ menu.
3. On the left-hand menu bar, click **BIG-IP Devices**.
4. Click the **Add Device** button in the main pane.
a. In the **IP Address (10.1.1.10)** field, type the IPv4 or IPv6
address of the device.
b. In the **User Name** and **Password** fields, type the user name
(admin) and password (admin) for the device.
c. Cluster Display Name: Select **Create New.**
d. Name the cluster **BostonCluster**
e. Leave the **‘Initiate..’** radio button checked.
|image42|
5. Click the Add button to add this device to BIG-IQ.
6. BIG-IQ now exchanges certs with the BIG-IP and pops up a window for
the administrator to select which modules to manage from BIG-IQ. For
this device, select all services except **Fraud Protection
Services.** Leave the Statistics monitoring boxes all checked, and
then click the **Continue** button.
|image43|
7. The discovery process will start and you should see a screen like
this. At this point, BIG-IQ is using REST calls to the BIG-IP to pull
the selected parts of the BIG-IP configuration into BIG-IQ.
|image44|
While the discovery process is happening for the first device, add the
second device to BIG-IQ:
8. Click the **Add Device** button.
a. In the **IP Address (10.1.1.11)** field, type the IPv4 or IPv6
address of the device.
b. In the **User Name** and **Password** fields, type the user name
(admin) and password (admin) for the device.
c. Cluster Display Name: Select **Use Existing.**
d. Select **BostonCluster** from the list of existing clusters.
e. Leave the **‘Initiate..’** radio button checked.
9. Click the Add button to add this device to BIG-IQ.
10. For this device, again, select all services except **Fraud Protection
Services.** Leave the Statistics monitoring boxes all checked, and
then click the **Continue** button.
Allow the import jobs to complete. At this point, the configuration of
the BIG-IPs that have been imported are not yet editable in BIG-IQ. To
make the configurations editable in BIG-IQ, we need to |image45|.
11. On the Device Inventory screen, click the |image46|\ link in the
Services column for **BOS-vBIGIP01**. *(You may need to scroll right
to see the Services column.)*
|image47|
12. In the Local Traffic (LTM) section, select the check box for “Create
a snapshot of the current configuration before importing” and click
the **Import** button.
|image48|
13. Before proceeding, un-check the LTM snapshot box if it is still checked. In
the Access Policy (APM) section, select the check box for “Create a
snapshot of the current configuration before importing” and click the
**Import** button.
|image49|
a. BIG-IQ Access has its own notion of device grouping called “Access
Groups” where you define a “Source Device” where configuration
changes can be made and deployed to the other devices in the Access
Group. Create a new Access Group by choosing **Create** New from the
Access Group drop-down. Then name the new group **BostonAG**, and
Click the Add button to continue.
|image50|
14. In the Application Security (ASM) section, select the check box for
“Create a snapshot of the current configuration before importing” and
click the **Import** button.
|image51|
a. In step 14, you will experience “Conflict Resolution.” A conflict is
when an object that is already in the BIG-IQ working config has the
same name, but different contents, as an object that exists on the
BIG-IP being imported. The user must select whether to keep
the object from the BIG-IP or the BIG-IQ configuration, and storage will be updated
accordingly. Review the differences that have been discovered as part
of this import by clicking on each row in the difference view.
|image52|
a. In this lab, we are going to keep the version of the object that is
already in the BIG-IQ. Click the **Continue** button.
b. A window reminds us that these conflict resolution selections will
not modify the configuration running on this BIG-IP until we deploy
changes from BIG-IQ. Click the **Resolve** button to continue.
|image53|
1. In the Advanced Firewall (AFM) Section, select the check box for
“Create a snapshot of the current configuration before importing” and
click the **Import** button.
|image54|
a. Again, you will experience the conflict resolution screens. Choose to
keep the objects that are already on the BIG-IQ.
1. In the BIG-IP (DNS) Section, click the **Import** button.
|image55|
1. | Click the back arrow button at the top of the section to return to
the inventory.
| |image56|
2. Repeat steps 11-20 for BOS-vBIGIP02
|image57|
- For the APM import, make sure to choose **Add to existing** for the
Access Group and select **BostonAG**. Resolve any conflicts as before,
keeping the objects already on the BIG-IQ.
1. Once you have completed all of the import tasks for **BIGIP02**,
click the arrow in the upper left of the Services panel to return to
the device inventory screen.
|image58|
2. Click on the **BOS-vBIGIP01.termmarc.com** device link to review the
device Properties, Health, and Services information for the device.
|image59|
3. Click through the Properties, Health, Statistics Collection, and
Services tabs to review the information.
4. | Click the arrow in the upper left of the Services panel to return
to the device inventory screen.
| |image60|
5. Repeat steps 20-22 for the other devices, if you wish.
6. Click the **Export Inventory** button in the main pane to review the
contents of the device inventory CSV file.
7. The CSV file is automatically downloaded to your client. Launch the
CSV file from your downloads folder. For example, in Chrome the CSV
file will appear in the lower left. |image61|
8. Review the contents of the file and understand all of the information
that is provided.
|image62|
WORKFLOW 5: Automating device backups and archiving a copy of the backup file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Time to Complete: 5 min
BIG-IQ provides the ability to back up individual or groups of managed
devices on an ad-hoc or a scheduled basis. The admin can decide how long
to retain the backups on BIG-IQ and has the option of archiving a copy
of the UCS backup to an external device for DR or deeper storage
purposes. A UCS archive contains the device's full configuration,
including SSL private keys and local account data, so the archive
target and its credentials need the same protection as the BIG-IP
itself.
In this scenario, we are going to create a group of all of the devices
in our Boston data center and schedule a nightly backup that archives a
copy to an external SCP server for DR purposes.
First, we need to create the group for our backup schedule to reference.
We have two options in BIG-IQ: static groups, where devices are added
and removed manually and dynamic groups, where devices are selected from
a source group based on filter criteria. In this lab setup, the devices
have BOS in the name to indicate that they are in the Boston data
center. This makes the dynamic group the logical choice.
1. On the top menu bar, select **Devices** from the BIG-IQ menu.
2. Click **Device Groups** in the left-hand menu
3. Click **Create** in the main pane
4. | Complete the settings to create the group.
| Name: **BostonDCGroup**
| Group Type: **Dynamic**
| Parent Group: **Root (All BIG-IP Devices)**
| Search Filter: **BOS**
| |image63|
5. Click the **Save & Close** button to save the group.
Now, we can create our backup schedule that references this dynamic
group.
1. Click on the **Back Up & Restore** on the left-hand menu
2. Click on **Backup Schedules**
|image64|
3. Click the **Create** button in the main pane
4. | Fill out the Backup Schedule
| Name: **BostonNightly**
| Local Retention Policy: **Delete local backup copy 3 days after
creation**
| Backup Frequency: **Daily**
| Start Time: **00:00 Eastern Standard Time**
| Under Devices, select the **Groups** radio button
| Select from the drop-down **BostonDCGroup**
| Archive: **Store Archive Copy of Backup**
| Location: **SCP**
| IP Address: **10.1.10.80**
| User name: **f5**
| Password: **default**
| Directory: **/home/f5**
|image65|
|image66|
1. Click **Save & Close** to save the scheduled backup job.
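A check for the archive side of this workflow, added here as an example
and not part of the lab or of BIG-IQ: once the nightly job is running,
the archive host should be verified independently, because a schedule
that saves successfully on BIG-IQ says nothing about whether the SCP
copy arrived intact. The script assumes the archives land in one
directory (the lab uses ``/home/f5``), keep the ``.ucs`` suffix, and
that a UCS file is a gzip-compressed tar that ``tar -tzf`` can list;
the directory, age window and expected count are parameters, and the
sample archives it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lab guide): verify that the nightly UCS
# archives BIG-IQ pushes over SCP actually arrived and are intact.
# Assumptions: one archive directory (lab: /home/f5), .ucs suffix, and a
# UCS is a gzip-compressed tar, so listing it is a cheap integrity check.

# file_sha256 FILE: print the SHA-256, whichever tool the host has
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ucs_is_valid FILE: 0 if FILE is a readable gzip tar archive, 1 otherwise
ucs_is_valid() {
    tar -tzf "$1" >/dev/null 2>&1
}

# count_good_ucs DIR MAX_AGE_HOURS: echo the number of intact .ucs files
# in DIR modified within MAX_AGE_HOURS; log each with its SHA-256 on
# stderr so the hash can be recorded for later DR verification
count_good_ucs() {
    dir=$1; max_age_min=$(( $2 * 60 )); n=0
    [ -d "$dir" ] || { echo 0; return; }
    for f in "$dir"/*.ucs; do
        [ -f "$f" ] || continue
        # skip archives older than the window (stale copies from a dead job)
        [ -n "$(find "$f" -mmin "-$max_age_min" 2>/dev/null)" ] || continue
        if ucs_is_valid "$f"; then
            echo "OK   $(file_sha256 "$f")  $f" >&2
            n=$((n + 1))
        else
            echo "BAD  corrupt or truncated: $f" >&2
        fi
    done
    echo "$n"
}

# check_ucs_archives DIR MAX_AGE_HOURS MIN_COUNT: 0 if at least MIN_COUNT
# fresh, intact archives exist (one per device in the group is the
# natural threshold), 1 otherwise
check_ucs_archives() {
    n=$(count_good_ucs "$1" "$2")
    [ "$n" -ge "$3" ]
}

# make_sample_archives DIR: constructed test data standing in for what
# BIG-IQ would have written: one good archive and one truncated one
make_sample_archives() {
    mkdir -p "$1/src"
    echo "ltm virtual vs_demo { destination 10.1.10.10:443 }" > "$1/src/bigip.conf"
    tar -czf "$1/BOS-vBIGIP01_good.ucs" -C "$1/src" bigip.conf
    printf 'not an archive' > "$1/BOS-vBIGIP02_corrupt.ucs"
    rm -rf "$1/src"
}

# Usage on the archive host, after the 00:00 run, expecting both Boston
# devices (exit status drives a cron/monitoring alert):
#   check_ucs_archives /home/f5 24 2
```

Run it from the archive host's cron shortly after the scheduled start
time; a non-zero exit means either the SCP push failed or a file was
truncated in transit, which is exactly the case the retention policy on
BIG-IQ would otherwise hide after three days.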
WORKFLOW 6: Uploading QKviews to iHealth for a support case
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Time to Complete: 10 min
BIG-IQ can now push qkviews from managed devices to ihealth.f5.com and
provide a report of heuristic hits based on the qkview. These qkview
uploads can be performed ad-hoc or as part of an F5 support case. If a
support case is specified in the upload job, the qkview(s) will
automatically be associated with that support case.
1. Navigate to **Monitoring** on the top menu bar and then to
**REPORTS-> Device-> iHealth** -> **Configuration** on the left-hand
menu.
|image67|
2. | Add Credentials to be used for the qkview upload and report
retrieval. Click the Add button under Credentials.
| |image68|
3. | Fill in the credentials that you used to access
https://ihealth.f5.com :
| Name: **Give the credentials a name to be referenced in BIG-IQ**
| Username: **<Username you use to access iHealth.f5.com>**
| Password: **<Password you use to access iHealth.f5.com>**
4. | Click the Test button to validate that your credentials work.
| |image69|
5. Click the **Save & Close** button in the lower right.
6. | Click the **Tasks** button in the BIG-IQ iHealth menu.
| |image70|
7. | Click the **QKView Upload** button to select which devices we need