What is BIG-IQ? - Veracomp

Posted on 14-Mar-2022

What is BIG-IQ?

BIG-IQ Central Management (NetOps / SecOps):

• Device management
• Certificate management
• License management
• Role-based access control
• Backup/Restore
• API support
• iHealth integration
• Monitoring, alerting, reporting
• Centralized security policies
• Unified security dashboards
• Application-centric management

Application Availability, Application Security, Visibility

App-Centric Management in Action: Deploy the App

Roles: AppOwner, NetOps & SecOps

Centralised Management / Application-Centric Management:
• AppOwner: self-service portal, deploy app service X
• NetOps & SecOps: manage "profiles", API based

App-Centric Management in Action: Troubleshoot the App Performance

Roles: AppOwner, NetOps & SecOps

Centralised Management / Application-Centric Management:
• AppOwner: self-service portal; "Why is my app not performing well?"

BIG-IQ Application-Centric Management

Personas: DevOps, AppOwner

BIG-IQ GUIs/APIs:
• Device Management
• Operational Management
• Policy Management
• Role Based Access Control
• Automated BIG-IP deployment (BIG-IP via API)
• Self-serviced app services
• Per-App Visibility (API)

Application teams get to see only the apps they have created or are responsible for.

Applications can be deployed on any BIG-IP.

Service catalogue

• App templates: HTTP app template, SSL offload/WAF app template
• Deploy apps from templates in the service catalogue
• Use pre-canned or define custom templates
• Roles: SecOps / NetOps apply RBAC to the application; AppOwner deploys

What should you choose?

BOOTSTRAP -> ONBOARD -> DEPLOY APP SERVICES -> MONITORING/TELEMETRY

• CLOUD TEMPLATES: start BIG-IP instances in public and private clouds
• DECLARATIVE ONBOARDING EXTENSION (L1-L3): initial configuration of BIG-IP instances
• APP SERVICES 3 EXTENSION (L4-L7): deploy classic and advanced application services on BIG-IP using declarative REST APIs
• TELEMETRY STREAMING EXTENSION: stream telemetry, events, and logs from BIG-IP to various analytics and logging solutions

https://github.com/F5Networks
https://www.github.com/f5devcentral
https://github.com/F5Networks/f5-declarative-onboarding
https://github.com/F5Networks/f5-appsvcs-extension
https://github.com/F5Networks/f5-telemetry-streaming

F5 BIG-IQ workflows:
1. AppOwner: service catalogue and app templates (NetOps / SecOps)
2. DevOps: CI/CD tools
Managed devices: VIPRION or BIG-IP

BIG-IQ Architecture

BIG-IQ Components and System Architecture

• BIG-IQ Console Cluster: BIG-IQ CM Active and BIG-IQ CM Standby (mirrored state)
• BIG-IQ Data Collector Cluster: DCDs
• Devices: managed BIG-IPs

BIG-IQ COMPONENTS

• Central managing of BIG-IP configuration objects
• Central device management
• Manage LTM, DNS, AFM, ASM, APM, SSLO through one console
• Delivers analytics/visibility and reporting
• Automated BIG-IP deployment, BIG-IP configurations through API
• RBAC to accommodate different personas

BIG-IQ Central Manager (BIG-IQ CM)

• Platforms: BIG-IP 7000 Platform, BIG-IQ Virtual Edition(s)
• Versions: v5.x, v6.x, v7.0, v7.1
• Configuration database: TokuMX, Postgres (NEW in v7.1: storage of the BIG-IQ configuration database)

Security Analytics and Dashboards

Security Dashboards and Reports:
• New DDoS dashboards: summary, HTTP, network analysis, attack history and DNS activity
• Layer 7 protection
• ACL traffic

BIG-IQ – DNS DDoS Active Attacks Details
DNS DDoS attack details observed by all managed BIG-IPs. Shows: attack type, size, flow history, SRC/DST IPs, BIG-IP metrics, GeoIP map, status.

BIG-IQ – SSLO
Enable holistic security and visibility of encrypted traffic with F5 SSL Orchestrator and BIG-IQ.

BIG-IQ COMPONENTS: BIG-IQ License Manager (BIG-IQ LM)

• Handles licensing only, for up to 5,000 un-managed devices
• Included in BIG-IQ Central Manager
• Allows assigning and revoking of BIG-IP licenses for Virtual Editions only
• Supports licensing of managed, un-managed and unreachable BIG-IPs
• BIG-IQ License Manager = Free of Charge
• Platform: BIG-IQ Virtual Edition(s)

BIG-IQ COMPONENTS: BIG-IQ Data Collector Device (DCD)

• Collects alerts, events and statistical data from managed BIG-IPs using Elasticsearch
• Enables BIG-IQ CM to provide central analytics dashboards and per-application visibility
• Can act as a Quorum Device in the BIG-IQ HA use case
• Supports data collection optimization and disaster recovery
• New v7.1: BIG-IQ license no longer required for Data Collection Devices
• Platform: BIG-IQ Virtual Edition(s)

Sizing and Scaling

Support for up to:
• 1200 BIG-IP (LTM/AFM) devices
• 500 BIG-IP (LTM/AFM) stats collecting devices
• 400000 total number of objects
• 1000 ASM policies across 160 BIG-IP devices, max 60 policies per device

Scaling requirements:
• Use the BIG-IQ documentation on AskF5
• Use F5 supported platforms for BIG-IQ
• Understand min and max TMOS versions for your BIG-IQ deployment
• Use the provided BIG-IQ Sizing Tools available through https://downloads.f5.com

https://techdocs.f5.com/en-us/bigiq-7-1-0/big-iq-sizing-guidelines.html

BIG-IQ v7.1

BIG-IQ 7.1 FEATURES: Analytics for Brownfield BIG-IQ Applications

Brownfield Deployment
• In BIG-IQ v5.4, we made the conscious decision to require applications to be deployed from templates to get these views, to help drive standardization and automation
• More modern releases require deployment via an AS3 template
• Overwhelming field/customer feedback was that the deploy-from-templates requirement was untenable just to get application analytics
• In 7.1, we bring the application dashboards to pre-deployed, "legacy" (or "brownfield") configuration
• These dashboards are read-only, except for enable/disable operations

• Will warn the user if no analytics profile is attached to the selected VS; a link to a support article detailing the requirements is provided
• Brownfield applications will be noted as "Legacy"
• Configuration will be limited to Enable/Disable/Force Offline

Important Guidelines
• Customers should thoroughly test and monitor their environments as they enable the analytics on brownfield applications
• Proper DCD sizing must be done beforehand
• AVR is a requirement, and must be provisioned on the BIG-IP
• Analytics profiles must be pushed out to the BIG-IPs
• BIG-IPs must be running 13.1.x.x or later
• Customers should carefully monitor CPU and memory consumption on their BIG-IPs before, during, and after roll-out of this feature
• Recommended to enable in small chunks and monitor resource consumption. Do not enable widescale all in one shot!

BIG-IQ 7.1 FEATURES: TCP Analytics
Use Case: Provide analytics for TCP based applications

• Prior to 7.1, the analytics that are provided are all HTTP centric
• In 7.1, BIG-IQ provides TCP analytics, both in the monitoring tab and in the application tab
• Reminder: these TCP analytics leverage AVR, just as the HTTP analytics do; for TMOS 13.1.0.5+, customers must enable AVR
• https://support.f5.com/csp/article/K96505382
• New AS3 templates will be provided to support AS3 Application Services deployment with TCP analytics. Support also for Legacy Applications

Detailed TCP Analytics: high level TCP stats; TCP stats & delay states

BIG-IQ 7.1 FEATURES: Resolving Object Collisions on Import with Device Silos

Device Silos: Why are they Needed?
• BIG-IP configuration naming conventions are not consistent in many customer environments
• It is common to find similar names reused across different BIG-IPs for shared configuration objects:
  • Profiles
  • Monitors
  • Etc.
• When the shared objects have the same name but different configurations, this creates a conflict within the centralized management system: BIG-IQ will raise an error and fail to import
• Customers are unable to import the BIG-IP device unless they resolve the conflicts manually, or overwrite one of the configurations

Same Name, Different Configuration:
• BIG-IP A and BIG-IP B both carry an HTTP profile named Prod_HTTP; on one of them Insert X-Forwarded-For is Enabled, on the other it is Disabled

Device Silos:
• Device A was imported first; its Prod_HTTP profile goes into the Default Silo
• Device B fails import due to the collision with Prod_HTTP; the device can be imported into its own Silo (Silo B) to avoid the conflict
• An admin can compare Silos to determine what needs to be resolved before the device can be added to the default Silo
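To make the silo idea concrete, here is an added example that is not BIG-IQ code: a small model of a central manager that imports shared objects from two devices, detects objects that share a name but differ in configuration, isolates the colliding device in its own silo instead of failing the import, and produces the per-setting diff an admin would review before merging. The device configurations, object kinds and setting keys are constructed sample data and the function names are this example's own.

```python
"""
Added example (not BIG-IQ code): name-collision handling for shared
configuration objects on import, using per-device silos. All data is
constructed for the example.
"""
from dataclasses import dataclass, field

DEFAULT_SILO = "Default"


@dataclass
class SharedObject:
    kind: str           # constructed kind label, e.g. "http-profile"
    name: str           # object name as it appears on the device
    settings: dict      # constructed key/value settings


@dataclass
class Silo:
    name: str
    objects: dict = field(default_factory=dict)  # (kind, name) -> SharedObject
    devices: list = field(default_factory=list)


def find_collisions(silo, device_objects):
    """Return (existing, incoming) pairs for device objects whose (kind, name)
    already exists in the silo with different settings. Same name and same
    settings is not a collision; the object is simply shared."""
    collisions = []
    for obj in device_objects:
        existing = silo.objects.get((obj.kind, obj.name))
        if existing is not None and existing.settings != obj.settings:
            collisions.append((existing, obj))
    return collisions


def import_device(silos, device_name, device_objects):
    """Import into the Default silo when nothing collides; otherwise place the
    device in a dedicated silo named after it. Returns the silo name used."""
    default = silos.setdefault(DEFAULT_SILO, Silo(DEFAULT_SILO))
    if not find_collisions(default, device_objects):
        target = default
    else:
        target = silos.setdefault(device_name, Silo(device_name))
    for obj in device_objects:
        target.objects.setdefault((obj.kind, obj.name), obj)
    target.devices.append(device_name)
    return target.name


def compare_silos(silos, left, right):
    """Diff two silos the way an admin would before merging a device back into
    the Default silo: for each object present in both, list the settings that
    differ as {key: (left_value, right_value)}."""
    report = {}
    for key, obj in silos[left].objects.items():
        other = silos[right].objects.get(key)
        if other is None:
            continue
        diffs = {k: (obj.settings.get(k), other.settings.get(k))
                 for k in set(obj.settings) | set(other.settings)
                 if obj.settings.get(k) != other.settings.get(k)}
        if diffs:
            report[f"{obj.kind}/{obj.name}"] = diffs
    return report


# Constructed sample: both devices carry an HTTP profile named Prod_HTTP that
# differs only in the Insert X-Forwarded-For setting; the monitor is identical.
BIGIP_A = [
    SharedObject("http-profile", "Prod_HTTP", {"insert-xforwarded-for": "disabled"}),
    SharedObject("monitor", "http_mon", {"interval": 5, "timeout": 16}),
]
BIGIP_B = [
    SharedObject("http-profile", "Prod_HTTP", {"insert-xforwarded-for": "enabled"}),
    SharedObject("monitor", "http_mon", {"interval": 5, "timeout": 16}),
]


def demo():
    """Import A then B and return (A's silo, B's silo, diff report)."""
    silos = {}
    a_silo = import_device(silos, "BIG-IP A", BIGIP_A)
    b_silo = import_device(silos, "BIG-IP B", BIGIP_B)
    return a_silo, b_silo, compare_silos(silos, DEFAULT_SILO, b_silo)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` puts BIG-IP A in the Default silo, BIG-IP B in its own silo, and reports only `http-profile/Prod_HTTP` as differing; the identical monitor is treated as shared rather than as a conflict, which is the distinction that decides whether an import can proceed.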

BIG-IQ 7.1 FEATURES: Let’s Encrypt SSL Certificate Management Integration

Use Case: Let’s Encrypt Integration
• Supports all 3 challenge types: https://letsencrypt.org/docs/challenge-types/
• https://letsencrypt.org/
• Auto-renew and auto-deploy options added for Let’s Encrypt and Venafi

BIG-IQ 7.1 FEATURES: Device Level RBAC for App Deployments

Limit Deployment Targets for Application Owners
• In prior versions of BIG-IQ, we had no way to limit where application owners could deploy their applications
• Customers want more control over where application owners deploy their applications
• In 7.1, we can associate devices or device groups with a role, in the same way we can limit which SSGs a role can deploy to or what templates a role can use
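As an added example (not BIG-IQ code), the following models the authorization check a deployment service can run before deploying an application for an application owner: a role carries the templates it may use and the devices or device groups it may deploy to, and a request is allowed only if both its template and its target device fall inside that scope. Role, group, device and template names are constructed sample data; `authorize` and `expand_devices` are this example's own functions.

```python
"""
Added example (not BIG-IQ code): device-level RBAC for application
deployments. A role is limited to templates and to deployment targets
(devices or device groups); a role with no device scope deploys nowhere.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    allowed_templates: set
    allowed_devices: set = field(default_factory=set)
    allowed_device_groups: set = field(default_factory=set)


@dataclass
class DeployRequest:
    user: str
    role: str
    template: str
    target_device: str


def expand_devices(role, device_groups):
    """Resolve the role's device groups into concrete devices and add any
    devices granted directly on the role."""
    devices = set(role.allowed_devices)
    for group in role.allowed_device_groups:
        devices |= device_groups.get(group, set())
    return devices


def authorize(request, roles, device_groups):
    """Return (allowed, reason). Deny on an unknown role, a template the role
    was not granted, or a target outside the role's devices/device groups."""
    role = roles.get(request.role)
    if role is None:
        return False, f"unknown role {request.role!r}"
    if request.template not in role.allowed_templates:
        return False, f"template {request.template!r} not granted to role {role.name!r}"
    if request.target_device not in expand_devices(role, device_groups):
        return False, f"device {request.target_device!r} is not a deployment target for role {role.name!r}"
    return True, "allowed"


# Constructed sample inventory and roles.
DEVICE_GROUPS = {
    "dev-bigips": {"bigip-dev-01", "bigip-dev-02"},
    "prod-bigips": {"bigip-prod-01", "bigip-prod-02"},
}
ROLES = {
    # Application owners may deploy only the HTTP template, only to dev devices.
    "web-app-owner": Role("web-app-owner", {"http-app"},
                          allowed_device_groups={"dev-bigips"}),
    # NetOps may use every template against every device group.
    "netops": Role("netops", {"http-app", "ssl-offload-waf"},
                   allowed_device_groups={"dev-bigips", "prod-bigips"}),
}


def demo():
    """Run four constructed requests and return their allow/deny verdicts."""
    requests = [
        DeployRequest("alice", "web-app-owner", "http-app", "bigip-dev-01"),      # in scope
        DeployRequest("alice", "web-app-owner", "http-app", "bigip-prod-01"),     # wrong device
        DeployRequest("alice", "web-app-owner", "ssl-offload-waf", "bigip-dev-01"),  # wrong template
        DeployRequest("bob", "netops", "ssl-offload-waf", "bigip-prod-02"),       # in scope
    ]
    return [authorize(r, ROLES, DEVICE_GROUPS)[0] for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(demo(), [authorize(r, ROLES, DEVICE_GROUPS) for r in []]):
        pass
    print(demo())
```

The check is deliberately deny-by-default: a role that names no devices or groups resolves to an empty target set, so an application owner whose role was created without a device scope cannot deploy anywhere until an administrator grants one.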

BIG-IQ 7.1 FEATURES: Centrally Manage Geo-IP Database Updates

Manage BIG-IP GeoIP Database Updates Centrally

BIG-IQ 7.1 FEATURES: Non-F5 DDoS Integration Module

• Replace proprietary 3rd party DDoS mitigation devices with the F5 AFM DDoS solution
• Synchronizes 3rd party DDoS host objects, mitigation strategies, and clean return traffic config with F5 BIG-IQ. F5 BIG-IQ then provisions all F5 BIG-IPs with the converted config.
• The sync is coming in BIG-IQ 7.1, and further enhancements will come in future
• Supported DDoS vendors will be expanded in future releases
• BGP Flowspec announcer allows mitigations to occur closer to the edge. Also provides a way to group Flowspec announcements to a select number of routers / devices.
• All features include iControl REST APIs so customers can include this in their CI/CD pipeline or DevOps workflow

BIG-IQ 7.1 FEATURES AND BIG-IP LIFECYCLE AUTOMATION: BIG-IQ Supportability and Architectural Enhancements

Use Case: Support for TMOS up to 15.1
• The goal is to support existing BIG-IQ functionality up to TMOS 15.1 with the release of BIG-IQ 7.1 for all modules. NOTE: Any support for new features in new releases would be called out as a separate use case.
• ** This is still being validated by the PD teams. The more changes to the underlying BIG-IP schema/APIs from release to release, the more challenging it is for BIG-IQ to support that module.

https://support.f5.com/csp/article/K34133507

BIG-IQ module                                       Minimum supported BIG-IP version   Maximum supported BIG-IP version**
Device - Backup/Restore, Upgrade, Licensing, etc.   11.5.x                             15.1.x
Device - Legacy Device Upgrade                      10.2.x                             11.4.x
Device - WebSafe Licensing                          12.0.x                             15.1.x
Access                                              12.1.0                             15.1.x
ADC                                                 12.1.0                             15.1.x
FPS                                                 12.1.0                             15.1.x
Network Security                                    12.1.0                             15.1.x
Web Application Security                            12.1.0                             15.1.x
DNS                                                 12.1.0                             15.1.x
IPSEC                                               12.1.0                             15.1.x
SSLO                                                14.1.0 (SSLO 5.4)                  15.1.x (SSLO x.y)

Architectural enhancement:
• Migration of BIG-IQ database from TokuMX to Postgres

BIG-IP lifecycle upgrade and update support:
• How To Run Bash Scripts on Devices that BIG-IQ Manages: https://www.youtube.com/watch?v=PmaOq1bK4YU
• Update Managed Devices to New Versions of TMOS with BIG-IQ: https://www.youtube.com/watch?v=fR2O864JQwY

BIG-IQ 7.1 FEATURES: UI Feedback Enhancement

• Allows customers to submit direct feedback on the BIG-IQ UI improvements and workflows
• This has been requested by many customers; they wanted to be able to provide feedback directly to the UI developers
• Will open up a feedback forum/survey outside of BIG-IQ for submittal. This is not intended for opening support cases

BIG-IQ Automation

BIG-IQ: App and VE Lifecycle Management

BIG-IQ Centralized Management: NetOps, Application Owner(s) and DevOps use BIG-IQ app templates through the API/UI; targets: Azure, VMware, AWS

BIG-IQ VE Creation and Onboarding
Allows creation and onboarding (via DO) of VEs in VMware, AWS, & Azure. Supports Multi-App Virtual Edition as well as Per-App VE.
• Supported for: VMware, AWS and Azure
• Available from BIG-IQ v7.0 through the GUI and API
• Makes use of Cloud Edition functions: Cloud Provider and Cloud Environment
• Same VMware templates are used for VE creation as you use for SSG
• Onboarding supports creation of single VEs and clustered VEs
• Supports the use of AS3 declared application services
• Provides per application visibility

VE Lifecycle Management – VE Creation
Leverages the same Cloud Environments as SSG (Service Scaling Group).

VE Lifecycle Management – Declarative Onboarding
After VEs are created, they can be onboarded. If two VEs are selected they can be onboarded as a cluster.

BIG-IQ info
• Deployment tool: https://github.com/f5devcentral/f5-big-iq-onboarding
• BIG-IQ Quick start: https://github.com/f5devcentral/f5-big-iq-trial-quick-start
• BIG-IQ Lab guide: https://clouddocs.f5.com/training/community/big-iq-cloud-edition/html/
• BIG-IQ Youtube playlist: https://www.youtube.com/playlist?list=PLyqga7AXMtPMw9ob6u73-anE6BWRsPhLr