What is BIG-IQ? - Veracomp
TRANSCRIPT
Device management
Certificate management
License management
Role-based access control
Backup/Restore
API support
iHealth integration
Monitoring alerting reporting
Centralized security policies
Unified security dashboards
Application Centric Mgmt
BIG-IQ Central Management
NetOps SecOps
Application Availability
Application Security
Visibility
App-Centric Management in Action: Deploy the App
• Centralised Management: the AppOwner asks NetOps & SecOps to "deploy app service X"
• Application-Centric Management: the AppOwner deploys through a self-service portal; NetOps & SecOps manage the "profiles" behind it, API based
App-Centric Management in Action: Troubleshoot the App Performance
• Centralised Management: the AppOwner asks NetOps & SecOps "Why is my app not performing well?"
• Application-Centric Management: the AppOwner answers "Why is my app not performing well?" from the self-service portal
BIG-IQ Application-Centric Management
BIG-IQ (GUIs/APIs): Device Management, Operational Management, Policy Management, Role Based Access Control
• DevOps: automated BIG-IP deployment, BIG-IP via API
• AppOwner: self-serviced app services and per-app visibility (API); applications can be deployed on any BIG-IP
• SecOps / NetOps: use pre-canned or define custom templates (HTTP app template, SSL offload + WAF app template) in the service catalogue; apply RBAC
• AppOwner: deploy apps from templates in the service catalogue
BIG-IP lifecycle automation with the F5 declarative extensions (BOOTSTRAP, ONBOARD, DEPLOY APP SERVICES, MONITORING/TELEMETRY):
• CLOUD TEMPLATES (bootstrap): start BIG-IP instances in public and private clouds
• DECLARATIVE ONBOARDING EXTENSION (onboard, L1-L3): initial configuration of BIG-IP instances
• APP SERVICES 3 EXTENSION (deploy app services, L4-L7): deploy classic and advanced application services on BIG-IP using declarative REST APIs
• TELEMETRY STREAMING EXTENSION (monitoring/telemetry): stream telemetry, events, and logs from BIG-IP to various analytics and logging solutions
https://github.com/F5Networks
https://www.github.com/f5devcentral
https://github.com/F5Networks/f5-declarative-onboarding
https://github.com/F5Networks/f5-appsvcs-extension
https://github.com/F5Networks/f5-telemetry-streaming
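The App Services 3 extension above deploys application services from a JSON declaration posted to a REST endpoint, and through BIG-IQ the same declaration carries a target device so that BIG-IQ provisions the managed BIG-IP. The following is an added example in Python (it is not from the Veracomp deck and not F5's own code): it builds an AS3 declaration for an HTTPS application with SSL offload and a WAF policy, lints it for the structural errors AS3 rejects, and shows how it is posted through BIG-IQ's token login and AS3 endpoint. Hostnames, addresses, tenant/app names, the WAF policy URL and the certificate placeholders are constructed sample values; the endpoint paths and the "tmos" login provider are the standard BIG-IQ/AS3 ones.

```python
"""Added example, not code from the Veracomp deck or from F5: build an AS3
declaration for an HTTPS application (SSL offload on BIG-IP, WAF policy
attached), lint it for structural mistakes AS3 rejects, and post it through
BIG-IQ so that BIG-IQ provisions the target BIG-IP. Hostnames, addresses,
tenant/app names, the WAF policy URL and the PEM placeholders are assumptions."""
import json
import ssl
import urllib.request

AS3_PATH = "/mgmt/shared/appsvcs/declare"   # AS3 endpoint; same path on BIG-IP and BIG-IQ
LOGIN_PATH = "/mgmt/shared/authn/login"     # BIG-IQ token login endpoint

# Constructed placeholders; in real use load the PEM material from your PKI/secret store.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...sample...\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...sample...\n-----END PRIVATE KEY-----"


def build_declaration(tenant, app, vip, members, target_bigip, waf_policy_url,
                      cert_pem=SAMPLE_CERT, key_pem=SAMPLE_KEY):
    """Return an AS3 'deploy' request. The ADC-level 'target' tells BIG-IQ which managed
    BIG-IP receives the declaration; the rest is the same declaration a BIG-IP accepts."""
    return {
        "class": "AS3", "action": "deploy", "persist": True,
        "declaration": {
            "class": "ADC", "schemaVersion": "3.0.0", "id": f"{tenant}-{app}",
            "target": {"address": target_bigip},
            tenant: {
                "class": "Tenant",
                app: {
                    "class": "Application", "template": "https",
                    "serviceMain": {
                        "class": "Service_HTTPS",
                        "virtualAddresses": [vip], "virtualPort": 443,
                        "redirect80": True,                  # plain-HTTP clients get redirected
                        "serverTLS": "webtls",               # SSL offload: TLS ends on BIG-IP
                        "pool": "web_pool",
                        "policyWAF": {"use": "waf_policy"},  # ASM policy on the virtual server
                    },
                    "webtls": {"class": "TLS_Server", "certificates": [{"certificate": "webcert"}]},
                    "webcert": {"class": "Certificate", "certificate": cert_pem, "privateKey": key_pem},
                    "waf_policy": {"class": "WAF_Policy", "url": waf_policy_url, "ignoreChanges": True},
                    "web_pool": {"class": "Pool", "monitors": ["http"],
                                 "members": [{"servicePort": 80, "serverAddresses": members}]},
                },
            },
        },
    }


def lint_declaration(req):
    """Pre-flight for mistakes AS3 rejects with HTTP 422: every object inside an Application
    needs a 'class'; bare-name pointers ('pool', 'serverTLS', {'use': ...}) must name an
    object in the same Application; Service_HTTPS requires 'serverTLS'. Returns problems."""
    problems = []
    adc = req.get("declaration", {})
    if adc.get("class") != "ADC":
        problems.append("declaration.class must be 'ADC'")
    for tname, tenant in adc.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for aname, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            local = {k for k, v in app.items() if isinstance(v, dict) and "class" in v}
            for oname, obj in app.items():
                if not isinstance(obj, dict):
                    continue
                where = f"{tname}/{aname}/{oname}"
                if "class" not in obj:
                    problems.append(f"{where}: object has no 'class'")
                    continue
                refs = [obj.get("pool"), obj.get("serverTLS")]
                refs += [v["use"] for v in obj.values() if isinstance(v, dict) and "use" in v]
                for ref in refs:   # full paths (/Tenant/App/obj) may legitimately point elsewhere
                    if isinstance(ref, str) and not ref.startswith("/") and ref not in local:
                        problems.append(f"{where}: unresolved reference '{ref}'")
                if obj["class"] == "Service_HTTPS" and "serverTLS" not in obj:
                    problems.append(f"{where}: Service_HTTPS requires serverTLS (SSL offload)")
    return problems


def _post_json(url, payload, headers, ctx):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def deploy_via_bigiq(host, user, password, declaration, ctx=None):
    """Log in to BIG-IQ for an X-F5-Auth-Token, then POST the AS3 declaration to it.
    Pass a context pinned to the management CA; never disable certificate verification."""
    ctx = ctx or ssl.create_default_context()
    login = _post_json(f"https://{host}{LOGIN_PATH}",
                       {"username": user, "password": password, "loginProviderName": "tmos"}, {}, ctx)
    return _post_json(f"https://{host}{AS3_PATH}", declaration,
                      {"X-F5-Auth-Token": login["token"]["token"]}, ctx)


if __name__ == "__main__":
    decl = build_declaration("demo", "web", "10.0.1.10", ["192.0.2.10", "192.0.2.11"],
                             "10.1.1.5", "https://repo.example.net/waf/base.xml")
    print(json.dumps(decl, indent=2))
    print("lint:", lint_declaration(decl) or "OK")
    # Live use needs a reachable BIG-IQ (hypothetical host):
    # print(deploy_via_bigiq("bigiq.example.net", "admin", "...", decl,
    #                        ssl.create_default_context(cafile="bigiq-mgmt-ca.pem")))
```

Run offline it prints the declaration and an empty lint result; the lint catches the typical template mistakes (a pool or TLS profile referenced under a name that was never declared, a Service_HTTPS without serverTLS) before the declaration reaches BIG-IQ, which is where a catalogue owner wants those errors rather than in a failed deployment seen by the AppOwner.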
BIG-IQ deployment flow: NetOps and SecOps publish app templates in the service catalogue; (1) the AppOwner deploys through F5 BIG-IQ and (2) DevOps deploys through CI/CD tools, onto VIPRION or BIG-IP
BIG-IQ Components and System Architecture
BIG-IQ System:
• BIG-IQ Console: BIG-IQ CM Active and BIG-IQ CM Standby, with mirrored state between them
• BIG-IQ Data Collector Device cluster: DCD, DCD, DCD, DCD
• Devices: the managed BIG-IPs, which report to the DCDs
BIG-IQ COMPONENTS
• Central management of BIG-IP configuration objects
• Central Device Management
• Manage LTM, DNS, AFM, ASM, APM, SSLO through one Console
• Delivers Analytics/Visibility and Reporting
• Automated BIG-IP Deployment, BIG-IP configurations through API
• RBAC to accommodate different personas
BIG-IQ Central Manager (BIG-IQ CM): BIG-IP 7000 Platform or BIG-IQ Virtual Edition(s)
Configuration database: TokuMX in v5.x, v6.x and v7.0; Postgres in v7.1
NEW in v7.1: storage of the BIG-IQ configuration database moves to Postgres
Security Dashboards and Reports
New DDoS dashboards: summary, HTTP, network analysis, attack history and DNS activity
Layer 7 protection
ACL traffic
Security Analytics and Dashboards
DNS DDoS attack details observed by all managed BIG-IPs. Shows: attack type, size, flow history, SRC/DST IPs, BIG-IP metrics, GeoIP map, status
BIG-IQ – DNS DDoS Active Attacks Details
Enable holistic security and visibility of encrypted traffic with F5 SSL Orchestrator and BIG-IQ
BIG-IQ – SSLO
BIG-IQ COMPONENTS
• Handles licensing only, for up to 5,000 un-managed
devices
• Included in BIG-IQ Central Manager
• Allows assigning and revoking of BIG-IP licenses for
Virtual Editions only
• Supports licensing of managed, un-managed and
unreachable BIG-IPs
• BIG-IQ License Manager = Free of Charge
BIG-IQ License Manager (BIG-IQ LM): BIG-IQ Virtual Edition(s)
BIG-IQ COMPONENTS
• Collects alerts, events and statistical data from managed
BIG-IPs using Elasticsearch
• Enables BIG-IQ CM to provide central analytics
dashboards and per-application visibility
• Can act as a Quorum Device in BIG-IQ HA use case
• Supports data collection optimization and disaster recovery
• New v7.1: BIG-IQ license no longer required for Data
Collection Devices
BIG-IQ Data Collector Device (DCD): BIG-IQ Virtual Edition(s)
Support for up to:
• 1200 BIG-IP (LTM/AFM) devices
• 500 BIG-IP (LTM/AFM) stats collecting
devices
• 400000 total number of objects
• 1000 ASM policies across 160 BIG-IP
devices, max 60 policies per device
Sizing and Scaling
Scaling requirements:
• Use the BIG-IQ documentation on AskF5
• Use F5 supported platforms for BIG-IQ
• Understand the minimum and maximum TMOS versions for your BIG-IQ deployment
• Use the BIG-IQ sizing tools available through https://downloads.f5.com
https://techdocs.f5.com/en-us/bigiq-7-1-0/big-iq-sizing-guidelines.html
• In BIG-IQ v5.4, we made the conscious decision to require applications to be deployed from templates to get these views, to help drive standardization and automation
• More recent releases require deployment via an AS3 template
• Overwhelming field/customer feedback was that the deploy-from-templates requirement was untenable just to get application analytics
• In 7.1, we bring the application dashboards to pre-deployed, "legacy" (or "brownfield") configuration
• These dashboards are read-only, except for enable and disable operations
BIG-IQ 7.1 FEATURES
Analytics for Brownfield BIG-IQ Applications
Analytics for Brownfield BIG-IQ ApplicationsBIG-IQ 7.1 FEATURES
Will warn user if no analytics profile is attached to the selected VS
A link to a support article detailing
the requirements is provided
Analytics for Brownfield BIG-IQ ApplicationsBIG-IQ 7.1 FEATURES
Brownfield Applications will be noted as “Legacy”
Configuration will be limited to Enable/Disable/Force Offline
• Customers should thoroughly test and monitor their environments as they enable analytics on brownfield applications
• Proper DCD sizing must be done beforehand
• AVR is a requirement and must be provisioned on the BIG-IP
• Analytics profiles must be pushed out to the BIG-IPs
• BIG-IPs must be running 13.1.x.x or later
• Customers should carefully monitor CPU and memory consumption on their BIG-IPs before, during, and after roll-out of this feature
• Recommended: enable in small chunks and monitor resource consumption. Do not enable wide-scale all in one shot!
BIG-IQ 7.1 FEATURES
Analytics for Brownfield BIG-IQ Applications –Important Guidelines
• Prior to 7.1, the analytics provided are all HTTP centric
• In 7.1, BIG-IQ provides TCP analytics, both in the monitoring tab and in the application tab
• Reminder: these TCP analytics leverage AVR, just as the HTTP analytics do; for TMOS 13.1.0.5+ customers must enable AVR
• https://support.f5.com/csp/article/K96505382
• New AS3 templates will be provided to support AS3 Application Services deployment with TCP analytics. Legacy applications are also supported
BIG-IQ 7.1 FEATURES
Use Case: Provide analytics for TCP based Applications
Detailed TCP Analytics, BIG-IQ 7.1 FEATURES: high level TCP stats; TCP stats & delay states
• BIG-IP configuration naming conventions are not consistent in many customer environments
• It is common to find similar names reused across different BIG-IPs for shared configuration objects:
  • Profiles
  • Monitors
  • Etc.
• When the shared objects have the same name but different configurations, this creates a conflict within the centralized management system: BIG-IQ raises an error and fails to import
• Customers are unable to import the BIG-IP device unless they resolve the conflicts manually or overwrite one of the configurations
BIG-IQ 7.1 FEATURES
Device Silos: Why are they Needed?
BIG-IP A and BIG-IP B each have an HTTP Profile named Prod_HTTP; on one of them Insert X-Forwarded-For is Enabled, on the other it is Disabled
Same Name, Different Configuration
Device Silos: BIG-IQ 7.1 FEATURES
Default Silo: HTTP Profile Prod_HTTP from BIG-IP A (Insert X-Forwarded-For set one way)
B Silo: HTTP Profile Prod_HTTP from BIG-IP B (Insert X-Forwarded-For set the other way)
A: Device was imported first; its Prod_HTTP profile goes into the default silo
B: Device fails import due to the collision with Prod_HTTP; the device can be imported into its own silo to avoid the conflict
An admin can compare silos to determine what needs to be resolved before the device can be added to the default silo
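The collision described above can be found before an import is attempted, and the silo comparison an admin does by hand can be scripted. The following is an added example in Python (not from the Veracomp deck and not F5's own code): given shared configuration objects exported from several BIG-IPs, it reports every object name that appears on more than one device with a different configuration, lists the attributes that differ, and replays the import order to show which device lands in the default silo and which one needs its own silo. The device exports are constructed sample data in the shape of tmsh attribute maps, not real device output, and the device names are assumptions.

```python
"""Added example, not code from the Veracomp deck or from F5: detect the
same-name/different-configuration collisions that Device Silos exist for,
show which attributes differ, and replay the import order. DEVICE_EXPORTS is
constructed sample data shaped like tmsh attribute maps (an assumption)."""

# (object kind, object name) -> {attribute: value}; one map per BIG-IP (constructed).
HEALTH_SEND = "GET /health HTTP/1.1\\r\\n\\r\\n"
DEVICE_EXPORTS = {
    "bigip-a": {
        ("ltm profile http", "Prod_HTTP"): {"insert-xforwarded-for": "enabled", "proxy-type": "reverse"},
        ("ltm monitor http", "Prod_HTTP_Mon"): {"interval": 5, "timeout": 16, "send": HEALTH_SEND},
    },
    "bigip-b": {
        # Same name as on bigip-a, different attribute value: this blocks the import.
        ("ltm profile http", "Prod_HTTP"): {"insert-xforwarded-for": "disabled", "proxy-type": "reverse"},
        # Same name AND identical attributes: not a conflict.
        ("ltm monitor http", "Prod_HTTP_Mon"): {"interval": 5, "timeout": 16, "send": HEALTH_SEND},
    },
    "bigip-c": {
        ("ltm profile http", "Prod_HTTP"): {"insert-xforwarded-for": "enabled", "proxy-type": "reverse"},
    },
}


def diff_attrs(cfg_a, cfg_b):
    """Attributes whose values differ between two configurations of the same object,
    including attributes present on only one side (reported as None on the other)."""
    keys = sorted(set(cfg_a) | set(cfg_b))
    return [(k, cfg_a.get(k), cfg_b.get(k)) for k in keys if cfg_a.get(k) != cfg_b.get(k)]


def find_conflicts(exports):
    """Map (kind, name) -> {device: config} for every object name shared by two or more
    devices with at least two distinct configurations. Identical copies are not conflicts."""
    by_name = {}
    for dev, objects in exports.items():
        for key, cfg in objects.items():
            by_name.setdefault(key, {})[dev] = cfg
    return {key: devs for key, devs in by_name.items()
            if len({frozenset(c.items()) for c in devs.values()}) > 1}


def plan_import(exports, order):
    """Replay the import flow the deck describes: devices are imported one at a time into
    the default silo; an object already there under the same name with different attributes
    blocks the import, and that device is assigned its own silo instead."""
    in_default = {}   # (kind, name) -> (config, device that first brought it in)
    silos = {}
    for dev in order:
        blocked = [key for key, cfg in exports[dev].items()
                   if key in in_default and in_default[key][0] != cfg]
        if blocked:
            silos[dev] = f"{dev}-silo"
            continue
        silos[dev] = "default"
        for key, cfg in exports[dev].items():
            in_default.setdefault(key, (cfg, dev))
    return silos


def conflict_report(exports):
    """Lines an admin can act on (resolve or overwrite) before retrying the default-silo import."""
    lines = []
    for (kind, name), devs in sorted(find_conflicts(exports).items()):
        names = sorted(devs)
        lines.append(f"{kind} {name}: same name on {', '.join(names)} with different configuration")
        base = names[0]
        for other in names[1:]:
            for attr, va, vb in diff_attrs(devs[base], devs[other]):
                lines.append(f"  {attr}: {base}={va!r} {other}={vb!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(conflict_report(DEVICE_EXPORTS)))
    print(plan_import(DEVICE_EXPORTS, ["bigip-a", "bigip-b", "bigip-c"]))
```

With the sample data, only Prod_HTTP is reported (the monitor is reused with identical attributes, which BIG-IQ can merge), and the replay shows that import order decides who gets the default silo: importing bigip-a first puts bigip-b in its own silo, while importing bigip-b first pushes both bigip-a and bigip-c out.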
Use Case: Let’s Encrypt Integration
Support all 3 challenge types:
https://letsencrypt.org/docs/challenge-types/
https://letsencrypt.org/
Auto-renew and auto-deploy options added for Let’s Encrypt and Venafi
BIG-IQ 7.1 FEATURES
BIG-IQ 7.1 FEATURES
• In prior versions of BIG-IQ, we have no way to
limit where application owners could deploy
their applications
• Customers want more control over where
application owners deploy their applications
• In 7.1, we can associate devices or device groups with a role, in the same way that we can limit which SSGs (Service Scaling Groups) a role can deploy to or which templates a role can use
Limit Deployment Targets for Application Owners
• Replace proprietary 3rd party DDoS mitigation devices with the F5 AFM DDoS solution
• Synchronizes 3rd party DDoS host objects, mitigation strategies, and clean-return-traffic config with F5 BIG-IQ. F5 BIG-IQ then provisions all F5 BIG-IPs with the converted config.
• The sync is coming in BIG-IQ 7.1, and further enhancements will come in future.
• Supported DDoS vendors will be expanded in future releases
• BGP Flowspec announcer allows mitigations to occur closer to the edge. Also provides a way to group Flowspec announcements to a select number of routers / devices.
• All features include iControl REST APIs so customers can include this in their CI/CD pipeline or DevOps workflow
BIG-IQ 7.1 FEATURES
Non-F5 DDOS Integration Module
• The goal is to support existing BIG-IQ functionality up to TMOS 15.1 with the release of BIG-IQ 7.1 for all
modules. NOTE: Any support for new features in new releases would be called out as a separate use case.
• **This is still being validated by the PD teams. The more changes to the underlying BIG-IP schema/APIs from release to
release, the more challenging it is for BIG-IQ to support that module.
Use Case: Support for TMOS up to 15.1
https://support.f5.com/csp/article/K34133507
BIG-IQ module                                       | Minimum supported BIG-IP version | Maximum supported BIG-IP version**
Device - Backup/Restore, Upgrade, Licensing, etc.   | 11.5.x                           | 15.1.x
Device - Legacy Device Upgrade                      | 10.2.x                           | 11.4.x
Device - WebSafe Licensing                          | 12.0.x                           | 15.1.x
Access                                              | 12.1.0                           | 15.1.x
ADC                                                 | 12.1.0                           | 15.1.x
FPS                                                 | 12.1.0                           | 15.1.x
Network Security                                    | 12.1.0                           | 15.1.x
Web Application Security                            | 12.1.0                           | 15.1.x
DNS                                                 | 12.1.0                           | 15.1.x
IPSEC                                               | 12.1.0                           | 15.1.x
SSLO                                                | 14.1.0 (SSLO 5.4)                | 15.1.x (SSLO x.y)
Architectural enhancement:
• Migration of BIG-IQ database from TokuMX to Postgres
BIG-IP lifecycle upgrade and update support:
How To Run Bash Scripts on Devices that BIG-IQ Manages
https://www.youtube.com/watch?v=PmaOq1bK4YU
Update Managed Devices to New Versions of TMOS with BIG-IQ
https://www.youtube.com/watch?v=fR2O864JQwY
BIG-IQ 7.1 FEATURES AND BIG-IP LIFECYCLE AUTOMATION
BIG-IQ Supportability and Architectural Enhancements
• Allows customers to submit direct feedback on the BIG-IQ UI improvements and workflows
• This has been requested by many customers, they wanted to be able to provide feedback directly with UI
developers
• Will open up a feedback forum/survey outside of BIG-IQ for submittal. This is not intended for use for opening
up support cases
BIG-IQ 7.1 FEATURES
UI Feedback Enhancement
BIG-IQ: App and VE Lifecycle Management
BIG-IQ Centralized Management: NetOps, Application Owner(s) and DevOps use BIG-IQ (API/UI) with App Templates to deploy to Azure, VMware and AWS
Supports Multi-App Virtual Edition as well as Per-App VE
• Supported for: VMware, AWS and Azure
• Available from BIG-IQ v7.0 through the GUI and API
• Makes use of Cloud Edition functions: Cloud Provider and Cloud Environment
• Same VMware templates are used for VE Creation as you use for SSG
• Onboarding supports creation of Single VEs and Clustered VEs
• Supports the use of AS3 declared application services
• Provides per application visibility
BIG-IQ VE Creation and Onboarding
Allows creation and onboarding (via DO) of VEs in VMware, AWS, & Azure
VE Lifecycle Management – VE Creation
Leverages the same Cloud
Environments as SSG
(Service Scaling Group)
After VEs are created, they can be onboarded
VE Lifecycle Management –Declarative Onboarding
If two VEs are selected they can be onboarded as a cluster
Deployment tool: https://github.com/f5devcentral/f5-big-iq-onboarding
BIG-IQ Quick start: https://github.com/f5devcentral/f5-big-iq-trial-quick-start
BIG-IQ Lab guide: https://clouddocs.f5.com/training/community/big-iq-cloud-edition/html/
BIG-IQ Youtube playlist: https://www.youtube.com/playlist?list=PLyqga7AXMtPMw9ob6u73-anE6BWRsPhLr
BIG-IQ info