Forum Discussion
CirrusBIQ-IQ questions
Hi team! I'm facing BIG-IQ for the first time and I have a couple question. Sorry for my english.
1. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices.
2. What is the best practice for Making changes via BIG-IQ? Deploy it every time when I make changes (sounds stupid, I know)
3. Can I do everything in BIG-IQ same as in BIG-IP? For the first it seems like I can't.
3.1. Can i create traffic policies in BIG-IQ?
3.2. I found that I can't remove traffic policy from virtual server in BIG-IQ. Why?
3.3 I found that I can't apply ASM policy to virtual server in BIG-IQ. Why?
4. I configured DCD to get events from BIG-IP with ASM. It works but i can't see request in events. I can only see fragments of them. There are example of fragment of request:
GET /vulnerabilities/upload/ HTTP/1.1
Host: dvwa.com
User-Agent: Mozilla/5.0 (X11; UbuI hope the experts will help me deal with these issues.
Thank you in advance!
5 Replies
- Paulius
MVP
Aantat I would not say I am well versed in the BIG-IQ but I can definitely shed some light on some of your questions.
1Q. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices.
1A. If you make changes on the BIG-IP itself you will have to re-import the configuration and make the BIG-IP as the configuration to trust when this sync occurs. It is easier to do a re-import and re-discover rather than just re-import.2Q. What is the best practice for Making changes via BIG-IQ? Deploy it every time when I make changes (sounds stupid, I know)
2A. I'm unsure if a best practice exists but if you make changes on the BIG-IQ you should absolutely push those changes to the BIG-IP if you want them to be in place.3Q. Can I do everything in BIG-IQ same as in BIG-IP? For the first it seems like I can't.
3A. You cannot. Some pieces or even entire sections of configuration from the BIG-IP cannot be configured under the BIG-IQ. An example that I know of is you cannot enable an F5 trunk through the BIG-IQ but you can set it up on the BIG-IP and then sync the BIG-IP configuration to the BIG-IQ.As for the rest of your questions I would venture that they are all limitations of the BIG-IQ and would require making the change on the BIG-IP side and then syncing the configuration changes back to the BIG-IQ.
For #4, Double check that your ASM logging profile is using the higher size, which I believe is 64KB.
AantatHi JoshBecigneul,
Yeap, that helped to solve it. Thanks!
I have last question about traffic policy. I didn't find any documentation about that. I assume that traffic policy not supported, but I can't find any docs on that
- Nikoolayy1
Also BIG-IQ should ignore the configuration that it does not understand when the F5 BIG-IP config is imported in the BIG-IQ like F5 ASM/APM guided configurations having iruleslx/fast templates but be carefull.
As Paulius mentioned some things like trunks can't be created on BIG-IQ but things like Declarative Onboarding (DO) can be used as an alternative.
Also BIG-IQ has a scripting feature that can be used to push some config to a BIG-IP:
https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-big-ip-devices-from-big-iq/script-management.html
