Forum Discussion

Aantat
Apr 07, 2023

BIG-IQ questions

Hi team! I'm facing BIG-IQ for the first time and I have a couple of questions. Sorry for my English.

1. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices?

2. What is the best practice for making changes via BIG-IQ? Deploy it every time when I make changes? (sounds stupid, I know)

3. Can I do everything in BIG-IQ same as in BIG-IP? At first it seems like I can't.

3.1. Can I create traffic policies in BIG-IQ?

3.2. I found that I can't remove traffic policy from virtual server in BIG-IQ. Why?

3.3 I found that I can't apply ASM policy to virtual server in BIG-IQ. Why?

4. I configured DCD to get events from BIG-IP with ASM. It works, but I can't see the requests in events. I can only see fragments of them. Here is an example of a fragment of a request:

GET /vulnerabilities/upload/ HTTP/1.1
Host: dvwa.com
User-Agent: Mozilla/5.0 (X11; Ubu

I hope the experts will help me deal with these issues. 

Thank you in advance!

  • Aantat I would not say I am well versed in the BIG-IQ but I can definitely shed some light on some of your questions.

    1Q. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices?
    1A. If you make changes on the BIG-IP itself you will have to re-import the configuration and make the BIG-IP as the configuration to trust when this sync occurs. It is easier to do a re-import and re-discover rather than just re-import.

    2Q. What is the best practice for making changes via BIG-IQ? Deploy it every time when I make changes? (sounds stupid, I know)
    2A. I'm unsure if a best practice exists but if you make changes on the BIG-IQ you should absolutely push those changes to the BIG-IP if you want them to be in place.

    3Q. Can I do everything in BIG-IQ same as in BIG-IP? At first it seems like I can't.
    3A. You cannot. Some pieces or even entire sections of configuration from the BIG-IP cannot be configured under the BIG-IQ. An example that I know of is you cannot enable an F5 trunk through the BIG-IQ but you can set it up on the BIG-IP and then sync the BIG-IP configuration to the BIG-IQ.

    As for the rest of your questions I would venture that they are all limitations of the BIG-IQ and would require making the change on the BIG-IP side and then syncing the configuration changes back to the BIG-IQ.

    • Aantat

      Thanks Paulius,

      I have one last question about traffic policy. I didn't find any documentation about that. I assume that traffic policy is not supported, but I can't find any docs on that 😞

  • For #4, double-check that your ASM logging profile is using the higher size, which I believe is 64KB.

    • Aantat

      Hi JoshBecigneul,

      Yep, that helped to solve it. Thanks!

      I have one last question about traffic policy. I didn't find any documentation about that. I assume that traffic policy is not supported, but I can't find any docs on that

  • Also, BIG-IQ should ignore the configuration that it does not understand when the F5 BIG-IP config is imported into the BIG-IQ, like F5 ASM/APM guided configurations having iRules LX/FAST templates, but be careful.

    As Paulius mentioned, some things like trunks can't be created on BIG-IQ, but things like Declarative Onboarding (DO) can be used as an alternative.

    Also, BIG-IQ has a scripting feature that can be used to push some config to a BIG-IP:

    https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-big-ip-devices-from-big-iq/script-management.html