

RiadSanchz
Mar 29, 2021
Solved

Should you disable ASM LTM software update checks on the BIG-IPs when enabling them on BIG-IQ?

Hello F5'ers -

I am new to BIG-IQ and I am trying to figure out if I should disable the ASM signature updates and SW updates on the BIG-IPs if I am enabling this option on the BIG-IQs (System > Software Management > Update Check and Live Update). And does BIG-IQ push these SW updates? I have reviewed multiple online docs but it's still not clear to me, nor is it noted anywhere if you should disable these updates from the BIG-IPs. We have a combination of BIG-IP VIPRION hosts (with multiple guests) and Virtual Editions in our environment. Appreciate your help!!

Maria

  • The F5 documentation is one of the best I have seen, so the answer is there. You can have auto updates from the F5 devices or have the BIG-IQ do it; it is your choice. When you have BIG-IQ, better do it from there, so better stop it on the F5 devices.

    https://techdocs.f5.com/en-us/bigiq-7-1-0/big-iq-web-application-security/managing-signature-files.html

    The issue you could see is that after 14.0 the F5 devices use live updates and not signature files, so it is better to have the BIG-IQ on a 7.1.x version or newer and F5 devices on 14.1.x or newer for this to work.

    https://support.f5.com/csp/article/K8217

3 Replies


    • RiadSanchz

      Nikoolayy1 - Thanks for answering my questions. Seems redundant to have updates on the BIG-IP and BIG-IQ. I have successfully disabled BIG-IP updates and the BIG-IQ has been updating the BIG-IPs. Thanks so much for the clarification!!