Hi team! I'm facing BIG-IQ for the first time and I have a couple of questions. Sorry for my English.
1. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices?
2. What is the best practice for making changes via BIG-IQ? Deploy it every time I make changes (sounds stupid, I know)?
3. Can I do everything in BIG-IQ same as in BIG-IP? At first it seems like I can't.
3.1. Can I create traffic policies in BIG-IQ?
3.2. I found that I can't remove a traffic policy from a virtual server in BIG-IQ. Why?
3.3. I found that I can't apply an ASM policy to a virtual server in BIG-IQ. Why?
4. I configured DCD to get events from BIG-IP with ASM. It works, but I can't see the requests in events. I can only see fragments of them. Here is an example of a request fragment:
GET /vulnerabilities/upload/ HTTP/1.1 Host: dvwa.com User-Agent: Mozilla/5.0 (X11; Ubu
I hope the experts will help me deal with these issues.
Thank you in advance!
@Aantat I would not say I am well versed in the BIG-IQ but I can definitely shed some light on some of your questions.
1Q. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices?
1A. If you make changes on the BIG-IP itself you will have to re-import the configuration and make the BIG-IP the configuration to trust when this sync occurs. It is easier to do a re-import and re-discover rather than just re-import.
2Q. What is the best practice for making changes via BIG-IQ? Deploy it every time I make changes (sounds stupid, I know)?
2A. I'm unsure if a best practice exists but if you make changes on the BIG-IQ you should absolutely push those changes to the BIG-IP if you want them to be in place.
3Q. Can I do everything in BIG-IQ same as in BIG-IP? At first it seems like I can't.
3A. You cannot. Some pieces or even entire sections of configuration from the BIG-IP cannot be configured under the BIG-IQ. An example that I know of is you cannot enable an F5 trunk through the BIG-IQ but you can set it up on the BIG-IP and then sync the BIG-IP configuration to the BIG-IQ.
As for the rest of your questions I would venture that they are all limitations of the BIG-IQ and would require making the change on the BIG-IP side and then syncing the configuration changes back to the BIG-IQ.
Also, BIG-IQ should ignore configuration that it does not understand when the F5 BIG-IP config is imported into the BIG-IQ, like F5 ASM/APM guided configurations that have iRules LX/FAST templates, but be careful.
As @Paulius mentioned, some things like trunks can't be created on BIG-IQ, but things like Declarative Onboarding (DO) can be used as an alternative.
Also BIG-IQ has a scripting feature that can be used to push some config to a BIG-IP: