Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

BIQ-IQ questions

Aantat
Cirrus
Cirrus

Hi team! I'm facing BIG-IQ for the first time and I have a couple question. Sorry for my english.

1. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices.

2. What is the best practice for Making changes via BIG-IQ? Deploy it every time when I make changes (sounds stupid, I know)

3. Can I do everything in BIG-IQ same as in BIG-IP? For the first it seems like I can't.

3.1. Can i create traffic policies in BIG-IQ?

3.2. I found that I can't remove traffic policy from virtual server in BIG-IQ. Why?

3.3 I found that I can't apply ASM policy to virtual server in BIG-IQ. Why?

4. I configured DCD to get events from BIG-IP with ASM. It works but i can't see request in events. I can only see fragments of them. There are example of fragment of request:

GET /vulnerabilities/upload/ HTTP/1.1
Host: dvwa.com
User-Agent: Mozilla/5.0 (X11; Ubu

I hope the experts will help me deal with these issues. 

Thank you in advance!

5 REPLIES 5

Paulius
MVP
MVP

@Aantat I would not say I am well versed in the BIG-IQ but I can definitely shed some light on some of your questions.

1Q. Do I have to Re-Discover and Re-Import configuration every time if I change config on BIG-IP devices.
1A. If you make changes on the BIG-IP itself you will have to re-import the configuration and make the BIG-IP as the configuration to trust when this sync occurs. It is easier to do a re-import and re-discover rather than just re-import.

2Q. What is the best practice for Making changes via BIG-IQ? Deploy it every time when I make changes (sounds stupid, I know)
2A. I'm unsure if a best practice exists but if you make changes on the BIG-IQ you should absolutely push those changes to the BIG-IP if you want them to be in place.

3Q. Can I do everything in BIG-IQ same as in BIG-IP? For the first it seems like I can't.
3A. You cannot. Some pieces or even entire sections of configuration from the BIG-IP cannot be configured under the BIG-IQ. An example that I know of is you cannot enable an F5 trunk through the BIG-IQ but you can set it up on the BIG-IP and then sync the BIG-IP configuration to the BIG-IQ.

As for the rest of your questions I would venture that they are all limitations of the BIG-IQ and would require making the change on the BIG-IP side and then syncing the configuration changes back to the BIG-IQ.

Thanks @Paulius,

I have last question about traffic policy. I didn't find any documentation about that. I assume that traffic policy not supported, but I can't find any docs on that 😞

For #4, Double check that your ASM logging profile is using the higher size, which I believe is 64KB.

Hi @JoshBecigneul,

Yeap, that helped to solve it. Thanks! 

I have last question about traffic policy. I didn't find any documentation about that. I assume that traffic policy not supported, but I can't find any docs on that 

 

Also BIG-IQ should ignore the configuration that it does not understand when the F5 BIG-IP config is imported in the BIG-IQ like F5 ASM/APM guided configurations having iruleslx/fast templates but be carefull.

 

As @Paulius mentioned some things like trunks can't be created on BIG-IQ but things like Declarative Onboarding (DO) can be used as an alternative.

 

Also BIG-IQ has a scripting feature that can be used to push some config to a BIG-IP:

 

https://techdocs.f5.com/en-us/bigiq-8-0-0/managing-big-ip-devices-from-big-iq/script-management.html