central management
4 Topics

BIG-IQ 8.3 - no BIG IQ Central Management option
Trying to build a BIG IQ v 8.3 on Hyper V but I keep running into an issue where I can licence the box using a trial licence (all appears to be working as expected), create the Master Keys and reset the Password, but as soon as I get to the System Personality the option for BIG-IQ Central Management is not available. It only presents me the option of BIG-IQ Data Collection Device. If I skip the licence at Step 1 then I also get the option to create a License Manager but that's not really very useful either. 🤨 The guide I am following is the F5 one - BIG IQ Build Guide - and I have assigned the VM 32GB RAM and 8 cores after initially trying it with half the above figures, which I thought might be the issue, but still no joy. Have deleted the VM and recreated using a new copy of the VHD file - same problem seen so I am at a bit of a loss as to what to try next. Any suggestions would be much appreciated.
74 Views, 0 likes, 4 Comments

F5 and AppViewX
Anyone out there using AppViewX as an F5 central manager and/or automation tool? The jury is still out for me and I'd like to get some feedback from anyone with real production experience. Also, I find BIG-IQ very lacking with simple features and functions. Thanks!
473 Views, 0 likes, 0 Comments

Implementing SSL Orchestrator - Management with BIG-IQ
Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ.

Implementing SSL/TLS decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on.

This article focuses on management with BIG-IQ. It is divided into the following high-level sections:

- BIG-IQ installation
- Adding BIG-IP devices
- Visibility and reporting
- Managing policy
- Using templates

Please forgive me for using SSL and TLS interchangeably in this article.

Software versions used in this article:

- BIG-IP Version: 14.1.2
- SSL Orchestrator Version: 5.5
- BIG-IQ Version: 7.0.1

Notes on installing BIG-IQ

If an existing pair (CM and DCD) is already installed:

- Upgrade the BIG-IQ to 7.0.0.1 (latest as of 10/16/2019):
-- scp BIG-IQ-7.0.0.1-0.0.6.iso root@192.168.41.129:/shared/images
-- ssh admin@192.168.41.129
-- install sys software image BIG-IQ-7.0.0.1-0.0.6.iso volume HD1.2 create-partition reboot
-- Same on other BIG-IQ
- Onboard BIG-IQ:
-- https://github.com/f5devcentral/f5-big-iq-onboarding

Adding BIG-IP devices

From the BIG-IQ UI go to Devices > BIG-IP Devices. Click Add Device(s).

Enter the IP Address, User Name and Password. Click the down arrow next to Cluster Display Name and select Create New. Name it, in this example “My_Cluster”, then click Add.

On the next screen select the Services you wish to discover. LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.

The Discovery process may take a few minutes. When complete click Add Device(s) again.

Enter the IP Address, User Name and Password of the next BIG-IP device. Click the down arrow to the right of Cluster Display Name and select Use Existing. Under Select a cluster choose My_Cluster. Click Add.
LTM should be selected by default. Select the box next to SSL Orchestrator and click Continue.

When complete click the link to Complete import tasks.

For LTM click the box to Create a snapshot. Click the Import button.

Click the arrow to go back.

Click the link to Complete import tasks.

For LTM click the box to Create a snapshot. Click the Import button.

Then scroll to the bottom and click Import.

For the Location choose to Create New or Use Existing. In this example we Use Existing Location, “pmelab”. Click Deploy then Yes.

You should see a success message like below. Click OK.

Repeat the steps above to Import and Deploy the SSL Orchestrator settings on the 2nd BIG-IP.

Note: If you receive an out of sync error message you may need to connect to the BIG-IP Configuration Utility and manually synchronize the devices.

Under Services you should see Management, LTM, SSO. If there is an error under Stats Collection click the blue text.

Click Save & Close.

Do this for both BIG-IP devices if needed.

The next screen should look like this.

Note: The Status icon will indicate overall device health. Notice in this example it’s a yellow triangle. Hover the mouse cursor over the Status icon to get more details.

The pop-up message indicates that disc space is running low. You can click the Device Name to drill in and get more detail.

Visibility and Reporting

For Visibility and Reporting go to Monitoring > SSL Orchestrator > SSL Overview. This screen gives you an overview of your Topologies, Devices and more.

Click the highlighted icon on the top right to toggle on/off the different statistical widgets.

Click the highlighted icon on the top right to change the refresh rate of this page.

Clicking on any of the widgets drills down into more detail. Click the SSL Decryption widget to view more detail.

Click SSLO Analytics for more analytical reports.
Notice the following on the right. Click the Export button to export this report in a printer-friendly format or save as a PDF. There are also extensive filtering criteria, like Destination Countries, that you can use to refine your report data.

Managing Policies

Edit/create new policy

From the BIG-IQ UI go to Configuration > SSL Orchestrator > Security Policies. Click the Security Policy name.

Click the pencil icon to edit the Security Policy.

Scroll down to view the Rules. Click the pencil icon to edit the Pinners_Rule.

We will add another Category to this rule to bypass decryption. Click in the field to the right of the last Category. Start typing Education and it should come up. Select the Education Category and click Save.

Note: This rule is still set to Allow, the connection will not be decrypted and it will not be sent to a Service Chain.

On the next screen click Deploy then Yes.

When complete it should look like the image below.

Use Config Templates to make device changes, like adding a new NTP server.

From the BIG-IQ UI go to Devices > Config Templates > Templates. Click Create.

Give it a name. In this example NTP_template. Click the Down arrow and select NTP.

Click Add. Enter the IP address or hostname of the NTP server you wish to use. If needed, click the Plus sign to add more. Select your time zone, in this example America/Los Angeles. Click Save & Close.

Click Deployments > Create.

For the Config Template select the NTP_template created previously. Select both Devices and click the arrow to move them from Available to Included.

Give the deployment a name, in this example my_deployment. Click Next.

Click Deploy then OK.

You should see a successful deployment.

Summary

In this article you learned how to install and configure BIG-IQ. Then you learned how to add BIG-IP devices to BIG-IQ and import their configuration. We also covered some common tasks with Visibility and Reporting. You learned how to manage and update the security policy.
And finally, you learned how to use Config Templates to configure common items in your BIG-IP deployment.

Next Steps

Click Next to proceed to the next article in the series.
1.1K Views, 0 likes, 5 Comments