Overview: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager

The following tool assists the application service migration experience of Local Traffic Manager (LTM), Access, and Web Application Firewall (WAF) services into BIG-IP Next from existing BIG-IP devices. The process provides an end-to-end automation of application migration with minimal disruption to ongoing operations. Application migration into BIG-IP Next Central Manager provides feature compatibility checks and application validation to ensure the application is properly migrated and deployed to your BIG-IP Next instances. In addition, as some features are not yet supported on BIG-IP Next, the migration tool ensures that only supported features are migrated.

About application service migration

The application service migration tool allows you to select virtual servers currently running on your BIG-IP devices to convert into Application Services (AS3 declaration) and deploy them to BIG-IP Next instances . This version of BIG-IP Next Central Manager supports migration from a UCS for application delivery and control services for HTTP and HTTPS applications services.

The migrated application services are added to BIG-IP Next Central Manager and you can edit the AS3 declaration for later deployment.

In addition, during the pre-deployment stage of application migration you can install shared objects, such as, iRules, SSL certificates, and WAF or Access policies to BIG-IP Next Central Manger. Once installed, these objects can be attached to application services and modified on BIG-IP Next Central Manager. Modifying objects will be automatically updated on attached applications services.

Overview of Application Migration at a glance

  • Supports per-application service migration and their dependencies from BIG-IP to BIG-IP Next (per-app only).

  • Supports migration of applications with LTM services on BIG-IP version 12.1 (or later) to AS3 declarations onto BIG-IP Next.

    Note: The migration process from the USC file to BIG-IP Next Central Manager applies bigip.conf translation to AS3. The application services are then deployed to using AS3 API.

  • Supports migration of HTTP and HTTPS applications.

  • Supports migration of applications with WAF services on BIG-IP version 12.1 (or later) .

  • Supports migration of applications with Access services on BIG-IP version 12.1 (or later).

  • Supports migration of iRules found on migrated applications.

  • Supports platform destination of Virtual Edition (VE) and VELOS, rSeries.

  • Supports application service migration of the following default objects within the declaration: monitors, profiles, and iRules.

Application migration and deployment process

The migration wizard provides a 3-step process to migrate and deploy your application services to a BIG-IP Next instance:

  • Upload the UCS file from your BIG-IP device and select how to group the virtual servers in their application services.

  • View application services and manage their virtual server configuration. Select application services for migration.

  • Select the deployment destination, save application service as draft, or save imported objects (certificates, iRules, WAF and Access policies) to BIG-IP Next Central Manager.

    Note: When you save an application service as a draft, you can make changes to the AS3 declaration. In some cases the configuration of the application service or virtual server is not supported by BIG-IP Next. You can make these changes and later deploy the application service with the supported changes.

After you deploy your migrated application services, you can view a summary of the migration and deployment process.

For more information, see How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager.

Automatic conversion

The migration process performs automatic conversion of objects to ensure they are supported on BIG-IP Next.

In some cases, objects cannot be converted because they are not supported on BIG-IP Next. These objects are either removed or cannot be deployed unless they are updated in the AS3 declaration.

Application Objects

The migration tool might discover objects in virtual servers that are not supported by BIG-IP Next. BIG-IP Next Central Manager provides a conversion status when you select applications for migration. During the application selection process you can review and verify the objects that will be automatically removed or converted. These application services can then be deployed or saved to BIG-IP Next Central Manager as a draft for manual changes before you deploy to an instance.

For more information about deployment statuses, see Reference: Application migration status.

For more information about selecting application services for migration, see How to: Migrate BIG-IP application configurations onto BIG-IP Next Central Manager.

Default object conversion

The migration tool recognizes configured default objects in the UCS and automatically migrates these objects into BIG-IP Next. However, shared or default object definitions are not copied from the UCS, but are hardcoded into the migration tool based on the source BIG-IP version. This means that most objects will be added, but if the object was manually modified, those modifications are lost in the migration process.

Entries within objects that are not supported on BIG-IP Next are removed during conversion to an AS3 declaration.

Supported default objects include, iRules, monitors and profiles.

Supported Certificates

SSL certificate and key pairs that are unsupported report a security warning status. This version of BIG-IP Next supports cipher suites that use these algorithms:

  • RSA (2048/3072/4096)

  • ECDSA (prime256v1/secp384r1)

Unsupported certificate and key pairs will be marked and can be replaced in the AS3 declaration after you save the migrated application service as a draft.

Note: Mutual Transport Layer Security (mTLS) is not supported during the migration. A certificate and key pair from a Server SSL profile with this service can be imported, but won’t be attached to the application service.

If multiple SSL profiles of the same type (for example, both client SSL or server SSL) are found on the same virtual server, you will need to remove one of the certificates to ensure proper deployment to an instance.

PKCS type certificates

BIG-IP Next supports PKCS #12 and PKCS #8 certificates. If you created an application with a PKCS #1 certificate and encrypted key, the migration process will automatically convert the certificate to PKCS #8. Following the migration and import of the certificate to BIG-IP Next Central Manager, you will be able to access the certificate and private key.

Unsupported virtual servers

Certain types of virtual servers are not supported on BIG-IP Next. If these virtual server types are found in your application services, ensure they are removed from the application service during the Application Migration selection process.

The following virtual servers are not supported on BIG-IP Next and cannot be deployed to a BIG-IP Next instance:

  • Internal virtual servers - If you configured internal virtual server for HTTP request and response adaptation to your BIG-IP device (before migration).

  • IP forwarding virtual servers

  • Wildcard virtual servers ( - Deployment is not blocked, but is not recommended. Deploying more than one wildcard virtual server to a single instance can cause unexpected instance behavior.