How to: Provision Modules for a managed BIG-IP Next instance
Provisioning modules involves enabling specific features or functionalities on BIG-IP Next. BIG-IP Next is a network appliance that delivers services such as traffic management, application security, and more. Each module is designed to perform a unique function, and you can provision the modules according to your specific requirements.
When a managed BIG-IP Next instance is licensed, the Web Application Firewall (WAF) module is enabled by default.
Note: Review the impact of disabling or re-enabling a WAF module on an instance.
Prerequisites
To manage BIG-IP Next instances, you must have Administrator or Instance Manager user credentials. Users with Application Manager and Auditor credentials have read-only access to all application service information. For more information about user roles, see How to: Assign standard roles to users.
If you are disabling a module, you must first disable all WAF or Access application services deployed to the instance. If any security policies are deployed, de-provisioning from the instance will fail.
This section outlines the behaviors, use cases, and scenarios for both Standalone and High Availability (HA) configurations. It also provides details on module provisioning support in various upgrade situations.
Note: During the provisioning or de-provisioning of a module, there may be a brief traffic downtime lasting a few minutes.
Standalone
F5OS < 1.8.0 (1.6.x for VELOS, 1.7.x for rSeries)
Module Provisioning: Not supported.
Behavior: Only the module state can be changed via API. Modules remain unchanged; provisioning applies only to the BIG-IP Next API configuration.
F5OS-A 1.8.0
Module Provisioning: Supported.
Behavior: The provisioning of modules works for F5OS tenants similarly to VE, enabling the same provisioning capabilities.
Upgrade Situations
When upgrading various versions of F5OS with different BIG-IP Next releases, the following behaviors are observed for module provisioning:
Condition | Upgrading | Provisioning |
---|---|---|
F5OS 1.6.x/1.7.x with BIG-IP Next v. 20.3.0 | No | No |
F5OS 1.6.x/1.7.x with BIG-IP Next v. 20.2.1 or below | No | No |
F5OS-A 1.8.0 with BIG-IP Next v. 20.2.1 or below | No | No |
F5OS-A 1.8.0 with BIG-IP Next v. 20.3.0 | Yes | Yes |
High Availability (HA) Behavior
F5OS < 1.8.0 (1.6.x for VELOS, 1.7.x for rSeries)
Module Provisioning: Not supported.
Failover Behavior: No failover occurs during provisioning because modules are not provisioned. Only the configuration is updated. Upon API job completion, the initially Active node remains Active.
F5OS-A 1.8.0
Container Provisioning: Supported.
Failover Behavior: During provisioning, a failover occurs as modules are provisioned on both nodes, and the configuration is updated. Upon API job completion, the initially Active node transitions to Standby after the provisioning is completed on both nodes.
Procedure
Use the following steps to provision modules in BIG-IP Next Central Manager GUI:
Note:
DNS cannot be provisioned simultaneously with WAF or Access on the same instance.
If the WAF or Access modules are already provisioned with active, deployed policies, DNS provisioning will fail.
Provisioning the DNS module is possible when both the WAF and Access modules are disabled.
Log in to BIG-IP Next Central Manager, click the Workspace icon next to the F5 logo, and click Infrastructure.
Click the name of the BIG-IP Next instance for which you want to provision modules.
From the left pane, click Provision.
The Provisioning screen opens.
Note:
Toggle the modules as required. By default, WAF is enabled for every other instance.
The BIG-IP Next Central Manager GUI does not support provisioning or de-provisioning multiple modules at once, but this request can be completed using the BIG-IP Next Central Manager API.
Enable/Disable Modules: For any module you want to provision (WAF, Access, DNS, or SSLO), follow the steps below:
Click the Enable/Disable on this instance button under the module name.
Confirm your choice by selecting Yes, Continue. A confirmation pop-up will appear.
Click Cancel & Exit to go back to the Instance page.
Use the following steps to provision modules in BIG-IP Next Central Manager API:
Authenticate with the BIG-IP Next Central Manager API. For details, refer to Use the following APIs to provision the modules:
Get the list of all devices by sending a GET request to the api/device/v1/inventory endpoint. Identify the Device ID for the instance for which module provisioning needs to be configured.
GET https://{{cm-host}}:{{cm-port}}/api/device/v1/inventory
Get the current module provisioning status by sending a GET request to the /api/device/v1/proxy/{{device_id}}?path=/services?include=provisioning endpoint. Replace {{device_id}} with the Device ID from the previous response.
GET https://{{cm-host}}:{{cm-port}}/api/device/v1/proxy/{{device_id}}?path=/services?include=provisioning
Provision the modules by sending a POST request to the api/v1/spaces/default/instances/{{device-id}}/module-provision endpoint. Replace {{device-id}} with the Device ID.
POST https://{{cm-host}}:{{cm-port}}/api/v1/spaces/default/instances/{{device-id}}/module-provision
For the request payload, use the following example, modifying the values as required.
{
  "access": { "state": "disabled" },
  "accessZtna": { "state": "nominal" },
  "dns": { "state": "disabled" },
  "ltm": { "state": "nominal" },
  "sslo": { "state": "disabled" },
  "waf": { "state": "disabled" }
}
Get the module provisioning status by sending a GET request to the api/v1/spaces/default/instances/module-provision-tasks/{{task_Id}} endpoint. Identify the Task ID generated from the previous response.
GET https://{{cm-host}}:{{cm-port}}/api/v1/spaces/default/instances/module-provision-tasks/{{task_Id}}
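A pre-flight check for the module-provision payload, as an added example (not F5 code): it applies the DNS/WAF/Access rule and the deployed-policy rule from this page before anything is sent, and flags a payload that would de-provision WAF, as the example payload above does if sent unmodified. Treating "nominal" as the provisioned state, passing the current state in the payload's own shape, keeping omitted modules unchanged, and the deployed_policy_modules argument are assumptions of this example.

```python
import json

# Module keys and state values are the ones in the page's example payload.
MODULES = ("access", "accessZtna", "dns", "ltm", "sslo", "waf")
STATES = ("nominal", "disabled")  # assumption: "nominal" = provisioned


def enabled(cfg, module):
    return cfg.get(module, {}).get("state") == "nominal"


def preflight(current, desired, deployed_policy_modules=()):
    """Return (errors, warnings) for a module-provision payload.

    current and desired use the payload shape shown on the page.
    deployed_policy_modules names modules that still have deployed policies.
    """
    errors, warnings = [], []
    for name, cfg in desired.items():
        if name not in MODULES:
            errors.append(f"unknown module key: {name}")
        elif cfg.get("state") not in STATES:
            errors.append(f"{name}: unexpected state {cfg.get('state')!r}")
    # Assumption: modules omitted from the payload keep their current state.
    target = {**current, **desired}
    # DNS cannot be provisioned together with WAF or Access.
    if enabled(target, "dns"):
        for other in ("waf", "access"):
            if enabled(target, other):
                errors.append(f"dns cannot be provisioned together with {other}")
            elif other in deployed_policy_modules:
                errors.append(f"dns: {other} policies are still deployed")
    # De-provisioning fails while policies are deployed on the instance.
    for name in ("waf", "access"):
        if enabled(current, name) and not enabled(target, name):
            if name in deployed_policy_modules:
                errors.append(f"{name}: remove deployed policies before disabling")
            else:
                warnings.append(f"{name} will be de-provisioned")
    return errors, warnings


def build_request(cm_host, cm_port, device_id, desired):
    """Return (method, url, body) for the module-provision call on the page."""
    url = (f"https://{cm_host}:{cm_port}/api/v1/spaces/default/"
           f"instances/{device_id}/module-provision")
    return "POST", url, json.dumps(desired, sort_keys=True)
```

Send the request only when preflight returns no errors, and treat a "waf will be de-provisioned" warning as a change that needs explicit sign-off.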
Result
The modules are provisioned for the selected BIG-IP Next Instance and you can enable/disable any module again.