Remove a BIG-IP from BIG-IQ

Overview

This example describes the workflow which removes a BIG-IP from BIG-IQ management. This removes the BIG-IP’s pool license from the BIG-IQ, removes this BIG-IP’s modules from the BIG-IQ’s working config, and removes the trust relationship between this BIG-IP and the BIG-IQ.

GET to get the BIG-IP’s device reference

The value of deviceReference in the following example is a link object for the managed BIG-IP which is being removed. You can determine this value from the BIG-IP’s IP address and the BIG-IQ’s MachineId Resolver API. For example, if the address for the BIG-IP is 10.10.0.2, then you can send a GET request to the machineid-resolver endpoint and filter the response by the BIG-IP’s address. In the following example <BIG-IQ> represents a placeholder for the IP address of the BIG-IQ.

GET https://<BIG-IQ>/mgmt/cm/system/machineid-resolver?filter=address eq 10.10.0.2

Response

If this is the address of a managed BIG-IP, the response can include the BIG-IP’s address, machineId, and selfLink.

HTTP/1.1 200 OK

{
    "address": "10.10.0.2",
    "machineId": "93824fc2-6667-4506-9065-9946d01957ab",
    "selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/93824fc2-6667-4506-9065-9946d01957ab"
}

The deviceReference field in this example is therefore the following.

"deviceReference": "https://<BIG-IQ>/mgmt/cm/system/machineid-resolver/93824fc2-6667-4506-9065-9946d01957ab"

POST to remove the pool license

Use the BIG-IQ’s License Assign/Revoke API to create a task to revoke the BIG-IP’s pool license on the BIG-IQ. This API can be used with all types of pool licenses except Fraud Protection Service (FPS) licenses.

POST https://<BIG-IQ>/mgmt/cm/device/tasks/licensing/pool/member-management

The JSON in the body of the POST request can look similar to the following example.

{
    "licensePoolName": "pool name",
    "command": "revoke",
    "address": "10.10.0.2"
}

Response

The response to the POST can look similar to the following example. The JSON in the body of the response includes the task’s id and an initial status of STARTED.

HTTP/1.1 200 OK

{
     "licensePoolName": "pool name",
     "command": "revoke",
     "address": "10.10.0.2",
     "id": "d717c6a1-f3bd-46cb-8410-c6fda58940b9",
     "status": "STARTED"
}

After initiating the revoke license task, you can poll for the task’s completion by sending GET requests to the task’s endpoint and checking the updated value of status until the task completes. Polling for this example revoke license task would look as follows.

GET https://<BIG-IQ>/mgmt/cm/device/tasks/licensing/pool/member-management/d717c6a1-f3bd-46cb-8410-c6fda589

POST to remove module objects

Use the BIG-IQ’s Device RMA API to create a super-task to remove multiple module objects from the BIG-IQ’s working-config. To remove the module objects, send the POST request to the device-remove-mgmt-authority task collection on the BIG-IQ. Specify the modules being removed in moduleList (firewall, security_shared, asm, adc_core, access, dns, fps or sslo).

POST https://<BIG-IQ>/mgmt/cm/global/tasks/device-remove-mgmt-authority

The body of the POST can include the following JSON fields. This super-task can remove the firewall, security_shared, asm, adc_core, access, dns, fps and sslo module objects. It can remove module objects from the working-config whether or not they have been discovered. If the required LTM (ADC) module is missing, the entire super-task fails. Missing any other module does not cause failure, and the super-task continues to remove the specified modules.

{
    "name": "device-rma_10.10.0.2",
    "deviceReference": {
        "link": "https://localhost/mgmt/cm/system/machineid-resolver/93824fc2-6667-4506-9065-9946d01957ab"
    },
    "moduleList": [
        {
            "module": "access"
        },
        {
            "module": "asm"
        },
        {
            "module": "fps"
        },
        {
            "module": "firewall"
        },
        {
            "module": "security_shared"
        },
        {
            "module": "dns"
        },
        {
            "module": "sslo"
        }
    ]
}

Response

HTTP/1.1 200 OK

The JSON fields in the response to the POST can include the task’s id, selfLink and status. The value of id is the identifier for the super-task. The value of selfLink is the URL for the super-task. The value of status can be “STARTED” initially, which means the task has been started. To poll for the updated status, you can send repeated GET requests to the super-task’s selfLink. The status of each module is returned in moduleList. The API’s response can include the status for the super-task and for each individual module because the system runs a separate removal task for each module.

The following GET example gets the updated status for the super-task identified by id. You can send repeated GET requests to check the status of the super-task, which can eventually update to “DONE” and “FINISHED”.

GET https://<BIG-IQ>/mgmt/cm/global/tasks/device-remove-mgmt-authority/<id>

POST to remove the trust relationship

Use the BIG-IQ’s Device Remove Trust API to remove the trust relationship between BIG-IQ and a BIG-IP. The untrusted BIG-IP can then have no modules or services imported or discovered. This also removes data related to the BIG-IP, for example the BIG-IP’s membership in various device groups.

POST https://<BIG-IQ>/mgmt/cm/global/tasks/device-remove-trust

The following example creates a task to remove the BIG-IP’s trust relationship. The JSON in the body of the POST can be similar to the following.

{
    "name": "device-remove-trust__10.10.0.2",
    "deviceReference": {
        "link": "https://localhost/mgmt/cm/system/machineid-resolver/93824fc2-6667-4506-9065-9946d01957ab"
    }
}

Response

HTTP/1.1 200 OK

The JSON in the response to the POST can look similar to the following. The value of selfLink is the URL for the task. The value of status can be “STARTED” initially, which means the task has been started. To poll for the updated status, you can send repeated GET requests to the task’s selfLink.

The following GET example gets the updated status for the remove trust task identified by id and selfLink. You can send repeated GET requests to check the status of the remove trust task, which can eventually update to “DONE” and “FINISHED”.

GET https://<BIG-IQ>/mgmt/cm/global/tasks/device-remove-trust/<id>
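The four steps above can be chained into one sequence that stops at the first failure. The following is an added example, not F5 code. It assumes a caller-supplied send(method, url, body) function (hypothetical) that performs the authenticated, certificate-verified HTTPS request and returns the parsed JSON, that either “DONE” or “FINISHED” in status means completion, and that a failed task reports a status of “FAILED”, a value this page does not show.

```python
import time
from urllib.parse import quote

TASKS = {  # task collections named on this page
    "license": "/mgmt/cm/device/tasks/licensing/pool/member-management",
    "modules": "/mgmt/cm/global/tasks/device-remove-mgmt-authority",
    "trust": "/mgmt/cm/global/tasks/device-remove-trust",
}
COMPLETE = {"DONE", "FINISHED"}  # completion values named on this page
FAILED = {"FAILED"}              # assumption: the page shows no failure value

def resolver_url(base, address):
    # Percent-encode the filter expression so its spaces survive as a valid URL.
    return f"{base}/mgmt/cm/system/machineid-resolver?filter=" + quote(f"address eq {address}")

def run_task(send, url, body, interval=2.0, timeout=600.0):
    """POST a task, then GET <collection>/<id> until it completes."""
    task = send("POST", url, body)
    deadline = time.monotonic() + timeout
    while task["status"] not in COMPLETE:
        if task["status"] in FAILED:
            raise RuntimeError(f"task {task['id']} ended as {task['status']}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"task {task['id']} is still {task['status']}")
        time.sleep(interval)
        task = send("GET", f"{url}/{task['id']}", None)
    return task

def remove_bigip(send, base, address, pool_name, modules, interval=2.0):
    """send(method, url, body) -> dict is the caller's authenticated HTTPS client."""
    device = send("GET", resolver_url(base, address), None)
    # The next three steps are destructive and keyed on this reference, so stop
    # unless the resolver returned exactly the device that was asked for.
    if device.get("address") != address or not device.get("selfLink"):
        raise LookupError(f"{address} did not resolve to a managed BIG-IP")
    ref = {"link": device["selfLink"]}
    steps = [
        ("license", {"licensePoolName": pool_name, "command": "revoke", "address": address}),
        ("modules", {"name": f"device-rma_{address}", "deviceReference": ref,
                     "moduleList": [{"module": m} for m in modules]}),
        ("trust", {"name": f"device-remove-trust__{address}", "deviceReference": ref}),
    ]
    results = []
    for key, body in steps:
        # Sequential on purpose: a failed step raises here, so trust is never
        # removed while the license or module objects are still in place.
        results.append(run_task(send, base + TASKS[key], body, interval))
    return results
```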