Re-import Device-specific configuration for Access groups

Overview

An Access group helps synchronize Access policies across multiple devices. The devices that need a common set of Access policies must be added to the Access group in order to have a synchronized configuration. After an Access group configuration is deployed to the devices in the group, the BIG-IP devices can make additional changes to the deployed configuration. These device-specific changes must be re-imported into the Access group configuration for the devices.

This document describes the necessary APIs and steps to re-import device-specific configuration back from devices into an Access group.

Prerequisites

To re-import a device-specific configuration for devices in an Access group, the following prerequisites must be met.

  • The BIG-IQ system is operational, has completed the setup, and has all the system level configurations in place.
  • An Access group is created with zero or more devices.
  • Devices from which the configuration must be re-imported already belong to an Access group.
  • Users have the RBAC permissions of the “Trust Discovery and Import” role, which are necessary to re-import device-specific configuration back into an Access group.

Required Information

In addition to the prerequisites, users must provide the following to re-import device-specific configuration for devices in an Access group.

  • An Access group name.
  • BIG-IP device reference for devices in BIG-IQ.

Actions

Using the BIG-IQ API, users can complete the following actions to collect necessary information and re-import a device-specific configuration for one or more devices in an Access group.

  • List existing BIG-IP devices.
  • Initiate and monitor the “Device Discovery and Import Controller” task to re-import device-specific configuration for one or more devices in an Access group.

List existing BIG-IP devices

To list existing BIG-IP devices discovered in the BIG-IQ system, users must use the “MachineID Resolver” API. This API lists all the BIG-IP devices discovered in the system. Any device that has "properties/cm-access-allBigIpDevices/cm:access:access-group-name": "<access_group_name>" belongs to the <access_group_name> Access group.

GET https://<management_ip>/mgmt/cm/system/machineid-resolver

Response

{
        "items": [
                {
                        "uuid": "77dab84d-4fab-498a-83d2-7c839b095229",
                        "deviceUri": "https://<device_ip_address>:<device_https_port>",
                        "machineId": "77dab84d-4fab-498a-83d2-7c839b095229",
                        "state": "ACTIVE",
                        "address": "<device_ip_address>",
                        "httpsPort": <device_https_port>,
                        "hostname": "<device_host_name>",
                        "version": "13.1.0",
                        "product": "BIG-IP",
                        "edition": "Final",
                        "build": "0.0.1843",
                        "restFrameworkVersion": "13.1.0-0.0.1843",
                        "managementAddress": "<device_ip_address>",
                        "mcpDeviceName": "/Common/<device_name>",
                        "trustDomainGuid": "ca44652e-43c4-4f46-8b97005056b0a86c",
                        "properties": {
                                "cm:gui:module": [
                                        "BigIPDevice"
                                ],
                                "modules": [],
                                "cm-access-allDevices": {
                                        "cm:gui:module": [
                                                "Access"
                                        ],
                                        "modules": [
                                                "All Access managed BIG-IP devices"
                                        ]
                                },
                                "cm-access-allBigIpDevices": {
                                        "discovered": true,
                                        "imported": true,
                                        "clusterName": "cluster_1",
                                        "supportsIncrementalDiscovery": true,
                                        "lastDiscoveredDateTime": "2018-02-08T12:30:21.363Z",
                                        "discoveryStatus": "FINISHED",
                                        "lastUserDiscoveredDateTime": "2018-02-08T12:30:21.363Z",
                                        "cm:access:access-group-name": "<access_group_name>",
                                        "cm:access:swg-provisioned": true,
                                        "cm:access:access-group-device-link": "https://localhost/mgmt/shared/resolver/device-groups/TEST/devices/3b556a3e-0ef8-4805-9c9c-b403e673dff2",
                                        "cm:access:import-version": "13.1.0",
                                        "cm:access:access-group-link": "https://localhost/mgmt/shared/resolver/device-groups/TEST",
                                        "importedDateTime": "2018-02-08T12:31:06.540Z",
                                        "importStatus": "FINISHED",
                                        "cm:gui:module": [
                                                "Access"
                                        ],
                                        "modules": [
                                                "All Access managed BIG-IP devices"
                                        ]
                                },
                                "cm-adccore-allbigipDevices": {
                                        "discovered": true,
                                        "imported": true,
                                        "clusterName": "cluster_1",
                                        "supportsIncrementalDiscovery": true,
                                        "lastDiscoveredDateTime": "2018-02-08T12:29:48.021Z",
                                        "discoveryStatus": "FINISHED",
                                        "lastUserDiscoveredDateTime": "2018-02-08T12:29:48.021Z",
                                        "importedDateTime": "2018-02-08T12:30:38.836Z",
                                        "importStatus": "FINISHED",
                                        "cm:gui:module": [
                                                "adc"
                                        ],
                                        "modules": []
                                },
                                "cm-bigip-allBigIpDevices": {
                                        "cm:gui:module": [
                                                "BigIPDevice"
                                        ],
                                        "shared:resolver:device-groups:discoverer": "30f43266-b545-4ac8-b64e-d524d2e13730",
                                        "modules": []
                                },
                                "cm-bigip-allDevices": {
                                        "shared:resolver:device-groups:discoverer": "30f43266-b545-4ac8-b64e-d524d2e13730",
                                        "cm:gui:module": [],
                                        "modules": []
                                }
                        },
                        "isClustered": false,
                        "isVirtual": true,
                        "isLicenseExpired": false,
                        "slots": [],
                        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
                        "selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
                }
        ],
        "selfLink": "http://localhost:8100/cm/system/machineid-resolver"
}

Initiate and Monitor the “Device Discovery and Import Controller” task to re-import device-specific configuration

To re-import device-specific configuration for one or more devices in an Access group, users must use the “Device Discovery and Import Controller” task. The Access group name and the selfLink of each device, obtained from “List existing BIG-IP devices”, are used to complete this step.

POST https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller
{
        "name" : "reimport_device_specific_config_in_access_group",
        "operationalMode": "EXISTING_DEVICE",
        "deviceDetails": [{
                "deviceReference" : {"link":"https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"}
        }],
        "conflictPolicy": "USE_BIGIP",
        "deviceConflictPolicy": "USE_BIGIP",
        "snapshotWorkingConfig": true,
        "accessGroupName": "<access_group_name>"
}

Poll for the status of the task until the task status changes to FINISHED or FAILED state. When the task completes, the device import status can be obtained from the deviceStatus field for each device.

GET https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller/<task_id>

Response

{
        "accessGroupName": "<access_group_name>",
        "conflictPolicy": "USE_BIGIP",
        "currentStep": "DISCOVER_DEVICES",
        "deviceConflictPolicy": "USE_BIGIP",
        "deviceDetails": [
                {
                        "deviceReference": {
                                "link": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
                        },
                        "moduleList": [
                                {
                                        "module": "adc_core"
                                },
                                {
                                        "module": "access",
                                        "properties": {
                                                "cm:access:conflict-resolution": "accept",
                                                "cm:access:access-group-name": "<access_group_name>",
                                                "cm:access:import-shared": false
                                        }
                                }
                        ],
                        "deviceStatus": "DISCOVERY_STAGE"
                }
        ],
        "identityReferences": [
                {
                        "link": "https://localhost/mgmt/shared/authz/users/admin"
                }
        ],
        "kind": "cm:global:tasks:device-discovery-import-controller:discoveryandimportcontrollertaskitemstate",
        "name": "reimport_device_specific_config_in_access_group",
        "operationalMode": "EXISTING_DEVICE",
        "ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
        "selfLink": "https://localhost/mgmt/cm/global/tasks/device-discovery-import-controller/19426d42-2b9b-48ad-aa61-e83460982933",
        "snapshotWorkingConfig": true,
        "startDateTime": "2018-02-08T05:34:08.952-0800",
        "status": "STARTED",
        "userReference": {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "username": "admin"
}

GET https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller/<task_id>

Response

{
        "accessGroupName": "<access_group_name>",
        "conflictPolicy": "USE_BIGIP",
        "currentStep": "DONE",
        "deviceConflictPolicy": "USE_BIGIP",
        "deviceDetails": [
                {
                        "deviceReference": {
                                "link": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
                        },
                        "moduleList": [
                                {
                                        "module": "adc_core"
                                },
                                {
                                        "module": "access",
                                        "properties": {
                                                "cm:access:conflict-resolution": "accept",
                                                "cm:access:access-group-name": "<access_group_name>",
                                                "cm:access:import-shared": false
                                        }
                                }
                        ],
                        "deviceStatus": "FINISHED",
                        "superDiscoveryTaskReference": {
                                "link": "https://localhost/mgmt/cm/global/tasks/device-discovery/549d8858-56e8-4fd6-874b-414543201061"
                        },
                        "superImportTaskReference": {
                                "link": "https://localhost/mgmt/cm/global/tasks/device-import/2835042a-c75a-4ce1-9939-d4bfd365622e"
                        }
                }
        ],
        "endDateTime": "2018-02-08T05:35:07.102-0800",
        "identityReferences": [
                {
                        "link": "https://localhost/mgmt/shared/authz/users/admin"
                }
        ],
        "kind": "cm:global:tasks:device-discovery-import-controller:discoveryandimportcontrollertaskitemstate",
        "name": "reimport_device_specific_config_in_access_group",
        "operationalMode": "EXISTING_DEVICE",
        "ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
        "selfLink": "https://localhost/mgmt/cm/global/tasks/device-discovery-import-controller/19426d42-2b9b-48ad-aa61-e83460982933",
        "snapshotWorkingConfig": true,
        "startDateTime": "2018-02-08T05:34:08.952-0800",
        "status": "FINISHED",
        "userReference": {
                "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        "username": "admin"
}

Result

By using the BIG-IQ API to perform the above tasks, users can write a script for re-importing a device-specific configuration for devices in an Access group.
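
The following sketch of such a script is an added example, not code from the BIG-IQ product or its documentation. It selects the devices that belong to an Access group from a MachineID Resolver response, builds the task body shown above, and polls until the task reaches FINISHED or FAILED, reporting any device whose deviceStatus is not FINISHED. The function names, the caller-supplied fetch_task callable (which performs the authenticated GET) and the sample data are assumptions made for illustration.

```python
import time

def devices_in_access_group(resolver_response, group_name):
    """Return the selfLink of every device whose Access properties name group_name."""
    return [item["selfLink"] for item in resolver_response.get("items", [])
            if item.get("properties", {}).get("cm-access-allBigIpDevices", {})
                   .get("cm:access:access-group-name") == group_name]

def build_reimport_task(group_name, device_links):
    """Build the POST body for the device-discovery-import-controller task."""
    if not device_links:
        raise ValueError(f"no devices found in Access group {group_name!r}")
    return {
        "name": "reimport_device_specific_config_in_access_group",
        "operationalMode": "EXISTING_DEVICE",
        "deviceDetails": [{"deviceReference": {"link": link}} for link in device_links],
        "conflictPolicy": "USE_BIGIP", "deviceConflictPolicy": "USE_BIGIP",
        "snapshotWorkingConfig": True,
        "accessGroupName": group_name,
    }

def wait_for_task(fetch_task, interval=5.0, max_polls=60):
    """Poll until status is FINISHED or FAILED; return (status, unfinished devices)."""
    for _ in range(max_polls):
        task = fetch_task()  # hypothetical caller-supplied GET of the task selfLink
        if task.get("status") in ("FINISHED", "FAILED"):
            unfinished = {d["deviceReference"]["link"]: d.get("deviceStatus")
                          for d in task.get("deviceDetails", [])
                          if d.get("deviceStatus") != "FINISHED"}
            return task["status"], unfinished
        time.sleep(interval)
    raise TimeoutError("task did not reach FINISHED or FAILED")

# Constructed sample data, trimmed to the fields the functions read.
LINK = "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
SAMPLE_RESOLVER = {"items": [
    {"selfLink": LINK, "properties": {
        "cm-access-allBigIpDevices": {"cm:access:access-group-name": "TEST"}}},
    {"selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/<other_uuid>", "properties": {}},
]}
SAMPLE_POLLS = [
    {"status": "STARTED", "deviceDetails": [
        {"deviceReference": {"link": LINK}, "deviceStatus": "DISCOVERY_STAGE"}]},
    {"status": "FINISHED", "deviceDetails": [
        {"deviceReference": {"link": LINK}, "deviceStatus": "FINISHED"}]},
]

if __name__ == "__main__":
    body = build_reimport_task("TEST", devices_in_access_group(SAMPLE_RESOLVER, "TEST"))
    print(body, wait_for_task(iter(SAMPLE_POLLS).__next__, interval=0))
```

A non-empty second element in the returned tuple lists the devices to investigate before the re-imported configuration is relied on.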