Boosting BIG-IP AFM Efficiency with BIG-IQ: Technical Use Cases and Integration Guide

Introduction

Security teams depend on BIG-IP’s Advanced Firewall Manager (AFM) to deliver robust DDoS protection and granular access control, but managing these protections at scale requires centralized intelligence and streamlined workflows. Here comes BIG-IQ, the platform that transforms how BIG-IP AFM is managed across the enterprise.

Whether you're looking to centralize firewall rule management, gain visibility into real-time security metrics, or automate backup and restoration of device configurations, BIG-IQ offers the tools to operationalize and optimize BIG-IP AFM deployments.

This article shows how to connect BIG-IQ with BIG-IP AFM. It also talks about how to set up the system, best practices, and the real benefits of using a centralized security management model.

 

Understanding Components

In this section we go through the main components, BIG-IP AFM, BIG-IQ CM and BIG-IQ DCD,

 

BIG-IP AFM

BIG-IP AFM is a full-proxy, firewall module designed to protect applications and infrastructure against DDoS attacks and malicious traffic. It provides:

• Stateful firewalling
• IP intelligence and geolocation enforcement
• DoS protection

BIG-IQ CM

It is F5's centralized management and analytics platform that supports:

• Centralized device and policy management
• Automated backups and version control
• Real-time event logging and dashboards

BIG-IQ DCD

This is responsible for gathering logs from the deployments,

• Centralized Data collection.
• Data storage and processing.
• Can operate in cluster.

 

 

BIG-IQ to transform BIG-IP AFM experience

BIG-IQ enhances the way network and security teams work with BIG-IP AFM, by providing:

• Centralized Policy Management: Define, deploy, and monitor firewall policies from a single interface.
• Analytics and Logging: View real-time DDoS and ACL event dashboards.

• Automated Backups: Schedule regular configuration backups and quickly restore devices.
• Operational Consistency: Prevent misconfiguration with version control and role-based access.

 

 

BIG-IQ deployments

BIG-IQ can fit in different deployments, ranging from a simple version without any DCDs just BIG-IQ CM up to BIG-IQ CM and DCD with separate internal network between cluster members.

• A simple version with only BIG-IQ CM to manage configurations, perform devices backup, and view stats and analytics without Data Collection Devices. 

 

• A version where we need Data Collection Devices. In this version, we have: 
  • BIG-IQ CM
  • BIG-IQ DCD
  • Remote storage server for data and backup archive.

 

• In a more advanced scenario, we can have separate cluster networks connecting BIG-IQ CM and BIG-IQ DCDs to achieve further segmentation between network flows.

 

 

Integration Walkthrough

Installing BIG-IQ Centralized Manager

1. Deploy the BIG-IQ Virtual Machine (Can be completed via Hardware/VE):
• Use your preferred hypervisor (For example., VMware, Hyper-V) to deploy the BIG-IQ OVA or ISO image.
• Allocate resources as per the BIG-IQ system requirements.
2. Initial Configuration and Licensing:
   
   
• Access the BIG-IQ GUI via a web browser using the management IP.
• Log in with default credentials and change the password upon first login.
• Configure network settings, DNS, and NTP.
• Enter your license key and activate it online or manually if required.
3. High Availability (Optional):
• For HA setup, deploy a second BIG-IQ instance.
• Navigate to System > High Availability and follow the prompts to pair the devices.

 

 

Setting Up Data Collection Devices (DCDs)

 

1. Deploy DCD Virtual Machines:
• Similar to BIG-IQ, deploy the DCD OVA or ISO images on your hypervisor.
• Ensure each DCD has network connectivity to the BIG-IQ manager.
2. Initial Configuration:
• Access each DCD via SSH or console.
• Configure network settings, DNS, and NTP.
3. Add DCDs to BIG-IQ:
• In the BIG-IQ GUI, navigate to System > BIG-IQ Data Collection > BIG-IQ Data Collection Devices.
• Click Add, enter the DCD's IP address, and provide administrative credentials.
• Repeat for each DCD you wish to add.
4. Cluster Configuration:
• Once all DCDs are added, navigate to System > BIG-IQ Data Collection > BIG-IQ Data Collection Cluster.
• Configure the cluster settings, including replication factors, based on your data retention and performance requirements.

 

Configuring Data Collection and Retention Policies

1. Statistics Collection:
• Navigate to Monitoring > Statistics Collection.
• Enable statistics collection for desired BIG-IP devices and modules.
2. Retention Policies:
• In the BIG-IQ GUI, go to System > BIG-IQ Data Collection > BIG-IQ Data Collection Cluster.
• Under Configuration, set data retention periods for different data types (For example., events, alerts, statistics).
3. Snapshot Schedules:
   • Navigate to System > BIG-IQ Data Collection > BIG-IQ Data Collection Cluster.
   • Under Configuration, select External Storage & Snapshots.
   • Define snapshot schedules based on your organization's requirements.
• To create snapshots of your DCD data:

 

Integrating BIG-IP AFM and BIG-IQ

 

1. Discover BIG-IP Devices:
• Navigate to Devices > BIG-IP Devices.
• Click Add Device, enter the management IP, credentials, and select the services to manage.
2. Import and Manage Configurations:
• After discovery, import configurations and manage services like LTM, ASM, AFM, etc., directly from BIG-IQ.
3. Monitoring and Alerts:
• Use the Monitoring section to view real-time statistics, logs, and alerts from managed BIG-IP devices.

 

 

Managing BIG-IP AFM from BIG-IQ 

In the previous section, we integrated our F5 BIG-IP AFM with BIG-IQ Central Manager and enabled logging on the Data Collection Device.

Once we integrate and import the configurations, we can see the configurations and dashboard at BIG-IQ CM.

Enabled features for BIG-IP AFM,

• Network Firewall.
• DoS/DDoS protection.
• IP reputation.
• Scrubbing center.

Enable Logging / statistics BIG-IP

From BIG-IQ dashboard,

• Go to Devices > Select the BIG-IP device.
• Click on Enable / Disabled under statistics collection column.
• Enable statistics collection and analytics.

 

 

Managing BIG-IP from BIG-IQ

Deploying Configurations

BIG-IQ provides a centralized dashboard for both configuring BIG-IP and dashboard monitoring.

• From the configurations tab, Create the new version of configuration you need, whether virtual server, network policy, network configurations or something else.

 

• Once the virtual server is created, we add the virtual server context to add specific policies

 

Dashboard and Monitoring

Head to dashboard tab and we can observe AFM statistics at two main levels,

• DDoS protection dashboard
• AFM rules specific dashboard.

In DDoS dashboard we can observe different types of information

• Attacks and filter on wide range of functions.

• BIG-IQ scheduled reports can help provide daily, weekly, or custom-defined period reports that are beneficial to both operations and management.
• Network DoS and filter on different flow elements.

• Add events to the same graph to highlight any system event during specific traffic conditions.

In the AFM specific dashboard, we can observe:

• AFM firewall rules hit count.

 

• Ability to include IP reputation.
• Ability to view event logs in a centralized location.

 

 

Conclusion

Integrating BIG-IQ with BIG-IP AFM empowers network security teams with a scalable, centralized approach to firewall management. From simplifying policy deployment and automating backups to delivering deep visibility through logging and analytics, BIG-IQ transforms how AFM is operationalized. For teams managing complex, distributed environments, this integration is not just helpful, it’s essential.

 

Related Content

• BIG-IQ Planning and deployment
• BIG-IQ Sizing
• BIG-IQ Labs