This blog post will provide a high-level overview of the steps required for adding a new F5 BIG-IP device to an existing device group and syncing the group configuration to the new device. The steps listed below assume each BIG-IP device is of the same series and model, running the same software version, and therefore fully compatible.
It is possible to add a device of a different series and/or model to the device group and sync the configuration between them. However, if you use the embedded HSM to store your digital certificates and keys, the new BIG-IP device must be of the same series as the current device to sync that information. Otherwise, you will have to add your certificates and keys manually to the new device upon initial configuration, and again each time you renew or add new certificates and/or keys. For that reason, deploying a device group that mixes series may not be possible and is not advisable.
The information provided below is intended for educational purposes only and is in no way intended to supplant official guidance from F5 Support. Any use of the information contained herein is at your own risk.
Before getting started, several configuration tasks need to be completed. Each environment is different, and the following list may not be exhaustive.
Upon first boot, log in to the command line via the console and change the boot location to the version closest to, but not higher than, the version running on your existing BIG-IP device. In many cases, you will have to update the software from there to match your existing device exactly.
- The BIG-IP default login credentials are below
  - Username: root
  - Password: default
- You can use the following commands to see and change the default boot volume location
  - tmsh show sys software status
  - tmsh reboot volume <location>
After rebooting into the boot location with the software version nearest your existing device, use the screen on the front panel of the device to configure the management interface IP information and confirm access to the Configuration Utility GUI via the web browser. The default login credentials are below:
- Username: admin
- Password: admin
The next step will be the initial BIG-IP setup, during which you will configure basic device settings. Again, this list may not be exhaustive and there may be some sections you can skip and configure later.
- License activation & module provisioning
- Device certificate
- NTP & DNS
The final preparation step is to update the BIG-IP device software version to the same version running on your existing device(s). You can download the BIG-IP software from downloads.f5.com and then upload it to your device to perform the update.
- Install the software
  - Navigate to System > Software Management > Image List
  - Click Import to browse your local system and upload the .iso file which contains the BIG-IP software version you want to install
  - Once the upload is complete, you will see it in the list of available images
  - Click the checkbox next to the software image you want to install, then click the install button below.
  - On the next screen, you will need to provide a boot location and then proceed with the install.
- Change the boot location to the new software
  - Once the install is complete, click the Boot Locations tab from across the top of this page, select the newly installed software image, and click the Activate button to change to the new boot location.
Add New Device to Existing Device Group and Sync Configuration
Before we can add the new device to the device group, a few more configuration items need to be addressed on the new BIG-IP. All of the below configuration settings can be accessed in the Device Management and Network areas of the Configuration Utility located in the navigation bar down the left side of the screen.
- Create VLANs
- Assign Interfaces to VLANs
- Add Self-IPs
- Create Default Route
- Assign ConfigSync Local Address
- Assign Failover Network
After making the above configurations to the new device, make sure the device is in the “Forced Offline” state to avoid any potential network problems until after the initial syncing of the configuration is complete.
- From the existing device, you will then need to add the new device to the Device Trust Members as a “Peer” device and supply the following information for the new device.
  - IP address
  - Admin credentials
- After establishing device trust with the new device, it should be in “Offline (Standby)” mode.
Lastly, you are ready to sync the configuration between the devices. Be sure to do this from the existing device.
- Navigate to Device Management > Overview
- Select the existing device (self) and use the “Push” option to complete the sync.
- You may need to perform this action a couple of times.
Log in to the new device and confirm the configuration has been successfully synced over. The best way to do this is to pull up the Network Map on both the existing and new devices and compare. From this screen, you will be able to see objects such as Virtual Servers, Pools, Pool Members, Nodes, iRules, etc.
If you make use of the ASM module, be sure to check the Application Security Policies. In my experience, while the policies do sync over, the Enforcement Mode was set to “Blocking” for every policy. This may not be the desired configuration, and you will need to change the Enforcement Mode manually on a per-policy basis to meet the needs of your environment.
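One way to script the comparison described in the two paragraphs above, as an added example that is not the author's or F5's code: it diffs object inventories exported from the existing and new devices and flags any ASM policy whose Enforcement Mode differs after the sync. The snapshot layout, the "fullPath" and "enforcementMode" field names, and every sample value are assumptions made for illustration; adapt them to whatever export you take from your own devices.

```python
# Added example: diff two BIG-IP configuration snapshots after a ConfigSync.
# Snapshot layout and all sample values are constructed; "fullPath" and
# "enforcementMode" are assumed to match the fields in your own export.

EXISTING = {
    "virtual": [{"fullPath": "/Common/vs_web_443"}, {"fullPath": "/Common/vs_api_443"}],
    "pool": [{"fullPath": "/Common/pool_web"}, {"fullPath": "/Common/pool_api"}],
    "asm_policy": [
        {"fullPath": "/Common/asm_web", "enforcementMode": "transparent"},
        {"fullPath": "/Common/asm_api", "enforcementMode": "blocking"},
    ],
}
NEW = {
    "virtual": [{"fullPath": "/Common/vs_web_443"}, {"fullPath": "/Common/vs_api_443"}],
    "pool": [{"fullPath": "/Common/pool_web"}],  # pool_api did not arrive
    "asm_policy": [
        {"fullPath": "/Common/asm_web", "enforcementMode": "blocking"},  # drifted
        {"fullPath": "/Common/asm_api", "enforcementMode": "blocking"},
    ],
}


def by_path(items):
    """Index a list of exported objects by their full path."""
    return {item["fullPath"]: item for item in items}


def compare_snapshots(existing, new, watched=("enforcementMode",)):
    """Return (kind, fullPath, problem) tuples; an empty list means no drift."""
    findings = []
    for kind in sorted(set(existing) | set(new)):
        old, cur = by_path(existing.get(kind, [])), by_path(new.get(kind, []))
        for path in sorted(old.keys() - cur.keys()):
            findings.append((kind, path, "missing on new device"))
        for path in sorted(cur.keys() - old.keys()):
            findings.append((kind, path, "only on new device"))
        for path in sorted(old.keys() & cur.keys()):
            for field in watched:
                before, after = old[path].get(field), cur[path].get(field)
                if before != after:
                    findings.append((kind, path, f"{field}: {before} -> {after}"))
    return findings


if __name__ == "__main__":
    for kind, path, problem in compare_snapshots(EXISTING, NEW):
        print(f"{kind:<12} {path:<22} {problem}")
```

Run it before bringing the new device online; any finding is something to resolve by hand or by another Push from the existing device.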
Once you have confirmed that everything is as desired configuration-wise between your devices, you are ready to bring the new BIG-IP device online and fail over to it. At this point, you can monitor traffic from the Statistics tab to ensure that the Virtual Servers are processing traffic as expected. If you notice any issues or receive reports of issues from users, you can always fail back over to the original device while troubleshooting.