Consequences of Not Syncing ASM's datasync-global-dg?
Evening team,
I have several scenarios in which my device trust spans multiple sites in order to service sync-only device groups that are used to sync ASM policy. That being said, syncing the datasync-global-dg device group makes me apprehensive, as it is documented via KBs and via the in-GUI pop-up that all but the device we choose to push from will go to an offline state for a few minutes upon initial sync. Therefore, even at my sites that have HA via a sync-failover device group, it seems I will have downtime? Is that assumption correct?
If so, it will be nearly impossible to take multiple sites offline simultaneously due to business requirements. It's noted that the device group "synchronizes the system client-side scripts as well as the system cryptographic keys". What does that mean in layman's terms? How are these things relevant to my production workloads passing through the F5s? What are the consequences of never syncing this datasync-global-dg?
Thanks in advance.
My pleasure. I was actually able to discuss this with a colleague and provide a bit more information to hopefully answer your question. Basically, datasync-global-dg is used to keep the JS generated on each device compatible with each other. It's not a direct sync of JS, but of other metadata needed to ensure that in the event of a failover, the traffic to the newly active unit isn't blocked due to incompatible ASM/Adv. WAF JS from the previously active unit. If this device group is not in sync, the metadata will not sync, and Attack Signature Updates or Live Updates for the JS engine will not be fully applied until it goes back into sync.
In short, while the group is out of sync, the necessary metadata will not be updated on either device. This is because the live updates must be installed at the same time on all of the CMI devices. Otherwise, users may get falsely blocked when traffic is shared between the devices. On top of that, since the group is currently out of sync, there is a chance that if you were to fail over, users might trigger false positives on the peer that they weren't triggering on the currently Active unit.
Hopefully this helps to answer your main question regarding the potential consequences of not syncing that group.