Forum Discussion

bsb
Sep 25, 2019

WAF sync across DC

We have a pair of LTM + WAF devices in location X in HA, and also a pair of LTM + WAF devices in location Y configured in HA.

As of now, I am manually exporting all the ASM (WAF) policies from location X and importing them to location Y.

There are a lot of mismatches and it doesn't work as expected whenever we do a switchover of traffic from location X to location Y.

Is there a way we can configure all 4 devices to sync only the WAF policies, while the LTM configuration would still be different?

Thanks

6 Replies

  • I have actually been looking at this for about 6 months, and plan on implementing it this Sunday in my environment. I'm currently using cron jobs to export the policy, SCP the policy to the other device, then import and overwrite it on that device. The cron jobs keep getting deleted and I have to reestablish device trust using a private key every time I upgrade...


    The documentation on doing this is below, but my understanding is that the basic steps are:

    • Add device as Peer
    • Create a Sync-Only Device Group, using either "Manual with Incremental Sync" or "Automatic with Incremental Sync"
    • Open port TCP 4353 on Firewall between devices and ensure they can route to each other
    • Establish Device Trust by syncing the "device_trust_group"
    • Go to Security > Options > Application Security > Synchronization, and add both devices to the Sync-Only Device Group
    • Click Sync

    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/37.html


    I'm planning this on the weekend just in case it does sync more than just the ASM portion. I'll be taking backups beforehand just in case it breaks everything.

    • bsb

      Oh great, my worry was whether the LTM configuration would also get synchronized, as they are in different IP ranges.

      It's a production env in my case, I can't perform testing.

      • DanS92

        I'm in the exact same situation... If LTM gets synchronized my production environment will break. My understanding is that the "Incremental Sync" only syncs the portions that you specifically configure it to sync.

        Like with ASM, you can go to Security > Options > Application Security > Synchronize to tell it to sync the ASM portion.

        It looks like APM has a similar feature under Access > Profiles/Policies > Policy Sync.

        My change got pushed back due to network issues in my environment, so I won't be able to do it for a few more weeks...

    • DanS92

      bsb,


      I was finally able to implement this in my environment. I can definitively confirm that if you follow the steps in the linkedin article to create a Device Group that is Sync-Only and uses Incremental Sync, your LTM config will not sync.

      You just have to be very careful to never accidentally sync the global device group. It should prompt you with a warning if you accidentally click the sync button for that device group. Your device_trust_group Device Group, and your ASM Sync Device Group should be in sync, but not the global. Feel free to reach out to me with any questions you have on configuring this!


      The only potential hangups I can foresee are that you have to allow destination port TCP 4353 between the devices on your firewalls, and that the ASM policies and the VIPs attached to them need to have the same name.


      Thanks,


      Dan
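The naming caveat in the last reply (ASM policies and the VIPs they are attached to must carry the same names on both sites) is easy to check before the first sync. The script below is an added example, not code from the thread or from F5: it compares the policy and virtual-server inventories of the two sites and lists every name that exists on one side only. It runs offline on constructed sample data; `fetch_inventory` is the live variant and assumes the iControl REST collections `/mgmt/tm/asm/policies` and `/mgmt/tm/ltm/virtual` with basic auth, and that each policy item exposes its attached VIPs under a `virtualServers` list (an assumption about the response shape).

```python
from typing import Dict, List, Set

# Constructed sample inventories, shaped like the "items" lists that the
# iControl REST collections /mgmt/tm/asm/policies and /mgmt/tm/ltm/virtual
# return (only the fields this check uses; the field names are assumptions).
SITE_X = {
    "policies": [{"name": "app1_policy", "virtualServers": ["/Common/app1_vs"]},
                 {"name": "app2_policy", "virtualServers": ["/Common/app2_vs"]}],
    "virtuals": [{"fullPath": "/Common/app1_vs"}, {"fullPath": "/Common/app2_vs"}],
}
SITE_Y = {  # app2_policy was never imported, and app2's VIP is spelled differently
    "policies": [{"name": "app1_policy", "virtualServers": ["/Common/app1_vs"]}],
    "virtuals": [{"fullPath": "/Common/app1_vs"}, {"fullPath": "/Common/app2-vs"}],
}


def names(items: List[Dict], key: str) -> Set[str]:
    return {item[key] for item in items}


def compare_sites(x: Dict, y: Dict) -> Dict[str, Set[str]]:
    """Return the name mismatches that would trip up an ASM sync-only device group."""
    px, py = names(x["policies"], "name"), names(y["policies"], "name")
    vx, vy = names(x["virtuals"], "fullPath"), names(y["virtuals"], "fullPath")
    # VIPs referenced by a policy on X that have no same-named VIP on Y:
    # after a sync the policy would arrive on Y with nothing to attach to.
    dangling = {vs for p in x["policies"]
                for vs in p.get("virtualServers", []) if vs not in vy}
    return {
        "policies_missing_on_y": px - py,
        "policies_missing_on_x": py - px,
        "vips_missing_on_y": vx - vy,
        "vips_missing_on_x": vy - vx,
        "x_policy_vips_absent_on_y": dangling,
    }


def fetch_inventory(host: str, auth) -> Dict:
    """Live variant: pull the same two collections from one BIG-IP over iControl REST."""
    import requests  # only needed for the live path
    base = f"https://{host}/mgmt/tm"
    policies = requests.get(f"{base}/asm/policies", auth=auth, verify=True).json()["items"]
    virtuals = requests.get(f"{base}/ltm/virtual", auth=auth, verify=True).json()["items"]
    return {"policies": policies, "virtuals": virtuals}


if __name__ == "__main__":
    for check, missing in compare_sites(SITE_X, SITE_Y).items():
        print(f"{check}: {sorted(missing) or 'none'}")
```

`verify=True` expects the management interface to present a certificate your host trusts; run the check against both directions (X vs Y and Y vs X) if policies are authored on either site.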