Forum Discussion
APM Policy Sync
Good day everyone!!
We have F5s deployed at 4 DCs in active/standby mode, so a total of 8 devices. We are using Access Policy Module for a remote access VPN solution. This was designed by our engineering team and I'm trying to understand the setup of the auto-sync policy because recently it was found that sync was not happening properly.
When I checked, we have 3 Device Groups:
1) Contains all the 8 F5s, sync-only and Full Sync checked, so this is Manual (not sure for what purpose?)
2) Contains all the 8 F5s, sync-only, Automatic Sync & Full Sync checked (this is intended for APM policy sync)
3) Contains 2 F5s, the local box and its redundant pair, sync-failover, Automatic Sync checked (this is for the Active/standby setup)
I'm trying to understand how the APM policy is getting synced automatically. For example, if I made a change to the policy in one box, do I need to log in to all the other three boxes and apply the policy manually? Does auto sync in APM mean only the data is getting transferred and we need to apply the policy, or is that done automatically as well?
Also, I heard something like this from my Architect which I couldn't understand: "There are three different types of configuration synchronization on F5 devices: TMOS, DNS, APM policy. The APM policy configuration synchronization uses the TMOS config sync only to transfer data to the redundancy active device. Once the active receives the updated APM policy it has to successfully load the policy before the standby device will receive the updated APM policy."
Thank you for your patience! Hoping to get a reply :)
Murali.
- murali_125469
Nimbostratus
Could someone please direct me to any documents or resources which explain F5 APM policy sync in detail? When I checked, I could only find a high-level overview.
Thanks in advance! Murali.
- Leonardo_Souza
Cirrocumulus
Each module syncs information differently, APM configuration is synced with LTM.
Can you provide the output from these commands?
tmsh list cm device-group
tmsh list sys provision
I can try to explain afterwards why there are multiple device groups.
Hey all. I posted a similar question a few weeks ago; it went unanswered but relates to this post.
https://devcentral.f5.com/questions/apm-policy-sync-synconly-group-56512
I do not see the same behavior. The APM policy change from a syncOnly group member does not automatically sync the APM policy to the other members. Syncing from Device Management does nothing. Syncing from Access Profiles -> Policy Sync does indeed sync the policy but the "Apply Access Policy" link appears on the other syncOnly members. The policy does not get automatically applied after syncing. v12.1.2HF2.
Auto sync and full sync are checked on the syncOnly group.
Any ideas? Thanks.
- Leonardo_Souza
Cirrocumulus
I will answer your question in the original post.
- Roman_B_248530
Nimbostratus
Hello experts,
I have been searching for an answer to a similar question. I need to clarify that configuring config-sync for ASM doesn't impact other modules - LTM/APM that live on the same F5 box. I have an environment with a sync-failover cluster consisting of 2 F5 devices in each data centre, so in total - 4 devices. Each cluster runs APM, LTM and ASM.
What I want is to configure sync only between clusters for ASM module not impacting other modules. So if I make ASM change on a cluster in 1st DC the change is synced to 2nd DC cluster. All other changes for LTM/APM are synced between devices in the particular DC cluster only - not propagated between clusters in different DCs.
If I add other boxes with ASM in a separate config-sync device group and refer to this group in "Security ›› Options : Application Security : Synchronization : Application Security Synchronization" section, will that sync ASM data not impacting LTM and APM? Can someone please confirm?
- Leonardo_Souza
Cirrocumulus
It should work with a sync-only device group with the 4 devices, and you then select that device group in the ASM.