Forum Discussion
VB_95896
Nimbostratus
Nov 18, 2008
ASM Configurations Active-Active
Hi,
I have got a little problem with 2 units "Big-IP ASM" (platform : "4100") running version "9.4.5" (+ Hotfix).
In an Active-Active configuration, I wish I could config...
VB_95896
Nimbostratus
Nov 20, 2008
Hi,
Thanks a lot for your answer.
Actually, it works without using MAC masquerading addresses. But I might test your scenario with 2 different mac masq @ (the interest being to avoid gratuitous ARP replies and subsequent latencies).
I am more concerned with the risks of an Active-Active configuration.
1) Monitoring of the load seems difficult. It first requires a definition of the MRL{conf} = "Maximum Required Load under a given configuration". MRL{conf} should then be monitored to be kept under 50%: before any configuration change, one would have to test (computation is never reliable enough...) MRL{new_conf} to make sure it is below 50%. First problem: the test could crash the unit. Second problem: certain configuration changes can't be forecast: (as far as I understood) an unknown change in a web application could cause the related security policy to increase its needs. Hence the requirement for a - possibly big - security margin...
2) A test showed that a config sync can produce a high load: in a scenario with 2 HTTP virtual servers, 2 active security policies (one blocking, the other not), and absolutely no traffic, a config sync took around 15 minutes and consumed up to 80% of CPU0 (a confirmation of your point). Knowing that before the sync, the single difference between the 2 units was only 1 basic security policy, what shall one expect with more advanced configurations?
How to interpret this test? Does it mean that, even in an active-standby configuration, one has to keep the load under 60% of the total CPU (CPU0 + CPU1)?
More generally, I wish I could answer the following question:
How does the processing power of a Big-IP ASM (PF 4100, VER 9.4.5, HF2) translate in terms of:
- max number of virtual servers/pools/nodes
- max number of active/standby security policies (nb of rollback versions, nb of active attack signatures)
- max number and scope of web applications (objects/parameters)
- ...
Any info is welcome,
Thanks,
VB
