Forum Discussion
Evan_25555
Jan 04, 2012 (Historic F5 Account)
Best Practice - Policy management when there are several instances of the same application behind several ASM's
It seems to me that there are several ways to go. 1) Manage each security policy in isolation. At a minimum, this is something of a burden since you would be reviewing and acting on violati...
hooleylist
Jan 05, 2012 (Cirrostratus)
Also, in 11.0 ASM added support for syncing policies across separate ASM units, though you can only have the Policy Builder running on one unit at a time. But you run it on the main ASM unit and then still tune the policy on other units using Learning or manual changes, and have the changes synchronized.
http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnotes_asm_11_0_0.html#new_feat
Device Management
Device management is a mechanism used to maintain a synchronized configuration between a group of Application Security Manager (ASM) enabled BIG-IP devices in a given network, called a device group. For ASM purposes, a device group comprises one or more BIG-IP devices using the same ASM configuration. All devices must run the same version of ASM. Using device management, all new security policies, and any configuration changes made to a security policy on one device, can be manually pushed to all other devices within the device group, even if you do not apply the security policy. However, we recommend you apply the security policy in order to ensure consistent enforcement among all devices.
If device management is used within different data centers, the logging profiles will also be synchronized, meaning that the Syslog server destination will be synchronized as well, even though it probably resides on a different address.
The Real Traffic Policy Builder® may be run on only one device for any given policy. Activating Policy Builder on any device will automatically disable Policy Builder for that policy on all other devices within the device group. All security policy configuration changes made by Policy Builder will be relayed and performed by all devices within the group.
If Attack Signature Update is configured for scheduled automatic updates, each device in the device group will update itself independently according to each device’s configured schedule. This update is not relayed to other devices.
You can select whether a preconfigured ASM device group’s devices are to be synchronized, and if so, which device group. Navigate to Application Security > Synchronization > Application Security Device Group.
Aaron