Forum Discussion
Evan_25555
Jan 04, 2012 (Historic F5 Account)
Best Practice - Policy management when there are several instances of the same application behind several ASM's
It seems to me that there are several ways to go. 1) Manage each security policy in isolation. At a minimum, this is something of a burden since you would be reviewing and acting on violati...
Mike__Maher_108
Jan 05, 2012 (Nimbostratus)
So I am in the same situation as you are, with 4 ASMs, 2 in each data center, and we have multiple applications that run through them. Same sort of thing where one application is identical across all 4 ASMs and we have to keep policy in sync. I am currently running the same version as you are as well. The process I have here is that we use a testing environment that is a copy of production to do learning for major changes to the application. I also have a form and spreadsheet that I send to the developers to have them fill out all the file types, URLs, parameters and information on the values. Then we normally take that information and build policy in the test environment, put the policy in blocking and have the users test. Then we copy the policy from the test environment to all 4 production boxes; from there any violations should be minimal, so we just manually adjust all 4 boxes when needed, which is not all that often.
You are probably thinking this is very tedious and time consuming, and it is a bit, but once you get people rolling in the process it is not that bad. You spend a bit of time building policy during the development phase of the application and dealing with a few blocks during testing, but once you go to production you should see very few violations to manage across all the devices. This process and the forms we use have been refined over the last 4 years of working with ASM, and it took a bit of teeth pulling from the developers to get them on board, but it works quite nicely now.
Having said all that, I will say I am planning to upgrade to 11.x code sometime this year and look forward to the features Aaron described, as it will save some time in production. So ultimately, if you have the ability to upgrade to 11.x and use the new sync features, I would go that route.
spalande
Feb 26, 2014 (Nacreous)
Hi Mike. Can you be kind enough to share the form and spreadsheet which you send to developers to fill out to build the policy? Thanks, palande.sanjay@gmail.com