Forum Discussion

Jun 27, 2019
Solved

Consequences of Not Syncing ASM's datasync-global-dg?

Evening team,

 

I have several scenarios in which my device trust spans multiple sites in order to service sync-only device-groups that are used to sync ASM policy. That being said, syncing the datasync-global-dg device-group makes me apprehensive, as it is documented via KBs and via the in-GUI pop-up that all but the device we choose to push from will go to an offline state for a few minutes upon initial sync. Therefore - even at my sites that have HA via a sync-failover device-group, it seems I will have downtime? Is that assumption correct?

 

If so, it will be nearly impossible to take multiple sites offline simultaneously due to business requirements. It's noted that the device group "synchronizes the system client-side scripts as well as the system cryptographic keys". What does that mean in layman's terms? How are these things relevant to my production workloads passing through the F5s? What are the consequences of never syncing this datasync-global-dg?

 

Thanks in advance.


4 Replies

  • Hi I R 101 110,

     

    Regarding the potential downtime, that would depend on whether or not the device you are syncing to is Active or not. If it is Active then yes there is a chance that it could cause some downtime. That is why F5 recommends that you sync from the Active device to the Standby device if possible. If that isn't possible then I would recommend scheduling a short maintenance window to do the sync if you can.

     

    Regarding the "system client-side scripts as well as the system cryptographic keys" part of the article, I have some short descriptions for those as well. System client-side scripts are JavaScript challenges ASM can inject into a webpage to detect if a client is a bot or a legitimate browser. ASM also uses private keys, aka "system cryptographic keys", to encrypt cookies such as the ASM main cookie. Those are synced via the datasync-global-dg and should only need to be synced very infrequently, as noted in the article.

     

    K16509: Overview of the datasync-global-dg device group

    https://support.f5.com/csp/article/K16509

     

    I hope this helps to answer your questions.

    • I_R_101_110

      Thank you for your reply. I gathered as much from the documentation, but what I am really looking for is what kind of negative impact not syncing the device group would have. My JavaScript challenges and my ASM cookies seem to be working appropriately across the board; I want to know the necessity and priority I should give to this undesirable downtime. From my pane of glass, it doesn't seem to be absolutely necessary?

      • Nathan_F__F5_

        My pleasure. I was actually able to discuss this with a colleague and provide a bit more information to hopefully answer your question. Basically, datasync-global-dg is used to keep the JS generated on each device compatible with each other. It's not a direct sync of JS, but of other meta data needed to ensure that in the event of a failover, the traffic to the newly active unit isn't blocked due to incompatible ASM/Adv. WAF JS from the previously active unit. If this device group is not in sync, the meta data will not sync, and Attack Signature Updates or Live Updates for the JS-engine will not be fully applied until it goes back into sync.

         

        In short, while the group is out of sync, the necessary meta data will not be updated on either device. This is because the live updates must be installed at the same time on all of the CMI devices. Otherwise, users may get falsely blocked when traffic is shared between the devices. On top of that, since the group is currently out of sync there is a chance that if you were to fail over that users might trigger false positives on the peer that they weren't triggering on the currently Active unit.

         

        Hopefully this helps to answer your main question regarding the potential consequences of not syncing that group.
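The two operational points made in this thread are that the datasync-global-dg sync should be pushed from the Active unit (syncing to an Active device is what risks the brief outage) and that an out-of-sync group leaves JS-engine live-update metadata unapplied until it is brought back in sync. The script below is an added example, not code from the thread or from F5: a small pre-check wrapper that reads the failover state and the config-sync state and only recommends the push when this device is Active and the group is not already in sync. The tmsh commands it references (`show cm failover-status`, `show cm sync-status`, `run cm config-sync to-group`) are real BIG-IP tmsh commands, but the output layout it parses is assumed from typical output and should be checked against your version; the `SAMPLE_*` strings are constructed so the check can be exercised off-box.

```shell
#!/bin/sh
# Added example (not from the thread or F5): decide whether it is safe and
# useful to push datasync-global-dg from this unit. Assumes tmsh output where
# a line beginning with "Status" carries the state (verify on your version).

DG="${DG:-datasync-global-dg}"

# Constructed sample outputs, used when tmsh is not on PATH (off-box dry run).
SAMPLE_FAILOVER='-----------------
CM::Failover Status
-----------------
Color   green
Status  ACTIVE
Summary 1/1 active'

SAMPLE_SYNC='-----------------------------------------
CM::Sync Status
-----------------------------------------
Color                 yellow
Status                Changes Pending
Mode                  high-availability
Summary               There is a possible change conflict between devices'

# failover_state: read "show cm failover-status" output on stdin,
# print ACTIVE / STANDBY (the second column of the "Status" line).
failover_state() {
    awk '$1 == "Status" { print $2; exit }'
}

# sync_state: read "show cm sync-status" output on stdin, print the full
# Status text (e.g. "In Sync", "Changes Pending"), which may contain spaces.
sync_state() {
    awk '$1 == "Status" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# decide FO_STATE SYNC_STATE: print the recommended action. The sync is only
# recommended from the Active unit, matching the advice given in the thread.
decide() {
    fo="$1"; sync="$2"
    if [ "$fo" != "ACTIVE" ]; then
        echo "skip: run the sync from the Active unit (this unit is $fo)"
    elif [ "$sync" = "In Sync" ]; then
        echo "skip: $DG already in sync"
    else
        echo "sync: $DG is '$sync'; push from this Active unit with: tmsh run cm config-sync to-group $DG"
    fi
}

# Gather the two states: from tmsh on a BIG-IP, from the constructed samples
# elsewhere. The script never runs the sync itself; it only prints the action.
if command -v tmsh >/dev/null 2>&1; then
    fo=$(tmsh show cm failover-status | failover_state)
    sync=$(tmsh show cm sync-status | sync_state)
else
    fo=$(printf '%s\n' "$SAMPLE_FAILOVER" | failover_state)
    sync=$(printf '%s\n' "$SAMPLE_SYNC" | sync_state)
fi
decide "$fo" "$sync"
```

Run it on the Active unit before a planned maintenance window; when it prints a `sync:` line, the quoted tmsh command is the manual push the thread describes, and the Standby peer is the one expected to go briefly offline during that initial sync. Note that `show cm sync-status` reports the device's overall config-sync state, so the script is a guard against pushing from the wrong unit or pushing needlessly, not a per-group status report.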