Forum Discussion
Consequences of Not Syncing ASM's datasync-global-dg?
- Jul 01, 2019
My pleasure. I was actually able to discuss this with a colleague and provide a bit more information to hopefully answer your question. Basically, datasync-global-dg is used to keep the JS generated on each device compatible with each other. It's not a direct sync of JS, but of other metadata needed to ensure that in the event of a failover, the traffic to the newly active unit isn't blocked due to incompatible ASM/Adv. WAF JS from the previously active unit. If this device group is not in sync, the metadata will not sync, and Attack Signature Updates or Live Updates for the JS-engine will not be fully applied until it goes back into sync.
In short, while the group is out of sync, the necessary metadata will not be updated on either device. This is because the live updates must be installed at the same time on all of the CMI devices. Otherwise, users may get falsely blocked when traffic is shared between the devices. On top of that, since the group is currently out of sync, there is a chance that if you were to fail over, users might trigger false positives on the peer that they weren't triggering on the currently Active unit.
Hopefully this helps to answer your main question regarding the potential consequences of not syncing that group.
Thank you for your reply. I gathered as much from the documentation, but what I am really looking for is what kind of negative impact not syncing the device group would have. My JavaScript challenges and my ASM cookies seem to be working appropriately across the board; I want to know the necessity and priority I should give to this undesirable downtime. From my pane of glass, it doesn't seem to be absolutely necessary?
