Forum Discussion

I_R_101_110
Jun 27, 2019
Solved

Consequences of Not Syncing ASM's datasync-global-dg?

Evening team, I have several scenarios in which my device trust spans multiple sites in order to service sync-only device-groups that are used to sync ASM policy. That being said, syncing the d...
    Nathan_F__F5_
    Jul 01, 2019

    My pleasure. I was actually able to discuss this with a colleague and provide a bit more information to hopefully answer your question. Basically, datasync-global-dg is used to keep the JS generated on each device compatible with each other. It's not a direct sync of JS, but of other metadata needed to ensure that in the event of a failover, the traffic to the newly active unit isn't blocked due to incompatible ASM/Adv. WAF JS from the previously active unit. If this device group is not in sync, the metadata will not sync, and Attack Signature Updates or Live Updates for the JS engine will not be fully applied until it goes back into sync.

    In short, while the group is out of sync, the necessary metadata will not be updated on either device. This is because the live updates must be installed at the same time on all of the CMI devices. Otherwise, users may get falsely blocked when traffic is shared between the devices. On top of that, since the group is currently out of sync, there is a chance that, if you were to fail over, users might trigger false positives on the peer that they weren't triggering on the currently Active unit.

    Hopefully this helps to answer your main question regarding the potential consequences of not syncing that group.
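Because the answer above describes an out-of-sync datasync-global-dg as a silent condition (updates simply stop applying until the group is back in sync), the practical defensive step is to monitor the group's sync state rather than rely on noticing false positives after a failover. The following is an added example, not code from the thread or from F5: it parses the text report of `tmsh show cm sync-status` and flags any device group, including datasync-global-dg, that is not "In Sync" or is missing from the report entirely. The sample report is constructed, and its exact layout (a `Details` section with `group (Status): message` lines) is an assumption modelled on that command's output; adjust the regex to what your BIG-IP version prints.

```python
"""Flag BIG-IP device groups that are out of sync from `tmsh show cm sync-status` output.

Added example, not from the forum thread or from F5. The sample output below is
constructed and its layout is an assumption modelled on the command's report.
"""
import re

# Constructed sample of `tmsh show cm sync-status` output (assumed layout).
SAMPLE_SYNC_STATUS = """\
--------------------------------------------------------------------------
CM::Sync Status
--------------------------------------------------------------------------
Color                          yellow
Status                         Changes Pending
Mode                           high-availability
Summary                        There is a possible change conflict between bigip-a.example.com and bigip-b.example.com.
Details
    asm-sync-dg (In Sync): All devices in the device group are in sync
    datasync-global-dg (Changes Pending): There is a possible change conflict between bigip-a.example.com and bigip-b.example.com.
     - Recommended action: Synchronize bigip-a.example.com to group datasync-global-dg
"""

# One detail line per device group: "<group> (<status>): <message>".
# Indented "- Recommended action" lines do not match and are skipped.
DETAIL_RE = re.compile(r"^\s+(?P<group>[\w.-]+) \((?P<status>[^)]+)\): (?P<message>.*)$")


def parse_sync_status(text):
    """Return {device_group: (status, message)} from the Details section."""
    groups = {}
    in_details = False
    for line in text.splitlines():
        if line.strip() == "Details":
            in_details = True
            continue
        if not in_details:
            continue
        m = DETAIL_RE.match(line)
        if m:
            groups[m.group("group")] = (m.group("status"), m.group("message"))
    return groups


def out_of_sync_groups(text, required=("datasync-global-dg",)):
    """List device groups whose status is anything other than 'In Sync'.

    Groups named in `required` but absent from the report are also flagged,
    because a missing ASM metadata group would otherwise go unnoticed.
    """
    groups = parse_sync_status(text)
    flagged = [g for g, (status, _) in groups.items() if status != "In Sync"]
    flagged += [g for g in required if g not in groups]
    return flagged


if __name__ == "__main__":
    parsed = parse_sync_status(SAMPLE_SYNC_STATUS)
    for name in out_of_sync_groups(SAMPLE_SYNC_STATUS):
        status, msg = parsed.get(name, ("missing", "not present in report"))
        print(f"{name}: {status} - {msg}")
```

Run it from a scheduled job that captures the live report (for example over SSH) and raise an alert on a non-empty result; the peer's Live Update state can then be checked before a planned failover instead of after users start seeing blocks.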