
Forum Discussion

Chris_FP
Jun 23, 2014

CyberARK integration - Active Passive pairs (or will apply to 3+ device groups)

The organisation I work for insists that all privileged access is controlled via CyberArk such that passwords are reset following use. In the same vein, we want to prevent unauthorised use of the F5 estate, so the CyberArk user ID used to reset passwords is configured as "user manager".


This will work well until we get to our LTMs, which are in an active/passive setup, because when the user ID is changed on either device in the pair the config must be synced over to the other device (manual sync is mandatory to prevent an incorrect config change on one box from being automatically propagated to the other box before verifying it has worked).


The command to sync the boxes, "run cm config-sync to-group <group>", however, is NOT available to a "user manager", and we are at an impasse with regards to getting our privileged accounts into CyberArk.


Given that we cannot give them a full admin account, does anybody know of a workaround for this issue?


3 Replies

  • I don't know of any way of solving this, but do you really want the synchronization to be handled by an external program? Sometimes it's useful when testing config to synchronize the other way, i.e. for a quick rollback. If another program synchronizes the config it could put you in a difficult spot.


    If you want though, there's an option for automatic synchronization in v11 (available when creating or configuring device groups).


    /Patrik


  • Hi Chris, I work for CyberArk in the UK and just saw your post, following which I wanted to reach out and offer any assistance that I can. As you know, the solution is capable of automatically changing the password on the F5 devices, but I am not overly familiar with this specific configuration that you mentioned. There is a lot of flexibility in terms of what we can do when invoking a password change process and protecting the accounts in use. If you are interested in doing so, I would be more than happy to have a more direct conversation so that I can share more with you around capability and options, whilst also understanding more from yourself about the current configuration. Thanks, David
  • Hi David, I'd def be interested in chatting. Check out my LinkedIn profile so we can connect etc.