Jun 20, 2011

Exporting ASM policies into existing LTM box

Hi all,



I have an existing ASM 3600 and I wish to export the application security classes and the security policies and then import and merge them into an existing LTM 3900 box.




The license for the ASM will also be transferred to the 3900 LTM box.




Can anyone advise me if it is possible?


    Chen Tat,



    There's a script on codeshare that may help. I've never had to use it myself though, and I'm not 100% sure you can import on another device, but thought you'd appreciate the link nonetheless. Something to try at least.





  • I'd check with your F5 or partner account manager. Normally it is not possible to transfer an addon license between units.



    If you do have a license for ASM, it might be simplest to follow the RMA replacement process:





    This will save you from needing to manually create the HTTP class objects and import the ASM policies. Make sure to:



    name the 3900 with the same hostname as the 3600 when the 3600 UCS was exported


    back up the 3900 license and config to a UCS off the box



  • @hoolio: Would there be any problems if my old 3600 is on version 9 and the new 3900 is on version 10?



    @nathan: As for the ASM export command, is there an ASM IMPORT command? The thing is, after exporting out, is there any way to import it into another ASM unit?



    As for the license, the ASM on the 3600 is a standalone license, and it will be transferred into the 3900 as an add-on license.



    Or are there any simpler ways to export the policies and import it into the new box?
    Having not used it I presume you can scp the exported tgz file to the new box and then do a restore in the Archives section.



  • Which specific 9.x version are your policies? How many policies do you have? How complex are the policies you've deployed?



    There were some significant improvements and changes to ASM in 9.4.2. If your policies are from before that I'd strongly consider rewriting them from scratch on v10. You can take a lot of the basics from the old v9 policy and configure it manually in the v10 policy, but so much changed in 9.4.2 that I don't think it's useful to use the policies which are automatically generated by ASM in an upgrade from pre-9.4.2 to 9.4.2+. You might also consider using the 10.2.2 policy builder to automatically start new policies.



    I'd also talk with your local F5 or partner SE to get recommendations based on your specific scenario.



  • Thanks guys. This project is still in the pre-sales stage, and I do not know the exact version of the version 9 box as of now. I guess reconfiguration of the policies from scratch might be the best option.
  • Hi All



    I have got a similar requirement: to develop an ASM policy on an LTM which is placed for Test & Dev, and to deploy the same policy in the production network once the learning period is completed.



    I have seen the export/import option against the ASM policy. Could you confirm that this covers all the parameters related to the ASM policy?