Moving ASM to Standalone Configuration

Question

Can anyone please assist me on this.&nbsp;
&nbsp;We have an exisitng HA Pair of 3600's running LTM and ASM on Version 9.4.8, we want to split the functionaility and run ASM on an additional HA pair of 6400's on Version 10.&nbsp;
&nbsp;I have seen two methods, one in the deployment guides called
&nbsp;Deploying the BIG-IP LTM with Multiple BIG-IP Applications Security Managers.pdf&nbsp;
&nbsp;The second being: sol9372 - Configuring BIG-IP ASM in transparent bridge mode&nbsp;&nbsp;
&nbsp;Can anyone point me in the right direction here on which would be the recommended path to achieve this?&nbsp;
&nbsp;Thanks&nbsp;&nbsp;&nbsp;&nbsp;

mike_maher · Answer

I can tell you that we have something similar currently deployed.  Our LTMs and ASMs are on seperate hardware.  Basically we run LTMs and ASMs in our DMZ and then LTMs on the internal network in front of the servers.  So the traffic for an external facing web application hit the LTM gets load balanced to an ASM and the ASM runs the traffic through policy, then sends the traffic to an internal LTM pool which load balances it to a server.  This design has worked pretty well for us.  Let me know if you have any specific questions &nbsp;

wilko_113503 · Answer

Thanks so if you check page 3 on the deployment guide; 
&nbsp;  http://www.f5.com/pdf/deployment-guides/big-ip-ltm-asm-dg.pdf  
&nbsp; Do you have something like this? 
&nbsp;  
&nbsp; So on your LTM you have all your Virtual servers defined "exterior" the traffic is then passed onto the ASM which runs its policy on the traffic, then sends traffic to an internal virtual server or pool back up to the LTM that then load balances to your web servers? 
&nbsp;  
&nbsp; Are your ASM's in an Active/Active setup behind the exterior Virtual server on the LTM?

mike_maher · Answer

Similar but actually our external and internal LTMs are physically seperate devices.  The externals live in a DMZ behind our firewall and the internals, obviously live behind a firewall on our internal network.&nbsp;
&nbsp;Yes our ASMs are both Active behind the external LTM.&nbsp;
&nbsp;I guess it would depend how you feel about the security of VLANing if you wanted to use the design concept in this document.  Personally I prefer the physical separation of the 2 LTMs.  From a security perspective having the external LTM out in a DMZ allows us to only allow the ASMs access to the internal LTM.  I would rather have the external traffic stop in the DMZ and be proxied by the ASM, that way the external requests are never directly going to a device on our internal network.  &nbsp;

wilko_113503 · Answer

Thanks Mike 
&nbsp;  
&nbsp; We currently have LTM and ASM running on the same unit anyway but will take the security concern into consideration. 
&nbsp;  
&nbsp; Does anyone know if F5 are able to exchange the LTM licenses that the new units came with for ASM licenses?

Forum Discussion

Recent Discussions

bot signature update without Treat campaign license

F5OS cloud-init on 21.1 does tenants come with DO and AS3 RPM installed?

AS3 per-app JSON schema issue

F5 LTM Virtual Server IP NAT Configuration

F5 https monitor receive string

Related Content

How to move a BIG-IP VE license

Moving HTTP Load Balancers Between F5 Distributed Cloud Namespaces — Why It's Harder Than You Think

Managing iRules configuration

Moving Target

Shape Security and Volterra moving to F5 Distributed Cloud Services

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS