For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Thor's avatar
Thor
Icon for Nimbostratus rankNimbostratus
May 10, 2020

Sync ASM only across data centres

We have two different clusters of bigip with LTM + ASM.   Each cluster has different LTM configuration with different IP. They share the same applications so ASM policy is the same.   We'r...
application delivery
ASM Advanced WAF
BIG-IP
Kevin_Davies's avatar
Kevin_Davies
Icon for Nacreous rankNacreous
May 12, 2020

Make sure the two HA pairs have different sync-failover device group names.

 

On the primary add the other cluster of devices in the remote DC as peers.

Create a NEW sync-only group with those new members.

Synchronize only the NEW group.

You may find you now need to synchronize the local HA group to update the HA pair with the new information.

You will now see three sync groups. The local HA sync-failover group, the remote HA sync-failover group and your new global Sync-Only group. You will always see the remote HA group as unknown and that is expected as it is not part of this local HA group.

Once you have your global Sync-Only group synced across all devices then begin to add it to ASM as per that article.

 

In my experience ASM policy updates pushed out across the Automatic Sync Group have to be manually applied within ASM on the remote DC.