Forum Discussion
yadgayan
Cirrus
CirrusWAF profile replicate
Hi All,
When we have a DR setup and we have WAF enabled in the Active site then how do we keep identical learned copy of the WAF profile on both sides?
Usually Primary site WAF profile is matured during the time being but how do we keep the same mature profile in DR site as well?
Thanks
Gayan
Hi Gayan,
This article might help you out: Syncing ASM WAF Policies Between F5 BIG-IP's in Di... - DevCentral
Have fun,
--Niels
- Nikoolayy1
MVP
Also Terraform can be a nice way to go outside of what Niels_van_Sluis mentioned as it can even take in account the policy builder suggerstions:
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Intro)
Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation)
Scenario #5: Manage an F5 BIG-IP Advanced WAF Policy with Policy Builder on a single device
Other than that you can create the policy on BIG-IQ and distribute it to the F5 devices you want:
Deploying a web application firewall policy with c... - DevCentral (f5.com)
- yadgayan
Thanks a lot to both Nikoolayy1 and Niels_van_Sluis.
Niels_van_Sluis can we implement CI/CD and continuously develop based on suggestions?
Not sure if your question about CI/CD is for me, but I think the articles that Nikoolayy1 mentioned about Terraform come close on how to implement CI/CD.
- Nikoolayy1
If you want CI/CD use terraform or AS3 Declarative WAF (you can use ansible or terraform to again push as3) and host the WAF config in github. If you want to also handle learnings with policy builder then terraform is better or you can just make your own automation by using the api to export them.
Displaying BIG-IP ASM learning suggestions using the iControl REST API (f5.com)
Exercise 3.3 - Deploying a WAF policy through AS3 (f5.com)
"new_asm_policy": { "class": "WAF_Policy", "url": "https://raw.githubusercontent.com/f5devcentral/FAS-ansible-workshop-101/master/3.3-as3-asm/Test_WAF_Policy.xml", "ignoreChanges": true }
