WAF sync across DC
I have actually been looking at this for about 6 months, and plan on implementing it this Sunday in my environment. I'm currently using cron jobs to export the policy, SCP the policy to the other device, then import and overwrite it on that device. The cron jobs keep getting deleted and I have to reestablish device trust using a private key every time I upgrade...
The documentation on doing this is below, but my understanding is that the basic steps are:
- Add device as Peer
- Create a Sync-Only Device Group, using either "Manual with Incremental Sync" or "Automatic with Incremental Sync"
- Open port TCP 4353 on Firewall between devices and ensure they can route to each other
- Establish Device Trust by syncing the "device_trust_group"
- Go to Security > Options > Application Security > Synchronization, and add both devices to the Sync-Only Device Group
- Click Sync
I'm planning this on the weekend just in case it does sync more than just the ASM portion. I'll be taking backups beforehand just in case it breaks everything.
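The checklist above is done in the GUI; as an added example (not code from the thread, from F5, or from any of the posters) here is a small shell helper that renders the equivalent tmsh commands for the peer and Sync-Only device-group steps, tests that TCP 4353 is reachable before you try to establish trust, and parses `tmsh show cm sync-status` output so a script can refuse to continue until the group reports "In Sync". The tmsh syntax is written from memory and is an assumption to verify against the tmsh reference for your BIG-IP version; hostnames, IPs and the group name are constructed placeholders, and the ASM Synchronization step itself (Security > Options > Application Security > Synchronization) is left to the GUI as the post describes.

```shell
#!/bin/sh
# Added example, not from the DevCentral thread or F5. The tmsh command
# shapes below are assumptions from memory: check them against the tmsh
# reference for your BIG-IP version before running anything on a box.

PEER_NAME="${PEER_NAME:-bigip-dc2.example.com}"   # placeholder peer hostname
PEER_IP="${PEER_IP:-192.0.2.20}"                  # placeholder (TEST-NET-1)
LOCAL_NAME="${LOCAL_NAME:-bigip-dc1.example.com}" # placeholder local hostname
GROUP="${GROUP:-asm-sync-only}"                   # placeholder device-group name
SYNC_PORT=4353                                    # ConfigSync port named in the thread

# Step "Add device as Peer": tmsh command to add the peer to the trust domain.
# The password is left as a placeholder so it never lands in shell history.
render_add_peer_cmd() {
  printf 'tmsh modify cm trust-domain Root add-device { device-name %s device-ip %s username admin password <prompted> }\n' \
    "$1" "$2"
}

# Step "Create a Sync-Only Device Group":
#   mode "auto"   -> Automatic with Incremental Sync (auto-sync enabled)
#   mode "manual" -> Manual with Incremental Sync    (auto-sync disabled)
# full-load-on-sync false keeps the sync incremental. A sync-only group
# carries only the objects explicitly assigned to it, which is the reason
# the LTM configuration in each DC is not touched by this group.
render_device_group_cmd() {
  group="$1"; local_name="$2"; peer="$3"; mode="$4"
  case "$mode" in
    auto)   auto="enabled" ;;
    manual) auto="disabled" ;;
    *) echo "mode must be auto or manual" >&2; return 2 ;;
  esac
  printf 'tmsh create cm device-group %s type sync-only auto-sync %s full-load-on-sync false devices add { %s %s }\n' \
    "$group" "$auto" "$local_name" "$peer"
}

# Step "Open port TCP 4353": preflight check that the peer's ConfigSync port
# answers. Uses bash's /dev/tcp so no extra tools are needed; non-zero on
# refusal or after a 3 second timeout.
check_sync_port() {
  host="$1"; port="${2:-$SYNC_PORT}"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Step "Click Sync" verification: parse the text of 'tmsh show cm sync-status'
# and succeed only when the Status line reads exactly "In Sync".
# ("Changes Pending", "Awaiting Initial Sync", etc. all fail.)
sync_status_ok() {
  printf '%s\n' "$1" \
    | sed -n 's/^Status[[:space:]]\{1,\}//p' \
    | grep -qx 'In Sync'
}

# Print the rendered commands only when asked; nothing runs against a device.
if [ "${1:-}" = "--print" ]; then
  render_add_peer_cmd "$PEER_NAME" "$PEER_IP"
  render_device_group_cmd "$GROUP" "$LOCAL_NAME" "$PEER_NAME" manual
  echo "# establish trust by syncing device_trust_group, then add both devices"
  echo "# to $GROUP under Security > Options > Application Security > Synchronization"
  echo "tmsh run cm config-sync to-group $GROUP"
  echo "tmsh show cm sync-status"
fi
```

Run it with `--print` to see the commands for review before a change window; the sync-status parser is the piece worth reusing in a post-change check, since it fails closed on any status other than "In Sync".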
- bsb, Sep 27, 2019 (Nimbostratus)
Oh great, my worry was whether the LTM configuration would get synchronized too, as they are in different IP ranges.
It's a production env in my case; I can't perform testing.
- DanS92, Sep 27, 2019 (Cirrus)
I'm in the exact same situation... If LTM gets synchronized my production environment will break. My understanding is that the "Incremental Sync" only syncs the portions that you specifically configure it to sync.
Like with ASM, you can go to Security > Options > Application Security > Synchronize to tell it to sync the ASM portion.
It looks like APM has a similar feature under Access > Profiles/Policies > Policy Sync.
My change got pushed back due to network issues in my environment, so I won't be able to do it for a few more weeks...
- DanS92, Sep 27, 2019 (Cirrus)
I'm reading more about full vs. incremental sync at the link below, and it has a different description of Incremental Sync, so if you try this before me, make sure you take backups and do it in off hours! Otherwise I'll let you know how it goes when I try it.