For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bsb's avatar
bsb
Icon for Nimbostratus rankNimbostratus
Sep 25, 2019

WAF sync across DC

Have a pair of LTM + WAF device in X location in HA, also have a pair of LTM + WAF device configured in Y location configured in HA.   as of now, i am manually exporting all the ASM(WAF) policies...
application delivery
ASM Advanced WAF
BIG-IP
  • DanS92's avatar
    DanS92
    Icon for Cirrus rankCirrus
    Oct 14, 2019

    bsb,

     

    I was finally able to implement this in my environment. I can definitively confirm that if you follow the steps in the linkedin article to create a Device Group that is Sync-Only and uses Incremental Sync, your LTM config will not sync.

    You just have to be very careful to never accidentally sync the global device group. It should prompt you with a warning if you accidentally click the sync button for that device group. Your device_trust_group Device Group, and your ASM Sync Device Group should be in sync, but not the global. Feel free to reach out to me with any questions you have on configuring this!

     

    The only potential hangups I can foresee is that you have to allow destination port TCP4353 between the devices on your firewalls, and the ASM Policies and the VIPs attached to them need to have the same name.

     

    Thanks,

     

    Dan