WAF sync across DC
Another resource for implementing this with screenshots is here:
https://www.linkedin.com/pulse/syncing-asm-waf-policies-between-f5-big-ips-different-stephen-lyons/
- DanS92, Oct 14, 2019, Cirrus
bsb,
I was finally able to implement this in my environment. I can definitively confirm that if you follow the steps in the LinkedIn article to create a Device Group that is Sync-Only and uses Incremental Sync, your LTM config will not sync.
You just have to be very careful to never accidentally sync the global device group. It should prompt you with a warning if you accidentally click the sync button for that device group. Your device_trust_group Device Group, and your ASM Sync Device Group should be in sync, but not the global. Feel free to reach out to me with any questions you have on configuring this!
The only potential hangups I can foresee are that you have to allow destination port TCP 4353 between the devices on your firewalls, and the ASM Policies and the VIPs attached to them need to have the same name.
Thanks,
Dan
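The procedure Dan describes, written up as an added shell example that is not code from the thread, the LinkedIn article or F5: it emits the tmsh commands for a Sync-Only, incremental, ASM-enabled device group, wraps the sync call so that the global LTM group is refused, and includes two preflight checks for the hangups named above (TCP 4353 reachability and policy/VIP name parity). The device group name dg-asm-sync, the hostnames bigip-dc1.example.com and bigip-dc2.example.com, the global group name dg-global-ltm and the sample name lists are all assumed; the tmsh property names (type sync-only, full-load-on-sync, asm-sync) are from my own familiarity with tmsh, so verify them against your TMOS version before applying.

```shell
#!/bin/sh
# Added example (not from the thread): ASM-only config sync between two BIG-IPs.
# All names below are assumptions; override them via the environment.
set -u

ASM_DG="${ASM_DG:-dg-asm-sync}"                       # assumed ASM sync group
GLOBAL_DG="${GLOBAL_DG:-dg-global-ltm}"               # assumed global LTM group
DEVICES="${DEVICES:-bigip-dc1.example.com bigip-dc2.example.com}"  # assumed

# Emit the tmsh commands that create the ASM-only sync group.
#   type sync-only             -> no failover role; LTM traffic config stays local
#   full-load-on-sync disabled -> incremental sync instead of a full config load
#   asm-sync enabled           -> ASM policies are what this group carries
asm_sync_group_tmsh() {
  cat <<EOF
create /cm device-group ${ASM_DG} devices add { ${DEVICES} } type sync-only full-load-on-sync disabled asm-sync enabled
save /sys config
run /cm config-sync to-group ${ASM_DG}
show /cm sync-status
EOF
}

# Sync wrapper that refuses the global group, which is the one you must never
# push by accident. Prints the command instead of running it when tmsh is absent.
run_sync() {
  group="$1"
  if [ "$group" = "$GLOBAL_DG" ]; then
    echo "refusing: ${group} is the global LTM device group; sync ${ASM_DG} instead" >&2
    return 1
  fi
  if command -v tmsh >/dev/null 2>&1; then
    tmsh run /cm config-sync to-group "$group"
  else
    echo "dry-run: tmsh run /cm config-sync to-group ${group}"
  fi
}

# Preflight 1: config sync needs TCP 4353 open to the peer (bash /dev/tcp probe).
check_sync_port() {
  peer="$1"
  if timeout 3 bash -c "exec 3<>/dev/tcp/${peer}/4353" 2>/dev/null; then
    echo "ok: ${peer}:4353 reachable"
    return 0
  fi
  echo "FAIL: ${peer}:4353 unreachable; allow destination TCP 4353 on the firewall" >&2
  return 1
}

# Preflight 2: an ASM policy and the virtual it is attached to must exist under
# the same name on both devices. Inputs are newline-separated name lists, e.g.
# from `tmsh list asm policy one-line` and `tmsh list ltm virtual one-line` on
# each box; output is every local name the peer does not have.
names_missing_on_peer() {
  local_names="$1"
  peer_names="$2"
  printf '%s\n' "$local_names" | while IFS= read -r n; do
    [ -n "$n" ] || continue
    printf '%s\n' "$peer_names" | grep -qxF -- "$n" || printf '%s\n' "$n"
  done
}

# Stand-alone run: print the tmsh commands for review before applying them.
asm_sync_group_tmsh
```

Run the preflights first (check_sync_port against each peer, names_missing_on_peer against the policy and virtual lists pulled from both devices), then feed the printed commands to tmsh on one device only; the sync itself goes through run_sync so a slip of the group name cannot push the global LTM configuration.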