Syncing ASM WAF Policies Between F5 BIG-IPs in Different Datacenters or Cloud Regions
Not too long ago, a question came up in one of my tech talks regarding how F5 syncs ASM policies between devices that may not be a part of the same HA pair. The question derived from experience with ...
Published Dec 18, 2018
Version 1.0
Steve_Lyons
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
Ret. Employee
Leonardo_Souza
Cirrocumulus
Jan 17, 2019
Thank you for the article.
I wasn't aware of the specific ASM ports for policy sync.
"BIG-IP ASM requires the following additional Policy Sync TCP ports: 6123-6128."
I think I read K13946 multiple times in the past; either it was updated, or I missed this important information.
Anyway, the following article says that even if you set up allow none, if the system is in an HA pair there will be exceptions for the HA ports.
https://support.f5.com/csp/article/K17333
What was the configuration for port lockdown for the internal self IP?