Syncing ASM WAF Policies Between F5 BIG-IP's in Different Datacenters or Cloud Regions
Not too long ago, a question in one of my tech talks came up regarding how F5 sync's ASM policies between devices that may not be apart of the same HA Pair. The question derived from experience with another vendor in which policies would not or could not sync causing inconsistencies and most importantly affecting the end user experience. I personally do not know the specifics though I wanted to take a few minutes to provide a how-to based on my own recent experience deploying a pair of F5 BIG-IP's in AWS.
To provide some background on this specific use case, I was asked to assist in the deployment of two standalone BIG-IP's in separate availability zones. The application I was asked to protect actually resided in both availability zones so the policies needed to be in sync at all times. While my use case was specific to AWS and a single region, this use case is relevant to anyone with applications that may reside in separate data centers or regions in a cloud-based scenario. So with that, let's get started.
Prerequisites
Define a ConfigSync Address on the Devices to Share ASM Configs
- Navigate to Device Management >> Devices.
- Click the device listed.
- Select the ConfigSync tab.
- From the drop-down menu, select a local address to be used.
Note: I am using the Internal Self IP for demonstration purposes.
- Repeat this step on the other device to be synced.
Configuring a Device Trust
- Navigate to Device Management >> Device Trust : Device Trust Members.
- Click Add.
- Device Type: Peer
- Device IP Address: Management or Self IP address of peer
- Administrator Username: admin
- Administrator Password: the admin password
- Click Retrieve Device Information.
- Click Device Certificate Matches.
- Click Add Device.
Create a Sync-Only Device Group
- Navigate to Device Management >> Device Groups.
- Click Create.
- Name: demo_sync_only
- Group Type: Sync-Only
- Members: Include the BIG-IP's to be synced
- Sync Type: Automatic with Incremental Sync
- Click Finished.
Perform Initial Sync of Device Groups if Prompted with Changes Pending
In the event you receive a notice of Changes Pending, perform a sync of Manual Sync Groups. Though the device group created in the previous steps is Automatic, there are global sync groups and trust groups created during the process of establishing trusts. Believe me, there is no need to worry. The device group that was created in this how-to will be synced automatically without manual intervention.
- Click Changes Pending from the top left of the TMUI.
- Identify the Device Group that is not in sync.
- Click Sync.
Configure ASM Policy Syncing
Prior to configuring the sync operation for ASM, attached is a screenshot of the policies on the secondary box. Notice there is nothing device prior to completing the steps below.
- Navigate to Security >> Options >> Application Security >> Synchronization >> Application Security Synchronization.
- From the Device Group drop-down menu, select the Device Group created in the previous step.
Click Save.
Validate the ASM Policy has Synced
Navigate to Device Management >> Overview.
- Locate demo_sync_group and ensure it shows In Sync.
Note: If the device group is not in sync, use the following article to troubleshoot ConfigSync issues. https://support.f5.com/csp/article/K13946
- On the Device that did not previously have the ASM policy, navigate to Security >> Application Security >> Security Policies.
- Validate the ASM policies have been synced between devices by viewing the Version information as shown below.
The Screenshot above is of BIG-IP 02 which received its initial sync from BIG-IP 01. However, this is a two sync process. You will see the screenshot below of BIG-IP 01 now after I modified the policy directly on BIG-IP 02. The version now reflects that change.
You are now successfully syncing ASM policies between BIG-IP's in different regions or data centers. Until next time!
- rob_carrCirrocumulus
Excellent article.
- Steve_LyonsRet. Employee
Thank you, sir. Any feedback whether negative or positive is greatly appreciated!
nice, thanks for the article.
- Leonardo_SouzaCirrocumulus
Thank you for the article.
I wasn't aware of the specific ASM ports for policy sync.
I think I read the K13946 multiple times in the past, either was updated, or I missed this important information.
Anyway, the following article says that even if you setup allow none, if the system is in an HA pair there will be exceptions for the HA ports.
What was the configuration for port lockdown for the internal self IP?
- bsbNimbostratus
Nice article. have a query.
have an environment with below case.
LTM + ASM - zone 1 in HA pair (x ip range)
LTM + ASM - zone 2 in HA pair (y ip range)
in such scenario, is it feasible to sync ASM config alone (ltm configuration shouldn't get synchronized).
Will this be feasible by adding devices in group and initiating sync.