on 18-Dec-2018 02:28
Not too long ago, a question came up in one of my tech talks about how F5 syncs ASM policies between devices that are not part of the same HA pair. The question stemmed from experience with another vendor whose policies would not or could not sync, causing inconsistencies and, most importantly, affecting the end-user experience. I do not know the specifics of that vendor's behaviour, but I wanted to take a few minutes to provide a how-to based on my own recent experience deploying a pair of F5 BIG-IPs in AWS.
To provide some background on this use case, I was asked to assist in deploying two standalone BIG-IPs in separate availability zones. The application I was asked to protect resided in both availability zones, so the policies needed to be in sync at all times. While my use case was specific to AWS and a single region, it is relevant to anyone with applications that reside in separate data centers or regions in a cloud-based scenario. So with that, let's get started.
Note: I am using the Internal Self IP for demonstration purposes.
If you receive a Changes Pending notice, perform a sync of the Manual Sync Groups. Although the device group created in the previous steps is Automatic, global sync groups and trust groups are created while the trusts are being established. There is no need to worry: the device group created in this how-to will be synced automatically without manual intervention.
Prior to configuring the sync operation for ASM, attached is a screenshot of the policies on the secondary box. Notice that there are no policies on the device prior to completing the steps below.
Click Save.
Navigate to Device Management >> Overview.
Note: If the device group is not in sync, use the following article to troubleshoot ConfigSync issues. https://support.f5.com/csp/article/K13946
The screenshot above is of BIG-IP 02, which received its initial sync from BIG-IP 01. However, this is a two-way sync: the screenshot below shows BIG-IP 01 after I modified the policy directly on BIG-IP 02. The version now reflects that change.
You are now successfully syncing ASM policies between BIG-IPs in different regions or data centers. Until next time!
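The Device Management >> Overview page shows the same sync state that `tmsh show cm sync-status` reports on the command line. The following script is an added example, not part of the original article: it classifies that output as "In Sync" or "Changes Pending" and prints the manual ConfigSync command an operator would run when a push is needed. The device-group name `asm-sync-group` and the two sample outputs are constructed; the status strings and the `tmsh run cm config-sync to-group` command are standard BIG-IP.

```shell
#!/bin/sh
# Added example: decide from `tmsh show cm sync-status` output whether a
# device group is in sync or needs a manual ConfigSync push.
# The group name and both sample outputs below are constructed.

SAMPLE_PENDING='CM::Sync Status
Color                  yellow
Status                 Changes Pending
Summary                There is a possible change conflict between devices
Details
    asm-sync-group (Changes Pending): bigip-01 has pending changes'

SAMPLE_IN_SYNC='CM::Sync Status
Color                  green
Status                 In Sync
Summary                All devices in the device group are in sync
Details'

# sync_state OUTPUT -> prints in_sync, pending or unknown based on the
# "Status" line only (the Details block may repeat the words).
sync_state() {
  printf '%s\n' "$1" | awk '
    /^Status/ { sub(/^Status[ \t]+/, ""); st = $0 }
    END {
      if (st == "In Sync")              print "in_sync";
      else if (st == "Changes Pending") print "pending";
      else                              print "unknown";
    }'
}

# sync_action GROUP STATE -> the tmsh command an operator would run next,
# or "none" when nothing is required.
sync_action() {
  case "$2" in
    pending) echo "tmsh run cm config-sync to-group $1" ;;
    in_sync) echo none ;;
    *)       echo "tmsh show cm sync-status" ;;  # inspect before acting
  esac
}

# Stand-alone demo: pass --live on a BIG-IP to read the real status,
# otherwise the constructed pending sample is used.
if [ "$1" = "--live" ]; then
  status_out=$(tmsh show cm sync-status)
else
  status_out=$SAMPLE_PENDING
fi
state=$(sync_state "$status_out")
echo "state=$state action=$(sync_action asm-sync-group "$state")"
```

Running it without arguments prints `state=pending` together with the `config-sync to-group asm-sync-group` command; on a BIG-IP, `--live` reads the actual status. Only a `pending` state yields a push command, so the script never suggests a sync when the group is already consistent.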
Thank you, sir. Any feedback whether negative or positive is greatly appreciated!
Thank you for the article.
I wasn't aware of the specific ASM ports for policy sync.
"BIG-IP ASM requires the following additional Policy Sync TCP ports: 6123-6128."
I think I read the K13946 multiple times in the past, either was updated, or I missed this important information.
Anyway, the following article says that even if you set up allow none, if the system is in an HA pair there will be exceptions for the HA ports.
https://support.f5.com/csp/article/K17333
What was the configuration for port lockdown for the internal self IP?
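A quick way to answer the port lockdown question for yourself is to inspect the self IP's `allow-service` list. The script below is an added example, not from the article or its comments: it parses `tmsh list net self <name> allow-service` output, reports which of the ASM Policy Sync TCP ports 6123-6128 quoted above are not explicitly allowed, and builds the `tmsh modify ... allow-service add` command that would add them. The self IP name `internal-self` and the sample outputs are constructed; the `tcp:<port>`, `all`, `none` and `default` tokens are tmsh syntax. It treats `default` and `none` as "not explicitly listed", since the HA exceptions K17333 describes are not visible in this output.

```shell
#!/bin/sh
# Added example: check a self IP's port lockdown list for the ASM Policy
# Sync ports. Self IP name and sample outputs are constructed.

SAMPLE_SELF='net self internal-self {
    allow-service {
        tcp:443
        tcp:4353
        tcp:6123
        tcp:6124
    }
}'

SAMPLE_SELF_ALL='net self internal-self {
    allow-service {
        all
    }
}'

ASM_SYNC_PORTS="6123 6124 6125 6126 6127 6128"

# missing_asm_ports OUTPUT -> space-separated ASM sync ports that are not
# explicitly allowed; empty when allow-service is "all". Expects the output
# for a single self IP. "default" and "none" list no ports, so all are reported.
missing_asm_ports() {
  allowed=" $(printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*(tcp:[0-9]+|all|none|default)[[:space:]]*$' \
    | tr -d ' \t' | tr '\n' ' ') "
  case "$allowed" in *" all "*) echo ""; return ;; esac
  missing=""
  for p in $ASM_SYNC_PORTS; do
    case "$allowed" in
      *" tcp:$p "*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  echo "${missing# }"
}

# lockdown_fix_cmd NAME PORTS -> tmsh command adding the missing ports,
# or "none" when nothing is missing.
lockdown_fix_cmd() {
  [ -n "$2" ] || { echo none; return; }
  toks=""
  for p in $2; do toks="$toks tcp:$p"; done
  echo "tmsh modify net self $1 allow-service add {$toks }"
}

# Stand-alone demo against the constructed sample.
missing=$(missing_asm_ports "$SAMPLE_SELF")
echo "missing: ${missing:-none}"
echo "fix: $(lockdown_fix_cmd internal-self "$missing")"
```

On a BIG-IP, replace the sample with `"$(tmsh list net self internal-self allow-service)"` for the self IP used for ConfigSync. The check is read-only; the `modify` command is printed for review, not executed, so an operator can confirm the self IP before widening its lockdown list.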
Nice article. I have a query.
I have an environment with the case below.
LTM + ASM - zone 1 in HA pair (x ip range)
LTM + ASM - zone 2 in HA pair (y ip range)
In such a scenario, is it feasible to sync the ASM config alone (the LTM configuration shouldn't get synchronized)?
Will this be feasible by adding the devices to a group and initiating a sync?