on 04-Jan-2019 05:59
In a previous article, I discussed syncing F5 ASM policies across BIG-IP instances that span separate datacenters or different cloud regions. This use case was extremely useful to me when deploying standalone BIG-IPs in the same AWS region but in separate availability zones. The application I was securing ran active/active in both AZs, so I needed to ensure the WAF policies were kept in sync.
Today I want to discuss a very similar use case with a different F5 module: the Access Policy Manager (APM). In the same environment, I was supporting authentication and single sign-on (SSO) to the same application across different availability zones. Both instances authenticated against the same Active Directory infrastructure using the same attributes, so I needed an automated way to sync the configurations rather than risk human error duplicating them across BIG-IPs by hand. With the use case out of the way, let's get started deploying it.
Note: I am using the Internal Self IP for demonstration purposes.
If you receive a Changes Pending notice, perform a sync of the manual sync groups. Although the device group created in the previous steps is automatic, global sync groups and trust groups are also created while establishing trust. Believe me, there is no need to worry: the device group created in this how-to will sync automatically without manual intervention.
Note: If you have issues syncing, a quick fix is to delete the Device Group, ensure all other default device groups have synced, and recreate the Device Group.
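As an added example (my own code, not from the article or from F5), here is a small Python check that reads the state the Changes Pending notice reflects and verifies the device group is automatic and sync-only with every peer present. It assumes the iControl REST paths /mgmt/tm/cm/sync-status and /mgmt/tm/cm/device-group/~Common~<name>/devices, and the sample JSON below is constructed to match the shape those endpoints return.

```python
"""Check a BIG-IP's config-sync state and its sync-only device group via iControl REST.
Assumptions (not from the article): the REST paths named in the lead-in and the
constructed SAMPLE_* documents below, which mirror the shape those endpoints return."""
import base64
import json
import urllib.request


def get_json(host, path, user, password):
    """GET an iControl REST path with basic auth; relies on default TLS verification."""
    req = urllib.request.Request(f"https://{host}{path}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sync_summary(payload):
    """Flatten the nested sync-status document into {status, color, summary, mode}."""
    out = {}
    for entry in payload.get("entries", {}).values():
        stats = entry.get("nestedStats", {}).get("entries", {})
        for key in ("status", "color", "summary", "mode"):
            if key in stats:
                out[key] = stats[key].get("description")
    return out


def device_group_findings(group, members, expected):
    """Findings for a group that should be automatic, sync-only and contain every peer."""
    findings = []
    if group.get("type") != "sync-only":
        findings.append(f"type is {group.get('type')!r}, expected 'sync-only'")
    if group.get("autoSync") != "enabled":
        findings.append("auto-sync disabled: changes wait for a manual sync")
    present = {m.get("name") for m in members}
    for missing in sorted(set(expected) - present):
        findings.append(f"device {missing} is not a member of the group")
    return findings


# Constructed sample responses showing the "Changes Pending" case from the article.
SAMPLE_SYNC_STATUS = {"entries": {"https://localhost/mgmt/tm/cm/sync-status/0": {
    "nestedStats": {"entries": {"color": {"description": "blue"},
                                "mode": {"description": "high-availability"},
                                "status": {"description": "Changes Pending"},
                                "summary": {"description": "Changes are pending"}}}}}}
SAMPLE_GROUP = {"name": "apm-sync", "type": "sync-only", "autoSync": "disabled"}
SAMPLE_MEMBERS = [{"name": "bigip-az1.example.com"}]

if __name__ == "__main__":
    print(sync_summary(SAMPLE_SYNC_STATUS))
    peers = ["bigip-az1.example.com", "bigip-az2.example.com"]
    for line in device_group_findings(SAMPLE_GROUP, SAMPLE_MEMBERS, peers):
        print("finding:", line)
```

Against a live unit, replace the samples with `get_json(host, "/mgmt/tm/cm/sync-status", ...)` and the device-group and devices collections; anything other than "In Sync" (green) is the state the article tells you to resolve with a manual sync of the other groups.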
Before we get started, let's take a look at the policy we are going to sync and see why it can be very beneficial to sync rather than manually recreating the policy.
In this policy, I am performing smart card authentication with AD authentication as a fallback. To support multi-factor authentication, I have configured the AD auth branch to use F5's native OTP capability. Now, this is a simple policy; could you imagine doing a complex policy across 10 or more BIG-IPs? Me neither!
Once the APM Policy Sync pop-up displays as shown above, you will notice options to Ignore errors, Use Source configuration on Target, and Advanced Settings. The goal of this article is a basic introduction to the ability to sync policies, so I will not review each setting in detail, though I will provide the F5 overview of each setting. Additional information on syncing APM policies can be found here.
You have now successfully synced Access Policies across appliances in separate datacenters or cloud regions. Until next time!
If I remember well, there is (was?) a limitation: you cannot add the source BIG-IP to a sync-failover cluster after configuring a sync-only. So the solution is either to build the sync-failover cluster before, or temporarily remove the sync-only, create the sync-failover and re-create the sync-only.
Amolari, thanks for the feedback. Yes, you are correct.
Understanding policy sync device group setup for Active-Standby pairs

To add devices to a device group, all devices must belong to the same local trust domain. If you want to sync access policies with a device that does not belong to the local trust domain, but also belongs to a Sync-Failover group, you must reset the trust between the devices and remove them from the Sync-Failover device group. (For more information, see BIG-IP® Device Service Clustering: Administration on the AskF5™ web site located at http://support.f5.com/.)
After you establish device trust between your BIG-IP system and the devices, you can add them to a Sync-Failover group again.