
Do attack signature, bot signature and server technology sets synchronize in an HA pair?

Venkatesh_786
Altostratus

Dear Team,

 

Can anyone help me obtain clarification on my queries below?

 

We are migrating our ASM from the F5 BIG-IP S4000 to the i4600 series. As per our plan of action, we will disconnect and remove one standby device of the older S4000 platform and add one new i4600 platform to the HA pair (adding it to the device trust and device group), so the resulting HA pair will consist of one old platform and one new platform. Once the HA pair is established between them, we will push all the configuration from the older device to the new device in the HA pair.

 

So my question is: all the configuration related to LTM and ASM (objects/policies) will sync, but my new platform is a completely clean device. Is it required to bring the attack signature set version on the new platform up to the version currently running on the older platform before proceeding with the migration activity, or will the sets get synchronized at the time of the configuration push?

 

Note: we have done all the network-layer configuration (VLANs, self IPs, routes) on the new device manually. Also, both the old and new platforms are equipped with the same version and license provisioning.

 

Regards,

Venkatesh Mudiraj


Ivan_Chernenkii
F5 Employee

Hello Venkatesh,

 

Yes, all configuration should be synced. Just pay attention that for a full ASM sync you need to specify the Device Group under "Security ›› Options : Application Security : Synchronization : Application Security Synchronization".

 

Thanks, Ivan

Dear Ivan,

 

Thanks for the reply.

 

For your update, we performed the migration activity from the S4000 platform to the new i4600 platform a couple of days ago, following the steps below:

 

> We forced offline one standby device in the existing HA pair of the S4000 platform and performed a device trust reset to break the existing HA.

 

> Disconnected all network interface cables and connected them to one of the new platforms (i4600), which was also in the forced offline state to prevent it from going active in the middle of the activity.

 

> Rebuilt HA by adding the new i4600 platform to the S4000's device trust and device group, then performed a config sync from the S4000 to the i4600 platform (we decided to fail over the traffic to the i4600 once the config sync was successful).

 

Sync issue encountered:

 

Sync error on <hostname_of_i4600>: Load failed from /Common/<hostname_of_s4000> 01b9000f:3: This platform doesn't support DoS hardware capability, which is needed to disable this sys db variable.

 

Recommendation from the support team:

 

We got an update from the support team that there is a compatibility issue, as the DoS sys db variable is set to "false" on the S4000 and the same variable is set to "true" on the i4600. To perform the config sync, we should change the DoS sys db variable value to "true" on the S4000, as we cannot change it to "false" on the i4600.

 

Also, the support team confirmed that the change might cause increased CPU usage on the S4000 platform. By the time the recommendation arrived we had already exceeded the downtime limit, and we did not know to what extent the high CPU usage would occur or what impact it would have, so we decided to roll back the activity and reschedule it once we get a proper resolution.

 

I just thought I would share the history with you. Can you provide some clarification on the points below, if possible?

 

  1. What is the functional difference between the DoS sys db variable set to "true" and the DoS sys db variable set to "false"?
  2. The sync-failover group status was showing "Sync failed". In this case it is clear that sync will fail, but I just wanted to confirm: will failover work in this state?

 

Thanks & Regards,

Venkatesh Mudiraj
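A pre-flight check I would run on both units before the config sync step in the post above. This is an added example and not code from the thread or from F5: it parses `tmsh list sys db` output captured from the old and new units, lists the variables whose values differ, and emits the `tmsh modify sys db` commands that would align the old unit to the new unit's value (the direction the support team recommended, since the value could not be changed on the new platform). The thread does not name the DoS variable; `dos.forceswdos` and the other names and values in the constructed sample captures are assumptions, as is the listing format the regex expects.

```python
"""Pre-flight sys db comparison for a mixed-platform BIG-IP HA pair.

Added example (not from the thread). It compares `tmsh list sys db`
captures from the two units and reports the variables that differ,
plus the tmsh commands that would align the old unit to the new
unit's values. The sample captures below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed output format of `tmsh list sys db [one-line]`:
#   sys db <name> { value "<value>" }
# The multi-line form puts `value "..."` on its own line; the regex
# tolerates both.
_ENTRY = re.compile(
    r'sys db (?P<name>\S+)\s*\{\s*value\s+"(?P<value>[^"]*)"\s*\}', re.S
)

# Constructed capture from the old S4000 unit (variable names and values
# are assumptions; the thread does not name the DoS variable).
OLD_S4000_CAPTURE = """\
sys db dos.forceswdos {
    value "false"
}
sys db ui.advisory.enabled {
    value "true"
}
sys db ui.advisory.text {
    value "Legacy S4000"
}
"""

# Constructed capture from the new i4600 unit, in one-line form, with the
# advisory text entry deliberately absent to exercise the missing case.
NEW_I4600_CAPTURE = """\
sys db dos.forceswdos { value "true" }
sys db ui.advisory.enabled { value "true" }
"""

Diff = Tuple[str, Optional[str], Optional[str]]


def parse_sysdb(capture: str) -> Dict[str, str]:
    """Map variable name -> value for every entry in a tmsh sys db listing."""
    return {m.group("name"): m.group("value") for m in _ENTRY.finditer(capture)}


def diff_sysdb(old_capture: str, new_capture: str) -> List[Diff]:
    """(name, old_value, new_value) for each variable whose value differs
    between the units; a variable missing on one side is reported as None."""
    old, new = parse_sysdb(old_capture), parse_sysdb(new_capture)
    return [
        (name, old.get(name), new.get(name))
        for name in sorted(old.keys() | new.keys())
        if old.get(name) != new.get(name)
    ]


def remediation_commands(diffs: List[Diff]) -> List[str]:
    """tmsh commands to run on the OLD unit so its sys db values match the
    new unit's, the direction support gave in the thread (the value could
    not be changed on the new platform). Variables absent from the new
    unit's capture are skipped: there is no target value to align to."""
    return [
        f'tmsh modify sys db {name} value "{new_value}"'
        for name, _old_value, new_value in diffs
        if new_value is not None
    ]


def report(old_capture: str, new_capture: str) -> str:
    """Human-readable summary used when running this file directly."""
    diffs = diff_sysdb(old_capture, new_capture)
    if not diffs:
        return "sys db values match; config sync should not trip on them"
    lines = ["sys db mismatches (name: old -> new):"]
    lines += [f"  {n}: {o!r} -> {v!r}" for n, o, v in diffs]
    lines.append("commands to run on the old unit before retrying config sync:")
    lines += [f"  {c}" for c in remediation_commands(diffs)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_S4000_CAPTURE, NEW_I4600_CAPTURE))
```

Run it against real captures by replacing the two constructed strings with the output of `tmsh list sys db one-line` taken from each unit; review the emitted commands before applying them, since (as the thread notes) changing a platform-specific DoS setting can have a CPU cost on the unit that now has to do that work in software.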

 

 

Hello Venkatesh,

 

  1. As I understand it, the problem here is with hardware DoS, which is the AFM module and not ASM. For more details you can look at https://cdn.f5.com/product/bugtracker/ID713707.html and https://cdn.f5.com/product/bugtracker/ID787969.html
  2. Yes, I think failover will work, but since the sync has failed, behavior can change after failover because the configuration can be different.

 

Thanks, Ivan

Thanks Ivan.