Forum Discussion

Thor
May 10, 2020

Sync ASM only across data centres

We have two different clusters of BIG-IP with LTM + ASM.

Each cluster has a different LTM configuration with different IPs. They share the same applications, so the ASM policy is the same.

We're currently syncing changes manually between clusters, which is very difficult to maintain.

I recently saw this article https://devcentral.f5.com/s/articles/syncing-asm-waf-policies-between-f5-big-ips-in-different-datacenters-or-cloud-regions-32891 which seems to fit our requirements.

My concern is: will this sync the ASM configuration and policies only, or will it include other components?

How will the initial sync work for ASM for existing policies?

1 Reply

  • Make sure the two HA pairs have different sync-failover device group names.

  • On the primary, add the other cluster of devices in the remote DC as peers.

  • Create a NEW sync-only group with those new members.

  • Synchronize only the NEW group.

  • You may find you now need to synchronize the local HA group to update the HA pair with the new information.

  • You will now see three sync groups: the local HA sync-failover group, the remote HA sync-failover group and your new global sync-only group. You will always see the remote HA group as unknown, and that is expected, as it is not part of this local HA group.

  • Once you have your global sync-only group synced across all devices, begin to add it to ASM as per that article.

    In my experience, ASM policy updates pushed out across the Automatic Sync Group have to be manually applied within ASM on the remote DC.
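The sequence in the reply above, written out as tmsh commands run on the DC1 primary. This is an added example, not code from the thread or from F5's own documentation. The device names, IP addresses, the group names dg-dc1-failover, dg-dc2-failover and dg-asm-global, and the admin credentials are constructed placeholders; the ASM-side step is left to the GUI path the linked article describes rather than guessed as a tmsh command.

```tmsh
# Added example (not from the thread). Run from tmsh on the DC1 primary.
# Assumes both HA pairs are already built, each with its own sync-failover
# group (placeholders: dg-dc1-failover in DC1, dg-dc2-failover in DC2), and
# that the DC2 devices are reachable on their management/config-sync address.
# All hostnames, IPs, group names and credentials below are placeholders.

# 1. Check that the two HA pairs use different sync-failover group names.
#    Identical names would make the groups collide once the devices trust
#    each other; this is the first point in the reply above.
list cm device-group

# 2. On the DC1 primary, add the two DC2 devices as peers in the device trust.
#    ca-devices adds them as certificate-authority members of the trust domain.
modify cm trust-domain Root ca-devices add { 198.51.100.11 } name bigip-dc2-a.example.com username admin password REPLACE_ME
modify cm trust-domain Root ca-devices add { 198.51.100.12 } name bigip-dc2-b.example.com username admin password REPLACE_ME

# 3. Create a NEW sync-only group holding all four devices. asm-sync lets ASM
#    policies ride this group; auto-sync removes the manual push for it.
#    Keeping it type sync-only (not sync-failover) is what stops the
#    per-DC LTM configuration, with its different IPs, from crossing DCs.
create cm device-group dg-asm-global type sync-only auto-sync enabled asm-sync enabled devices add { bigip-dc1-a.example.com bigip-dc1-b.example.com bigip-dc2-a.example.com bigip-dc2-b.example.com }

# 4. Synchronize only the NEW group (push this device's view to the group).
run cm config-sync to-group dg-asm-global

# 5. The local HA pair may now need a sync so the DC1 standby learns about
#    the new peers and the new group.
run cm config-sync to-group dg-dc1-failover

# 6. Verify: three groups should be listed. The remote failover group showing
#    as Unknown/Disconnected here is expected; dg-asm-global should report
#    In Sync across all four devices before you touch ASM.
show cm sync-status
list cm device-group

# 7. Finish the ASM side as the linked article describes (Security > Options >
#    Application Security > Synchronization in the GUI, pointing at
#    dg-asm-global). Policy changes that arrive in DC2 through the group
#    still have to be applied in ASM there, as the reply notes.
save sys config
```

Step 6 is the check worth repeating after every later change: if `show cm sync-status` reports the sync-only group as anything other than In Sync, the ASM policy assignment in step 7 is the wrong place to start debugging, and the device trust from step 2 is the usual culprit.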