Manual Chapter : Connection Mirroring with ASM

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Connection Mirroring with ASM

Intro to connection mirroring with ASM

ASM security policies can be applied to LTM mirrored traffic. The best practice for using ASM with connection mirroring is an LTM and AWAF license and a floating Self IP configuration. For details on configuring LTM connection mirroring, see the Managing Connection Mirroring section in the BIG-IP Device Service Clustering: Administration Guide. For troubleshooting traffic mirroring with ASM, see this knowledge article

Connection mirroring limitations with ASM

Applying an ASM security policy to mirrored traffic has certain limitations.

LTM Limitations

  • Only 2 devices supported: Traffic is mirrored only to one stand-by device in case of several devices.
  • No multiple failover support: Only 2 devices are supported. The connection is reset on the third device in the case of failover from the first device to the second and then from the second to the third.
  • No failback support: The connection is reset in case of failover from one device to another and back.
  • No default SSL cert/key support.

AWAF Limitations

  • When sending a request to a remote service, such as remote logging, DNS, ICAP, and CPB, the remote service will get 2 requests from both devices in mirroring.
  • CS features, such as Brute Force, Session Awareness and Device ID, can have a different state (different counters) on active and stand-by devices.
  • Mirroring of CS challenges in case of failover can work incorrectly.
  • PB on an Active device periodical syncs statistics to the Standby device. This can cause non deterministic behavior.

License Limitation

Connection mirroring works fully only with a licensed and provisioned LTM. In the case of a standalone ASM or standalone AWAF license, mirroring can be enabled for a virtual server but, in such cases, it works with the same limitation as we have for non-floating Self IP, even in case of floating Self IP.

Non-floating Self-IP ASM Feature Limitations

If a HA pair is configured with a non-floating Self IP, then only the first HTTP request in the TCP connection is mirrored, while the whole connection is not mirrored. In particular all HTTP requests and any response for any HTTP request are not mirrored. In addition, only the first response or request in the same TCP connection are mirrored to the stand-by device.
In the case of a floating Self IP, all ASM features are supported with the known ASM limitations. As a lot of ASM features do not work with a non-floating Self IP configuration, we strongly recommend that you use a floating Self IP configuration with mirroring. See the table below.
Non-floating Self-IP ASM Feature Limitations
Feature
Parts Supported
Parts Not Supported
Comments
1
Enforcement mode
Fully Supported
Transparent & Blocking
2
Violations Settings
Fully Supported
3
Policy Building
Fully Supported (maintenance window assumed )
Device ID learning is not supported, but there is no relevant configuration option. This is under the hood
  • CPB - double statistics because of requests from both devices.
  • PB on Active periodically syncs to Standby which can cause non deterministic behavior .
4
Attack Signatures
In Request only
In Response
5
Headers
Fully Supported
Redirection Protection (see feature below)
6
File Types
Fully Supported
7
Content Profiles
Fully Supported
Content-Based Routing (see feature below)
8
IP Intelligence
Fully Supported
9
Geolocation Enforcement
Fully Supported
10
Dynamic Session ID in URL
None
Not Supported
11
Threat Campaigns
Fully Supported
Not present in 13.1.1.5
12
Login Pages
Fully Supported
  • Note that Login Enforcement is not supported.
13
Logout Pages
Fully Supported
  • Note that Login Enforcement is not supported.
14
Vulnerability Assessments
Fully Supported
15
Anti-Virus protection (ICAP)
None
Not Supported
16
Database Security
None
Not Supported
17
Login Enforcement
None
Not Supported
18
Session Tracking
None
Not Supported
19
CSRF Protection
None
Not Supported
20
Single Page Application
None
Not Supported
21
Content-Based Routing (CBR)
None
Not Supported
22
Brute Force
None
Not Supported
Not supported because stats/counters collection can be unstable due to threads sync. After failover bf counters are reset, so prevention for attack can not continue.
23
CORS(HTML5 Cross-Origin Request Sharing)
Within:
  • Allowed HTTP URLs
  • Allowed Websocket URLs
None
Not Supported
24
WebSocket Enforcement
None
Not Supported
25
URL Enforcement
Fully Supported
26
Parameters
Fully Supported
27
Data Guard
None
Not Supported
28
Cookies
Fully Supported
"Modified domain cookie(s)"
29
iRules
Fully Supported
ASM_RESPONSE_VIOLATION
Fully supported if iRule is doing deterministic operation.
30
Logging and Reporting
Fully Supported
31
uBOT
None
Not Supported 
Not present in 13.1.1.5
32
DOSL7
None
Not Supported 
33
BADOS
None
Not Supported
34
Allowed Response Status Codes
None
Not Supported
"Illegal HTTP status in response" violation
35
Redirection Protection
None
Not Supported
36
Web Scraping
None
Not Supported
37
Remote logging
Fully Supported
Duplicate entries in remote logger, each with different device name (mgmt_ip).

Configuring SSL with mirroring

You need to create an SSL certificate and custom SSL profile for secure communications between the two mirrored devices.
  1. Enable sys db:
    • tmsh modify sys db statemirror.secure value enable
    • tmsh modify sys db statemirror.verify value enable
  2. On the Main tab, click
    System
    Certificate Management
    Traffic Certificate Management
    SSL Certificate List
    and create a new SSL certificate.
    Standard SSL certificates are not supported for this feature.
  3. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    . The SSL Server profile list screen opens. Create a new SSL profile with the created SSL certificate and with "Cache Size" = 0.
    See the BIG-IP System: SSL Administration Guide for more information on creating a custom SSL profile.