Manual Chapter :
Connection Mirroring with ASM
Applies To:
Show Versions
BIG-IP ASM
- 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Connection Mirroring with ASM
Intro to connection mirroring with ASM
ASM security policies can be applied to LTM mirrored traffic. The best
practice for using ASM with connection mirroring is an LTM and AWAF license and a
floating Self IP configuration. For details on configuring LTM connection mirroring,
see the Managing Connection Mirroring section in the BIG-IP Device Service Clustering:
Administration Guide. For troubleshooting traffic mirroring with ASM, see this knowledge article
Connection mirroring limitations with ASM
Applying an ASM security policy to mirrored traffic has certain
limitations.
LTM Limitations
- Only 2 devices supported: Traffic is mirrored only to one stand-by device in case of several devices.
- No multiple failover support: Only 2 devices are supported. The connection is reset on the third device in the case of failover from the first device to the second and then from the second to the third.
- No failback support: The connection is reset in case of failover from one device to another and back.
- No default SSL cert/key support.
AWAF Limitations
- When sending a request to a remote service, such as remote logging, DNS, ICAP, and CPB, the remote service will get 2 requests from both devices in mirroring.
- CS features, such as Brute Force, Session Awareness and Device ID, can have a different state (different counters) on active and stand-by devices.
- Mirroring of CS challenges in case of failover can work incorrectly.
- PB on an Active device periodical syncs statistics to the Standby device. This can cause non deterministic behavior.
License Limitation
Connection mirroring works fully only with a licensed and provisioned LTM. In the
case of a standalone ASM or standalone AWAF license, mirroring can be enabled for a
virtual server but, in such cases, it works with the same limitation as we have for
non-floating Self IP, even in case of floating Self IP.
Non-floating Self-IP ASM Feature Limitations
If a HA pair is configured with a non-floating Self IP, then only the first HTTP
request in the TCP connection is mirrored, while the whole connection is not
mirrored. In particular all HTTP requests and any response for any HTTP request are
not mirrored. In addition, only the first response or request in the same TCP
connection are mirrored to the stand-by device.
In the case of a floating Self IP, all ASM features are supported with the known ASM
limitations. As a lot of ASM features do not work with a non-floating Self IP
configuration, we strongly recommend that you use a floating Self IP configuration
with mirroring. See the table below.
Feature | Parts Supported | Parts Not Supported | Comments | |
|---|---|---|---|---|
1 | Enforcement mode | Fully Supported | Transparent & Blocking | |
2 | Violations Settings | Fully Supported | ||
3 | Policy Building | Fully Supported (maintenance window assumed ) | Device ID learning is not supported, but there is no relevant
configuration option. This is under the hood |
|
4 | Attack Signatures | In Request only | In Response | |
5 | Headers | Fully Supported | Redirection Protection (see feature below) | |
6 | File Types | Fully Supported | ||
7 | Content Profiles | Fully Supported | Content-Based Routing (see feature below) | |
8 | IP Intelligence | Fully Supported | ||
9 | Geolocation Enforcement | Fully Supported | ||
10 | Dynamic Session ID in URL | None | Not Supported | |
11 | Threat Campaigns | Fully Supported | Not present in 13.1.1.5 | |
12 | Login Pages | Fully Supported |
| |
13 | Logout Pages | Fully Supported |
| |
14 | Vulnerability Assessments | Fully Supported | ||
15 | Anti-Virus protection (ICAP) | None | Not Supported | |
16 | Database Security | None | Not Supported | |
17 | Login Enforcement | None | Not Supported | |
18 | Session Tracking | None | Not Supported | |
19 | CSRF Protection | None | Not Supported | |
20 | Single Page Application | None | Not Supported | |
21 | Content-Based Routing (CBR) | None | Not Supported | |
22 | Brute Force | None | Not Supported | Not supported because stats/counters collection can be
unstable due to threads sync. After failover bf counters are
reset, so prevention for attack can not continue. |
23 | CORS(HTML5 Cross-Origin Request Sharing) Within:
| None | Not Supported | |
24 | WebSocket Enforcement | None | Not Supported | |
25 | URL Enforcement | Fully Supported | ||
26 | Parameters | Fully Supported | ||
27 | Data Guard | None | Not Supported | |
28 | Cookies | Fully Supported | "Modified domain cookie(s)" | |
29 | iRules | Fully Supported | ASM_RESPONSE_VIOLATION | Fully supported if iRule is doing deterministic
operation. |
30 | Logging and Reporting | Fully Supported | ||
31 | uBOT | None | Not Supported | Not present in 13.1.1.5 |
32 | DOSL7 | None | Not Supported | |
33 | BADOS | None | Not Supported | |
34 | Allowed Response Status Codes | None | Not Supported | "Illegal HTTP status in response" violation |
35 | Redirection Protection | None | Not Supported | |
36 | Web Scraping | None | Not Supported | |
37 | Remote logging | Fully Supported | Duplicate entries in remote logger, each with different
device name (mgmt_ip). |
Configuring SSL with mirroring
You need to create an SSL certificate and custom
SSL profile for secure communications between the two mirrored devices.
- Enable sys db:
- tmsh modify sys db statemirror.secure value enable
- tmsh modify sys db statemirror.verify value enable
- On the Main tab, click and create a new SSL certificate.Standard SSL certificates are not supported for this feature.
- On the Main tab, click . The SSL Server profile list screen opens. Create a new SSL profile with the created SSL certificate and with "Cache Size" = 0.See the BIG-IP System: SSL Administration Guide for more information on creating a custom SSL profile.
