Connection mirroring limitations with ASM
Applying an ASM security policy to mirrored traffic has certain limitations.
- Only 2 devices supported: Traffic is mirrored only to one stand-by device in case of several devices.
- No multiple failover support: Only 2 devices are supported. The connection is reset on the third device in the case of failover from the first device to the second and then from the second to the third.
- No failback support: The connection is reset in case of failover from one device to another and back.
- No default SSL cert/key support.
- When sending a request to a remote service, such as remote logging, DNS, ICAP, and CPB, the remote service will get 2 requests from both devices in mirroring.
- CS features, such as Brute Force, Session Awareness and Device ID, can have a different state (different counters) on active and stand-by devices.
- Mirroring of CS challenges in case of failover can work incorrectly.
- PB on an Active device periodical syncs statistics to the Standby device. This can cause non deterministic behavior.
Connection mirroring works fully only with a licensed and provisioned LTM. In the case of a standalone ASM or standalone AWAF license, mirroring can be enabled for a virtual server but, in such cases, it works with the same limitation as we have for non-floating Self IP, even in case of floating Self IP.
If a HA pair is configured with a non-floating Self IP, then only the first HTTP request in the TCP connection is mirrored, while the whole connection is not mirrored. In particular all HTTP requests and any response for any HTTP request are not mirrored. In addition, only the first response or request in the same TCP connection are mirrored to the stand-by device.
In the case of a floating Self IP, all ASM features are supported with the known ASM limitations. As a lot of ASM features do not work with a non-floating Self IP configuration, we strongly recommend that you use a floating Self IP configuration with mirroring. See the table below.
| Feature | Parts Supported | Parts Not Supported | Comments | |
|---|---|---|---|---|
| 1 | Enforcement mode | Fully Supported | Transparent & Blocking | |
| 2 | Violations Settings | Fully Supported |
||| |3|Policy Building|Fully Supported (maintenance window assumed )
|Device ID learning is not supported, but there is no relevant configuration option. This is under the hood|- CPB - double statistics because of requests from both devices.
- PB on Active periodically syncs to Standby which can cause non deterministic behavior .
|4|Attack Signatures
|In Request only|In Response|| |5|Headers|Fully Supported|Redirection Protection (see feature below)|| |6|File Types|Fully Supported||| |7|Content Profiles|Fully Supported|Content-Based Routing (see feature below)
|| |8|IP Intelligence|Fully Supported||| |9|Geolocation Enforcement|Fully Supported||| |10|Dynamic Session ID in URL|None|Not Supported|| |11|Threat Campaigns|Fully Supported||Not present in 13.1.1.5| |12|Login Pages|Fully Supported||- Note that Login Enforcement is not supported. |13|Logout Pages|Fully Supported||- Note that Login Enforcement is not supported. |14|Vulnerability Assessments|Fully Supported||| |15|Anti-Virus protection (ICAP)|None|Not Supported|| |16|Database Security|None|Not Supported|| |17|Login Enforcement|None|Not Supported|| |18|Session Tracking|None|Not Supported|| |19|CSRF Protection|None|Not Supported|| |20|Single Page Application|None|Not Supported|| |21|Content-Based Routing (CBR)|None|Not Supported|| |22|Brute Force|None|Not Supported|Not supported because stats/counters collection can be unstable due to threads sync. After failover bf counters are reset, so prevention for attack can not continue.| |23|CORS(HTML5 Cross-Origin Request Sharing)
Within:
- Allowed HTTP URLs
- Allowed Websocket URLs
|None|Not Supported|| |24|WebSocket Enforcement|None|Not Supported|| |25|URL Enforcement|Fully Supported||| |26|Parameters|Fully Supported||| |27|Data Guard|None|Not Supported|| |28|Cookies|Fully Supported|“Modified domain cookie(s)"|| |29|iRules|Fully Supported|ASM_RESPONSE_VIOLATION|Fully supported if iRule is doing deterministic operation.| |30|Logging and Reporting|Fully Supported||| |31|uBOT|None|Not Supported |Not present in 13.1.1.5 |32|DOSL7|None|Not Supported || |33|BADOS|None|Not Supported|| |34|Allowed Response Status Codes|None|Not Supported|“Illegal HTTP status in response” violation| |35|Redirection Protection|None|Not Supported|| |36|Web Scraping|None|Not Supported|| |37|Remote logging|Fully Supported||Duplicate entries in remote logger, each with different device name (mgmt_ip).|
Parent topic:Connection mirroring with ASM