F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP ASM
  4. BIG-IP Application Security Manager: Implementations
  5. Manually Synchronizing Application Security Configurations
Manual Chapter : Manually Synchronizing Application Security Configurations

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Manually Synchronizing Application Security Configurations

Overview: Manually synchronizing ASM systems

This implementation describes how to set up two BIG-IP® systems running Application Security Manager™ (ASM) so that you can synchronize their security policies and configurations. With this implementation, the BIG-IP systems can fail over to one another, and you can manually sync all of the BIG-IP configuration data, including ASM policy data.

Synchronizing two ASM systems

Manually synchronizing ASM configuration data

The two BIG-IP systems are set up for redundancy: one active and the other standby. Both systems are in the local trust domain and in the same Sync-Failover device group. If one system is unavailable, the other system begins to process application traffic. You can manually synchronize the systems. The ASM™ configurations and security policies are duplicated on both systems.

You can use this implementation as the basis for more complex configurations. For example, if you have multiple redundant pairs each supporting a different web application, you can use this implementation to set up each pair. You could create a Sync-Failover device group for each pair and then synchronize the data within each pair only. In this configuration, you all devices reside in the local trust domain.

Task summary

About device management and synchronizing application security configurations

You can use device management to set up several BIG-IP® systems running Application Security Manager™ (ASM) so that the systems synchronize their security policies and configurations, and fail over to one another if a system goes offline for any reason. By using application security synchronization, you can set up application security and create security policies on one system, and can propagate them to other systems in an application security device group. In BIG-IP ASM™, a device group is two or more BIG-IP devices using the same configuration and providing consistent security policy enforcement.

You can set up application security synchronization, for example, behind an Application Delivery Controller where multiple BIG-IP systems running Application Security Manager are deployed as members of a pool. The options and security policies on all of the systems stay in sync regardless of where you update them.

When you set up ASM™ synchronization, in addition to security policies, other settings such as custom attack signatures, logging profiles, SMTP configuration, anti-virus protection, system variables, and policy templates, are synchronized with all devices in the ASM-enabled device group.

Considerations for application security synchronization

When using device management with Application Security Manager™ (ASM™), you need to be aware of the following considerations that apply specifically to application security synchronization.

  • A BIG-IP® system with Application Security Manager can be a member of only one ASM-enabled device group.
  • All BIG-IP systems in a device group must be running the same version (including hot fix updates) of Application Security Manager (version 11.0 or later).
  • The BIG-IP systems in the ASM-enabled device group synchronize application security configuration data and security policies, providing consistent enforcement on all the devices.
  • Real Traffic Policy Builder® can run on only one system per security policy. For example, you can set up automatic security policy building on one system that is a member of an ASM-enabled device group, the policy is built on that system and then automatically updated on all of the systems in the device group.
  • If using a VIPRION® platform (with multiple blades), it is considered one device, and you need to add only the master blade to the device trust and group.

Performing basic network configuration for synchronization

You need to perform basic networking configuration for each of the BIG-IP® systems whose Application Security Manager™ (ASM) configurations you want to synchronize.
  1. Install the same BIG-IP system version (including any hot fixes) on each device.
  2. Provision LTM® and ASM™ on each device ( System > Resource Provisioning ).
  3. On each device, create one or more VLANs, depending on your networking configuration ( Network > VLANs ).
  4. On each device, create a self IP ( Network > Self IPs ).
    When creating the self IP, set Traffic Group to traffic-group-local-only (non-floating).
  5. On each device, create a default gateway, if needed ( Network > Routes ).
  6. On each device, configure DNS ( System > Configuration > Device > DNS ) and NTP ( System > Configuration > Device > NTP ) so they are set to the same time.
  7. Verify connectivity between the devices (self IP address to self IP address). For example, use this command to ensure communications: ping -I vlan_interface device_self_IP
  8. On each device, specify the IP address to use when synchronizing configuration objects to the local device:
    1. Click Device Management > Devices .
    2. Click the name of the local device.
    3. From the Device Connectivity menu, choose ConfigSync.
    4. For the Local Address setting, select the self IP address.
    5. Click Update.
  9. If your company requires special device certificates, install them on each device ( System > Device Certificates and click Import).
The basic networking setup is complete for the BIG-IP ASM systems for which you want to share security policies and configurations.

Specifying an IP address for config sync

Before configuring the config sync address, verify that all devices in the device group are running the same version of BIG-IP® system software.
You perform this task to specify the IP address on the local device that other devices in the device group will use to synchronize their configuration objects to the local device.
Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device Management > Devices .
    This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose ConfigSync.
  5. For the Local Address setting, retain the displayed IP address or select another address from the list.
    F5 Networks recommends that you use the default value, which is the self IP address for the internal VLAN. This address must be a non-floating self IP address and not a management IP address.
    Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the internal self IP address that you select must be an internal private IP address that you configured for this EC2 instance as the Local Address.
  6. Click Update.
After performing this task, the other devices in the device group can synchronize their configurations to the local device whenever a sync operation is initiated.

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.

  1. On the Main tab, click Device Management > Device Trust , and then either Peer List or Subordinate List.
  2. Click Add.
  3. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is an appliance, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the management IP address and name of the remote device are correct.
  7. Click Finished.
After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP® devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

  1. On the Main tab, click Device Management > Device Groups .
  2. On the Device Groups list screen, click Create.
    The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. From the Configuration list, select Advanced.
  5. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list.
    The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity. This choice is required for active-active configurations.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  7. For the Automatic Sync setting, select or clear the check box:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever a config sync operation is required. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  8. For the Full Sync setting, select or clear the check box:
    • Select the check box when you want all sync operations to be full syncs. In this case, the BIG-IP system syncs the entire set of BIG-IP configuration data whenever a config sync operation is required.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  9. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.
    This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  10. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust is established.
This task synchronizes the BIG-IP® configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
Important: You perform this task on either of the two devices, but not both.
  1. On the Main tab, click Device Management > Overview .
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync.
    The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Specifying IP addresses for failover communication

You typically perform this task during initial Device Service Clustering (DSC®) configuration, to specify the local IP addresses that you want other devices in the device group to use for continuous health-assessment communication with the local device or guest. You must perform this task locally on each device in the device group.

Important: If the system is running vCMP, you must log in to each guest to perform this task.
Note: The IP addresses that you specify must belong to route domain 0.
  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device Management > Devices .
    This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose Failover Network.
  5. For the Failover Unicast Configuration settings, click Add for each IP address on this device that other devices in the device group can use to exchange failover messages with this device. The unicast IP addresses you specify depend on the type of device:
    Platform Action
    Appliance without vCMP Type a static self IP address associated with an internal VLAN (preferably VLAN HA) and the static management IP address currently assigned to the device.
    Appliance with vCMP Type a static self IP address associated with an internal VLAN (preferably VLAN HA) and the unique management IP address currently assigned to the guest.
    VIPRION without vCMP® Type a static self IP address associated with an internal VLAN (preferably VLAN HA). If you choose to specify unicast addresses only (and not a multicast address), you must also type the existing, static management IP addresses that you previously configured for all slots in the cluster. If you choose to specify one or more unicast addresses and a multicast address, then you do not need to specify the existing, per-slot static management IP addresses when configuring addresses for failover communication.
    VIPRION with vCMP Type a self IP address that is defined on the guest and associated with an internal VLAN on the host (preferably VLAN HA). If you choose to specify unicast failover addresses only (and not a a multicast address), you must also type the existing, virtual static management IP addresses that you previously configured for all slots in the guest's virtual cluster. If you choose to specify one or more unicast addresses and a multicast address, you do not need to specify the existing, per-slot static and virtual management IP addresses when configuring addresses for failover communication.
    Important: Failover addresses should always be static, not floating, IP addresses.
  6. To enable the use of a failover multicast address on a VIPRION® platform (recommended), then for the Use Failover Multicast Address setting, select the Enabled check box.
  7. If you enabled Use Failover Multicast Address, either accept the default Address and Port values, or specify values appropriate for the device.
    If you revise the default Address and Port values, but then decide to revert to the default values, click Reset Defaults.
  8. Click Update.
After you perform this task, other devices in the device group can send failover messages to the local device using the specified IP addresses.

Enabling ASM synchronization on a device group

You need to have already set up the BIG-IP®systems you want to synchronize in a device trust and a device group. Application Security Manager™ (ASM) must be provisioned on all the systems in the device group.
You can enable ASM™ synchronization on a device group to synchronize security policies and configurations on all devices in the device group. You do this task on one system; for example, the active system in an active-standby pair.
  1. On the Main tab, click Security > Application Security > Synchronization .
    The system displays a list of device groups of which this device is a member.
  2. For Device Group, select the device group whose members you want to synchronize.
  3. Click Save.
The BIG-IP ASM systems that you want to share security policies and configurations are part of a device group with ASM synchronization.

Synchronizing an ASM-enabled device group

You need to have set up the BIG-IP® Application Security Manager™ (ASM) systems you want to synchronize in a Sync-Failover device group that is ASM™-enabled.
You can manually synchronize security policies and configuration of systems in an ASM-enabled device group.
  1. On one system in the ASM-enabled failover device group, create an application security policy.
    Because the two systems are not in sync, you see a Changes Pending status message on the screen.
  2. Click the Changes Pending message.
    Tip: You can also click Device Management > Overview .
    The Overview screen opens.
  3. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  4. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  5. In the Sync Options area of the screen, select Sync Device to Group.
  6. Click Sync.
    The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
  7. Verify that the devices are synchronized.
    For example, log in to another device in the device group and verify that the security policy you created also resides on that system. Click Security > Application Security > Security Policies and see if the policy is listed.

Except for static self IP addresses, the entire set of BIG-IP configuration data including ASM™ security policies and configuration is replicated on one or more devices in the ASM-enabled device group. If the active device is not available, the standby device becomes active and handles traffic.

You can create new security policies or update existing ones on any of the devices in the group, or update the ASM configuration options. You can manually synchronize changes you make on one device with the other devices in the ASM-enabled device group.

Implementation result

You have now set up two BIG-IP® systems running Application Security Manager™ (ASM) so that you can synchronize their security policies and configurations. With this implementation, you manually synchronize the ASM and BIG-IP configurations.

The two BIG-IP systems are in the same Sync-Failover device group. If one system becomes unavailable, the other system begins processing application traffic.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information